September 19th 2018 Updates

Updates to Anti-Social Media 

Danny Bradbury for Sophos: Deepfake pics and videos set off Facebook’s fake news detector Centres on FB’s announcement that “To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.”

The Register: Not so much changing their tune as enabling autotune: Facebook, Twitter bigwigs nod and smile to US senators – “Google slammed for no-show”


Graham Cluley: Twitter testing new feature that reveals when you’re online – “WHO OTHER THAN STALKERS ACTUALLY WANTS THIS?”


Lisa Vaas for Sophos: Review that! Fake TripAdvisor review peddler sent to jail

“The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.

TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.”


Michigan News (University of Michigan): Fake news detector algorithm works better than a human – “ANN ARBOR—An algorithm-based system that identifies telltale linguistic cues in fake news stories could provide news aggregator and social media sites like Google News with a new weapon in the fight against misinformation.

The University of Michigan researchers who developed the system have demonstrated that it’s comparable to and sometimes better than humans at correctly identifying fake news stories.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Palo Alto: Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows – “Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers that we have named XBash. We can tie this malware to the Iron Group, a threat actor group known for ransomware attacks in the past.”


Tomáš Foltýn for ESET: One in three UK orgs hit by cryptojacking in previous month, survey finds – “Conversely, only a little over one-third of IT executives believe that their systems have never been hijacked to surreptitiously mine digital currencies”


Trend Micro took a little time out from snarfing customer data to issue a report, Unseen Threats, Imminent Losses, that tells us of “a noticeable shift away from highly visible ransomware to a more discreet detection: cryptocurrency mining.” Phil Muncaster notes, based on that report, that Cryptomining Malware Soars 956% in a Year and also cites a report from Checkpoint which “warned last month that the number of global organizations affected by cryptojacking rose from just under 21% in the second half of 2017 to 42% in 1H 2018, with cyber-criminals making an estimated $2.5bn over the past six months.”


Graham Cluley: Cryptominers killing cryptominers to squeeze more out of your CPU

“As security researcher Xavier Mertens describes, a newly-encountered malicious miner for the Monero cryptocurrency is working hard to kill any potential competitors it encounters for system resources, using an ever-expanding list.”


Kaspars Osis for ESET: Kodi add-ons launch cryptomining campaign – “ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware”

Commentary from Bleeping Computer: Malicious Kodi Add-ons Install Windows & Linux Coin Mining Trojans – “Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.”


Danny Bradbury for Sophos: Blockchain hustler beats the house with smart contract hack – “A wily hacker has scored a thousand dollar cryptocurrency jackpot … by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain …. Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.” Fascinating article.

Updates to GDPR page

Veronika Gallisova for ESET: 100 days of GDPR – “What impact has the new data protection directive had on businesses so far?”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

John Leyden for The Register: 2-bit punks’ weak 40-bit crypto didn’t help Tesla keyless fobs one bit – “Eggheads demo how to clone gizmo, nick flash motor in seconds – flaw now patched”

“Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.”


The Register: Mikrotik routers pwned en masse, send network data to mysterious box – “Researchers uncover botnet malware pouncing on security holes”


The Register: Thousands of misconfigured 3D printers on interwebz run risk of sabotage

“Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.”


The Register: M-M-M-MONSTER KILL: Cisco’s bug-wranglers swat 29 in single week – “If you’re running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won’t be patched and there’s no workaround – so it is probably time to replace them.”


Tomáš Foltýn for ESET: Could home appliances knock down power grids? – “The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models”. The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, and the research was also presented at a recent USENIX security symposium.”

Updates to: Ransomware Resources

Mark Stockley for Sophos: The rise of targeted ransomware

“While cryptomining and cryptojacking have been sucking all the air out of the press room, a snowball that started rolling well before anyone had ever heard of WannaCry has been gathering pace and size.

The snowball is a trend for stealthier and more sophisticated ransomware attacks – attacks that are individually more lucrative, harder to stop and more devastating for their victims than attacks that rely on email or exploits to spread.”

Updates to Specific Ransomware Families and Types

John Leyden for The Register: Sextortion scum armed with leaked credentials are persistent pests – “If you’re going to batter 8,497 folk with over 60,000 threats, odds are someone will crack”

Bleeping Computer: Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files – “It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid. ”

Updates to Mac Virus

Dangers on Safari – The Safari Reaper attack, and URL spoofing

Android Issues – Android Malware-as-a-Service botnet, CVE-2018-9489, and open-source vulnerabilities in Android apps.

