Monday, June 27, 2016

Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. A week in security (Jun 19 – Jun 25)



from Understanding Java Code and Malware | Malwarebytes Unpacked


Last week, we touched on Acer’s breach on their e-commerce site and explained what typosquatting is plus why it continues to be an effective tactic by threat actors.

On the mobile front, our researchers uncovered an app, which we detect as Android/Trojan.Pawost, that was capable of making malicious calls to target users via Google Talk. The said app was said to originate from China.

We also featured what we call the Bonnie and Clyde of advance threats: malvertising and ransomware.

Notable news stories and security related happenings:

  • GoToMyPC Accounts Hacked, All Customer Passwords Reset. “It’s a shame in their recommendations GoToMyPC’s security team left out the most important one of all – don’t reuse your passwords in multiple places. It’s a shame in their recommendations GoToMyPC’s security team left out the most important one of all – don’t reuse your passwords in multiple places.” (Source: Graham Cluley’s Blog)
  • Inside A Phishing Attack. “Thanks to proper training, the finance employee recognized that the email’s blatant disregard for the official chain of command and finance protocols was suspicious and alerted the proper personnel. Marc Laliberte, a threat analyst at Watchguard, walks us through the ordeal. ” (Source: CSO)
  • 18-year-old Hacker Honored At Pentagon. “Dworken was one of two private citizens presented with a challenge coin from Carter on Friday for their roles in “Hack the Pentagon,” a program designed for computer hackers to compete against one another in searching for technical vulnerabilities within the DOD’s public websites. Dworken and Craig Arendt, 35, were two of the 1,410 hackers who responded to the competition.” (Source: Stars and Stripes)
  • 5 Tips For Staying Cyber-Secure On Your Summer Vacation. “Summer is officially here, and with that comes vacation season. But before you go, make sure you’re following these simple steps to stay cyber-secure while you soak up the sun…” (Source: Dark Reading)
  • Hunting The Hackers: Why Threat Intelligence Isn’t Enough. “Perhaps threat intelligence isn’t the solution after all. Or perhaps it’s just part of the answer? What’s rapidly becoming clear is that there’s no substitute for human analysis. This is seeing the emergence of a new concept: threat hunting. Threat hunting combines threat intelligence gathering by automated solutions (technical tools and machine learning techniques) with human data analysis to create a more intuitive, responsive and human-led form of threat detection.” (Source: SC Magazine)
  • Malware Families Attacking Business Networks Continue To Grow. “The number of active global malware families increased by 15 percent in May 2016, according to Check Point. They detected 2,300 unique and active malware families attacking business networks in May. The continued rise in the number of active malware variants highlights the wide range of threats and scale of challenges security teams face in preventing an attack on their business critical information.” (Source: Help Net Security)
  • Ransomware That’s 100% Pure JavaScript, No Download Required. “After decrypting your files and making sure that the ransomware program has been removed so it can’t accidentally strike again, the theory is that you’re back where you were before the attack started. But JS/Ransom-DDL is interestingly different, because it deliberately installs a secondary malware infection: a password stealer…” (Source: Sophos’ Naked Security Blog)
  • Apple Fixes Serious Flaw In AirPort Wireless Routers. “According to Apple security, the flaw is a memory corruption issue stemming from DNS (Domain Name System) data parsing that could lead to arbitrary code execution. The company released firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n Wi-Fi, as well as AirPort Extreme and AirPort Time Capsule base stations with 802.11ac Wi-Fi.” (Source: CSO)
  • People Go To Extreme Lengths To Protect Their Devices – But Do Not Understand The Threats. “Many users do not use the correct methods to keep them safe online. Multiple research studies and ‘Are you cyber savvy?’ quizzes carried out by cyber security company Kaspersky Lab show that not enough users are aware of the risks. Those that are, are using the wrong methods to stay safe online.” (Source: ZDNet)
  • Brexit Will Make UK More Vulnerable To Cyber Attack, Say Security Pros. “They are concerned because Brexit will mean that they would no longer benefit from intelligence sharing with other EU states, according to the survey by security firm AlienVault. The research, which polled around 300 information security professionals at the 2016 Infosecurity Europe conference in London, also found that 78% of those surveyed do not believe that their jobs would be made any easier by the UK leaving the EU.” (Source: Computer Weekly)
  • Sticky Security Issues: How Your Website Security Should Handle Tor Users. “As your mother and a handful of other well-meaning adults probably told you, there is a certain thing that happens when you assume things. It pertains to the u and me that ends the word assume turning into its first three letters, if you were somehow unaware […] Just as it is unacceptable to ban shoppers from a brick and mortar store solely based on the neighborhood they come from, you can’t ban users from your website because of assumptions made based on their browsing habits. Securing your website when it comes to the anonymity network Tor requires a lot more finesse.” (Source: Axcess News)
  • Tor Project Tests New Tool For Foiling De-anonymization Attacks. “Upcoming hardened releases of the Tor Browser will use a new technique aimed at preventing de-anonymization efforts by anyone who might want to mount them. Created by a group of researchers from the University of California, Irvine, and dubbed ‘selfrando,’ the technique allows for enhanced and practical load-time randomization.” (Source: Help Net Security)
  • Complex Bitcoin Phishing Scheme Leads Back To Rogue Web Hosting Firm. “Researchers from Cisco’s OpenDNS security team have uncovered a complex phishing scheme aimed at collecting user credentials from various Bitcoin-related services, which, under a closer scrutiny, led back to a known bulletproof hosting firm.” (Source: Softpedia)
