SANS

Hancitor Maldoc Videos, (Mon, Dec 5th)

05 Dec 2016

I produced videos for the Hancitor maldoc mentioned in this ISC Stormcast For Monday, December 5th 2016 https://isc.sans.edu/podcastdetail.html?id=5277, (Sun, Dec 4th)

04 Dec 2016

...

Old posts >>


Sophos

How to guess credit card security codes

05 Dec 2016

That "short code" on the back of your credit card does make things harder for cybercrooks - but perhaps not that much harder.

News in brief: porn database hacked; Obama call to Trump; MPs move on Snooper’s Charter

05 Dec 2016

Your daily round-up of what else is in the news

Facebook reportedly looking at curating news (again)

05 Dec 2016

The latest fake-news wrinkle: Insiders say it will hand-pick news from favored media partners, including Snapchat, in an upcoming feature called Collections.

Website leaves 43,000 sensitive medical records exposed

05 Dec 2016

Troy Hunt struggles to get a response from affected company

Apple set to deploy drones to boost Maps accuracy

05 Dec 2016

It reportedly has FAA go-ahead to fly commercial drones. Indoor mapping is also in the works, but no worries: it's not peeping-Tom time.

Monday review – the hot 24 stories of the week

05 Dec 2016

From Uber collecting location data even when not in use and the new iOS lockscreen-bypassing bug to the IoT camera turning zombie in 2 mins

Old posts >>

‘Avalanche’ botnet takes a tumble after Europol cyber-bust

02 Dec 2016

Multi-agency global operation takes down longstanding cybercrime platform

New iOS lockscreen bypass renders Activation Lock useless

02 Dec 2016

Security researchers have found a new bug that allows bypassing the Activation Lock feature.

News in brief: meals on robot wheels; Mirai blamed for new attacks; police bypass iPhone encryption

02 Dec 2016

Your daily round-up of what else is in the news

Would Facebook or Twitter dare to ban Trump? [Poll]

02 Dec 2016

Facebook employees have already reportedly pushed to have his posts about banning Muslims from entering the country deemed hate speech.


TrendMicro

Old posts >>

One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild

02 Dec 2016

Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild

New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer

01 Dec 2016

In January of 2016, we found various "SmsSecurity" mobile apps that claimed to be from various banks. Since then, we've found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer

HDDCryptor: Subtle Updates, Still a Credible Threat

30 Nov 2016

Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency (SFMTA).

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

HDDCryptor: Subtle Updates, Still a Credible Threat

CEO Fraud Email Scams Target Healthcare Institutions

23 Nov 2016

A series of Business Email Compromise (BEC) campaigns that used CEO fraud schemes was seen targeting 17 healthcare institutions in the US, ten in the UK, and eight in Canada over the past two weeks. These institutions range from general hospitals and teaching hospitals to specialty care and walk-in clinics. Even pharmaceutical companies were not safe from the BEC scams, as one UK-based company and two Canadian pharma companies were also targeted.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

CEO Fraud Email Scams Target Healthcare Institutions

Selling Online Gaming Currency: How It Makes Way for Attacks Against Enterprises

23 Nov 2016

Offhand, companies and enterprises being affected by attacks like DDoS against the online gaming industry may be far-fetched. But the gaming industry, being a billion-dollar business with a continuously growing competitive community, is naturally bound to garner attention from cybercriminals. A recent wire fraud case, for instance, allowed a group of hackers to mine $16 million worth of coins in the hugely popular FIFA series and sell them to buyers in Europe and China. And in our research, we found that the sale of such gaming currencies sends ripples of impact to fund cybercrime operations often targeting entities however unrelated to online gaming.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Selling Online Gaming Currency: How It Makes Way for Attacks Against Enterprises

Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

22 Nov 2016

Possibly to maximize the earning potential of Cerber’s developers and their affiliates, the ransomware incorporated a routine with heavier impact to businesses: encrypting database files. These repositories of organized data enable businesses to store, retrieve, sort, analyze, and manage pertinent information. When utilized effectively they help maintain the organization’s efficiency, so holding these mission-critical files hostage can adversely affect the business’s operations and bottom line.

