WTB: CCleanup, A Vast Number of Machines at Risk

The intelligence in this week’s iteration discusses the following threats: Adware, Compromise, Data Breach, Malspam, Malicious Plugin, Phishing, and Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

CCleanup: A Vast Number of Machines at Risk (September 18, 2017)
The system maintenance application “CCleaner,” specifically version 5.33, has been identified as containing malware, according to Cisco Talos researchers. The official CCleaner 5.33 build distributed by the software company “Avast” was found to carry a multi-stage malware payload alongside the legitimate CCleaner application. The malware was identified as the “Floxif” trojan. The downloaded installation executable was signed with a legitimate digital signature issued to the software company “Piriform.” The affected CCleaner version was released on August 15, and researchers found that the malicious version was still hosted on the download servers as recently as September 11, 2017.
Recommendation: Threat actors are willing to go to great lengths to abuse trust relationships in supply-chain attacks. If CCleaner version 5.33 was downloaded, it is likely that the machine is infected with malware. As of this writing, detection signatures have been made available, and they should be run against your systems to check for potential malicious activity. Additionally, Piriform suggests that its CCleaner users update to version 5.34 as soon as possible.
Tags: Compromise, CCleaner, Malicious version, Malware

Poisoned WordPress ‘Display Widgets’ Plugin Finally Purged (September 15, 2017)
Since June 2017, approximately 200,000 WordPress sites have been corrupted by a plugin called “Display Widgets,” according to Wordfence. Display Widgets was discovered to have been updated with malicious code on multiple occasions. Wordfence CEO, Mark Maunder, warned customers to remove the Display Widgets plugin as soon as possible because the plugin contains a backdoor, allowing the author to publish content on any site with the plugin installed.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Malicious plugin, Display Widgets

Adware Installs InfoStealer Trojan That Loads via Chrome DLL Hijacking (September 15, 2017)
Researchers have discovered that the “AdService” trojan is being distributed by threat actors via adware bundles. The trojan performs Dynamic Link Library (DLL) hijacking against the Chrome web browser and is capable of stealing passwords for online accounts such as Facebook and Twitter. AdService uses DLL hijacking to load itself whenever Chrome is executed: Chrome attempts to load a DLL by name, and the malware supplies a DLL of that name containing the malicious code. In this instance, AdService places a malicious version of “winhttp.dll” in the “C:\Program Files (x86)\Google\Chrome\Application” folder.
Recommendation: The AdService trojan is installed on a victim’s computer via free programs that do not disclose that other software is being installed along with them. All applications should be carefully researched prior to installing them on a personal or work machine. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. If given an option between a “quick/express” installation and a “custom” installation, always choose the custom installation, as it is more likely to disclose other applications being installed. If you are installing a desired application, check that you are getting the installer from the author’s website and not from a third-party installer. It is also recommended to have trusted antivirus software installed and to keep it up-to-date, as AdService is detected by most antivirus vendors.
Tags: Adware, Trojan, AdService, Chrome
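The story above describes a DLL planted in Chrome’s Application folder so that it is loaded in place of the genuine system copy. The following check, added here as an example and not taken from the briefing or any vendor tool, generalises that indicator: it walks an application directory and flags any DLL whose name is on a watchlist (only “winhttp.dll”, from the story) or collides with a DLL in the Windows system directory. The directory layout in `demo()` is constructed with placeholder files so the check runs offline on any platform.

```python
"""Flag DLL-hijack candidates in an application folder (added example)."""
import hashlib
import tempfile
from pathlib import Path

# The only name taken from the story; extend with findings from your own
# environment.  Names are compared case-insensitively.
WATCHLIST = frozenset({"winhttp.dll"})


def sha256_of(path: Path) -> str:
    """Hash the file so the finding can be compared against vendor IOCs."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def system_dll_names(system_dir: Path) -> set:
    """Lower-cased names of every DLL in the Windows system directory."""
    return {p.name.lower() for p in system_dir.iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_hijack_candidates(app_dir: Path, system_dir: Path,
                           watchlist=WATCHLIST) -> list:
    """Return one finding per suspicious DLL under app_dir (recursively).

    A DLL in an application folder that shares its name with a system DLL
    is not always malicious (some vendors ship redistributables), but it is
    exactly the layout a search-order hijack needs, so it deserves review.
    """
    system_names = system_dll_names(system_dir)
    findings = []
    for p in sorted(app_dir.rglob("*.dll")):
        name = p.name.lower()
        reasons = []
        if name in watchlist:
            reasons.append("on watchlist")
        if name in system_names:
            reasons.append("shadows system DLL")
        if reasons:
            findings.append({"path": str(p), "name": name,
                             "sha256": sha256_of(p), "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed layout mirroring the story; no real binaries involved."""
    root = Path(tempfile.mkdtemp())
    system32 = root / "Windows" / "System32"
    chrome = root / "Program Files (x86)" / "Google" / "Chrome" / "Application"
    system32.mkdir(parents=True)
    chrome.mkdir(parents=True)
    for name in ("winhttp.dll", "kernel32.dll", "version.dll"):
        (system32 / name).write_bytes(b"genuine-" + name.encode())
    # Legitimate Chrome files: the browser's own DLL and executable.
    (chrome / "chrome.dll").write_bytes(b"chrome")
    (chrome / "chrome.exe").write_bytes(b"chrome")
    # The planted file described in the story (constructed placeholder).
    (chrome / "winhttp.dll").write_bytes(b"constructed-planted-dll")
    return find_hijack_candidates(chrome, system32)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["sha256"][:16], ", ".join(f["reasons"]))
```

On a real Windows host, point `find_hijack_candidates` at the Chrome Application folder and `C:\Windows\System32` and compare the reported hashes with the IOCs attached to this WTB.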

ExpensiveWall: A Dangerous ‘Packed’ Malware on Google Play That Will Hit Your Wallet (September 14, 2017)
More than 100 applications in the Google Play Store have been found to contain a mobile malware family called “ExpensiveWall,” according to Check Point researchers. The malicious applications were downloaded approximately 5.9 to 21.1 million times. The malicious code resides within a Software Development Kit (SDK) named “gtk.” ExpensiveWall’s objective is to generate revenue by registering users for premium services and sending premium SMS messages that charge the victim without their knowledge. ExpensiveWall is capable of mimicking clicks through any multi-step procedure as well as hiding confirmation SMS messages. As of this writing, Google has removed the malicious applications from the Google Play Store.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application requests and the comments from others who have downloaded it. Furthermore, mobile devices should run trusted antivirus software.
Tags: Android, Mobile, Malware, ExpensiveWall

Potential Phishing Scams Related to Equifax Data Breach (September 14, 2017)
The U.S. Federal Trade Commission (FTC) has issued an alert warning individuals to be aware of malicious activity associated with the Equifax breach. The FTC is warning consumers to be aware of potential calls or emails from individuals purporting to be Equifax employees. Equifax representatives will not contact individuals asking to verify their information.
Recommendation: Significant data breaches often result in threat actors attempting to steal information by capitalizing on fear tactics. Individuals who are concerned about the Equifax breach can check whether their data may have been affected by using the following website: “https://www.equifaxsecurity2017.com/potential-impact/”. Furthermore, it is important that individuals understand, as the FTC stated, that Equifax representatives will not contact consumers to verify their information.
Tags: Scams, Equifax, Data breach

Hangul Word Processor and PostScript Abused Via Malicious Attachments (September 14, 2017)
Trend Micro researchers have discovered a new campaign in which actors are exploiting PostScript code in the Hangul Word Processor (HWP) software. Older versions of HWP were found to have incorrectly implemented a variant of PostScript called “Encapsulated PostScript,” which is meant to restrict the code that can run within HWP documents. Because of the flawed implementation, malicious documents are able to drop malicious files on the affected machine.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, unsolicited messages that ask the recipient to open a file attachment should be avoided.
Tags: Vulnerability, HWP

Equifax Confirms Apache Struts Security Flaw It Failed to Patch is to Blame for Hack (September 14, 2017)
The consumer credit reporting agency, “Equifax,” has confirmed that the breach that affects approximately 143 million individuals was caused by a web server vulnerability in Apache Struts. The vulnerability, registered as CVE-2017-5638, was patched by Apache back in March 2017. The Equifax breach took place from mid-May to July 2017.
Recommendation: Zero-day attacks can sometimes be detected by less conventional methods, such as behavior analysis and heuristic or machine-learning-based detection systems. Threat actors are often observed exploiting vulnerabilities long after the vendor has released a patch. As this story shows, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available in order to prevent exploitation by malicious actors.
Tags: Vulnerability, Patch

Phishers Targeting LinkedIn Users via Hijacked Accounts (September 13, 2017)
Researchers have identified a phishing campaign in which threat actors are using compromised LinkedIn accounts in attempts to steal credentials. The actors are using LinkedIn’s “InMail” feature to distribute a shortened “Owd[.]ly” link that states the sender has just shared a document via Google Docs/Drive. The link directs recipients to a fake login page for AOL, Gmail, or Yahoo that steals any credentials entered.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link that then requests credentials are often an indicator of a phishing attack.
Tags: Phishing, LinkedIn, Compromised accounts

Immediately Patch Windows 0-Day Flaw That’s Being Used to Spread Spyware (September 13, 2017)
Microsoft’s “Patch Tuesday” for September addresses 81 vulnerabilities that affect all supported Windows operating systems and other Microsoft products. The vulnerabilities affect eight Microsoft products. 27 of the vulnerabilities are rated critical and 54 are rated important. 39 vulnerabilities could allow an actor to remotely execute code on a vulnerable machine.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security features. Using the automatic update feature in Windows operating systems is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Windows, Malware

BlueBorne Bluetooth Attack Puts 5 Billion Devices at Risk (September 13, 2017)
A new attack vector has the potential to put billions of Bluetooth-enabled devices at risk of compromise, according to Armis researchers. Threat actors could potentially connect to a Bluetooth-enabled device using zero-day buffer overflow vulnerabilities researchers discovered in devices associated with Apple, Google, Linux, Microsoft, and Samsung. The vulnerabilities were reported to said companies who are currently working on patches.
Recommendation: All devices should be kept up-to-date with the latest software versions to benefit from the newest security features implemented in the update. Additionally, only trusted devices should be connected to via Bluetooth, and Bluetooth should be turned off when not in use.
Tags: Vulnerability, Bluetooth, BlueBorne

Massive ElasticSearch Infected Malware Botnet (September 12, 2017)
Thousands of publicly accessible ElasticSearch nodes have been identified to be hosting variants of Point of Sale (POS) malware, according to Kromtech researchers. Among the ElasticSearch servers, researchers discovered file names that are associated with the AlinaPOS and JackPOS malware families. This discovery coincides with other findings in which new variants of POS malware have been advertised for purchase on various underground forums. As of this writing, approximately 4,000 ElasticSearch servers were found to be infected with POS malware.
Recommendation: This story depicts the potential dangers that may reside in publicly accessible services. Any publicly accessible service, including one built on open source software, should require some form of authentication. Additionally, databases should not be directly accessible over the internet, and they should require authentication to access.
Tags: Breach, ElasticSearch servers, Malware, Botnet

Multiple Vulnerabilities in FreeXL Library (September 11, 2017)
Cisco Talos researchers have released information regarding two remote code execution vulnerabilities in the “FreeXL” library. FreeXL is an open source library used to extract data from Microsoft Excel spreadsheets. The two vulnerabilities can be exploited via a buffer overflow that could allow a threat actor to execute arbitrary code on a machine.
Recommendation: Zero-day attacks can sometimes be detected by less conventional methods, such as behavior analysis and heuristic or machine-learning-based detection systems. Threat actors are often observed exploiting vulnerabilities long after the vendor has released a patch. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.
Tags: Vulnerabilities, FreeXL Library


Source: Honeypot Tech

Astro Pi upgrades on the International Space Station

In 2015, The Raspberry Pi Foundation built two space-hardened Raspberry Pi units, or Astro Pis, to run student code on board the International Space Station (ISS).

A space-hardened Raspberry Pi

Astro Pi upgrades

Each school year we run an Astro Pi challenge to find the next generation of space scientists to program them. After the students have their code run in space, any output files are downloaded to ground and returned to them for analysis.

That download process was originally accomplished by an astronaut shutting down the Astro Pi, moving its micro SD card to a crew laptop and copying over the files manually. This used about 20 minutes of precious crew time.


Last year, we passed the qualification to allow the Astro Pi computers to be connected to the Local Area Network (LAN) on board the ISS. This allows us to remotely access them from the ground, upload student code and download the results without having to involve the crew.

This year, we have been preparing a new payload to upgrade the operational capabilities of the Astro Pi units.

The payload consists of the following items:

  • 2 × USB WiFi dongles
  • 5 × optical filters
  • 4 × 32GB micro SD cards

Before anyone asks – no, we’re not going outside into the vacuum of space!

USB WiFi dongle

Currently both Astro Pi units are located in the European Columbus module. They’re even visible on Google Street View (pan down and right)! You can see that we’ve created a bit of a bird’s nest of wires behind them.

The D-Link DWA-171

The decision to add WiFi capability is partly to clean up the cabling situation, but mainly so that the Astro Pi units can be deployed in ISS locations other than the Columbus module, where we won’t have access to an Ethernet switch.

The Raspberry Pi used in the Astro Pi flight units is the B+ (released in 2014), which does not have any built in wireless connectivity, so we need to use a USB dongle. This particular D-Link dongle was recommended by the European Space Agency (ESA) because a number of other payloads are already using it.

An Astro Pi unit with WiFi dongle installed

Plans have been made for one of the Astro Pi units to be deployed on an Earth-facing window, to allow Earth-observation student experiments. This is where WiFi connectivity will be required to maintain LAN access for ground control.

Optical filters

With Earth-observation experiments in mind, we are also sending some flexible film optical filters. These are made from the same material as the blue square which is shipped with the Pi NoIR camera module, as noted in this post from when the product was launched. You can find the data sheet here.

Rosco Roscalux #2007 Storaro Blue

To permit the filter to be easily attached to the Astro Pi unit, the film is laser-cut to friction-fit onto the 12 inner heatsink pins on the base, so that the camera aperture is covered.

Laser cutting at Makespace

The laser-cutting work was done right here in Cambridge at Makespace by our own Alex Bate, and local artist Diana Probst.

An Astro Pi with the optical filter installed

32GB micro SD cards

A consequence of running Earth observation experiments is a dramatic increase in the amount of disk space needed. To avoid a high frequency of commanding windows to download imagery to ground, we’re also flying some larger 32GB micro SD cards to replace the current 8GB cards.

The Samsung Evo MB-MP32DA/EU

This particular type of micro SD card is X-ray proof, waterproof, and resistant to magnetism and heat. Operationally speaking there is no difference, other than the additional available disk space.

An Astro Pi unit with the new micro SD card installed

The micro SD cards will be flown with a security-hardened version of Raspbian pre-installed.

Crew activities

We have several crew activities planned for when this payload arrives on the ISS. These include the installation of the upgrade items on both Astro Pi units; moving one of the units from Columbus to an earth-facing window (possibly in Node 2); and then moving it back a few weeks later.

Currently it is expected that these activities will be carried out by German ESA astronaut Alexander Gerst who launches to the ISS in November (and will also be the ISS commander for Expedition 57).

Payload launch

We are targeting a January 2018 launch date for the payload. The exact launch vehicle is yet to be determined, but it could be SpaceX CRS 14. We will update you closer to the time.

Questions?

If you have any questions about this payload, how an item works, or why that specific model was chosen, please post them in the comments below, and we’ll try to answer them.

The post Astro Pi upgrades on the International Space Station appeared first on Raspberry Pi.


Source: RaspberryPi – IOT Anonimo

Source: Privacy Online


Source: Zologic

Cybersecurity: The Commission scales up its response to cyber-attacks

To equip Europe with the right tools to deal with cyber-attacks, the European Commission and the High Representative are proposing a wide-ranging set of measures to build strong cybersecurity in the EU. This includes a proposal for an EU Cybersecurity Agency to assist Member States in dealing with cyber-attacks, as well as a new European certification scheme that will ensure that products and services in the digital world are safe to use.
Source: Cybersecurity and digital privacy newsletter


Final report on the Evaluation of the European Union Agency for Network and Information Security (ENISA)

The study involved the evaluation of ENISA over the 2013-2016 period, assessing the Agency’s performance, governance and organisational structure, and positioning with respect to other EU and national bodies. The results of this study as well as the results of the public consultation were used as input to the impact assessment of the policy options for the review of the mandate of ENISA.

Cybersecurity – An EU Cybersecurity Agency and an EU framework for cybersecurity certification

In order to scale up the EU’s response to cyber-attacks, improve cyber resilience and increase trust in the Digital single market, the European Commission has proposed a European Union Cybersecurity Agency and the establishment of an EU cybersecurity certification framework.

Cybersecurity – Tackling non-cash payment fraud

The fraud and counterfeiting of non-cash means of payment pose a serious threat to the EU’s security – they provide important income for organised crime and enable other criminal activities such as terrorism, drug trafficking and trafficking in human beings. In addition, non-cash payment fraud affects the trust of consumers in the security of the digital single market, reduces economic online activity and causes important economic losses.

Full report on the public consultation on the evaluation and review of the European Union Agency for Network and Information Security (ENISA)

The public consultation took place between 18 January and 12 April 2017. It was conducted in the context of the evaluation and review of ENISA in accordance with Article 32 of Regulation (EU) No 526/2013. A full report has been published.

Resilience, Deterrence and Defence: Building strong cybersecurity in Europe

The European Commission and the High Representative have proposed a wide range of concrete measures that will further strengthen the EU’s cybersecurity structures and capabilities with more cooperation between the Member States and the different EU structures concerned. These measures will ensure that the EU is better prepared to face the ever-increasing cybersecurity challenges.

Special Eurobarometer: Europeans’ attitudes towards cyber security

This report brings together the results of the Special Eurobarometer public opinion survey towards cyber security in the 28 European Union countries.

Pioneers: only you can save us

Pioneers, we just received this message through our network — have you seen it?


Only you can save us

We have no choice – we must help her! If things are as bad as she says they are, our only hope of survival is to work together.

We know you have the skills and imagination required to make something. We’ve seen that in previous Pioneers challenges. That’s why we’re coming directly to you with this: we know you won’t let her down.

What you need to do

We’ve watched back through the recording and pulled out as much information as we can:

  • To save us, you have ten weeks to create something using tech. This means you need to be done on 1 December, or it will be too late!
  • The build you will create needs to help her in the treacherous situation she’s in. What you decide to make is completely up to you.
  • Her call is for those of you aged between 11 and 16 who are based in the UK or Republic of Ireland. You need to work in groups of up to five, and you need to find someone aged 18 or over to act as a mentor and support your project.
  • Any tech will do. We work for the Raspberry Pi Foundation, but this doesn’t mean you need to use a Raspberry Pi. Use anything at all — from microcontrollers to repurposed devices such as laptops and cameras.

To keep in contact with you, it looks like she’s created a form for you to fill in and share your team name and details with her. In return she will trade some items with you — things that will help inspire you in your mission. We’ve managed to find the link to the form: you can fill it in here.

In order to help her (and any others who might still be out there!) to recreate your project, you need to make sure you record your working process. Take photos and footage to document how you build your make, and put together a video to send to her when you’re done making.

If you manage to access social media, you could also share your progress as you go along! Make sure to use #MakeYourIdeas, so that other survivors can see your work.

We’ve assembled some more information on the Pioneers website to create a port of call for you. Check it out, and let us know if you have any questions. We will do whatever we can to help you protect the world.

Good luck, everybody! It’s up to you now.

Only you can save us.

The post Pioneers: only you can save us appeared first on Raspberry Pi.

