Using Market Pressures to Improve Cybersecurity

Post-MedSec, Chris Wysopal discusses what impact the investor community — if not consumers — can have on squashing vulnerabilities and improving cybersecurity.
Source: Vulnerabilitys & Threats

TekThing 140 – WiFi Router Under $100, Can UPRIGHT GO Fix Your Posture, Backup Windows FAST!!!

WiFi Router Under $100, Can UPRIGHT GO Fix Your Posture, Backup Windows FAST, Safe Headphones For School!
——
00:40 Things to do before you back up!!!
We talk 3-2-1 backups, why offsite backup is critical (whether it’s Houston, NYC, house fires, earthquakes…), getting started with a USB drive (if you can’t get BackBlaze or SpiderOak), checking your data before you back up (SpaceSniffer!), encrypting it, and more!
http://amzn.to/2vP1iqm
https://spideroak.com/
https://www.backblaze.com/
http://www.uderzo.it/main_products/space_sniffer/

8:50 Upright Go – Gimmick or the Real Deal?
Can the tiny Upright Go train you to stop slouching, fix your posture and enjoy less back pain? We’ve got a review!
http://uprightgo.com/

16:34 Back To School Headphones for Kids
Jason’s kindergartner needs headphones for school next week, so what would we recommend? We talk through the best volume-limited options, Puro’s BT2200, Monoprice’s 8323, and The Wirecutter’s awesome research on the Best Kid’s Headphones!
https://purosound.com/products/kids-wireless-headphones-w-hard-case
https://www.monoprice.com/product?p_id=8323
http://thewirecutter.com/reviews/best-kids-headphones/

22:43 Best Wireless Router Under $100???
David needs a new router, and emailed ask@tekthing.com, “what would be a good replacement that’s under $100?” We’re still fans of TP-Link’s Archer C7!
https://www.amazon.com/dp/B00BUSDVBQ/?tag=thewire06-20&linkCode=xm2&ascsubtag=AgEAAAAAAAAAAB_u

24:15 TarSnap Reccos
Replacing CrashPlan? Several folks emailed about TarSnap (“Online backups for the truly paranoid”) as a great option for power users… Jeff’s email explains why in the video!
http://www.tarsnap.com/

26:30 Do Something Analog!
Like Stephen, who writes, “White water rafting on the Ocoee in Tennessee. I’m in the middle on the right. I had that same goofy expression on my face the entire trip. Also did a zipline tour while visiting Helen, Ga. Also, I may have eaten all the pastries in Helen.” Awesome!!!

——
Thank You Patrons! Without your support via patreon.com/tekthing, we wouldn’t be able to make the show for you every week!
https://www.patreon.com/tekthing
——
EMAIL US!
ask@tekthing.com
——
Amazon Associates: http://amzn.to/2gm9Egf
Subscribe: https://www.youtube.com/c/tekthing
——
Website: http://www.tekthing.com
RSS: http://feeds.feedburner.com/tekthing
THANKS!
HakShop: https://hakshop.myshopify.com/
——
SOCIAL IT UP!
Twitter: https://twitter.com/tekthing
Facebook: https://www.facebook.com/TekThing
Reddit: https://www.reddit.com/r/tekthingers
——

Source: Security news


Source: Zologic

Hacker Tactics – Part 1: Domain Generation Algorithms

DGA Domain Matches in Anomali Enterprise

Coauthored by Evan Wright and Payton Bush

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

What are DGAs?

DGAs are code that programmatically produce a list of domain names. In most cases, the algorithms behind the malware that generate DGA domains vary just two elements when creating domains:

  1. The length of the domain name
  2. The possible top-level domains it can use

These algorithms produce command and control domains which are used to communicate with malware-infected machines. Often these domains are nonsensical, such as sndjfnin.com. In other cases, DGAs like Oderoor and Bobax produce domains under services that allow third-party subdomains, usually dynamic DNS providers, so the result looks more like sndjfnin.dyndns.org. Measurements of domains generated by DGAs provide an understanding of a large cross-section of malware targeting nearly all industries, including such well-known categories as exploit kits, crimeware, and ransomware.

Why are they used?

DGAs are a robust way for malicious actors to protect their ability to get data from a compromised computer back to a computer that they can more easily access. With a network connection between these two computers malicious actors are able to do things like:

  • Send credit card information from compromised machines to sell elsewhere
  • Coordinate infected machines to attack another computer or system (botnets)
  • Send out spam, which can be monetized
  • Engage in hacktivism by stealing emails and publishing them for all to see

DGAs are advantageous for malicious actors in a number of ways. For one, hard coded lists of domains created by a human may contain a pattern, making detection and extraction from malware easier. An algorithm can instead generate thousands of pseudorandom domains which are difficult for humans to link to one another.

A grossly oversimplified example would be:

bird.com, tiger.com, elephant.com

vs

jsdijiasd.com, neniwehrj.com, asjksrhej.com

The latter obviously look suspicious, but with the former it’s easier to identify what connects the domains to each other. Automatically generating domains instead makes malware authors more nimble. DGA domains ultimately serve to make blocklists ineffective – even if you positively identified and blocked one, there are still an unknown number of DGA domains out there. Many DGA implementations will generate hundreds or thousands per day but only make a few active. This puts a large burden on the defender to stop all domains while minimizing domain registration effort for the malicious actor. Some DGA domains could also be pre-registered months in advance of being used, to help bypass blocking of newly registered domains.

After all of this discussion of domains, some of you may be rightfully wondering why an IP wouldn’t still be easily identified as the source of thousands of domains. In the majority of cases DGA domains are not hosted on one IP. Malware authors recognized this issue and began pairing DGAs with another technique that shuffles around IPs by using technologies such as Fast-Flux. How rapidly they could change IPs is a contributing factor for why IP blocklists are an aging tool, and another reason that DGA domains are so difficult to detect. This combination of DGAs with IP shifting proved to be the key to getting past defenses.

How is it advanced?

Domain Generation Algorithms create a constantly moving target that cyber defenders struggle to hit with a blocklist. Part of this is due to how the algorithm is set up and how easy it is to update. All DGAs are based on a static and a dynamic seed, which ensures that the domains are constantly changing. Nearly all algorithms use their own approach to randomize how they pick the letters in the second-level domain, which is the section of the domain before the “.com”. The dynamic seed could be anything from today’s date to the 8th most popular topic on Twitter. To make matters more complicated, malicious actors can represent the date in different formats, like 8/31/17 or 083117. However it’s coded, the software knows what to look for.

Some DGA domain names can even be entirely word-based, which creates a significant problem for those trying to identify them: sdkfjdi.com looks odd, but birddog.com does not. Random-character DGAs are more common than word-list DGAs because, with word-based names, pre-existing registrations complicate the effort of creating and registering the domains. By our count, algorithms that generate entirely word-based domains account for only about 5% of all known DGA-capable malware families.

Malicious actors can also change how long these domain names are active. In the majority of cases they’re active for only one to three days, although the potential lifespan of DGA domains appears to be increasing. Five years ago, most had a characteristic lifespan of three days or less, but now DGA domains lasting even 40 days are somewhat prevalent, and some may endure beyond that mark. Whatever the lifespan, a blocklist largely proves ineffective because these domains will expire and others will immediately take their place.

History

The evolution of DGAs is a traditional cat-and-mouse game between malware authors and cyber defenders. In the late 1990s, malware began proliferating across the Internet. Its authors noticed that once their malware was installed on a computer, security analysts would simply block the outbound traffic’s IP addresses. Blocking IP addresses was straightforward because it took place on the router, which was required for Internet connectivity. In response to this, malware authors began to use domain names for identifying their infrastructure. Hard-coding domains proved to be an ineffective measure, because network defenders in turn began filtering domain names at proxies and DNS stub resolvers, so rather than calling to a fixed list of domains the authors developed a way to generate domains which could not easily be identified.

In 2008, the Conficker botnet was the first malware botnet to use DGAs. Conficker.A generated 250 domains per day in order to remove defenders’ ability to discover and block the malware communicating with the C2 infrastructure.

How are people trying to fight it?

For the past few decades security has been based on signature or indicator based blocking. This proves to be not as effective for something like DGAs, where the indicator is constantly changing. Lists of DGA domains are published by some organizations as a remediation measure, but unlike other indicators will usually expire within 24-48 hours.

One approach that people take is to reverse engineer each DGA. While it can be successful, this method is ultimately inefficient because each family has an almost entirely different algorithm. You would also need to be sure you can identify every family, which is impossible because new families are developed every day. From a mechanical standpoint, a new giant list of domains each day is too much for a computer to sift through, and that is before taking into account that each malware family and its algorithm would be spitting out that many domains per day. It also takes a huge investment of human time and effort to reverse engineer these algorithms, and there simply are not enough trained professionals to operate at scale. Regardless of the technology or expertise applied to the task, the malware can always be changed and updated, effectively canceling out any reverse engineering effort.

At Anomali, our approach is to focus on detection via pattern matching, where incoming domains are analyzed in real time to find statistical patterns characteristic of DGAs. This approach does not suffer from the drawbacks listed above, and our product, Anomali Enterprise, can perform this detection immediately upon deployment.
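The pattern-matching approach described above, as an added example that is not Anomali’s code: a small Python filter that scores the second-level label of each queried domain on its longest consonant run and the share of letter pairs that are rare in English, so the page’s jsdijiasd.com-style names surface for review while bird.com and elephant.com do not. The bigram table, the dynamic DNS suffix list (a stand-in for the Public Suffix List) and the thresholds are constructed for this illustration; the word-based birddog.com case slips through, as the text warns.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Approximate set of frequent English letter pairs (constructed here from
# general letter-frequency knowledge, not a trained model).
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se
ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur
ca el ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut ss so rs
un lo wa ge ie wh ee wi em ad ol rt po we na ul ni ts mo ow pa im mi ai sh
ir su id os iv ia am fi ci vi pl ig tu ev ld ry mp fe bl ab gh ty op wo sa
ay ex ke bi rd go oo ep ph do
""".split())

# Suffixes under which the interesting label sits one level deeper
# (the page's sndjfnin.dyndns.org case). Constructed stand-in for the
# Public Suffix List; a real deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"dyndns.org", "no-ip.org", "co.uk"}


def registered_label(domain):
    """Second-level label: the part a DGA actually randomises."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0]


def shannon_entropy(text):
    """Bits per character; reported for triage, not used in the verdict."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def longest_consonant_run(label):
    """Digits count as consonants: 'x9k7' reads as noise to a human too."""
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def unusual_bigram_ratio(label):
    """Fraction of adjacent letter pairs not found in the common-bigram table."""
    pairs = [label[i:i + 2] for i in range(len(label) - 1)]
    if not pairs:
        return 0.0
    return sum(p not in COMMON_BIGRAMS for p in pairs) / len(pairs)


def analyze(domain):
    label = registered_label(domain)
    run = longest_consonant_run(label)
    unusual = unusual_bigram_ratio(label)
    return {
        "domain": domain,
        "label": label,
        "entropy": round(shannon_entropy(label), 2),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / len(label), 2),
        "longest_consonant_run": run,
        "unusual_bigram_ratio": round(unusual, 2),
        # Thresholds are tuned only against the handful of examples below.
        "suspicious": run >= 4 or (len(label) >= 7 and unusual >= 0.4),
    }


def scan(domains):
    """Return the domains a DGA-pattern filter would surface for review."""
    return [d for d in domains if analyze(d)["suspicious"]]


# Constructed sample resembling a DNS query log: the page's own examples
# plus a dynamic DNS host and a word-based DGA-style name.
SAMPLE_DOMAINS = [
    "bird.com", "tiger.com", "elephant.com",
    "jsdijiasd.com", "neniwehrj.com", "asjksrhej.com",
    "sndjfnin.dyndns.org", "birddog.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze(d)
        print(f"{d:22} run={r['longest_consonant_run']} "
              f"unusual={r['unusual_bigram_ratio']:.2f} "
              f"suspicious={r['suspicious']}")
```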

Threat actors are constantly changing their tactics, techniques, and procedures. While we can never exactly predict what these changes might be, we can better equip ourselves to meet these challenges by working collaboratively across industries and areas of expertise.


Source: Honeypot Tech

MagPi 61: ten amazing Raspberry Pi Zero W projects

Hey folks! Rob here, with another roundup of the latest The MagPi magazine. MagPi 61 focuses on some incredible ‘must make’ Raspberry Pi Zero W projects, 3D printers and – oh, did someone mention the Google AIY Voice Projects Kit?

Cover of The MagPi magazine with a picture of the Pi Zero W - MagPi 61

Make amazing Raspberry Pi Zero W projects with our latest issue

Inside MagPi 61

In issue 61, we’re focusing on the small but mighty wonder that is the Raspberry Pi Zero W, and on some of the very best projects we’ve found for you to build with it. From arcade machines to robots, dash cams, and more – it’s time to make the most of our $10 computer.

And if that’s not enough, we’ve also delved deeper into the maker relationship between Raspberry Pi and Arduino, with some great creations such as piano stairs, a jukebox, and a smart home system. There’s also a selection of excellent tutorials on building 3D printers, controlling Hue lights, and making cool musical instruments.

A spread of The MagPi magazine showing a DJ deck tutorial - MagPi 61

Spin it, DJ!

Get the MagPi 61

The new issue is out right now, and you can pick up a copy at WH Smith, Tesco, Sainsbury’s, and Asda. If you live in the US, check out your local Barnes & Noble or Micro Center over the next few days. You can also get the new issue online from our store, or digitally via our Android or iOS app. And don’t forget, there’s always the free PDF as well.

Subscribe for free goodies

Some of you have asked me about the goodies that we give out to subscribers. This is how it works: if you take out a twelve-month print subscription to The MagPi, you’ll get a Pi Zero W, Pi Zero case, and adapter cables, absolutely free! This offer does not currently have an end date.

Pre-order AIY Kits

We have some AIY Voice Kit news! Micro Center has opened pre-orders for the kits in America, and Pimoroni has set up a notification service for those closer to the UK.

We hope you all enjoy the issue. Oh, and if you’re at World Maker Faire, New York, come and see us at the Raspberry Pi stall! Otherwise – see you next month.

The post MagPi 61: ten amazing Raspberry Pi Zero W projects appeared first on Raspberry Pi.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online


Source: Zologic

St. Jude Pacemaker Gets Firmware Update 'Intended as a Recall'

The devices that were the subject of a vulnerability disclosure debate last summer now have an FDA-approved fix.
Source: Vulnerabilitys & Threats

Netflix develops Morse code search option

What happens when Netflix gives its staff two days to hack the platform and create innovative (and often unnecessary) variations on the streaming service?

This. This is what happens.

Hack Day Summer 2017 Teleflix

Uploaded by NetflixOpenSource on 2017-08-28.

Netflix Hack Day

Twice a year, the wonderful team at Netflix is given two days to go nuts and create fun, random builds, taking inspiration from Netflix and its content. So far they’ve debuted a downgraded version of the streaming platform played on an original Nintendo Entertainment System (NES), turned hit show Narcos into a video game, and used VR technology in many more builds that, while they’ll never be made public, have no doubt led to some lightbulb moments for the creative teams involved.

DarNES – Netflix Hack Day – Winter 2015

In a world… where devices proliferate… darNES digs back in time to provide Netflix access to the original Nintendo Entertainment System.

Kevin Spacey? More like ‘Kevin Spacebar’, am I right? Aha…ha…haaaa…I’ll get my coat.

Teleflix

The Teleflix build from this summer’s Hack Day is obviously the best one yet, as it uses a Raspberry Pi. By writing code that decodes the dots and dashes from an original 1920s telegraph (provided by AT&T, and lovingly restored by the team using ketchup!) into keystrokes, they’re able to search for their favourite shows via Morse code.

Netflix Morse Code

Morse code, for the unaware, is a method for transmitting letters and numbers via a standardised series of beeps, clicks, or flashes. Stuck in a sticky situation? Three dots followed by three dashes and a further three dots gives you ‘SOS’. Sorted. So long as there’s someone there to see or hear it, who also understands Morse Code.

Morse Code

Morse code was a method of transmitting textual information as a series of on-off tones that could be directly understood by a skilled listener. Mooo-Theme: http://soundcloud.com/mooojvm/mooo-theme

So if you’d like to watch, for example, The Unbreakable Kimmy Schmidt, you simply send: - .... . / ..- -. -... .-. . .- -.- .- -... .-.. . / -.- .. -- -- -.-- / ... -.-. .... -- .. -.. - and you’re set. Easy!

To reach Netflix, the team used a PlayStation 4. However, if you want to skip a tech step, you could stream Netflix directly to your Raspberry Pi by following this relatively new tutorial. Nobody at Pi Towers has tried it out yet, but if you have, we’d be interested to see how you got on in the comments below.

And if you’d like to play around a little more with the Raspberry Pi and Morse code, you can pick up your own Morse code key, or build one using conductive components such as buttons or bananas, and try it out for yourself.

Alex’s Netflix-themed Morse code quiz

Just for fun, here are the titles of some of my favourite shows to watch on Netflix, translated into Morse code. Using the key below, why not take a break and challenge your mind to translate them back into English. Reward yourself +10 imaginary House Points for each correct answer.

Netflix Morse Code

  1. -.. --- -.-. - --- .-. / .-- .... ---
  2. .... .- -. -. .. -... .- .-..
  3. - .... . / --- .-
  4. ... . -. ... . ---..
  5. .--- . ... ... .. -.-. .- / .--- --- -. . ...
  6. --. .. .-.. -- --- .-. . / --. .. .-. .-.. ...
  7. --. .-.. --- .--

The post Netflix develops Morse code search option appeared first on Raspberry Pi.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online


Source: Zologic

Alienware 25 Inch Gaming Monitor with G-SYNC! – TekThing Short

Alienware 25 Gaming Monitor – AW2518H

Looking for a solid monitor that comes with customized lighting, Nvidia G-SYNC, and a sweet response time and refresh rate? Alienware sent me their new 25″ monitor and I think it’ll fit your needs.

http://www.dell.com/en-us/shop/new-alienware-25-gaming-monitor-aw2518h/apd/210-amsr/monitors-monitor-accessories


Source: Security news


Source: Zologic

Sarahah Uploads Your Data, Internet of Things Creds Exposed – Threat Wire

Sarahah was caught uploading contacts, ROPEMAKER changes emails post-delivery, default credentials are still impacting IoT devices, and a new crowdfunding campaign for MalwareTech is now up and running. All that coming up now on ThreatWire.

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Links:

Anonymous Messaging App Sarahah to Halt Collection of User Data With Next Update

https://thehackernews.com/2017/08/sarahah-privacy.html
https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/

https://www.theregister.co.uk/2017/08/28/crowdfunding_for_hutchins_legal_fees/?mt=1503964117577

https://www.theregister.co.uk/2017/08/23/ropemaker_exploit/

ROPEMAKER Exploit Allows for Changing of Email Post-Delivery

https://www.mimecast.com/globalassets/documents/whitepapers/wp_the_ropemaker_email_exploit.pdf

https://arstechnica.com/information-technology/2017/08/leak-of-1700-valid-passwords-could-make-the-iot-mess-much-worse/

http://www.securityweek.com/thousands-iot-devices-impacted-published-credentials-list

Race is On To Notify Owners After Public List of IoT Device Credentials Published

https://arstechnica.com/tech-policy/2017/08/malwaretechs-legal-defense-fund-bombarded-with-fraudulent-donations/?comments=1


https://www.crowdjustice.com/case/malwaretech/

Youtube Thumbnail credit:
https://cdn.pixabay.com/photo/2016/06/06/10/48/communication-1439187_960_720.jpg

Source: Security news


Source: Zologic

Now Available: AP420 Indoor High Density Access Point

It gives me great pleasure to announce the availability of the AP420, our indoor 802.11ac Wave 2 4×4 access point. The AP420’s Multi-User MIMO (MU-MIMO) features mean it’s perfectly suited for the highest client density deployments. This access point easily serves crowded rooms full of smartphones, laptops and tablets to give users an excellent mobile connectivity experience. The AP420 also includes a 3rd radio for dedicated WIPS (Wireless Intrusion Prevention System) and RF optimization scanning. This 3rd radio will constantly defend your airspace against prolific man-in-the-middle (MitM) attacks responsible for stolen passwords, credit cards and other sensitive information, as well as optimize radio power, channel, and other RF parameters for the optimal Wi-Fi connectivity experience. Common deployment scenarios include tradeshow floors, auditoriums, large conference rooms, and shopping malls. 

Key Specifications

  • 802.11ac Wave 2
  • 4×4 MU-MIMO
  • Third 2×2 MIMO dual band radio for dedicated WIPS and RF scanning
  • Up to 800 Mbps for 2.4GHz
  • Up to 1.7 Gbps for 5GHz
  • 20/40/80/80+80 MHz channel width support
  • 10 internal antennas
  • 2x GbE ports (link aggregation supported in Wi-Fi Cloud)
  • PoE+ power required

The AP420 can be managed with either a Firebox®, via the Gateway Wireless Controller, or with WatchGuard’s Wi-Fi Cloud. With the Wi-Fi Cloud, you get an expanded set of features including:

  • WIPS powered with patented technology for hack-free hotspots
  • Engaging guest Wi-Fi experiences
  • Powerful location-based analytics
  • Ability to scale from 1 to unlimited access points with no infrastructure

The latest version of the Wi-Fi Cloud (Manage 8.3) includes new Wi-Fi performance features that improve the quality of experience for users connected to WatchGuard’s access points, new application visibility and firewall policy control, plus an integration with Google for Education to ensure that only devices registered in the school’s Google domain can connect to the school Wi-Fi network and enforce network access policies. This unique integration brings even more control, usability and ease of use to school districts.

To learn more, visit http://www.watchguard.com/wifi


Source: WatchGuard

WTB: US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks

The intelligence in this week’s iteration discusses the following threats: APTs, Cybercriminals, Data leaks, Exploit kits, Malspam, Malware, Mobile, Ransomware, Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

US Arrests Chinese Man Involved With Sakula Malware Used in OPM and Anthem Hacks (August 26, 2017)
The U.S. Federal Bureau of Investigation has arrested an individual believed to be associated with the Advanced Persistent Threat (APT) group “Deep Panda.” Additionally, the bureau believes that the suspect, Yu Pingan, is associated with the “Sakula” malware that was used in attacks against U.S. companies including the Office of Personnel Management (OPM) and Anthem Health Insurance.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Tags: APT, Cybercriminal

New Arena Crysis Ransomware Variant Released (August 25, 2017)
A new variant of the “Crysis” ransomware has been discovered in the wild by security researcher Michael Gillespie. As of this writing, it is unknown how the malware is being distributed, but in previous campaigns threat actors compromised Remote Desktop Services and manually installed Crysis. This variant is capable of encrypting mapped network drives and unmapped network shares and appends “.arena” to each encrypted file.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, Crysis variant, Arena

New EMPTY CryptoMix Ransomware Variant Released (August 25, 2017)
The security researchers “MalwareHunterTeam” have discovered a new variant of the CryptoMix ransomware called “EMPTY,” named after the text it appends to encrypted files. The file encryption is the same as previous versions, however, there is a new ransom note that contains new email contacts for victims.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware, CryptoMix variant, EMPTY

Defray – New Ransomware Targeting Education and Healthcare Verticals (August 24, 2017)
A new ransomware family, dubbed “Defray” has been discovered to be targeting specific sectors in two separate campaigns, according to Proofpoint researchers. In August 2017, actors used the Defray ransomware in phishing emails with malicious Microsoft Word attachments that targeted the education and healthcare sectors in one campaign, and manufacturing and technology sectors in another campaign. The campaigns primarily target entities in the U.K. and U.S., and the ransom note demands $5,000 USD for the decryption key.
Recommendation: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Ransomware, Defray

New Multi-Platform Malware/Adware Spreading Via Facebook Messenger (August 24, 2017)
Kaspersky Labs researchers have discovered a new malware campaign that is being spread via “Facebook Messenger.” Researchers note that initial distribution of the malware is conducted through Messenger via links that lead to a Google document. The document purports to be a playable movie that uses an image from the user’s Facebook profile. If the fake movie is clicked, it redirects to a set of websites that enumerates the user’s browser, operating system, and other information. As of this writing, it is unknown how exactly the malware is actually spreading via Messenger, but it is possible it is spreading through clickjacking, hijacked browsers, or stolen Facebook credentials.
Recommendation: Messages that attempt to redirect a user to a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Inform your employees on the dangers of phishing, specifically how it can take place in different forms of online communication, and whom to contact if a phishing attempt is identified.
Tags: Malware, Adware

WAP-billing Trojan-Clickers on the Rise (August 24, 2017)
Threat actors behind mobile trojans that steal money have been discovered to be using the “WAP-billing” (Wireless Application Protocol) mobile payment system, according to Kaspersky Labs researchers. Researchers note that other variants of the identified families, “Ubsod” and “Autosus,” were also executing other malicious payloads in addition to stealing money. Additionally, the malware is capable of executing commands in the device shell, sending SMS messages, stealing credentials and credit card data via overlays, and showing advertisements.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Android, Mobile, Trojan

ziVA: Zimperium’s iOS Video Audio Kernel Exploit (August 23, 2017)
An iOS audio kernel exploit has been discovered by Zimperium researchers that they claim should work on all iOS devices running iOS 10.3.1 or earlier. In total, seven vulnerabilities were found that are associated with memory corruption. Some of the vulnerabilities can be exploited to gain kernel access to a device. Any iOS device running version 10.3.1 or earlier should be updated as soon as possible if they have not been already.
Recommendation: Mobile devices should be kept up-to-date at all times to provide the most recent security patches. In this case, the proof of concept code has been released which increases the likelihood that threat actors will attempt to exploit the vulnerabilities in the wild.
Tags: iOS, Vulnerability

Deep Analysis of New Poison Ivy Variant (August 23, 2017)
Fortinet Labs researchers have identified a phishing campaign that is distributing a new variant of the “Poison Ivy” malware. The actors behind this campaign are using malicious PowerPoint file attachments titled “Payment_Advice.ppsx.” If the file is opened, a prompt will appear that attempts to trick the user into running the external program by purporting that the user is enabling Adobe Flash Player. The malware uses anti-analysis and evasion techniques such as checking registry locations for analysis tools and using legitimate Microsoft processes to conduct malicious activity.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Malware, Poison Ivy

BEC Campaigns Target Organizations Across Sectors Using Credential Phishing (August 23, 2017)
A Business Email Compromise (BEC) campaign has been ongoing by a threat actor from March 28, 2017 to at least August 8, 2017, according to Flashpoint researchers. Researchers state that this campaign had a low detection rate because of its simplistic tactics. The threat actors sent out approximately 73 PDF documents in phishing emails that purport to be a “secure online document.” If the PDF is opened, a recipient would be presented with a prompt to view a secure online document. The prompt leads recipients to a fake webpage of the targeted organization and requests that work credentials be entered.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: BEC, Phishing, Credential theft

Bankbot Dropper Hiding on Google Play (August 22, 2017)
An application in the Google Play store called “Earn Real Money Gift Cards” has been found to contain the “Bankbot” banking trojan, according to SfyLabs researchers. A second application from the same developer, “Bubble Shooter Wild Life,” was identified as a dropper for Bankbot. The Bubble Shooter application asks the user to enable it as an Accessibility Service and then displays a screen purporting to be a Google update. Researchers note that the dropper appears to still be in development, because its ability to install malicious APKs is currently disabled in the code.
Recommendation: Keep mobile devices fully patched with the latest security updates, and install software only from the Google Play Store or Apple App Store, avoiding third-party stores even when an application looks legitimate. Store provenance alone is not sufficient here, since both applications were hosted on Google Play itself: review the permissions an application requests before installing, be especially wary of any game or rewards app that asks to be enabled as an Accessibility Service, and read the comments of other users who have installed it. Trusted mobile antivirus software adds a further layer.
Tags: Android, Mobile, Bankbot, Trojan
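A triage check for the two capabilities this dropper relies on, added here as an example (not code from the page or from SfyLabs): it reads a decoded AndroidManifest.xml and reports any service that binds as an Accessibility Service, plus a short watchlist of permissions. The manifest must already be decoded to plain XML (for instance by apktool); the two manifests below are constructed samples, and the watchlist permissions are an assumption, since the page does not say which permissions the dropper declares.

```python
"""Added example: triage a decoded AndroidManifest.xml for the capabilities a Bankbot-style dropper needs.

Assumptions: the manifest is plain XML (already decoded, e.g. with apktool); both sample
manifests are constructed and are not the applications named on the page.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Permissions a game or rewards app rarely needs. REQUEST_INSTALL_PACKAGES lets the app
# prompt to install a downloaded APK; SYSTEM_ALERT_WINDOW lets it draw over other apps,
# the usual way a fake "update" screen is shown. Assumption: the page names neither.
WATCHLIST = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the accessibility services the app declares and any watchlisted permissions."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    accessibility_services = []
    for service in root.iter("service"):
        binds_accessibility = service.get(ANDROID + "permission") == ACCESSIBILITY_PERMISSION
        actions = {a.get(ANDROID + "name") for a in service.iter("action")}
        if binds_accessibility or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(service.get(ANDROID + "name"))
    flagged = sorted(permissions & WATCHLIST)
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "watchlist_permissions": flagged,
        "verdict": "review" if accessibility_services or flagged else "no findings",
    }


# Constructed sample: a "game" that declares an accessibility service and install/overlay permissions.
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.samplegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample Game">
    <activity android:name=".GameActivity"/>
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary app with nothing to flag.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Sample Notes"><activity android:name=".MainActivity"/></application>
</manifest>
"""

if __name__ == "__main__":
    for text in (DROPPER_MANIFEST, CLEAN_MANIFEST):
        print(triage_manifest(text))
```

An accessibility service is not malicious by itself (screen readers need one), so the output is a prompt for a human look, not a verdict; the combination with install and overlay permissions in an app whose stated purpose needs none of them is what deserves the review.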

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit (August 22, 2017)
Since July 16, 2017, Trend Micro researchers have observed changes in a malvertising campaign that leads users to the Neptune Exploit Kit (EK). The changes consist of new payloads dropped by Neptune, different Uniform Resource Identifier (URI) patterns, and abuse of legitimate popup advertisement services to redirect to fake advertisements. The fake advertisements imitate legitimate sources; if clicked, they redirect to Neptune, which fingerprints the installed Adobe Flash Player version and attempts to exploit vulnerable versions of Flash or Internet Explorer.
Recommendation: Threat actors update malvertising and exploit kit techniques frequently, so keeping software patched with the latest security updates is critical for users and enterprises; this includes both the operating system and every application in use. Because this kit targets Flash and Internet Explorer, removing Adobe Flash Player where it is not needed, or setting it to click-to-play, and moving users to a current browser eliminates the vector it relies on. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising, Neptune, Exploit kit, Monero, Malware

Igexin Advertising Network Put User Privacy at Risk (August 21, 2017)
The advertising Software Development Kit (SDK) called “Igexin” is able to spy on and gather data from Android users who have installed applications that embed it, according to Lookout researchers. Igexin was found in approximately 500 applications in the Google Play store, with a combined total of roughly 500 million downloads. Researchers note that the malicious activity can be altered at any time, and that the SDK is capable of stealing device information as well as the numbers and times of incoming calls. Google has since removed the affected applications from Google Play.
Recommendation: Keep mobile devices fully patched with the latest security updates, and install software only from the Google Play Store or Apple App Store, avoiding third-party stores even when an application looks legitimate. Because this SDK shipped inside otherwise legitimate applications that were available on Google Play, the store alone is no guarantee: review the permissions an application requests (access to phone state and call information is hard to justify for most apps) and the comments from other users who have installed it. Trusted mobile antivirus software adds a further layer.
Tags: Mobile, Data theft

Online Hotel Booking Service Allegedly Exposed Sensitive Data (August 21, 2017)
Kromtech researchers have discovered a publicly accessible Amazon Web Services (AWS) database that appears to belong to the online group hotel booking service “Groupize.” No login or password was required to reach data that, researchers state, shows “how the discount hotel business model works in detail.” Besides business records, the data included payment information such as credit card numbers, expiration dates, and CVV codes.
Recommendation: Always make sure your cloud storage is properly configured; experts have been warning companies that Amazon S3 buckets in particular are too often left world-readable. Leaked data of this kind is used for fraud and by extortionists attempting to make money. Ensure that any cloud storage service you use allows access only to trusted and authorized principals, audit access policies regularly, and require multi-factor authentication for access to the most sensitive material you store. Storing CVV codes at all is a separate problem: PCI DSS forbids retaining them after a transaction is authorized.
Tags: Misconfigured database, Data leak
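An offline check for the misconfiguration the recommendation warns about, added here as an example and not code from the page or from Kromtech: it evaluates an S3 bucket ACL and bucket policy for grants to anonymous or all-AWS-account principals. The inputs have the shape boto3 returns from get_bucket_acl() and from the JSON string in get_bucket_policy()["Policy"]; the owner ID, bucket name and role ARN below are constructed, and the “leaky” and “fixed” pairs show the weak setting beside the corrected one.

```python
"""Added example: flag public access in an S3 bucket ACL and bucket policy, offline.

Inputs have the shape boto3 returns: get_bucket_acl() for the ACL, and the JSON string in
get_bucket_policy()["Policy"]. The owner ID, bucket name and role ARN below are constructed.
"""
import json

# The two canned groups that make a grant public: everyone, or every AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal) -> set:
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to a set of strings."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in principal.values():
        out.update([value] if isinstance(value, str) else value)
    return out


def acl_findings(acl: dict) -> list:
    """Grants to AllUsers/AuthenticatedUsers are public regardless of what the policy says."""
    return [
        f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[1]}"
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def policy_findings(policy: dict) -> list:
    """Allow statements with a wildcard principal open the bucket to anonymous callers."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal", {})):
            continue
        actions = st.get("Action", [])
        actions = ", ".join([actions] if isinstance(actions, str) else actions)
        note = " (has Condition: confirm it really restricts access)" if "Condition" in st else ""
        findings.append(f"policy allows {actions} to Principal * on {st.get('Resource')}{note}")
    return findings


def assess_bucket(acl: dict, policy_json=None) -> list:
    """Combine both checks; an empty list means nothing public was found at the bucket level."""
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(json.loads(policy_json))
    return findings


# Constructed samples: a world-readable bucket, and the same bucket locked to one role.
OWNER = {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bookings/*"},
]})
FIXED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-api"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bookings/*"},
]})

if __name__ == "__main__":
    print("leaky:", assess_bucket(LEAKY_ACL, LEAKY_POLICY))
    print("fixed:", assess_bucket(FIXED_ACL, FIXED_POLICY))
```

Live inputs come from `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME --query Policy --output text`. Bucket-level checks are necessary but not sufficient: each object carries its own ACL (`aws s3api get-object-acl`), so a private bucket can still serve public objects.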

Malspam Continues Pushing Trickbot Banking Trojan (August 21, 2017)
The Trickbot banking trojan continues to be distributed through financially themed malspam, according to researchers. The sender addresses are on a typosquatted look-alike of NatWest Bank's domain, and the message claims that the recipient's August 2017 statement is available in the attached Microsoft Word document. If the attachment is opened and macros are enabled, the macro assembles a URL and downloads the Trickbot binary from it.
Recommendation: All employees should be educated on the risks of malspam and how to identify it. Poor grammar and urgent wording are common indicators, as is any attachment that asks the user to enable macros or “Enable Content” in order to view it. Check the sender's actual domain against the bank's real domain rather than trusting the display name, and, where business needs allow, block or quarantine macro-bearing Office attachments at the mail gateway.
Tags: Malspam, Trickbot trojan, Malware
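A mail-gateway triage rule for the two signals in this campaign, added here as an example (not code from the page or from the researchers it cites): it extracts the sender domain, compares it with a list of protected brand domains by edit distance and brand-name containment, and pairs that verdict with the presence of an Office attachment. The protected list is yours to maintain (natwest.com is used because the page names NatWest); the message below is constructed, not a captured sample. A From: header that exactly matches a protected domain is not proof of legitimacy, since From: can be forged; that is what SPF, DKIM and DMARC results are for.

```python
"""Added example: triage a malspam message for a look-alike sender domain plus an Office attachment.

Assumptions: PROTECTED_DOMAINS is your own list (natwest.com because the page names NatWest);
the message below is constructed. An exact From: match is not proof of authenticity.
"""
import email
from email import policy
from email.utils import parseaddr

PROTECTED_DOMAINS = ["natwest.com"]
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".ppsx", ".pptx")
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small value between two different domains means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, protected domain it matches or resembles)."""
    domain = domain.lower()
    for legit in protected:
        if domain == legit or domain.endswith("." + legit):
            return "protected-domain", legit
    for legit in protected:
        brand = legit.split(".")[0]
        # natwest-secure.example, natwest.com.evil.example, natvvest.com all land here
        if brand in domain or levenshtein(domain, legit) <= MAX_EDIT_DISTANCE:
            return "lookalike", legit
    return "unrelated", None


def triage_message(raw: str) -> dict:
    """Parse one RFC 822 message and decide whether it should be quarantined."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2]
    verdict, resembles = classify_domain(domain)
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    office = [f for f in attachments if f.lower().endswith(OFFICE_EXTENSIONS)]
    return {
        "sender_domain": domain,
        "verdict": verdict,
        "resembles": resembles,
        "office_attachments": office,
        "quarantine": verdict == "lookalike" and bool(office),
    }


# Constructed sample message in the style described on the page (not a captured email).
SAMPLE_MALSPAM = """\
From: NatWest Statements <statements@natvvest.com>
To: victim@example.com
Subject: Your August 2017 statement is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your August 2017 statement is attached. Please enable content to view it.
--b1
Content-Type: application/msword; name="Statement_August_2017.doc"
Content-Disposition: attachment; filename="Statement_August_2017.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MALSPAM))
```

Legitimate subdomains of a protected domain (mail.natwest.com) are recognised by the suffix check; a distance threshold of 2 is tight enough to avoid flagging most unrelated short domains while catching single-character swaps and the classic “vv” for “w”.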

Seamless Campaign Uses RIG EK to Drop Ramnit Trojan (August 21, 2017)
Researchers have discovered a malvertising campaign, tracked as “Seamless,” that uses the RIG Exploit Kit (EK) to infect users with the Ramnit banking trojan. A user who clicks the malvertisement is sent to a site hosting a script that redirects to a RIG EK iframe; the kit then attempts an Adobe Flash Player exploit to install the Ramnit payload.
Recommendation: Threat actors update malvertising and exploit kit techniques frequently, so keeping software patched with the latest security updates is critical for users and enterprises; this includes both the operating system and every application in use. Since this chain depends on a Flash Player exploit, removing Flash where it is not needed or setting it to click-to-play removes the vector, and an ad blocker cuts off the malvertising entry point. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: RIG, Exploit kit, Ramnit trojan, Malware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

CrySiS Tool TIP
CrySiS is a ransomware family that first appeared in early 2016. It is commoditized and sold on forums to many actors; distribution and delivery are left to whichever actor has purchased the malware. In the summer of 2016, Trend Micro reported CrySiS being delivered to hosts in the South Pacific region (Australia and New Zealand) via RDP brute-force attacks. As of mid-2016 the CrySiS builder leaves the PDB path C:\crysis\Release\PDB\payload.pdb as an artifact in the unpacked binary. Encrypted files are renamed using the pattern filename.ext.id-UNIQUEID.emailAddr.newext, as described below.
Tags: CrySiS
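The two artifacts named above turned into a file-system sweep, added here as an example and not code from the page or from Anomali: a regex that recognises the renamed files and pulls out the original name, the per-victim id and the actor's contact address, a grouping so that one sweep shows how many infections touched a share, and a byte check for the builder's PDB path. The rename pattern is the one on the page; the regex also accepts the address wrapped in square brackets, which is an assumption about other samples, not something the page states. File names, extensions and bytes below are constructed.

```python
"""Added example: recognise CrySiS-renamed files and the builder's PDB path.

The filename pattern is the page's (filename.ext.id-UNIQUEID.emailAddr.newext); accepting
[brackets] around the address is an assumption. All sample names and bytes are constructed.
"""
import re
from collections import Counter

CRYSIS_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]{6,})"  # per-victim identifier
    r"\.\[?(?P<email>[^\[\]\s@]+@[^\[\]\s@]+?)\]?"            # actor contact address
    r"\.(?P<new_ext>[A-Za-z0-9]+)$"                            # appended extension
)
# Builder artifact from mid-2016 samples, as noted on the page; only visible once unpacked.
CRYSIS_PDB = b"C:\\crysis\\Release\\PDB\\payload.pdb"


def parse_crysis_name(name: str):
    """Return the pattern's fields for a renamed file, or None if the name does not match."""
    m = CRYSIS_NAME.match(name)
    return m.groupdict() if m else None


def sweep(names):
    """Parse a directory listing; group hits by (victim id, address) to count distinct runs."""
    hits = [p for p in map(parse_crysis_name, names) if p]
    counts = Counter((h["victim_id"], h["email"]) for h in hits)
    return hits, counts


def has_crysis_pdb(unpacked: bytes) -> bool:
    """True if the builder's PDB path is present in an unpacked sample."""
    return CRYSIS_PDB in unpacked


# Constructed listing: three renamed files from two runs, one untouched file, one near-miss.
SAMPLE_LISTING = [
    "Q3_forecast.xlsx.id-A1B2C3D4.helpdesk@example.com.xtbl",
    "contract.pdf.id-A1B2C3D4.[helpdesk@example.com].xtbl",
    "backup.zip.id-F00DBABE.restore@example.net.wallet",
    "readme.txt",
    "notes.txt.id-1234.lock",  # has an id but no address: not the pattern
]

if __name__ == "__main__":
    hits, counts = sweep(SAMPLE_LISTING)
    for h in hits:
        print(f"{h['original']} -> id {h['victim_id']}, contact {h['email']}, ext .{h['new_ext']}")
    for (victim_id, address), n in counts.items():
        print(f"{n} file(s) from run {victim_id} / {address}")
    print("pdb artifact:", has_crysis_pdb(b"MZ\x90\x00" + CRYSIS_PDB + b"\x00"))
```

Feeding `os.walk` output into `sweep` gives the scope of an incident and the contact address to search against ransom notes and threat intelligence; the PDB check belongs in a sandbox or unpacking pipeline, since packed samples will not contain the string.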


Source: Honeypot Tech