  • New Android Malware Can Secretly Root Your Phone And Install Programs. “Android users beware: a new type of malware has been found in legitimate-looking apps that can ‘root’ your phone and secretly install unwanted programs.  The malware, dubbed Godless, has been found lurking on app stores including Google Play, and it targets devices running Android 5.1 (Lollipop) and earlier, which accounts for more than 90 percent of Android devices, Trend Micro said Tuesday in a blog post.” (Source: Computer World)
  • Phishing, Whaling & The Surprising Importance Of Privileged Users. “There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.” (Source: Dark Reading)
  • Akamai Says Subtlety Is Out, Brute Force Is In For Identity Theft. “Subtlety is out when it comes to compromising user credentials. Instead, cybercriminals are looking to brute-force their way in, take what they can and get out. Consider the case of GitHub: As noted by TechCrunch, the online code repository recently announced that there have been ‘unauthorized attempts to access a large number of GitHub.com accounts’ using credentials stolen from other hacked sites.” (Source: IBM’s Security Intelligence)
  • Google Simplifies Two-Step Verification. “Google is the latest to chop away at the complexity of sign-ins. On Monday, it announced that it had made available a feature by which users could approve the prompt, at left, on their phones as a second form of authentication. Users can simply tap yes if they want to allow the authentication request, rather than search through SMS messages and remember a sometimes-complex verification code.” (Source: Kaspersky’s ThreatPost)
  • Kiwi And Aussie Workers’ Security Attitudes Concerning, Says ESET. “While it seems internet users in Australia and New Zealand have strong knowledge of cybersecurity best practices, they are rarely applying this knowledge at home, according to new research from ESET. The security specialists’ whitepaper, ‘ESET Australia and New Zealand cyber-savviness report: understanding and driving cybersecurity best practices’, analyses the results of a survey of more than 1,300 online users across Australia and New Zealand.” (Source: IT Brief)
  • Opinion: How We Can Finally Kill The Password. “While it’s easy to blame users for being lazy or blasé when it comes to securing passwords, the reality is that the deck is stacked against us. The problem is not that consumers do not know that they should use strong and unique passwords; it’s that it’s really hard to remember long strings of numbers and letters. It’s particularly difficult when asked to remember multiple passwords across all of our various accounts.” (Source: The Christian Science Monitor)
  • 5 Steps For Victims Of Email Fraud To Trace And Recover Stolen Assets. “But while the U.S. Department of Justice has published “best practices” on how to respond to a cyber-attack, the U.S. government has offered little guidance on what steps a victim should take to recover stolen funds. The following is a step-by-step guide of what a victim of email fraud should do to maximize the chances of recovering stolen funds. Ideally, each of these steps should be undertaken simultaneously…” (Source: LegalTech News)
  • Central Banks Of South Korea And Indonesia Bulk Up Security Following DDoS Attacks By Hacktivists. “The official stressed that no money was lost in the attack and instead the hackers used DDoS tools in an attempt to force the bank’s website offline. These tools – readily for sale on the dark web – send waves of internet traffic towards a server to disrupt its normal operations. While this form of attack is mostly used as a form of protest by so-called ‘hacktivists’, it can also be used as a distraction technique to hide malicious entry into a website with the intention of stealing sensitive information.” (Source: International Business Times)
  • Hackers Make Off With Millions Of Air India Frequent Flier Miles. “The Flying Returns program has more than 195,000 customer accounts. The Delhi Police said that the attack appears to have been aided by a company insider or travel agency staffer who knew the loopholes and vulnerabilities in the system. Those responsible created 20 separate email IDs to ‘divert the reward points earned by passengers,’ according to Air India.” (Source: InfoSecurity Magazine)
  • A Botnet Of 3M Zombie Twitter Accounts Grew In 24 Hours, But Twitter Didn’t Seem To Notice. “Researchers from social media fraud investigations team Sadbottrue have found a botnet containing three million Twitter accounts, together with two other botnets each containing 100,000 bots that are likely being used by online services that offer to rent or sell Twitter followers to businesses, celebrities or individuals that want more followers. The researchers say that the largest botnet has been around since 2014, but although Twitter frowns on any usage of bots, the botnet has remained completely undetected because none of the accounts have any connections to each other.” (Source: International Business Times)
  • Hackers Just Leaked Personal Data Of US Military Officials And It’s Legit. “The data was first found and analysed by Shay Rozen, cyber intelligence and Darknet expert for Hacked-DB who found out that there is a raw .txt file containing 4948 Lines of data on 2,437 US Army personals including names, emails, phone numbers, Dob, addresses, zip codes, credit card data including types, numbers, expiration date and CVV codes in plain text.” (Source: HackRead)
  • Popular Anime Site Infected, Redirecting To Exploit Kit, Ransomware. “Researchers at Forcepoint, a Raytheon company, disclosed the attacks this week. Nicholas Griffin, senior security researcher said the payload is the CryptXXX 3.0 ransomware, which has mainly been distributed by Neutrino since Angler’s disappearance in late June. Griffin said Jkanime was injected with script that includes a JavaScript file that loads an iFrame redirecting to the Neutrino landing page. He added that it does not appear the site is compromised any longer.” (Source: Kaspersky’s ThreatPost)
  • How MDM Software Exposes Your Personal Data. “Researchers configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices to decrypt SSL traffic. This, a common configuration in enterprise MDM deployments for inspecting traffic for malware, enabled them to see the contents of employees’ personal email inboxes, social networking accounts and even banking information.How MDM Software Exposes Your Personal Data. Bitglass tracked the personal mobile devices of several willing employee volunteers with mobile device management (MDM) software to understand how MDM could be misused and to assess the true extent of access employers have to personal data and user behavior.” (Source: Help Net Security)