A known ransomware peddled as a turnkey service to budding cybercriminals, Cerber has metamorphosed into a myriad of versions throughout its lifecycle. It picked up more tricks along the way, some of which include integrating a DDoS component, using double-zipped Windows Script Files, and leveraging a cloud productivity platform, even serving as secondary payload for an information-stealing Trojan.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Businesses as Ransomware’s Goldmine: How Cerber Encrypts Database Files

Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched

09 Nov 2016

The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world.  In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched

Patch Tuesday of November 2016: Six Critical Bulletins, Eight Important

09 Nov 2016

November is the second-to-last Patch Tuesday of 2016, and it brings a slightly higher than typical number of bulletins: six Critical bulletins and eight Important bulletins. The 8th is the earliest date that Patch Tuesday can take place in a month; December's Patch Tuesday (and the last of 2016) takes place in exactly five weeks. Among the items fixed today was the zero-day vulnerability in Windows that was used in the same attacks at the Adobe Flash Player zero-day in late October.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Patch Tuesday of November 2016: Six Critical Bulletins, Eight Important

New Bizarro Sundown Exploit Kit Spreads Locky

04 Nov 2016

A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.

Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. Both versions were used exclusively by the ShadowGate/WordsJS campaign.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New Bizarro Sundown Exploit Kit Spreads Locky

Security Update Patches 13 Android Vulnerabilities Discovered by Trend Micro

01 Nov 2016

Mobile threats are trending upward, with vulnerability exploits gaining traction. The silver lining? More of these vulnerabilities are also disclosed, analyzed and detected. This helps better mitigate Android devices from zero-days and malware, enabling OEMs/vendors to more proactively respond to these threats. This is echoed by our continuous initiatives on Android vulnerability research: from June to August 2016, for instance, we’ve discovered and disclosed 13 vulnerabilities to Google. Their real-world impact ranges from battery drainage and unauthorized capture of photos, videos, and audio recordings, to system data leakage and remote control. This is on top of 16 other security flaws we’ve uncovered that were cited in Android/Google’s security bulletins from January to September this year.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Security Update Patches 13 Android Vulnerabilities Discovered by Trend Micro


Kaspersky

Old posts >>

New wave of Mirai attacking home routers

28 Nov 2016

Starting from yesterday, many DSL customers in Germany were reporting problems with their routers. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Malicious code and the Windows integrity mechanism

28 Nov 2016

My goal wasn't to review the techniques of elevating system privileges. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

Caribbean scuba diving with IT-security in mind

24 Nov 2016

Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit.

Research on unsecured Wi-Fi networks across the world

24 Nov 2016

Confidential data can be protected by encrypting traffic at wireless access points. In fact, this method of protection is now considered essential for all Wi-Fi networks. But what actually happens in practice?

DDoS attack on the Russian banks: what the traffic data showed

24 Nov 2016

From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, it was no indication of anything unusual - all well-known banks get attacked from time to time - but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks.

InPage zero-day exploit used to attack financial institutions in Asia

23 Nov 2016

In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a "magnet of threats". Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention.

Lost in Translation, or the Peculiarities of Cybersecurity Tests

21 Nov 2016

AV-Comparatives simultaneously conducted two tests of cybersecurity products using one and the same methodology. What's the difference between them and how to read the reports to see manipulation of figures and recognize biased marketing 'next-gen' rhetoric.

Kaspersky Security Bulletin. Predictions for 2017

16 Nov 2016

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape.

Kaspersky Lab Black Friday Threat Overview 2016

14 Nov 2016

Our research shows that, over the last few years, the holiday period which starts on so-called Black Friday was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year.

Loop of Confidence

10 Nov 2016

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become. In our opinion, these technologies require a more detailed examination and a separate evaluation of the threats they face.