Smartphones that talk too much – acoustic side-channel attacks

Flushing the Mac App Store – Ad-Doctor and three Trend apps removed

Apple to make life easier for law enforcement – portal to apply for access to information and training

Krebs: commentary on global authentication via your wireless carrier – what could go wrong?

David Harley


Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstroka … and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking…. Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley

31st August 2018 AVIEN resource updates

Updates to Anti-Social Media 

Tomáš Foltýn for ESET: Instagram expands 2FA and account verification – “The move is part of a three-pronged plan that is intended to bolster user trust and safety on the photo-sharing platform”

Brian Krebs: Instagram’s New Security Tools are a Welcome Step, But Not Enough – “…Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number…”


Raj Samani (McAfee) for Help Net: The anatomy of fake news: Rise of the bots

Updates to Cryptocurrency/Crypto-mining News 

ZDNet: Bitfi finally gives up claim cryptocurrency wallet is unhackable – ‘On Twitter, the company posted a statement which said the company had hired external help in the form of a “Security Manager” who is “confirming vulnerabilities that have been identified by researchers.” “Effective immediately, we will be removing the “Unhackable” claim from our branding which has caused a significant amount of controversy,” the company added.’


Talos: Rocke: The Champion of Monero Miners – “Rocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners.”

ThreatPost: New Threat Actor ‘Rocke’: A Rising Monero Cryptomining Menace – “Researchers at Cisco Talos, who discovered the threat actor they call “Rocke”, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. … “Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,” the research team said in a post Thursday.”


The Register: Cryptojacking isn’t a path to riches – payout is a lousy $5.80 a day – “Hackers shouldn’t quit their day scams if they want to eat… Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.” The paper is here.

Updates to Ransomware Recovery and Prevention and Specific Ransomware Families and Types

Decrypter for RansomWarrior [sic] from Checkpoint: Ransom Warrior Decryption Tool

Updates to GDPR page

The Register: Fear mongers forced to eat shorts over spam swamping claims – “GDPR and no Whois hasn’t caused catastrophe… Researchers at Recorded Future have been tracking spam through Cisco’s Talos reporting system and have concluded that GDPR has had zero impact on online problems.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Help Net: Old “Misfortune Cookie” flaw opens medical gateway and devices to attack summarizes this article from CyberMDX: CyberMDX Discovers Vulnerability in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS)

See also

Updates to Mac Virus

Nightwatch Security: Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489] – “System broadcasts by Android OS expose information about … WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address.”

Commentary by TechRepublic: Android ‘API breaking’ vulnerability leaks device data, allows user tracking 


Sophos: Hacked stalking app reveals victims’ photos, texts and location info – “TheTruthSpy sells an iOS and Android app that enables someone to spy on someone else’s phone. The software is not available on official app stores and has to be installed on a jailbroken iPhone or via an alternative source on an Android phone.”


Ionut Ilascu for Bleeping Computer: Unsophisticated Android Spyware Monitors Device Sensors – “Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. … Kaspersky’s Alexey Firsh writes in the analysis.”

David Harley

August 29th 2018 resources update

Updates to Anti-Social Media 

Lisa Vaas for Sophos: Tumblr outlaws creepshots and deepfake porn – “The blogging site wants to go back to a simpler time, where, it says, people were a lot nicer … and didn’t glorify gore and upskirting.”

Updates to GDPR page

Recorded Future: 90 Days of GDPR: Minimal Impact on Spam and Domain Registration – “While it has only been three months since the GDPR went into effect, based on our research, not only has there not been an increase in spam, but the volume of spam and new registrations in spam-heavy generic top-level domains (gTLDs) has been on the decline.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

The Register: Voting machine maker claims vote machine hack-fests a ‘green light’ for foreign hackers – “NSA code smacker says no, hackers perform a service” – ES&S criticized for reluctance to participate in DEF CON demo.

Updates to Mac Virus

Android/iOS malware detections down, but Fortnite flaw problematic

David Harley

28th August updates – AVIEN Resources

Updates to Cryptocurrency/Crypto-mining News and Resources

Bleeping Computer: Atlas Quantum Cryptocurrency Investment Platform Suffers Data Breach – “Atlas Quantum said the hacker (or hackers) did not steal any funds from users’ accounts.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

Security Boulevard: Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack – “This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.”

