6th October 2018 updates

Updates to Anti-Social Media 

Lisa Vaas for Sophos: Facebook finds “no evidence” attackers accessed third-party apps – “Facebook said … Nevertheless, it’s building a tool to allow developers to manually identify which of their apps’ users may have been affected, so they can log them out.”

Updates to: Ransomware Resources

Updates to Chain Mail Check

Extortion & Breach Compilation archive; BEC as a service

Updates to Mac Virus

Supply chain hacking: bull in a China shop? [updated]

Android SMS Worm, plus setting up a Mac for kids

David Harley


Resources update: 3rd October

Updates to Anti-Social Media 

ESET: Facebook: No evidence attackers used stolen access tokens on third-party sites
“The social networking behemoth is expected to face a formal investigation by Ireland’s Data Protection Commission in what could be the “acid test” of GDPR since the law became effective in May”

Graham Cluley: Two reasons to reconsider your Facebook membership
“Not only was it revealed that millions of users had their accounts exposed by a vulnerability, but the site has been up to dirty tricks with mobile phone numbers you gave them to supposedly enhance your security.”

Joseph Cox for Motherboard: Hackers Are Holding High Profile Instagram Accounts Hostage
“Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Lawrence Abrams for Bleeping Computer: Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones
“Kaspersky has discovered that [Roaming Mantis Group] is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page.”

John E. Dunn for Sophos: Monero fixes major ‘burning bug’ flaw, preventing mass devaluation
“…the developers realised that the apparent non-expert had just confirmed a major flaw in wallets used to transact the controversial and what is reportedly the world’s tenth most popular cryptocurrency.”

Updates to GDPR page

ESET: Facebook: No evidence attackers used stolen access tokens on third-party sites
“The social networking behemoth is expected to face a formal investigation by Ireland’s Data Protection Commission in what could be the “acid test” of GDPR since the law became effective in May”

Updates to Internet of (not necessarily necessary) Things

Gabrielle Ladouceur Despins for ESET: Top tips for protecting your Smart TV
“The final few months of 2018 will likely be a busy time of year for people and cybercriminals will be no different as they continue to look for weak spots in networks”

Updates to: Ransomware Resources

Joseph Cox for Motherboard: Hackers Are Holding High Profile Instagram Accounts Hostage
“Hackers have hijacked the accounts of at least four high profile Instagrammers recently, locking them out and demanding a bitcoin ransom.”

Updates to Mac Virus

News Update October 3rd

David Harley

AVIEN roundup 28th September 2018

Updates to Cryptocurrency/Crypto-mining News and Resources

Sophos: Cryptojacking – coming to a server-laptop-phone near you (and how to stop it) – Paul Ducklin’s summary of blockchain and cryptojacking, with particular reference to Android.

Updates to Specific Ransomware Families and Types

Zeljka Zorz for Help Net: Phorpiex bots target remote access servers to deliver ransomware – “Threat actors are brute-forcing their way into enterprise endpoints running server-side remote access applications and attempting to spread the GandCrab ransomware onto other enterprise computers, SecurityScorecard researchers are warning.”

Trend Micro: Viro Botnet Ransomware Breaks Through – “we have recently observed Viro botnet (detected by Trend Micro as RANSOM_VIBOROT.THIAHAH), with both ransomware and botnet capabilities, affecting users in the United States.”

Updates to Mac Virus

David Harley

Internet of Things update

John Leyden for The Register: Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is ‘insecure’ – “Hackers can blow holes in Apple’s managed service technology and sneak their own rogue devices onto corporate fleets of mobile iThings.

Weaknesses in Apple’s Device Enrollment Program (DEP) allow the ne’er-do-wells to run targeted attacks on both the networks of the corporate shiny-shiny and the backend systems that support them, researchers at Duo Security warned.”

Catalin Cimpanu for ZDnet: Researchers find vulnerability in Apple’s MDM DEP process – “Vulnerability could lead to attackers enrolling malicious devices in enterprise networks, researchers say.”

The Duo Labs paper is available from here: Weak Apple DEP Authentication Leaves Enterprises Vulnerable to Social Engineering Attacks and Rogue Devices

Talos Intelligence: VPNFilter III: More Tools for the Swiss Army Knife of Malware – “Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic.”

Softpedia: Study Finds 83 Percent of Home Routers are Vulnerable to Attacks – “A study published by The American Consumer Institute found that out of a sample of 186 home routers, 83% of them were exposed to security attacks because of known vulnerabilities in their firmware.” The study is available here: New Study Warns of Inadequate Security Provisions in Home and Office Routers

Help Net: Connected car security is improving, researchers say – referring to this report from IOActive: Commonalities in Vehicle Vulnerabilities – 2018 Remix

Help Net: Hackers are finding creative ways to target connected medical devices – refers to this Zingbox paper: Discovery of Cyberattack Trends Targeting Connected Medical Device [sic] – “Detailed analysis of hackers leveraging device error messages”

Shaun Nichols for The Register: DEF CON hackers’ dossier on US voting machine security is just as grim as feared

“The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies.”