ThreatPost

Distributed Guessing Attack Reels in Payment Card Data

05 Dec 2016

A research paper describes vulnerabilities enabling distributed guessing attacks which allow an attacker to collect payment card data across a number of sites without triggering alerts.

New Large-Scale DDoS Attacks Follow Schedule

05 Dec 2016

Researchers are tracking a new wave of DDoS attacks that rival Mirai when it comes to intensity and scope.

EFF Blasts DEA in Ongoing Secret ‘Super Search Engine’ Lawsuit

05 Dec 2016

EFF is dismayed by the cavalier attitude by law enforcement over warrantless searches of trillions of phone records and its refusal to turn over documents.

Old posts >>

Google Fixes 12 High-Severity Flaws In Chrome Browser

02 Dec 2016

Chrome 55.0.2883.75 for Windows, Mac, and Linux was released Thursday and patched 36 vulnerabilities, including 12 high-severity flaws eligible for bounties.

Rule 41 Opponents Vow to Fight Government’s New Hacking Powers

01 Dec 2016

Opponents of the controversial Rule 41 say they are committed to fighting the government’s expanded powers.

Mozilla Patches Firefox Zero Day Used to Unmask Tor Browser Users

01 Dec 2016

Mozilla released a new version of Firefox on Wednesday to address a zero day vulnerability that was actively being exploited to de-anonymize Tor Browser users.

Gooligan Malware Breaches 1 Million Google Accounts

01 Dec 2016

The Gooligan Android malware steals Google authentication tokens from mobile devices to breach user and corporate accounts.

Microsoft Silently Fixes Kernel Bug That Led to Chrome Sandbox Bypass

30 Nov 2016

Microsoft appears to have silently fixed a two-year-old bug in in Windows Kernel Object Manager that could have allowed for the bypass of privileges in Google's Chrome browser.

Tor Patched Against Zero Day Under Attack

30 Nov 2016

The Tor Project has provided a browser update that patches a zero-day vulnerability being exploited in the wild to de-anonymize Tor users.

New Cerber Variant Leverages Tor2Web Proxies, Google Redirects

30 Nov 2016

Researchers have discovered that criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection.


Symantec

Old posts >>

Avalanche malware network hit with law enforcement takedown

01 Dec 2016

Symantec plays part in takedown of the Avalanche malware-hosting network.

Read More

Shamoon: Back from the dead and destructive as ever

30 Nov 2016

Malware hit targets in Saudi Arabia and was configured to wipe disks on November 17.

Read More

Mirai: New wave of IoT botnet attacks hits Germany

29 Nov 2016

New variant of malware used in attacks that knocked 900,000 home internet users offline.

Read More

Gatak: Healthcare organizations in the crosshairs

21 Nov 2016

Mysterious threat group infects organizations using malicious key generators for pirated software.

Read More

Android banking malware whitelists itself to stay connected with attackers

17 Nov 2016

New Android.Fakebank.B variants use social engineering to bypass a battery-saving process and stay active in the background.

Read More

Latest Intelligence for October 2016

10 Nov 2016

Number of new malware variants rises to over 96 million and global spam hits highest rate in nearly a year.

Read More

New BEC scams seek to build trust first, request wire transfer later

09 Nov 2016

Business email compromise scammers have gradually changed their tactics to improve their scam success rate.

Read More

Microsoft Patch Tuesday – November 2016

08 Nov 2016

This month the vendor is releasing 14 bulletins, six of which are rated Critical.

Read More

Mirai: what you need to know about the botnet behind recent major DDoS attacks

27 Oct 2016

Botnet has grown by exploiting weak security on a range of IoT devices.

Read More

Android ransomware gets around auto-start restrictions by pretending to be a launcher

27 Oct 2016

The latest Android.Lockscreen variants declare their activity as part of the launcher category to get around Android's security restrictions.