Updates to Meltdown/Spectre and other chip-related resources

The Register: Linux 4.19 lets you declare your trust in AMD, IBM and Intel – “Wave the CPU trust flag if you’re feeling safe enough…. When random number generation is insufficiently random, encryption based on such numbers can be broken with less effort.”

Updates to Specific Ransomware Families and Types

Security Boulevard: Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack – “This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.”

Updates to Tech support scams resource page

Link to Chainmailcheck article below.

Updates to Chain Mail Check

William Tsing for Malwarebytes: Green card scams: preying on the desperate – Green card scams are far from new, and in fact the site Tsing describes does indicate in the small print that its usefulness to someone wanting to improve their chances of getting a green card via the diversity visa lottery is going to be very limited indeed. But Tsing makes the interesting point that the scam site looks more authentic than the real site because it provides more information, and compares it to “what we see with legitimate tech support and tech support scammers. An official entity does a poor job communicating with its constituency, and that creates a vacuum that scammers are all too eager to fill.” Seems an entirely valid point.

I talked about the issue of inadequate tech support in an article for ESET – Tech support scams and the call of the void – The importance of providing the best possible after-sales service to customers. That article was sparked off by a useful article on the Security Boulevard site by Christopher Burgess on When Scammers Fill the Tech Support Void.

Updates to Mac Virus

Tomáš Foltýn for ESET: Why now could be a good time to fortify your Android defenses
“Stop us if you’ve heard this before: avoid installing apps from outside Google Play. But what if you’re itching to battle it out in Fortnite?”

Follow-up article – interview with Lukáš Štefanko, who says I hope other app developers don’t follow Epic’s example – “After Epic Games shunned Google Play, debates about threats faced by Android users have taken on a whole new tenor. Joining us to add his voice to the mix is ESET Malware Researcher Lukáš Štefanko”

My own view is slightly (but only slightly) different, as discussed in my MacVirus article: Fortnite and Android: an Epic disagreement

David Harley

Facebook takedown of influence operations

I was a little late spotting this New York Times article from August 21st: Sheera Frenkel and Nicholas Fandos: Facebook Identifies New Influence Operations Spanning Globe – “We know that trolls on social media are trying to sow discord on contentious subjects like race, guns and abortion, but how do they do it? Here is a visual guide to their strategy.”

Its starting point is this article from Facebook – Taking Down More Coordinated Inauthentic Behavior – regarding how it has taken down 652 pages, groups and accounts for ‘inauthentic behavior’ after receiving information from FireEye about ‘Liberty Front Press’. FireEye’s analysis is summarized here – Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East – linking to a 38-page report.

Fascinating stuff.

David Harley

Untangling the Web

I was away when this series of articles on ESET’s WeLiveSecurity blog was published, and in fact for quite a few days afterwards, so I didn’t do much to flag it at the time, but I think it was quite interesting.

ESET’s Tomáš Foltýn contacted a handful of us who’ve been in the security business a long, long time, and asked us some questions related to the recent 27th anniversary of the World Wide Web, publicly announced by Tim Berners-Lee on the 6th August 1991. In fact, he asked a wide range of questions relating to the web past, present and future.

I, for one, have never been one to resist the opportunity to share the benefit of my prejudices, so my responses can be found in the first article in the series here: Interviewing ESET’s experts about the Web’s journey so far – part 1.

For part two in the series, Tomáš talked to Cameron Camp, who focused less on the historical aspects of the Web and more on the clear and present dangers. And finally, he talked to Aryeh Goretsky, who was already working in the antivirus industry in 1991.

(Oddly enough, one of my jobs in the early 90s was coding some primitive programs to supplement a basic AV scanner in use at that time in my workplace, but I wasn’t assimilated into the industry until 2006 or thereabouts. In small steps, admittedly, but resistance turned out to be futile. Ironically, I’ve never been involved with program development at ESET.)

David Harley

Other resource updates August 24th 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Brian Krebs: Alleged SIM Swapper Arrested in California – “Authorities in Santa Clara, Calif. have arrested and charged a 19-year-old area man on suspicion of hijacking mobile phone numbers as part of a scheme to steal large sums of bitcoin and other cryptocurrencies. The arrest is the third known law enforcement action this month targeting “SIM swappers,” individuals who specialize in stealing wireless phone numbers and hijacking online financial and social media accounts tied to those numbers.”