Safe surfing, everyone!

The Malwarebytes Labs Team

RELATED ARTICLES

July 26, 2012 - That’s right, this week some of the Malwarebytes gang will be out in Las Vegas for the hacker convention: DefCon 20! Who is going? Marcin Kleczynski – CEO Rebecca Kline – Director of Marketing Josh Hall-Bachner – Web Developer Doug Swanson – VP of Development Adam Kujawa – Me! What are we doing there? DefCon...

July 30, 2012 - As mentioned last week, the Malwarebytes crew made it out to DefCon this year to check out all of the interesting talks and presentations given by various members of the computer/intelligence security community. This blog is meant to summarize most of what we saw, giving a brief explanation of which talks we thought were the...

August 8, 2012 - My colleague Adam Kujawa recently wrote a great post about the Malwarebytes experience at the hacker convention DefCon this year. By popular demand, here’s a round-up of my top four favorite DefCon talks from a development perspective: 1. “Stiltwalker”, by “DC949” (http://ift.tt/28JOru2) I am sure everyone is familiar with reCAPTCHA. You have likely wasted hours...

August 24, 2012 - BitCoin is a new-ish form of digital currency.  It allows people to perform financial transactions without the need for a bank or central authority and allows for a large amount of privacy.  Transactions are currently limited to ones performed online and only by individuals and organizations that accept BitCoin as payment. However, in the next...

September 18, 2012 - In war, there are always two sides: the attackers and the defenders.  A less focused on group is the researchers and developers.  While soldiers are fighting a war on the front lines, scientists and engineers are researching and developing new weapons, defenses and tools; things that give their side an advantage.  If one of these...

Web Analytics