David Harley

Anti-social media update

Thomas Claburn for The Register: Facebook sued for exposing content moderators to Facebook – “Endless series of beheadings and horrible images take mental toll, US lawsuit claims”

Silicon: WhatsApp Founder Admits Selling Out Privacy To Facebook – “Co-founder of WhatsApp Brian Acton admits selling out the privacy of WhatsApp users to Facebook”

Sophos: Facebook scolds police for using fake accounts to snoop on citizens

‘In a letter to MPD Director Michael Rallings, Facebook’s Andrea Kirkpatrick, director and associate general counsel for security, scolded the police for creating multiple fake Facebook accounts and impersonating legitimate Facebook users as part of its investigations into “alleged criminal conduct unrelated to Facebook.”’

Graham Cluley for BitDefender: Zuckerberg’s Facebook page? I’ll livestream its deletion, says hacker

New York Times: Facebook Network is Breached, Putting 50 Million Users’ Data at Risk

The Register: Facebook confesses crappy code has exposed up to 90 million users to hackers

David Harley

Tech support scam update

Updates to Tech support scams resource page

Jérôme Segura reports (20th September 2018) for Malwarebytes on Mass WordPress compromises redirect to tech support scams. There have been high volumes of hijackings of sites using the WordPress content management system, especially sites using outdated plugins. Prominent among the client-side payloads observed by Malwarebytes are redirections to tech support scams. Segura notes that:

“That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.”

David Harley

Cryptocurrency/cryptojacking updates

Steve Kaaru for Null TX: Hackers Mining Cryptos Using Leaked NSA Surveillance Tools, New Report Reveals – “The report revealed that cryptojacking incidences have spiked by over 450 percent in 2018, attributing the increased incidences to an NSA tool that was leaked in late 2017 which has been used by North Korean and Russian hackers in the past to infiltrate strategic targets.”

Alyza Sebenius for Bloomberg: Hackers Are Targeting Bitcoin With a Leaked NSA Software Tip, Report Says

Lukas Stefanko for ESET: Fake finance apps on Google Play target users from around the world – “Cybercrooks use bogus apps to phish six online banks and a cryptocurrency exchange…the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services.”

David Harley

Anti-Social Media updates

Updates to Anti-Social Media 

Lisa Vaas for Sophos: Years on, third party apps still exposing Grindr users’ locations – “Grindr, the premium gay dating app, is exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status…”

Nathan Gleicher for Facebook: Expanding Security Tools to Protect Political Campaigns – “Over the past year, we have invested in new technology and more people to stay ahead of bad actors who are determined to use Facebook to disrupt elections. Today we’re introducing additional tools to further secure candidates and campaign staff who may be particularly vulnerable to targeting by hackers and foreign adversaries. This pilot program is an addition to our existing security tools and procedures, and we will apply what we learn to other elections in the US and around the world.”

Commentary by Danny Bradbury for Sophos: How Facebook wants to protect political campaigners from hacking – “Facebook is making the extra protections available to a select class of political operatives, namely candidates for federal or statewide office, and staff members and representatives from federal and state political party committees.”

Also by Lisa Vaas for Sophos: Facebook faces sanctions if it drags its feet on data transparency – Vera Jourova, the European Commissioner for justice, consumers and gender equality, is evidently not in the least impressed.

David Harley

September 19th 2018 Updates

Updates to Anti-Social Media 

Danny Bradbury for Sophos: Deepfake pics and videos set off Facebook’s fake news detector – centres on FB’s announcement that “To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.”

The Register: Not so much changing their tune as enabling autotune: Facebook, Twitter bigwigs nod and smile to US senators – “Google slammed for no-show”

Graham Cluley: Twitter testing new feature that reveals when you’re online – “WHO OTHER THAN STALKERS ACTUALLY WANTS THIS?”

Lisa Vaas for Sophos: Review that! Fake TripAdvisor review peddler sent to jail

“The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.

TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.”

Michigan News (University of Michigan): Fake news detector algorithm works better than a human – “ANN ARBOR—An algorithm-based system that identifies telltale linguistic cues in fake news stories could provide news aggregator and social media sites like Google News with a new weapon in the fight against misinformation.

The University of Michigan researchers who developed the system have demonstrated that it’s comparable to and sometimes better than humans at correctly identifying fake news stories.”