Read More

Flash Player zero-day being exploited in targeted attacks

27 Oct 2016

Adobe patches vulnerability (CVE-2016-7855) which was being used in a limited number of targeted attacks.

Read More

Tech support scams increasing in complexity

26 Oct 2016

Tech support scammers have begun using code obfuscation to avoid detection.

Read More

Attackers use Discord VoIP chat servers to host NanoCore, njRAT, SpyRAT

20 Oct 2016

Malicious actors are abusing a free VoIP service for gamers to distribute remote access Trojans, as well as infostealers and downloaders.

Read More

Malware and spam groups exploit US election fever

19 Oct 2016

As the presidential election draws near, the level of malware and spam activity attempting to capitalize on interest in the campaigns of Donald Trump and Hillary Clinton has risen.

Read More

Beware of the student loan forgiveness scam spam

13 Oct 2016

Trojan.Ascesso has been observed trying to send out thousands of student loan forgiveness scam emails.

Read More

Surge of email attacks using malicious WSF attachments

13 Oct 2016

Ransomware attack groups among the most frequent users of new tactic.

Read More

Microsoft Patch Tuesday – October 2016

11 Oct 2016

This month the vendor is releasing 10 bulletins, five of which are rated Critical.

Read More

Odinaff: New Trojan used in high level financial attacks

11 Oct 2016

Multiple banks attacked by Carbanak-linked group.

Read More

Latest Intelligence for September 2016

07 Oct 2016

The RIG exploit kit was the most active web attack toolkit in September and the number of new malware variants reached its highest point of the last year.

Read More

Zero Days film puts two Symantec researchers in the spotlight

03 Oct 2016

Alex Gibney's film highlights Eric Chien and Liam O'Murchu's research on Stuxnet and cyberattacks.

Read More


F-Secure

Old posts >>

A Joint Centre To Combat Hybrid Warfare Threats

24 Nov 2016

Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare according to recent reports. Disinformation and fake news is considered “hybrid warfare” in this context. The proposed annual budget is reportedly estimated at two million euros. I think… they’re gonna need a bigger boat. Fighting against hybrid warfare disinformation will […]

Yahoo! Voice Call 2FA Fail

17 Nov 2016

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the […]

What’s The Deal With “Next Gen”?

16 Nov 2016

We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about. Coopetition in the AV industry But before getting into what “Next […]

A RAT For The US Presidential Elections

10 Nov 2016

A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message […]

How To Vet URL Shorteners #2016CampaignEdition

31 Oct 2016

John Podesta, the Chairman of Hillary Clinton’s 2016 presidential campaign, allowed his Gmail account to be compromised in March 2016. And as a consequence, his correspondence has been in the news throughout the month of October. Recently, the March 2016 phishing message itself was published. Do you notice anything odd about the message? The very […]

CSS Disclosure: tar Extract Pathname Bypass

27 Oct 2016

T2’16 Infosec Conference kicked off this morning in Helsinki. And to celebrate this, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish. See below for more info. tar Extract Pathname Bypass Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321) Tagged: CSS, Disclosure, Kyb3r, tar, Vulnerability

Hacking An Election Is Hard. Why Not Pwn The Messenger Instead?

26 Oct 2016

Election day USA, November 8th, is nigh. US elections (during a presidential election year) are a massive affair comprising federal, state, and local candidates for all sorts of elected positions: president, governors, senators, representatives, judges, state and county commissioners, et cetera. They are organized and run at the county level. There are 3,144 counties and […]

Fun With Internet Metadata (AKA The Deep Web)

21 Oct 2016

Our Cyber Security Services (CSS) division spend a fair amount of time working with companies on threat assessments. They’ve been doing this stuff for several years, and during that time, they developed some useful tools to make their jobs easier. One of those tools is Riddler. It’s a web crawler that makes Internet metadata available via […]

What’s The Deal With Non-Signature-Based Anti-Malware Solutions?

17 Oct 2016

Gartner recently published an insightful report entitled “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization”. In this report, it discusses the ways in which non-signature technologies can be used to augment an organization’s endpoint protection strategy. Let’s take a look at how Gartner has defined non-signature malware detection solutions. Here’s a clip directly […]

Definitely Not Cerber

20 Sep 2016

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”. The characteristics of the mail, naming of the attached item, […]

Seriously, Put Away The Foil

15 Sep 2016

I was scanning the headlines this morning, as I do, and came across this article by YLE Uutiset (News). — “Finnish police: Keep your car keys in the fridge” From YLE’s article: “These so-called smart keys work by emitting a signal when the driver touches the door handle. The lock opens when it recognises the […]

0ld 5ch00l MBR Malware

07 Sep 2016

I recently installed Audacity, an open source audio editor… And while verifying the current version to download, I came across an interesting security notification. Before I read the details, I fully expected to discover yet another case of some crypto-ransomware group hijacking and trojanizing an application installer. But not so! Audacity’s download partner was infiltrated […]

What’s The Deal With Machine Learning?

26 Aug 2016

We’ve recently received quite a few questions regarding the use of machine learning techniques in cyber security. I figured it was time for a blog post. Interestingly, while I was writing this post, we got asked even more questions, so the timing couldn’t be better. It seems that there are quite a few companies out […]

Coming Soon: iOS 10

19 Aug 2016

I’ve been testing iOS 10 Beta for several weeks (on a secondary iPad mini 2 of mine) and so far, so good. I’m enjoying Swift Playgrounds and looking forward to the final release. Most of the changes I’ve noticed have been surface (i.e., UI) changes. But today I read an interesting blog post by @nabla_c0d3, […]

Got Ransomware? Negotiate

10 Aug 2016

ICYMI: we recently published a customer service study of various crypto-ransomware families. Communication being a crucial element of ransomware schemes, we decided to put it to a comparative test. The biggest takeaway? If you find yourself compromised – negotiate. You have little to lose, the majority of extortionists appear to be willing work with their […]

NanHaiShu: RATing the South China Sea

04 Aug 2016

Since last year, we have been following a threat that we refer to as NanHaiShu, which is a Remote Access Trojan. The threat actors behind this malware target government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea. Hence, the name nán hǎi shǔ […]

Bye Bye Flash! Part 2.5. Microsoft Edge Is Going “Click To Flash”

25 Jul 2016

After last Thursday’s article on how Firefox will start reducing support for Flash, I received some comments pointing me to an announcement from Microsoft, back in April, where they stated that their Edge browser would also move towards a “Click to Flash” approach. The announcement notes that Flash plugins not central to the web page will […]

Bye Bye Flash! Part 2 – Firefox Plans To “Reduce” Support For Flash

21 Jul 2016

Earlier this year, in our 2015 Threat Report, our own Sean Sullivan predicted that Chrome, Firefox, and Microsoft would announce an iterative shift away from supporting Flash in the browser by 2017. Last month, we covered the announcement made by Google. As predicted, just yesterday, the Firefox developers made a similar announcement on their blog. […]

Malware History: Code Red

19 Jul 2016

Fifteen years (5479 days) ago… Code Red hit its peak. An infamous computer worm, Code Red exploited a vulnerability in Microsoft Internet Information Server (IIS) to propagate. Infected servers displayed the following message. See @mikko‘s Tweet below for a visualization. @FSLabs @FSecure @5ean5ullivan pic.twitter.com/7c0yTc66ix — Mikko Hypponen (@mikko) July 18, 2016 Tagged: Code Red, Historical, […]

A New High For Locky

13 Jul 2016

After seeing a drop during first weeks of June, the spam campaigns distributing Locky crypto-ransomware has returned as aggressive as ever. Normally we have seen around 4000-10,000 spam hits a day during spam campaigns. Last week from Wednesday to Friday we observed a notable increase in amount of spam distributing Locky. At most we saw […]