Commentary from CoinTelegraph.


SecureList: Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Commentary by The Register: Nork hackers Lazarus brought back to life by AppleJeus to infect Macs for the first time – “Malware with polished website spotted stealing crypto-coins from traders”

Updates to GDPR page

Rebecca Hill for The Register: Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case – “Info collected on folk outside the social network ‘not readily accessible’ … Facebook’s refusal … is to be probed by the Irish Data Protection Commissioner … Under the General Data Protection Regulation … people can demand that organisations hand over the data they hold on them.”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

John Leyden for The Register: If it doesn’t need to be connected, don’t: Nurse prescribes meds for sickly hospital infosec – “Pro shares healthcare horror stories”. I met Jelena Milosevic when she presented at Virus Bulletin in 2017 on a similar topic. She made several good points.

Updates to Mac Virus

Graham Cluley for BitDefender: Facebook pulls its VPN from the iOS App Store after data-harvesting accusations – “Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.”

Juli Clover for MacRumors: Facebook Removing Onavo VPN From App Store After Apple Says It Violates Data Collection Policies

Based on a story from the Wall Street Journal (requires subscription).


Also from Bitdefender: Triout – The Malware Framework for Android That Packs Potent Spyware Capabilities


SecureList: Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware

David Harley

(Anti-)Social Media updates 24th August 2018

Updates to Anti-Social Media 

Richi Jennings for TechBeacon’s Security Blogwatch: It’s election hacking season: Are you a target? A selection of commentary from a variety of sources. “Allegedly, Russia and Iran have been phishing, hacking, and building fake profiles on Facebook, Twitter, and YouTube…With the midterms just a few months away, the froth is building.”


Graham Cluley for BitDefender: Facebook pulls its VPN from the iOS App Store after data-harvesting accusations – “Facebook has withdrawn its Onavo Protect VPN app from the iOS App Store after Apple determined that it was breaking data-collection policies.”

John Leyden for The Register: Facebook pulls ‘snoopy’ Onavo VPN from Apple’s App Store after falling foul of rules


Rebecca Hill for The Register: Chap asks Facebook for data on his web activity, Facebook says no, now watchdog’s on the case – “Info collected on folk outside the social network ‘not readily accessible’ … Facebook’s refusal … is to be probed by the Irish Data Protection Commissioner … Under the General Data Protection Regulation … people can demand that organisations hand over the data they hold on them.”


Lisa Vaas for Sophos: Facebook’s rating you on how trustworthy you are – a good analysis of the difficulties Facebook and other social media face in addressing the problem of fake news.

David Harley

August 22nd resources update

Updates to Cryptocurrency/Crypto-mining News and Resources

Next Web: Arrested BitConnect kingpin is connected to yet another cryptocurrency scam – “Something is cooking up in the Indian state of Gujarat”

Updates to GDPR page

Catalin Cimpanu for Bleeping Computer: Number of Third-Party Cookies on EU News Sites Dropped by 22% Post-GDPR – “Researchers looked at 200 news sites in total, from seven countries —Finland, France, Germany, Italy, Poland, Spain, and the UK.” Sadly, there seem to be an awful lot of sites outside the EU that regard GDPR as avoidable simply by saying “We use cookies: live with it or live without us.” Sigh…

The Register takes a slightly broader view: That’s the way the cookies crumble: Consent banners up 16% since GDPR – “While news sites cut cookies by 22% – but Google retains omnipresence”

Updates to Meltdown/Spectre and other chip-related resources

Foreshadow web page resource:


The Register: Fix for July’s Spectre-like bug is breaking some supers – “RDMA-Lustre combo swatted, HPC admins scramble”

Updates to Specific Ransomware Families and Types

GandCrab:

Trend Micro: .EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users – Apparently the otherwise obscure .EGG file compression format is widely used in South Korea.

Commentary by Graham Cluley: Rotten EGGs spread ransomware in South Korea – “RANSOMWARE CHANGES FILE EXTENSION TO .KRAB.”

Commentary by David Bisson for Tripwire: Spam Campaign Targeting South Korean Users With GandCrab v4.3 Ransomware


Ryuk:

Catalin Cimpanu for Bleeping Computer: Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge – “There have been several reports from victims regarding infections with Ryuk in the past week, including one on the Bleeping Computer forums.”

David Harley