Updates to Cryptocurrency/Crypto-mining News and Resources

Palo Alto: Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows – “Unit 42 researchers have found a new malware family that is targeting Linux and Microsoft Windows servers that we have named XBash. We can tie this malware to the Iron Group, a threat actor group known for ransomware attacks in the past.”

Tomáš Foltýn for ESET: One in three UK orgs hit by cryptojacking in previous month, survey finds – “Conversely, only a little over one-third of IT executives believe that their systems have never been hijacked to surreptitiously mine digital currencies”

Trend Micro took a little time out from snarfing customer data to issue a report (Unseen Threats, Imminent Losses) that tells us of “a noticeable shift away from highly visible ransomware to a more discreet detection: cryptocurrency mining.” Phil Muncaster notes, based on that report, that Cryptomining Malware Soars 956% in a Year, and also cites a report from Check Point which “warned last month that the number of global organizations affected by cryptojacking rose from just under 21% in the second half of 2017 to 42% in 1H 2018, with cyber-criminals making an estimated $2.5bn over the past six months.”

Graham Cluley: Cryptominers killing cryptominers to squeeze more out of your CPU

“As security researcher Xavier Mertens describes, a newly-encountered malicious miner for the Monero cryptocurrency is working hard to kill any potential competitors it encounters for system resources, using an ever-expanding list.”

Kaspars Osis for ESET: Kodi add-ons launch cryptomining campaign – “ESET researchers have discovered several third-party add-ons for the popular open-source media player Kodi being used to distribute Linux and Windows cryptocurrency-mining malware”

Commentary from Bleeping Computer: Malicious Kodi Add-ons Install Windows & Linux Coin Mining Trojans – “Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.”

Danny Bradbury for Sophos: Blockchain hustler beats the house with smart contract hack – “A wily hacker has scored a thousand dollar cryptocurrency jackpot … by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain … Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.” Fascinating article.

Updates to GDPR page

Veronika Gallisova for ESET: 100 days of GDPR – “What impact has the new data protection directive had on businesses so far?”

Updates to Internet of (not necessarily necessary) Things

[Many of the Things that crop up on this page are indeed necessary. But that doesn’t mean that connecting them to the Internet of Things (or even the Internet of Everything) is necessary, or even desirable, given how often that connectivity widens the attack surface.]

John Leyden for The Register: 2-bit punks’ weak 40-bit crypto didn’t help Tesla keyless fobs one bit – “Eggheads demo how to clone gizmo, nick flash motor in seconds – flaw now patched”

“Researchers from the Computer Security and Industrial Cryptography (COSIC) group – part of the Department of Electrical Engineering at Belgian university KU Leuven – were able to clone a key fob, open the doors, and drive away the electric sports car.”

The Register: Mikrotik routers pwned en masse, send network data to mysterious box – “Researchers uncover botnet malware pouncing on security holes”

The Register: Thousands of misconfigured 3D printers on interwebz run risk of sabotage

“Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.”

The Register: M-M-M-MONSTER KILL: Cisco’s bug-wranglers swat 29 in single week – “If you’re running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won’t be patched and there’s no workaround – so it is probably time to replace them.”

Tomáš Foltýn for ESET: Could home appliances knock down power grids? – “The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models”. The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, and the research was also presented at a recent USENIX security symposium.”

Updates to: Ransomware Resources

Mark Stockley for Sophos: The rise of targeted ransomware

“While cryptomining and cryptojacking have been sucking all the air out of the press room, a snowball that started rolling well before anyone had ever heard of WannaCry has been gathering pace and size.

The snowball is a trend for stealthier and more sophisticated ransomware attacks – attacks that are individually more lucrative, harder to stop and more devastating for their victims than attacks that rely on email or exploits to spread.”

Updates to Specific Ransomware Families and Types

John Leyden for The Register: Sextortion scum armed with leaked credentials are persistent pests – “If you’re going to batter 8,497 folk with over 60,000 threats, odds are someone will crack”

Bleeping Computer: Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files – “It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.”

Updates to Mac Virus

Dangers on Safari – The Safari Reaper attack, and URL spoofing

Android Issues – Android Malware-as-a-Service botnet, CVE-2018-9489, and open-source vulnerabilities in Android apps.

Smartphones that talk too much – acoustic side-channel attacks

Flushing the Mac App Store – Ad-Doctor and three Trend apps removed

Apple to make life easier for law enforcement – portal to apply for access to information and training

Krebs: commentary on global authentication via your wireless carrier – what could go wrong?

David Harley

Tech support scams: curse of the Evil Cursor, and Technet ads removed

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstroka … and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome

John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking… Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley