KRACK WiFi Security Vulnerability Allows Attackers to Decrypt WiFi Traffic
Oct17

Security researchers at KU Leuven in Belgium have discovered a flaw in the WPA2 protocol, dubbed KRACK (Key Reinstallation Attack). The vulnerability affects practically all modern WiFi networks and can be exploited with relative ease. While there have been no known attacks leveraging the vulnerability, it is one of the most serious WiFi flaws discovered to date, with the potential to be used against millions of users. If exploited, an attacker within radio range could decrypt WiFi traffic and steal login credentials or credit and debit card numbers, or inject malware into connections that are not otherwise encrypted. Most business and consumer WiFi networks that use Wi-Fi Protected Access 2 (WPA2) are affected.

KRACK WiFi Security Vulnerability Allows Attackers to Induce Nonce and Session Key Reuse

The attack...
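To see why reinstalling a session key (and so resetting the packet-number counter that feeds the nonce) is fatal for a counter-mode cipher such as WPA2's AES-CCMP, here is an added example; it is not code from the KU Leuven researchers or from this page. It uses a SHA-256-based counter-mode keystream as a stand-in for AES-CTR (an assumption made so the script runs with only the standard library), and the session key, packet numbers and frame contents are constructed. Two frames encrypted under the same key and nonce share a keystream, so XORing the two ciphertexts cancels the keystream and a known plaintext in one frame reveals the other.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i).
    Stand-in for AES-CTR as used by CCMP; the property that matters is
    that the same (key, nonce) always yields the same keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream.
    Decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share a keystream then c1 XOR c2 == p1 XOR p2, so an
    attacker who knows p1 (a predictable header, say) recovers p2."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


# Constructed session key and two frames (not real WPA2 traffic).
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
P1 = b"GET /login HTTP/1.1\r\nHost: portal\r\n"   # attacker knows this one
P2 = b"user=alice&password=hunter2\r\n\r\n"       # attacker wants this one


def ccmp_nonce(packet_number: int) -> bytes:
    """CCMP derives its nonce from the 48-bit packet number (PN); the
    priority and transmitter address that are also mixed in are omitted here."""
    return packet_number.to_bytes(6, "big")


def demo(reinstall_key: bool) -> bytes:
    """Send P1 with PN=1. If the key is reinstalled, the PN counter resets
    and P2 also goes out with PN=1, so both frames use one keystream.
    Returns what the attacker recovers; it equals P2 only on nonce reuse."""
    c1 = ctr_encrypt(SESSION_KEY, ccmp_nonce(1), P1)
    pn_for_p2 = 1 if reinstall_key else 2
    c2 = ctr_encrypt(SESSION_KEY, ccmp_nonce(pn_for_p2), P2)
    return recover_with_known_plaintext(c1, c2, P1)


if __name__ == "__main__":
    print("nonce reused:", demo(True))
    print("fresh nonce :", demo(False))
```

The fix on the client side is the one the researchers recommend: never reinstall an already-in-use key, so the packet number is never reset under a live key.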

Adobe Patches Actively Exploited Flash Player Flaw Used to Deliver FinSpy Malware
Oct17

Yesterday, Adobe released an update for Flash Player to address an actively exploited flaw (CVE-2017-11292) that is being used by the threat group BlackOasis to deliver FinSpy. FinSpy is not malware as such: it is a commercial surveillance product developed by the German company Gamma International, although its capabilities include many malware-like functions. As the name suggests, FinSpy is surveillance software used for espionage, and it has been sold extensively to governments and law enforcement agencies to gather intelligence on criminal organizations as well as foreign governments. It would appear that BlackOasis is targeting military and government organizations by leveraging this Adobe zero-day to deliver FinSpy. So far, BlackOasis...

Department of Education Issues Advisory on Hacking and Extortion Threats
Oct16

The hacking group TheDarkOverlord has recently been targeting K-12 schools, gaining access to their networks, stealing data and attempting to extort money. In response, the U.S. Department of Education has issued an advisory to K-12 schools with advice to help educational institutions mitigate the risk and protect their networks from attack. The attacks on schools by TheDarkOverlord in recent weeks have seen the threats escalate. Previous attacks saw organizations threatened with the publication of sensitive data. The latest attacks have included more serious threats, not just against the hacked entity but also against the parents of students whose data has been stolen. Some parents have also received threats of violence against their children...

FormBook Malware Campaign Targets U.S. Organizations
Oct11

Most FormBook malware attacks have targeted specific industry sectors in the United States and South Korea, but there is concern that the malware will be used in more widespread attacks around the globe. To date, the aerospace industry, defense contractors and the manufacturing sector have been extensively targeted; however, attacks have not been confined to these sectors. Financial services, energy and utility companies, services/consulting firms and educational institutions have also been attacked. FireEye detected several ‘significant campaigns’ in the United States and South Korea and reports that the malware is primarily distributed via spam email. The emails are generic rather than spear phishing emails aimed at specific targets, although the attacks are concentrated on...

Microsoft Patches Actively Exploited Zero Day Vulnerabilities
Oct11

This Patch Tuesday saw Microsoft issue updates for several critical vulnerabilities, some of which are being actively exploited in the wild. Microsoft is urging companies to apply the patches immediately. Some of the vulnerabilities are easy to exploit, requiring little skill. In total, 62 vulnerabilities have been patched, including 33 that can result in remote code execution. Of the 62 vulnerabilities, 23 are rated critical and 34 important. CVE-2017-11771 is a critical vulnerability in the Windows Search service which can be exploited over SMB and used to take control of a server or workstation. While this vulnerability is not related to the SMBv1 vulnerabilities exploited in the WannaCry ransomware attacks, it is just as serious...

New Rowhammer Exploit Enables Hackers to Bypass Mitigations
Oct05

Rowhammer was first discovered in 2014 and has been shown to allow attackers to take control of devices by targeting DRAM memory cells. Rowhammer attacks take advantage of the physical proximity of memory cells: repeatedly activating one row causes cells in neighbouring rows to leak charge and flip bits, altering memory the attacker has no permission to write. The attack uses carefully crafted memory access patterns to activate the same rows over and over, which can enable powerful privilege escalation attacks. Since the technique was discovered, security researchers have demonstrated it in many attack scenarios. Attacks have even been performed from plain JavaScript, and have been shown to be effective on Windows machines, Linux-based virtual machines, and Android...

3 Billion Accounts Compromised in 2013 Yahoo Data Breach
Oct05

While the 2013 Yahoo data breach was soon known to involve many of the company’s customers, it became apparent in December 2016 that 1 billion accounts had been compromised. Before that, in September 2016, a separate breach was disclosed that involved around half a billion accounts. Now Verizon, which finalized its purchase of Yahoo this summer, has discovered the 2013 Yahoo data breach was far worse than initially thought. Instead of 1 billion accounts, it is now believed that all Yahoo accounts were compromised: 3 billion accounts, every account that existed at the time of the breach. The attackers are understood to have gained access to accounts using forged cookies. Verizon announced this week that during the integration of Yahoo into its Oath...

Flusihoc Botnet Activity Increases, Delivering Crippling DDoS Attacks
Oct05

The Flusihoc botnet is being used for crippling DDoS attacks, some as high as 45 Gbps, according to researchers at Arbor Networks. The botnet has been operational for at least two years, although activity has increased over the past few months, with more than 900 attacks conducted using it in the past four months. The botnet has more than 48 active command and control servers, although more than 154 have been detected in total. The malware is constantly updated, with more than 500 versions of the C++ malware identified in the past two years. Arbor Networks suggests the botnet is available for hire, based on the variety of its targets. The latest version analyzed by Arbor makes a change to the registry to ensure persistence, a change from recent...

Beware of Equifax Data Breach Phishing Scams
Sep14

Consumers are being warned to be on high alert for Equifax data breach phishing scams, telephone and text message scams, and fraudulent use of their sensitive information.

Almost Half of All Americans Impacted by Equifax Data Breach

The massive Equifax data breach has resulted in the theft of the personal information of almost half of the population of the United States. More than 143 million Americans have been impacted by the breach, which potentially exposed their names, dates of birth, email addresses, phone numbers, home addresses, Social Security numbers and driver’s license numbers. Around 209,000 Americans also had their credit card numbers stolen. As is common following any data breach, victims have to be alert to the risk of identity theft and fraud. Criminals are quick to use credit...

Equifax Data Breach Affects 143 Million Consumers
Sep10

A massive Equifax data breach has resulted in the exposure, and possible theft, of the records of 143 million Americans, including highly sensitive data such as Social Security numbers. To put that figure into perspective, that is virtually half the population of the United States. Hackers gained access to a website database via an unpatched vulnerability in a web application. Security experts suggest the vulnerability was in Apache Struts and that a patch had been issued in March, two months before the attack occurred. In addition to Social Security numbers, the data exposed or stolen included names, addresses, telephone numbers, email addresses, birthdates and, in some cases, driver’s license numbers. Approximately 209,000 individuals also had their credit card numbers stolen, while...

Siemens CT and PET Scanners Vulnerable to Cyberattacks
Aug08

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about vulnerabilities in Siemens CT and PET scanner systems. Healthcare organizations have been put on alert and warned that publicly available exploits exist for all four of the vulnerabilities. If exploited, hackers would be able to alter the functioning of the devices, potentially placing patient safety at risk. Data stored on the systems would be accessible, malware could be installed, and the devices could be used to attack the networks to which they connect. The vulnerabilities can be exploited remotely with no user interaction required. They are not in the Siemens software itself but in the platform on which the systems run, Windows 7. The...

Global Petya Ransomware Attacks involve Modified EternalBlue Exploit
Jun28

Global Petya ransomware attacks are underway, with the campaign bearing similar hallmarks to the WannaCry ransomware attacks in May. The attackers are using a modified EternalBlue exploit that takes advantage of the same SMBv1 vulnerability used in WannaCry. The ransomware bears a number of similarities to Petya, although this appears to be a new variant. Petya ransomware was first discovered last year, and the latest variant uses a similar encryption process. In contrast to WannaCry, Locky and CryptXXX, this variant does not encrypt individual files. Instead, it encrypts the master file table (MFT), which the operating system uses to locate files on the disk. Without the MFT the computer cannot locate files: stored files are not themselves encrypted, but they still cannot be...

Patch Issued for Actively Exploited Drupal Vulnerability
Jun22

An actively exploited Drupal vulnerability, tracked as CVE-2017-6922, has been patched this week. The flaw, which affects Drupal 7.x prior to 7.56 and 8.x prior to 8.3.4, is being exploited in the wild. It is an access bypass vulnerability that Drupal has been aware of since last October, although a patch has only just been issued. The flaw can be exploited on misconfigured websites, allowing anonymous users to upload files to the private file system that then remain accessible to other anonymous users. Private files that are not attached to website content should only be accessible by the individual who uploaded them. The vulnerability only affects websites that permit file uploads by anonymous or untrusted visitors. Drupal says anonymous users could upload images or other files via webforms on a...

Samba Vulnerability Could be Exploited in WannaCry Style Attacks
May29

A Samba vulnerability has been discovered that could potentially be exploited in network worm attacks akin to the one used to deliver WannaCry ransomware on May 12. Samba is used on Unix and Linux systems, and on many NAS devices, to provide Windows file and print sharing services; it can also act as an Active Directory domain controller for access control on Windows networks. Samba implements the Windows Server Message Block (SMB) protocol, and the vulnerability allows malicious actors to execute arbitrary code with root-level permissions. The flaw is also easy to exploit, requiring just a single line of code. The vulnerability has existed since 2010 and is present in Samba 3.5.0 and later versions. A security alert from the open source Samba project indicates the...

Worldwide WannaCry Ransomware Attacks Reported
May13

There has been a massive spike in WannaCry ransomware attacks worldwide, with a new campaign launched on Friday. In contrast to past WannaCry campaigns, this one leverages a vulnerability in Server Message Block 1.0 (SMBv1). The exploit, ETERNALBLUE, was not a zero-day: it was allegedly developed by the National Security Agency (NSA), stolen, and published last month by the Shadow Brokers group. The gang behind this attack combined it with a worm capable of spreading rapidly to every vulnerable networked machine. Microsoft patched the vulnerability on March 14 (MS17-010), so fully patched systems block ETERNALBLUE; however, judging by the number of WannaCry ransomware attacks already...

OCR Issues Warning to Healthcare Providers on Use of HTTPS Inspection Tools
Apr05

Many healthcare organizations use HTTPS inspection tools to monitor HTTPS connections for malware. These tools decrypt HTTPS traffic, inspect its content and re-encrypt it before forwarding it on. They are deployed to enhance security, but a recent warning from the Department of Health and Human Services’ Office for Civil Rights highlights research indicating that HTTPS inspection tools can introduce vulnerabilities that leave healthcare organizations susceptible to man-in-the-middle (MITM) attacks. In a MITM attack a third party intercepts communications between two parties and can eavesdrop on them, steal data, manipulate the communications or run malicious code. While the...

FBI Warns Healthcare Providers of Risk of Using Anonymous FTP Servers
Mar28

Healthcare organizations could be placing the protected health information (PHI) of patients at risk by using anonymous FTP servers, according to a recent alert issued by the FBI. Cybercriminals are taking advantage of the lack of protection on such servers to gain access to patients’ PHI. An anonymous FTP server allows the data stored on it to be accessed without real authentication: the client logs in with the generic username ‘anonymous’ (or ‘ftp’), and either no password is required or any value, conventionally an email address, is accepted. The risk of storing PHI on an anonymous FTP server is therefore considerable, since it could be accessed by any member of the public....

US-CERT Says SSL Inspection Tools May Actually Weaken Cybersecurity
Mar24

SSL inspection tools are commonly used by healthcare providers to improve security; however, according to a recent warning issued by US-CERT, SSL inspection tools may actually weaken organizations’ defenses and make them more susceptible to man-in-the-middle attacks. The problem is not necessarily the tools themselves, but that organizations rely on them to decide which connections can be trusted and which cannot. If the product is trusted completely yet does not validate upstream certificates thoroughly or correctly, the organization is left exposed to attacks without being aware that there is a problem. SSL inspection is now built into a wide range of cybersecurity products, including secure gateways, firewalls, data loss...

PetrWrap Used for Targeted Ransomware Attacks on Businesses
Mar16

Petya ransomware has been hijacked and is being used in attacks on businesses without the ransomware authors’ knowledge. The criminals behind the new PetrWrap campaign have added a module that modifies Petya ‘on the fly’, taking control of the encryption process so that even the original authors would not be able to unlock the files. Petya first appeared in 2016 and uses a different method of attack from most other ransomware. Instead of simply encrypting files such as documents, spreadsheets, images and databases, it replaces the master boot record on the hard drive and encrypts the master file table. Since the master boot record is read on boot and starts the operating system, the...

Actively Exploited Apache Struts Vulnerability Discovered
Mar10

The discovery of a new Apache Struts vulnerability that is being actively exploited in the wild has prompted both Cisco Talos and Apache to issue warnings to users. The zero-day vulnerability in the popular Java web application framework was recently discovered by Cisco Talos researchers, and attacks have been occurring at a steady pace over the past few days. The vulnerability, CVE-2017-5638, is in the Jakarta Multipart parser, according to a statement released by Apache this week. The flaw can be exploited for remote code execution using a malicious Content-Type header value. Apache warns that “If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.” Attackers have been using a publicly published...
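Because the trigger is a Content-Type value that is not a valid media type but an OGNL expression, the exploitation attempts are easy to pick out of request logs. The following is an added example, not code from Cisco Talos, Apache or this page: it classifies a Content-Type header as clean or suspicious and runs the check over a few constructed requests. The indicator patterns, the strict multipart grammar and the sample headers are assumptions for illustration; tune them against your own traffic.

```python
import re

# Tokens that belong in an OGNL expression, never in a media type.
# Constructed for this example; extend from your own IDS/WAF signatures.
OGNL_INDICATORS = {
    "ognl_open": re.compile(r"%\{|\$\{"),
    "member_access": re.compile(r"#_memberAccess", re.I),
    "ognl_context": re.compile(r"@ognl\.OgnlContext@", re.I),
    "java_class": re.compile(r"@java\.lang\.", re.I),
    "cmd_var": re.compile(r"#cmd\s*="),
}

# RFC 2046 boundary: 1..70 characters from the bchars set; deliberately strict.
VALID_MULTIPART = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,\-./:=? ]{1,70}\"?\s*$", re.I
)
# Ordinary "type/subtype" with optional ";name=value" parameters.
PLAIN_MEDIA_TYPE = re.compile(r"^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w-]+=[^;]*)*$")


def classify_content_type(value: str) -> list:
    """Return the reasons the header looks hostile; an empty list means clean."""
    reasons = [name for name, pat in OGNL_INDICATORS.items() if pat.search(value)]
    if value.lower().startswith("multipart/form-data") and not VALID_MULTIPART.match(value):
        # The vulnerable parser only throws (and evaluates the message) when
        # the multipart header fails to parse, so malformed ones matter too.
        reasons.append("malformed_multipart")
    elif not reasons and not PLAIN_MEDIA_TYPE.match(value):
        reasons.append("not_a_media_type")
    return reasons


def scan_requests(requests) -> list:
    """requests: iterable of dicts with 'path' and 'headers'.
    Returns [(index, reasons)] for each request with a suspicious Content-Type."""
    hits = []
    for i, req in enumerate(requests):
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        value = headers.get("content-type")
        if value is None:
            continue
        reasons = classify_content_type(value)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample requests (not captured traffic). Index 2 carries the
# shape of the public exploit string, cut down to its recognisable markers.
SAMPLE_REQUESTS = [
    {"path": "/upload.action",
     "headers": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"}},
    {"path": "/api/items", "headers": {"Content-Type": "application/json"}},
    {"path": "/index.action",
     "headers": {"Content-Type": "%{(#_='multipart/form-data')."
                                 "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"}},
    {"path": "/index.action", "headers": {"Content-Type": "multipart/form-data; boundary="}},
]

if __name__ == "__main__":
    for index, reasons in scan_requests(SAMPLE_REQUESTS):
        print(SAMPLE_REQUESTS[index]["path"], reasons)
```

The same classifier can be pointed at any header the multipart parser reads; the page only mentions Content-Type, so only that header is checked here.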

Powershell Remote Access Trojan Uses DNS for 2-Way Communications with C2 Server
Mar07

A new PowerShell remote access Trojan has been identified by researchers at Cisco Talos. The memory-resident malware does not write files to the hard drive, and it uses a novel channel for communicating with its command-and-control (C2) server, DNS TXT records, which makes it much harder to detect. Infection occurs via a malicious Word document sent by email; Cisco Talos said only 6 out of 54 AV engines recognized the malware. If the document is opened, the user is presented with a message saying the contents have been protected and that they must ‘enable content’ to view it. The document carries the McAfee Secure logo, making it appear as if the file has been secured by a well-known security firm; the official look increases the likelihood of macros being enabled...
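A DNS-based C2 channel leaves no file on disk, but it does leave a query pattern: one host issuing repeated TXT lookups whose subdomain labels are long and high-entropy, because that is where the encoded command data travels. The script below is an added example, not code from Cisco Talos or from this page. It parses a constructed query log (the `<timestamp> <client> <qtype> <qname>` format, the client addresses and the beacon names are all assumptions), groups TXT queries by client and parent zone, and flags groups that look like encoded beacons while leaving ordinary SPF/DMARC-style TXT lookups alone.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, English words sit near 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Constructed log format: '<timestamp> <client_ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname: str):
    """Return (subdomain prefix, parent zone) with the zone taken as the last
    two labels. Adequate here; use a public-suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_txt_beacons(lines, min_queries=5, min_entropy=3.2, min_prefix_len=16) -> dict:
    """Flag (client, zone) pairs that issue many TXT queries whose subdomain
    part is long and high-entropy, the shape of data smuggled through DNS."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, client, qtype, qname = parse_line(line)
        if qtype != "TXT":
            continue
        prefix, zone = split_name(qname)
        groups[(client, zone)].append(prefix)

    flagged = {}
    for key, prefixes in groups.items():
        if len(prefixes) < min_queries:
            continue
        mean_len = sum(len(p) for p in prefixes) / len(prefixes)
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            flagged[key] = {"queries": len(prefixes),
                            "mean_prefix_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


def constructed_log() -> list:
    """Eight beacon-style TXT queries from one host plus ordinary TXT/A lookups.
    The hex subdomains are SHA-256 prefixes standing in for encoded C2 data."""
    lines = []
    for i in range(8):
        chunk = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:32]
        lines.append(f"2017-03-07T10:00:{i:02d}Z 10.0.0.5 TXT {chunk}.c2.example.net")
    lines += [
        "2017-03-07T10:00:10Z 10.0.0.9 TXT example.com",          # SPF-style lookup
        "2017-03-07T10:00:11Z 10.0.0.9 TXT _dmarc.example.com",   # DMARC lookup
        "2017-03-07T10:00:12Z 10.0.0.9 A www.example.com",
        "2017-03-07T10:00:13Z 10.0.0.5 TXT mail.example.org",
    ]
    return lines


if __name__ == "__main__":
    for key, stats in find_dns_txt_beacons(constructed_log()).items():
        print(key, stats)
```

Thresholds are deliberately conservative; a resolver that also logs response sizes lets you add a second signal, since C2 replies arrive as unusually large TXT answers.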

MacOS Malware Spread by Malicious Word Macros
Feb13

Security researchers have discovered MacOS malware being spread by malicious Word macros, the first time this attack vector has been seen used against MacOS. Windows users have long expected to be targeted by malware, while Mac users have remained relatively safe: the vast majority of malware targets Windows, and attacks on Mac users are still relatively rare. However, MacOS malware does exist, and users of Apple devices are now being targeted, albeit on a small scale and now via a new method of infection. Security researchers have identified a campaign that uses malicious Word macros to infect Macs. The campaign uses a document titled “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie...

SMB File Sharing Protocol Flaw Published Before Patched
Feb06

An SMB file sharing protocol flaw in Windows has been publicly disclosed 12 days before Microsoft is due to release a patch. According to the researcher who published details of the flaw, Laurent Gaffié, Microsoft has known about the issue for three months yet has so far failed to patch it. If exploited, the flaw would allow an attacker to crash Windows 10 and 8.1 machines, although at present there are no reports suggesting it could be exploited for remote code execution. The flaw is a memory corruption vulnerability in the way the latest two Windows versions handle Server Message Block (SMB) traffic. If an attacker were to send a specially crafted message from their server, it would...

Security Flaws in Multi-Function Printers Could Lead to Password Theft
Feb03

Researchers at Ruhr University have discovered security flaws in multi-function printers that could be exploited remotely to shut down the printers or, worse, manipulate documents or steal passwords. It is also possible to exploit the flaws to cause physical damage to printers. The researchers have so far identified flaws in multi-function printers manufactured by HP, Lexmark and Dell; at least 20 models are known to be affected. The flaws exist in printing languages shared across manufacturers, languages first developed some 32 years ago. According to the researchers, the flaws in PJL and PostScript could potentially be exploited remotely using advanced...

New Zero Day WordPress Vulnerability: Thousands of Websites at Risk
Feb02

A new zero-day WordPress vulnerability has been discovered in the WordPress REST API that allows content injection and privilege escalation. If exploited, an unauthenticated user could modify any content on a WordPress site, including adding malicious links or exploit-kit redirects, turning a harmless site into one that pushes malware and ransomware onto visitors. The vulnerability was recently discovered by a security researcher at Sucuri. The flaw was reported to WordPress and has now been addressed in the latest release of the CMS. WordPress has started automatically updating websites to the new version; however, many sites are still running older, vulnerable versions. All businesses...

Disk-Wiping Malware Used to Wipe Virtual Desktops
Jan13

Disk-wiping malware has been around for many years; however, a new variant of an old malware family has been discovered that is being used to target companies that have implemented a virtual desktop infrastructure (VDI). Rather than each employee using their own computer, each is set up with a virtual desktop on a remote server. This arrangement is popular in data centers as it makes for easier management. One of the other benefits of VDI is that it protects against disk-wiping malware attacks: VDI systems take a snapshot of each virtual desktop at regular intervals, so should anything happen it is a relatively simple process to restore the desktops to a working state. However, the attackers behind the latest campaign have realized that simply wiping data would not be...

Twitter Credit Card Phishing Scam Offers Quick Account Verification
Jan04

A new Twitter credit card phishing scam has been detected by cybersecurity firm Proofpoint. Twitter users are offered verified account status via native Twitter ads; however, signing up involves providing credit card details, which are handed directly to the attackers. Achieving verified status can be a long-winded process: holders of public interest accounts are required to complete multiple steps to verify their identity, and the ads offer a quick way of bypassing all of them. The scam has been designed to appeal to brand managers, influencers and small businesses, many of whom may not be able to achieve verified status easily as they do not have immediate access to all of the identification documents required by Twitter. The advertisements...

Ransomware Attackers Target the Industrial Sector with KillDisk Variant
Dec29

Throughout 2016, ransomware gangs have targeted the healthcare sector with increasing intensity. Now a new ransomware variant has been developed that is being used to attack industrial companies. The new threat does not permanently lock files as other ransomware does; instead, companies are threatened with full disk deletion if they do not pay the ransom, and the malware is capable of doing just that. The variant used in the attacks is a tweaked version of KillDisk which, as the name suggests, deletes the entire contents of hard drives. KillDisk has previously been used alongside BlackEnergy malware to target industrial companies, most notably energy companies in Ukraine. The latest ransomware attacks are believed to have been conducted by malicious...

Ticno Trojan Downloader Mimics Windows Dialog Box
Dec22

A new Trojan downloader has been identified by Russian antivirus firm Dr. Web that installs malicious payloads, currently adware, using a fake Windows ‘Save As’ dialog box. The malware, named Trojan.Ticno.1537, covertly installs a range of adware and a malicious Google Chrome extension. The Ticno Trojan, which is downloaded by separate malware, is packaged with legitimate software in a single installation file; the legitimate programs bundled with it include Tray Calendar and the Amigo web browser. The package is believed to be part of an affiliate program that pays for software downloads, with the person behind the campaign profiting both from the software installed and from the ads displayed. If the user clicks Save when the ‘Save...

Netgear Router Vulnerability Prompts US-CERT Warning to Stop Using the Devices
Dec13

A Netgear router vulnerability that has remained unpatched for three months has now been publicly disclosed, placing users at risk of their devices being hacked. So severe is the threat that US-CERT has issued a stern warning strongly advising all users of the affected devices to stop using them until a fix is available. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University assigned the vulnerability a CVSS rating of 9.3 out of 10. An exploit was published by a security researcher going by the handle Acew0rm on Friday last week. Acew0rm claims he notified Netgear of the flaw in August this year yet received no response, and a patch has not yet been developed. Following the publication of the exploit, Netgear initially confirmed that its R6400, R7000,...

Popcorn Time Ransomware Offers Victims A Criminal Choice
Dec12

Ransomware authors are constantly developing new ways to spread their malicious software and pull in more ransom payments; however, Popcorn Time ransomware, a new variant recently discovered by researchers at MalwareHunterTeam, uses a tactic never seen before. Popcorn Time gives victims a choice: pay the ransom and regain access to their encrypted files, or obtain the decryption key for free. The catch? They must spread the ransomware and infect at least two further computers, giving the attackers two ransom payments instead of one. Of course, there is no guarantee that spreading the infection to other users will see the attackers make good on their offer. The victim’s files may remain locked and the attackers would potentially get...

Holiday Season Malware Infections Double in 2016
Dec02

Holiday season malware infections are to be expected: each year, as more shoppers head online, Windows malware infections increase. According to figures from Enigma Software Group (ESG), between Black Friday and Cyber Monday in 2015 malware infections were 84% higher than normal levels. This year, during the same period, infections were 118% higher than the level seen at other times of the year. Holiday season infections were twice those of last year, jumping by 106% between Black Friday and Cyber Monday. The true number of infected devices was undoubtedly higher, as ESG only used data from Windows PCs, not mobile devices or Apple computers. ESG attributes the increase mostly to the number of people who head online and make purchases over the weekend, which marks the...

1.3 Million Google Accounts Compromised Due to Gooligan Malware Infection
Nov30

Israeli cybersecurity firm Check Point has discovered a new form of Android malware, Gooligan, that is spreading at an alarming rate. A Gooligan infection potentially gives attackers access to the victim’s Google account and the data stored in Gmail, Google Drive, Google Photos, Google Play, G Suite and Google Docs. Already, more than 1.3 million Google accounts have potentially been compromised, and around 13,000 new devices are being infected every day. Check Point researchers said “We believe that it is the largest Google account breach to date.” Gooligan is spread via malicious applications downloaded from a host of third-party app stores. The apps look legitimate, although a download will result in a...

New Ransomware Variant Blackmails Victims
Nov17

Researchers at Proofpoint have identified a new ransomware variant named Ransoc that uses a different technique to extort money from victims. Rather than encrypting a wide range of file types and demanding payment for the key to unlock them, Ransoc blackmails its victims. Ransomware typically locks stored data with strong encryption, covering most common file formats including spreadsheets, documents, images and database files, and users must pay the ransom to recover their files. Usually there is an incentive to act quickly: the attackers claim data will be permanently locked if payment is not made within a stipulated time frame, anything from a couple of days to a week after the attack. If the...

Attackers Using ICMP Floods to Take Down Enterprise Firewalls
Nov15

Attackers Using ICMP Ping Floods to Take Down Enterprise Firewalls

According to researchers from Danish telecom firm TDC, attackers are using ICMP ping floods to perform Denial of Service (DoS) attacks which are capable of taking down enterprise firewalls. In contrast to standard DDoS attacks, the attacker does not need to use an army of hacked devices to pull off the attack. It can be performed using a single laptop computer. Further, the mitigations put in place to counter traditional DDoS attacks – provisioning extra bandwidth – are ineffective against this type of attack. The technique, termed BlackNurse, is an Internet Control Message Protocol (ICMP) attack using type 3 (destination unreachable) code 3 (port unreachable) packets. Attacks of 40K to 50K packets per second with a traffic speed of around 18 Mbit per second are all that is required to...
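The distinguishing feature of BlackNurse is the packet type rather than the bandwidth, so a sensor has to count ICMP type 3 / code 3 packets per second rather than bytes. The following script, added here as an example and not part of TDC's research or any product, parses raw IPv4/ICMP packets and raises an alert when a destination receives more than a threshold of such packets in one second. The capture it inspects is constructed inline (the IP addresses, timestamps and the 40,000 pps threshold are assumptions taken from the packet rates quoted above); checksums are left at zero because the parser does not validate them.

```python
import struct
from collections import Counter

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst


def build_icmp_packet(src, dst, icmp_type, icmp_code, payload=b""):
    """Construct a minimal IPv4+ICMP packet (checksums zero; test input only)."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def parse_icmp(pkt):
    """Return (src, dst, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20:
        return None
    fields = struct.unpack(IP_HDR, pkt[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4 or proto != 1:      # not IPv4, or not ICMP
        return None
    ihl = (ver_ihl & 0x0F) * 4               # honour IP options if present
    if len(pkt) < ihl + 4:
        return None
    icmp_type, icmp_code = struct.unpack("!BB", pkt[ihl:ihl + 2])
    return (".".join(map(str, src)), ".".join(map(str, dst)), icmp_type, icmp_code)


def blacknurse_alerts(packets, pps_threshold=40000):
    """packets: iterable of (timestamp_seconds, raw_ipv4_bytes).

    Buckets ICMP type 3 (destination unreachable) code 3 (port unreachable)
    packets by (whole second, destination) and returns (second, dst, count)
    for every bucket at or above the threshold. Bandwidth is deliberately
    ignored: at ~18 Mbit/s the attack never trips a volume-based alarm.
    """
    buckets = Counter()
    for ts, raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        _, dst, icmp_type, icmp_code = parsed
        if icmp_type == 3 and icmp_code == 3:
            buckets[(int(ts), dst)] += 1
    return sorted((sec, dst, n) for (sec, dst), n in buckets.items() if n >= pps_threshold)


def sample_capture():
    """Constructed capture: one second of a 45 Kpps flood, some echo requests,
    then a harmless trickle of port-unreachable messages in the next second."""
    flood_src, victim, other = "198.51.100.7", "203.0.113.1", "198.51.100.9"
    pkts = [(100.0 + i / 45000, build_icmp_packet(flood_src, victim, 3, 3))
            for i in range(45000)]
    pkts += [(100.5, build_icmp_packet(other, victim, 8, 0)) for _ in range(100)]
    pkts += [(101.0, build_icmp_packet(flood_src, victim, 3, 3)) for _ in range(500)]
    return pkts


if __name__ == "__main__":
    for sec, dst, n in blacknurse_alerts(sample_capture()):
        print(f"t={sec}s dst={dst}: {n} ICMP type3/code3 packets (possible BlackNurse)")
```

Real captures would be fed in from a pcap reader; the logic that matters is the per-second count of type 3 / code 3 packets, which is the only signal that separates this attack from ordinary background ICMP on a busy firewall.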

Read More
Cybercriminals Calling Customer Service Reps to Convince them to Open Infected Email Attachments
Nov15

Cybercriminals Calling Customer Service Reps to Convince them to Open Infected Email Attachments

Training employees not to open file attachments sent from unknown email accounts can help to prevent malware and ransomware infections. However, a well-known cybercriminal gang is increasing its number of infections by calling hotel and restaurant employees and asking them to open emails with infected attachments. Trustwave has recently issued a warning to hotel and restaurant chains advising them to be wary of the scam. The gang behind the campaign is calling customer service representatives and pretending to be clients who are having difficulty making reservations using the online booking function on the company’s website. The attackers tell the representative that they have sent the details needed for the reservation in a Word document attached to an email. The scammer remains on...

Read More
Locky Ransomware Campaign Targets OPM Data Breach Victims
Nov11

Locky Ransomware Campaign Targets OPM Data Breach Victims

The actors behind Locky ransomware have started using data from the OPM data breaches of 2014 and 2015 as part of a new campaign to spread cryptoransomware. It is unclear how much of the data has been obtained, although in total, 22 million user records were stolen in the OPM data breach. The mass spam emails contain a malicious JavaScript file which downloads Locky onto computers. Once installed the ransomware can encrypt files on the infected machine and network drives. At present there is no way of decrypting files locked by the ransomware. Files must either be recovered from backups or the ransom must be paid to obtain decryption keys. Individuals whose email addresses were obtained in the OPM data breach are being sent a fake notification that appears to have come from OPM account...

Read More
Microsoft Security Bulletins to End In January
Nov11

Microsoft Security Bulletins to End In January

Do you rely on Microsoft Security Bulletins to keep abreast of new patches and fixes to known vulnerabilities? If so, you should prepare for a change to how Microsoft announces its security fixes. In a recent blog post, Microsoft confirmed that the Security Bulletins – as we know them – will stop in January 2017. From February 2017, all patches and security fixes will be added to the Microsoft Security Update Guide database, and no more security bulletins will be released. The change is unlikely to have a major impact on users, as update information will still be made available. However, all the information that has previously been released via Microsoft Security Bulletins will be moved to a single database, which should – in theory at least – make it easy to...

Read More
New Business Email Compromise Scam Tactics Uncovered
Nov11

New Business Email Compromise Scam Tactics Uncovered

There are a variety of business email compromise tactics that are used by scammers to convince executives to make fraudulent wire transfers. However, a security researcher from Symantec has noticed some scammers have started taking a different approach to increase the success rate of BEC scams. The problem for the scammers is trust. While busy executives may be careless and fail to adequately check the legitimacy of bank transfer requests, widely publicized attacks on corporations have helped to raise awareness of the scams. Accounts department executives and other individuals responsible for making bank transfers are becoming more cautious. Cybercriminals have responded by changing their business email compromise scam tactics. Some scammers have resorted to more elaborate scams,...

Read More
New LinkedIn Social Engineering Scam Uncovered
Nov10

New LinkedIn Social Engineering Scam Uncovered

Researchers at Heimdal Security have uncovered a new LinkedIn social engineering scam that attempts to get LinkedIn account holders to reveal their personal information. The attackers are trying to gain access to users’ financial data as well as identity documents such as passport and driver’s license numbers that can be used to commit identity theft. The attackers are using a common social engineering technique designed to scare potential victims into responding. The emails claim that there is a security issue with users’ accounts that must be rectified promptly. As in other scams of this nature, a sense of urgency is injected by telling users that they must respond within 24 hours to ensure their account is not blocked. While many scams are sophisticated, this LinkedIn social...

Read More
Google Takes Action Against Websites that Repeatedly Serve Malware
Nov09

Google Takes Action Against Websites that Repeatedly Serve Malware

Google is to take action against websites that are repeatedly used to serve malware, unwanted software, or are used to phish for information. Once a website has been identified as a repeat offender, visitors to the website that use the Chrome browser will be served a warning alerting them that the site is being used to distribute malware. Site owners will be given the opportunity to clean their sites and have the warning removed, but the warning message will not be removed for 30 days. There will be no exceptions. Once branded as a repeat offender, webmasters will be required to wait 30 days before the warning will be removed. Google will notify site owners by email if their sites have been deemed to be repeat offenders. Webmasters will be able to submit a request to Google to have the...

Read More
Patch Tuesday Sees 68 Microsoft Vulnerabilities Fixed
Nov08

Patch Tuesday Sees 68 Microsoft Vulnerabilities Fixed

Microsoft has fixed 68 vulnerabilities this Patch Tuesday – including six that have been rated critical. The updates are spread across 14 security bulletins. The updates include fixes for two vulnerabilities that are currently being actively exploited, one of which (CVE-2016-7255) was announced by Google late last month. Google took the decision to announce the vulnerability within 10 days of alerting Microsoft to the issue, even though Microsoft’s policy of issuing updates would result in the vulnerability being known for some time before a fix was released. Google has a policy of issuing alerts within seven days if vulnerabilities are being actively exploited. Otherwise Google provides companies with three months to address the flaws or issue advice to mitigate the threat. Since...

Read More
Joomla Website Attacks Increase as Hackers Reverse Engineer Patches
Oct31

Joomla Website Attacks Increase as Hackers Reverse Engineer Patches

Two recently discovered critical vulnerabilities in the Joomla content management system are now being used by hackers in a wave of attacks on Joomla websites. While the vulnerabilities were not believed to have been exploited last week, that is no longer the case. Following the release of any Joomla patch, hackers are quick to take advantage: attacks on unpatched sites usually start within a matter of hours after a patch has been released. Hackers have now reverse-engineered the patches and worked out how to attack unpatched websites, taking less than 24 hours after the patches were released to do so. Within 36 hours, mass exploit attempts were detected, with almost 28,000 attacks attempted before the week was out, according to security firm...

Read More
NetSkope Performs Analysis of CloudFanta Malware
Oct27

NetSkope Performs Analysis of CloudFanta Malware

A new report published by NetSkope Threat Research Labs casts some light on CloudFanta malware, which is currently being spread via spearphishing campaigns. CloudFanta malware was first identified in July 2016 and is known to have been used in upwards of 26,000 credential-stealing attacks. The purpose of the malware is to steal email credentials and monitor online banking activities. Once email credentials have been obtained, messages are sent from the compromised account, while stolen banking credentials are used to make fraudulent transfers. Attacks have been concentrated in Brazil, although the use of CloudFanta malware is likely to spread further afield. As with many malware campaigns, infection begins with an email attachment or malicious link. The emails use social engineering...

Read More
New Locky Ransomware Variant Detected in Three Major Campaigns
Oct27

New Locky Ransomware Variant Detected in Three Major Campaigns

Locky ransomware continues to spread at an alarming pace, in part due to the number of different Locky ransomware variants that have now been released. New variants are now appearing on a weekly basis, with the malicious file-encrypting malware constantly being tweaked to avoid detection and keep security researchers guessing. Some of the latest variants of the ransomware have used the .sh*t extension rather than the more familiar .locky, although the latest variant has switched to the .thor extension. Regardless of the extension used, the effect is the same: Widespread encryption of files and deletion of Windows Shadow copies. At present, there is no decryptor available for any Locky variant. Recovery depends on the ability of victims to restore files from backups. Locky ransomware is...

Read More
Critical Joomla Vulnerabilities Addressed in New Security Release
Oct27

Critical Joomla Vulnerabilities Addressed in New Security Release

Two critical Joomla vulnerabilities and a two-factor authentication bug have been addressed this week. A new version of Joomla 3.x was released on Tuesday – Joomla! version 3.6.4 – and users are being encouraged to upgrade at the earliest opportunity to keep their websites secure. If exploited, the vulnerabilities could allow attackers to take full control of the Joomla CMS. The critical Joomla vulnerabilities can be exploited by attackers to create new user accounts and to elevate privileges. The vulnerabilities were identified earlier this month and affect versions 3.4.4 to 3.6.3. One of the vulnerabilities – CVE-2016-8870 – allows a new user to register on the site even when registration is disabled, and the companion flaw lets that user obtain elevated privileges. The vulnerability was first identified on October 18 and work on a patch started...

Read More
Emergency Flash Player Update Issued to Address Critical Flaw
Oct27

Emergency Flash Player Update Issued to Address Critical Flaw

An emergency Flash Player update has been issued by Adobe to plug a critical vulnerability that is currently being exploited in the wild. The flaw – which is being tracked as CVE-2016-7855 – is a use-after-free error which could be used for arbitrary code execution, allowing attackers to take full control of an affected system. The update has been released for Windows, Macintosh, Linux, and Chrome OS, although the exploit identified in the wild is being used to target Windows users (versions 7, 8.1, and 10). Due to the high risk of attack, users have been recommended to update Adobe Flash at the earliest opportunity. Attacks most commonly take place when users with outdated Flash versions visit compromised websites. However, even with careful browsing attacks can...

Read More
Cisco Email Security Appliance Flaws Patched
Oct26

Cisco Email Security Appliance Flaws Patched

On Wednesday this week, updated software was released to address nine Cisco email security appliance flaws. Cisco has not uncovered any evidence to suggest that any of the recently addressed flaws have actually been exploited in the wild, although users of its email security appliances have been advised to update to the latest version of its software at the earliest opportunity. The latest update resolves three denial-of-service flaws that affect the company’s AsyncOS software. Each of these vulnerabilities could be exploited by sending specially crafted emails and attachments which could cause a denial-of-service condition. All three of these Cisco email security appliance flaws have been rated as high severity. CVE-2016-6356 is a flaw in the email message filtering feature of AsyncOS...

Read More
Warning Issued on Fake Microsoft Security Essentials Installer
Oct25

Warning Issued on Fake Microsoft Security Essentials Installer

A fake Microsoft Security Essentials installer is being used by scammers to fool users into calling a bogus tech support team. The fake installer generates what appears to be Microsoft’s infamous “blue screen of death.” The mouse pointer is disabled and users are prevented from opening Task Manager. To fix the problem they are told they must call a tech support line. Calling the support line will require the user to part with their credit card details in order to pay for support, download and install software to fix a non-existent problem, or simply install additional malware on their computer. The fake installer is a malware variant called Hicurdismos. The fake Microsoft Security Essentials installer is being distributed bundled with other software...

Read More
Dirty Cow Linux Kernel Security Flaw Being Actively Exploited
Oct21

Dirty Cow Linux Kernel Security Flaw Being Actively Exploited

The Dirty Cow Linux kernel security flaw (CVE-2016-5195), discovered by a security researcher at software vendor Red Hat, is being actively exploited in the wild. The discovery has prompted Red Hat to issue a stern warning to Linux administrators to patch the flaw immediately; failure to do so could see the vulnerability exploited. Unfortunately, should the Dirty Cow Linux kernel security flaw be exploited, it may be hard to detect because it is difficult to differentiate between legitimate use and an attack. Currently anti-virus software is unlikely to detect Dirty Cow. Even if signatures are developed, they are only likely to be able to detect an attack when one occurs; they would be unlikely to be able to block one. The flaw has existed for around nine years. It was given the...

Read More
Critical VeraCrypt Flaws Patched: Users Urged to Upgrade
Oct21

Critical VeraCrypt Flaws Patched: Users Urged to Upgrade

Critical VeraCrypt flaws that were recently uncovered by cybersecurity firm QuarksLab have now been patched in version 1.19 of the popular full-disk encryption software. Users are being urged to upgrade to the latest version of the software as soon as possible now that details of the vulnerabilities have been disclosed publicly. VeraCrypt is the successor to TrueCrypt, which was a popular open source free file encryption program used by many organizations until the program was abandoned in 2014 when it was deemed not to be safe to use. QuarksLab conducted an audit, which was funded by the Open Source Technology Improvement Fund (OSTIF), in August this year. A previous Open Crypto Audit Project audit of TrueCrypt revealed numerous vulnerabilities in the program. The purpose of the latest...

Read More
Warning Issued About Hurricane Matthew Phishing Scams
Oct12

Warning Issued About Hurricane Matthew Phishing Scams

US-CERT has issued a warning about a spate of Hurricane Matthew phishing scams as cybercriminals attempt to defraud users and infect computers by taking advantage of interest in the hurricane. Following any natural disaster or major news event, scammers launch new campaigns to obtain sensitive information that can be used for identity theft and fraud. Cybercriminals also seize the opportunity to spread malware and ransomware. This natural disaster is no different. Hurricane Matthew phishing scams are conducted to obtain sensitive information such as bank account information and credit card numbers which can be used to commit fraud. Users should also be careful about divulging any sensitive information online or via email which could be used by identity thieves. Hurricane Matthew phishing...

Read More
Increase in IT Support Scams Reported by ESET
Oct12

Increase in IT Support Scams Reported by ESET

According to a recent report from ESET, IT support scams are on the increase with users in France, Canada, the U.S. and UK currently most at risk. ESET has discovered an increase in HTML/FakeAlert malware signaling a new global campaign has been launched. HTML/FakeAlert is a generic name given to webpages which display fake alert messages warning that systems are infected with malware or viruses. The sites also warn of technical problems that have been detected on users’ computers. Visiting an infected website or malicious site that uses HTML/FakeAlert malware will result in a warning message being displayed. IT support scams typically start with users being advised to download software which it is claimed will scan their device for malware or technical issues. The scans reveal numerous...

Read More
Virlock Ransomware Capable of Spreading via Cloud Sync
Oct11

Virlock Ransomware Capable of Spreading via Cloud Sync

Virlock Ransomware has been around since 2014; however, the latest version of the file-encrypting malware has a host of new capabilities making it even more dangerous. Virlock ransomware can now encrypt all files it comes into contact with. The methods used for spreading infections are also now much more effective. The latest version is capable of spreading internally via cloud sync and collaboration applications. Initial infection occurs via email, malicious websites, or USB sticks. Once one computer is infected, all files on that device are encrypted, yet those encrypted files can also infect other users. According to security researchers at NetSkope, Virlock is a polymorphic file infector ransomware. The malware contains polymorphic code, malware code, and embedded clean code....

Read More
StrongPity Malware Masquerades as WinRAR and TrueCrypt Installers
Oct11

StrongPity Malware Masquerades as WinRAR and TrueCrypt Installers

Researchers at Kaspersky Lab have discovered a new malware named StrongPity which is being spread via bogus WinRAR and TrueCrypt installers. Infection with StrongPity malware would result in attackers gaining full control of the user’s device. The malware is also an information stealer and can be used by the attackers to steal the entire contents of a hard drive. StrongPity malware infections have mostly been limited to Belgium and Italy, although there have been reports that users in the Middle East and North Africa have also been attacked with the malware. Outside of Italy and Belgium, most attacks have occurred in Turkey and Algeria. At present, no attacks are believed to have occurred in the United States. Users looking to install the file compression software WinRAR, or the...

Read More
5 Critical Flaws and 5 Zero Days Fixed This Patch Tuesday
Oct11

5 Critical Flaws and 5 Zero Days Fixed This Patch Tuesday

Microsoft has issued ten bulletins this Patch Tuesday, which fix five new zero days and five critical vulnerabilities. In contrast to previous Patch Tuesdays, older Microsoft operating systems are now being updated using Microsoft’s new patching policy of bundling patches together. Administrators must therefore decide whether to apply all of the patches or none since it is no longer possible to select which updates to install. This could potentially create problems for administrators. Updates may need to be applied when there is a known compatibility issue with one or more elements. Otherwise the update will need to be avoided which will leave systems vulnerable. Then there is the issue of the size of the updates. When a large number of issues are addressed on Patch Tuesday, downloading...

Read More
Zero-Day WinRAR Vulnerability is Simply a New Attack Vector
Oct07

Zero-Day WinRAR Vulnerability is Simply a New Attack Vector

In late September, news surfaced of a new zero-day WinRAR vulnerability affecting the latest version (WinRAR 5.21) of the software. If exploited, users would risk not only infecting their computer but also networks to which their computer connects. WinRAR is a popular file compression program that has been installed on more than 500 million devices around the world. The WinRAR vulnerability was rated 9.2 on the Common Vulnerability Scoring System (CVSS); vulnerabilities with a rating of 7-10 are classed as high severity. According to the security researcher who claims to have discovered the WinRAR flaw – Mohammad Reza Espargham – “The code execution vulnerability can be exploited by remote attackers without privilege system user account or user interaction,” in remote code...

Read More
DressCode Android Malware Capable of Stealing Data from Corporate Networks
Oct04

DressCode Android Malware Capable of Stealing Data from Corporate Networks

DressCode Android malware is now packaged into more than 3,000 apps, many of which are available through the Google Play store, according to Trend Micro. The malware has been spreading fast since April, although it was only discovered in August this year. One of the main risks from infection with the malware is not the theft of data from the device itself, but from any networks to which the device connects. If a personal device infected with the malware is used to access a corporate network, the malware could potentially steal a wealth of data. Since 82% of companies have a BYOD policy or allow the use of personal devices to access corporate networks, many companies are likely to be at risk of a DressCode Android malware attack. The malware has been discovered in over 400 apps...

Read More
MarsJoke Ransomware Campaign Discovered: K12 Schools Targeted
Sep28

MarsJoke Ransomware Campaign Discovered: K12 Schools Targeted

A massive spam email campaign was launched this week to spread MarsJoke Ransomware, a relatively new ransomware variant that was first discovered by Proofpoint researcher Darien Huss in August this year. Spam emails are often sent out randomly by cybercriminal gangs in the hope that some end users will open the emails and infect their computers. However, the gang behind this campaign is targeting government organizations and K12 educational institutions, and to a lesser extent, healthcare organizations and companies in the telecommunication sector. MarsJoke Ransomware was initially sent out in small campaigns in August using the Kelihos botnet. Security researchers noticed that the Kelihos botnet had been growing in size over the summer and that operations had been changed from...

Read More
Malicious Hancitor Downloader Receives an Update
Sep27

Malicious Hancitor Downloader Receives an Update

Security researchers at FireEye have reported that the malicious Hancitor downloader has been updated again. The latest version of the malware now uses a three-pronged approach to infect users and gain access to – and steal – data. The Hancitor downloader was first discovered about two years ago, although infections had all but stopped for a number of months until the malware re-emerged in May this year. Now it would appear that the malware has been updated again and has new capabilities. According to FireEye researchers, “These [new] capabilities include leveraging uncommon APIs and obscuring malicious PowerShell commands, tactics that made detection more challenging.” The malware is primarily being spread by spam email via infected documents that appear to be invoices. Infection occurs...

Read More
Malvertising on Adult Websites Increases
Sep16

Malvertising on Adult Websites Increases

The use of malvertising on adult websites is nothing new. However, over the past few weeks malvertising attacks have increased and users of adult websites are being targeted. The latest attacks are used to direct visitors to malicious websites in what has been termed the ‘Afraidgate’ campaign. The campaign is used to redirect visitors to websites hosting the Neutrino exploit kit. Neutrino has been used to push Locky ransomware in the past, although that ransomware variant is now mostly being sent via spam email. This campaign uses Neutrino to install CryptXXX ransomware. The latest attacks are taking place via adult websites that serve ad banners in the sidebars. An ad server has been hacked and malicious adverts are now being displayed. Website visitors are not required to click the...

Read More
Malicious Microsoft Publisher Files Used in Phishing Attacks on Businesses
Sep16

Malicious Microsoft Publisher Files Used in Phishing Attacks on Businesses

Hackers are using malicious Microsoft Publisher files to create backdoors in Windows computers. The files are being used in targeted attacks on businesses, with a view to stealing sensitive data. A new campaign has been identified by Bitdefender that is targeting small to medium-sized businesses in the UK and China. So far, around 2,000 of the malicious emails have been captured. Spear phishing emails containing malicious Microsoft Publisher files appear to be sent from employees in legitimate businesses. The emails claim to contain a purchase order and users are advised to open the attachment to view details of the order and to confirm that it has been received. It is relatively rare for spammers to use the .pub format to spread malware, instead they tend to prefer other Microsoft...

Read More
Microsoft Patch Tuesday Sees 47 Vulnerabilities Addressed
Sep14

Microsoft Patch Tuesday Sees 47 Vulnerabilities Addressed

Microsoft Patch Tuesday saw 47 security vulnerabilities addressed in Windows, Office, Office Services and Web Apps, MS Exchange, Adobe Flash Player, and Internet Explorer and Edge. The updates are split across 14 security bulletins: seven of the security bulletins address critical vulnerabilities, while the remaining seven are rated as important. Microsoft has warned that failure to install the updates would leave systems vulnerable to remote code execution attacks. The critical security bulletins are: MS16-104: Cumulative Security Update for Internet Explorer (3183038) MS16-105: Cumulative Security Update for Microsoft Edge (3183043) These bulletins address vulnerabilities that could be exploited if the user visits a specially crafted webpage using the IE or Edge browsers. The...

Read More
September Flash Player Update Tackles 29 Vulnerabilities
Sep14

September Flash Player Update Tackles 29 Vulnerabilities

The September Flash Player update – which was released on September 13, 2016 – addresses 29 security vulnerabilities in the software. This year has seen a number of emergency updates issued by Adobe to plug critical vulnerabilities in Flash Player. Between May and June 2016, 52 bugs were fixed that could potentially be exploited by hackers to gain access to the host system, some of which were being actively exploited by hackers. No update was issued last month, but this month a number of critical Flash Player vulnerabilities have been addressed. Most of the vulnerabilities that have been addressed in the September Flash Player update could be exploited to allow remote code execution by malicious actors, although Adobe says none of the flaws have been used in public attacks on host...

Read More
RAA Ransomware Tweaked to Attack Businesses
Sep12

RAA Ransomware Tweaked to Attack Businesses

A new variant of RAA ransomware has been discovered by Kaspersky Lab. The new RAA ransomware variant has been developed to make it more effective against businesses. RAA ransomware was first discovered in June and was also found to incorporate Pony, an information-stealing Trojan. However, the hackers responsible for developing RAA ransomware have been working on making the file-encrypting, information-stealing malware more effective. The new variant – called Trojan-Ransom.JS.RaaCrypt.ag – contains a number of new functions that make it far more effective at attacking businesses. The primary method of delivery is the same as RAA1: the ransomware is delivered to end users via email. However, in order to bypass spam filters, the latest version of the ransomware is...

Read More
Critical MySQL Database Vulnerability Discovered
Sep12

Critical MySQL Database Vulnerability Discovered

A critical MySQL database vulnerability has been discovered which could allow hackers to gain full control of MySQL servers, as well as the MariaDB and Percona Server forks. The critical MySQL database vulnerability (CVE-2016-6662) has also been disclosed publicly by Dawid Golunski, the security researcher who found the flaw. The vulnerability could be exploited by an attacker via SQL injection, although a successful attack could also take place if the attacker has an authenticated connection to the MySQL service. The flaw allows the attacker to modify the MySQL configuration file. This would allow an attacker-controlled library to be loaded and executed with root privileges if the MySQL process is started with the mysqld_safe wrapper script. Golunski claims that the vulnerability...
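Because the attack works by planting a library-loading directive in an option file that the mysql user can write, the cheapest check an administrator can run is to audit the option files themselves: look for a malloc_lib setting that points outside the system library directories, and for !include / !includedir lines that pull in further files. The script below is an added example, not code from Golunski's advisory or from MySQL; the option-file text it inspects is constructed inline, and the library path, the section names and the list of trusted library directories are assumptions, as is the file-ownership helper (which does a plain stat check, not a full ACL evaluation).

```python
import os
import re
import stat

# Constructed option file: the malloc_lib line under [mysqld_safe] is the
# kind of directive the attack leaves behind (path is a made-up example).
SAMPLE_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
!includedir /etc/my.cnf.d

[mysqld_safe]
log-error=/var/log/mysqld.log
malloc_lib = /var/lib/mysql/evil_preload.so
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>.*?)\s*$")
INCLUDE_RE = re.compile(r"^\s*!(includedir|include)\s+(?P<path>\S+)")

# Assumed set of directories a legitimate malloc_lib (e.g. jemalloc) would live in.
TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/usr/local/lib")


def audit_mysql_config(text, trusted_lib_dirs=TRUSTED_LIB_DIRS):
    """Scan MySQL option-file text and return a list of (line, kind, value) findings.

    kind is "untrusted_malloc_lib" for a malloc_lib directive whose path is not
    under a trusted library directory (mysqld_safe would LD_PRELOAD it as root),
    or "include" for !include/!includedir lines, which must be audited in turn
    because each included file is another place the directive could be hidden.
    """
    findings = []
    section = None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        m = INCLUDE_RE.match(line)
        if m:
            findings.append((lineno, "include", m.group("path")))
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue                      # flag-style options such as skip-networking
        key = m.group("key").replace("-", "_").lower()
        value = m.group("value").strip("\"'")
        if key == "malloc_lib" and not value.startswith(trusted_lib_dirs):
            findings.append((lineno, "untrusted_malloc_lib", value))
    return findings


def config_writable_by(path, uid):
    """True if the option file is owned by uid or is world-writable.

    Golunski's advice is that no option file read by mysqld_safe should be
    owned by the mysql user; this is the corresponding stat-level check.
    """
    st = os.stat(path)
    return st.st_uid == uid or bool(st.st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for lineno, kind, value in audit_mysql_config(SAMPLE_CNF):
        print(f"line {lineno}: {kind}: {value}")
```

On a live host the same audit would be run over every option file mysqld_safe consults (for example /etc/my.cnf, /etc/mysql/my.cnf, the data directory's my.cnf, and anything they include), together with config_writable_by(path, mysql_uid) for each of them; a file that is both writable by the mysql user and carries an unexpected malloc_lib line is the exploit's footprint.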

Read More
USB Killer Uses Electrical Attacks to Destroy Devices
Sep12

USB Killer Uses Electrical Attacks to Destroy Devices

Researchers in Hong Kong have developed a USB device – USB Killer – that appears to be just like any other flash drive. However, plugging the device into a USB port on a computer will deliver a power surge that fries the circuits of the device into which it is plugged. While many organizations have implemented controls that prevent USB devices from being used to install malware, the researchers note that computers and other devices with USB ports are not protected against electrical attacks. These attacks can be conducted by saboteurs. Public-facing computers are especially at risk, and even more so since the USB Killer is now being sold online. The device – termed USB Killer 2.0 – was developed by Hong Kong-based company USBKill.com. The device collects...

Read More
Plug and Play USB Attack Technique That Opens Locked PCs and Macs
Sep08

Plug and Play USB Attack Technique That Opens Locked PCs and Macs

An alarming new hacking technique has been discovered that will let an individual gain access to a locked computer within 20 seconds. The Plug and Play USB attack is also surprisingly simple and only costs around $50 to pull off. Because it can be performed so quickly, it could easily be used to gain access to a computer while the user visits the restroom. In order for the hack to be pulled off, the victim must be logged in to their device; however, the lock screen will not prevent the computer from being accessed, no matter how complex the password is. Security researcher Rob Fuller discovered that it is possible to obtain system credentials using the Plug and Play USB attack in as little as 13 seconds on devices running Windows 98, XP SP3, Windows 7 SP1, and Windows 10 Enterprise/Home, as well...

Read More
CryLocker Ransomware Claims 8,000 Victims in Two Weeks
Sep08

CryLocker Ransomware Claims 8,000 Victims in Two Weeks

CryLocker ransomware is spreading fast. In the past two weeks, the malicious file-encrypting crypto-ransomware variant has infected more than 8,000 computers. According to MalwareHunterTeam researchers, approximately 3,200 individuals had been infected with CryLocker ransomware by September 2, 2016. By September 4, the number had more than doubled with 6,800 confirmed victims. On September 5, there were more than 8,000 victims. CryLocker ransomware encrypts a very long list of file types, including images, videos, databases, documents, spreadsheets, and project files. Encrypted files are given the .cry extension. Windows shadow copies are also deleted to make it harder for victims to recover their files without paying the ransom. The ransomware also performs a backup of desktop...

Read More
US-CERT Warns of Increased Threat to Network Infrastructure Devices
Sep07

US-CERT Warns of Increased Threat to Network Infrastructure Devices

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about the rising threat to network infrastructure devices following a spate of attacks. As US-CERT points out in the warning, protecting the network infrastructure is critical if the confidentiality, integrity, and availability of data and communication services are to be preserved. While organizations have perimeter defenses in place to protect their networks from attack, it is no longer sufficient to just employ firewalls and intrusion detection systems. The capabilities of organized hacking groups have increased considerably in recent years. In addition to installing perimeter defenses, organizations must also be able to protect internal systems from attack and implement the necessary policies and...

Read More
Emergency OS X Security Updates Released by Apple
Sep02

Emergency OS X Security Updates Released by Apple

Apple has released emergency OS X security updates to tackle three zero-day vulnerabilities which are being actively exploited. The emergency OS X updates tackle the “Trident vulnerabilities” which are currently being used by the Israeli firm NSO Group Technologies. According to security researchers from Lookout Security and Citizen Lab, the exploits, which were discovered last week, could well have been weaponized and used to attack iOS and OS X devices. All users have been advised to install the emergency OS X security updates as soon as possible to ensure their devices are protected from attack. In order for the vulnerabilities to be exploited, a targeted user must be convinced to visit a malicious webpage. As recent research by Wombat has shown, phishing campaigns can be highly...

Read More
EXTRABACON Flaw Patched by Cisco
Aug26

EXTRABACON Flaw Patched by Cisco

After being alerted to the EXTRABACON flaw on August 13, 2016, Cisco has begun issuing software updates for its Adaptive Security Appliance devices, and other affected devices including its Firepower products. The EXTRABACON flaw was brought to the attention of Cisco by a group called Shadow Brokers. A couple of weeks ago, Shadow Brokers claimed to have stolen code and exploits from a nation-state spying group called the Equation Group, which is believed to have links to the NSA’s Tailored Access Operations team. EXTRABACON is a zero-day exploit that is understood to have been developed by the Equation Group. It can be used to attack a range of Cisco security products including its ASA devices. However, the exploit cannot be used to attack all Cisco ASA devices, only those that have SNMP...

Read More
Qualcomm Chip Vulnerabilities Affect Close to 1 Billion Android Phones
Aug09

Qualcomm Chip Vulnerabilities Affect Close to 1 Billion Android Phones

Android smartphones and tablets are at risk of compromise due to four recently discovered Qualcomm chip vulnerabilities, according to security researchers at Check Point. The so-called QuadRooter vulnerabilities affect approximately 900 million Android devices, including some of the most popular smartphones on the market. Owners of a Google Nexus phone (5X, 6, and 6P), Blackberry (Priv), OnePlus (One, 2 or 3), HTC (One, M9 or 10), Samsung (Galaxy S7 or S7 Edge), Motorola (Moto X), Sony (Xperia Z Ultra), LG (G4, G5, or V10), or a Blackphone (1 or 2) are at risk of their device being attacked. The Qualcomm chip vulnerabilities allow attackers to escalate privileges on the affected devices and gain root access. This would give the attacker full control of the device. The Qualcomm chip...

Read More
Wireless Keyboard Vulnerabilities Discovered
Jul28

Wireless Keyboard Vulnerabilities Discovered

Researchers at Bastille have discovered wireless keyboard vulnerabilities that can be exploited to inject keystrokes into targeted PCs, but worse still, armed with a $12 radio device hackers could record the keystrokes from wireless keyboards. Furthermore, close proximity to the keyboard is not necessary. Attackers could conceivably pick up keystrokes or inject them from as far away as 250 feet. Previously the same researchers uncovered serious vulnerabilities with the dongles used to receive signals from wireless mice and keyboards. The attack methods they developed have now been applied to hundreds more devices. The researchers published the findings of their study of wireless keyboard vulnerabilities this Tuesday. They will be presenting their research at the upcoming Defcon hacker...

Read More
New PowerWare Ransomware Variant Mimics Locky
Jul23

New PowerWare Ransomware Variant Mimics Locky

Palo Alto Networks’ Unit 42 team has reported the discovery of a new PowerWare ransomware variant that pretends to be Locky in an attempt to fool users into paying the ransom demand. At present there is no decryption tool available to unlock files that have been locked by Locky ransomware, although decryption tools do exist to unlock PowerWare ransomware infections. PowerWare ransomware was first discovered in March 2016, although it has been around in a different format since 2014, when it was known as PoshCoder. PoshCoder also mimicked other ransomware variants in an attempt to get users to think that there was no way of recovering files without paying the ransom. In the past, PoshCoder has used the same ransom notes that were used by the gangs behind TeslaCrypt and CryptoWall. The new...

Read More
Ransomware Gang Starts Sending CryptXXX Spam Emails
Jul19

Ransomware Gang Starts Sending CryptXXX Spam Emails

CryptXXX is now one of the most prevalent variants of ransomware. While the ransomware variant has previously been delivered using exploit kits such as Neutrino and Angler, Proofpoint has discovered thousands of CryptXXX spam emails in the past few days. The ransomware gang behind CryptXXX is diversifying and using different delivery mechanisms to install the malicious software on victims’ computers. Proofpoint reports a 96% decline in exploit traffic between April and June, which has been attributed to the disappearance of the Angler exploit kit. Angler activity was noted to be in steep decline since April, falling to virtually zero by May 22. By June 7, Angler had disappeared. CryptXXX was moved to the Neutrino EK, although Neutrino EK activity has also fallen dramatically. The fall...

Read More
Ranscam Ransomware: If Infected, It’s Already Too Late to Recover Files
Jul13

Ranscam Ransomware: If Infected, It’s Already Too Late to Recover Files

Ranscam ransomware may appear to be just like any other form of malicious file-encrypting software at first glance. Victims are informed that their files are encrypted and that they must pay a ransom in order to recover them. A ransom of 0.2 Bitcoin is demanded by the attackers to supply the keys to unlock the encryption. The victim is informed that essential files on their computer have been “crypted”, and that the computer will not function properly. What is different in the case of Ranscam ransomware is that the attacker claims to have moved files to a hidden partition on the hard drive. That is not all that is different. If the victim chooses to pay the ransom, they will not be provided with a decryption key to recover their files. The ransom note claims that payment of the...

Read More
New Apple Computer Malware Discovered
Jul07

New Apple Computer Malware Discovered

It is relatively rare for new Apple computer malware to be developed, because malware developers prefer to concentrate on malware that targets Windows devices. It is easier, and the profits are higher because there are more potential victims. However, in recent years there has been a significant increase in new Apple computer malware. This year, two new forms of malware have been discovered by security researchers. The latest variants of Apple computer malware – Eleanor and KeRanger – could cause certain Mac users serious problems. KeRanger was discovered in March of this year. KeRanger is a form of ransomware that targets the OS X platform. It is only the second ransomware variant discovered that specifically targets Mac users, the first being 2014’s FileCoder ransomware. FileCoder was...

Read More
Satana Ransomware: New Ransomware Threat Prevents OS from Loading
Jul05

Satana Ransomware: New Ransomware Threat Prevents OS from Loading

Windows users face a new and particularly nasty threat: Satana ransomware. The latest ransomware variant prevents the operating system from booting in addition to encrypting user files. An infection will see a wide range of user files encrypted. The ransomware also replaces the master boot record with a new version and encrypts the original. This will prevent the operating system from running the next time the computer is rebooted. If the victim wants to recover their files and regain use of their machine, they must restore the locked files and reinstall the operating system. Alternatively, they will need to pay a ransom of 0.5 Bitcoin (approximately $340). However, since their computer will have been taken out of action, victims must use a second device in order to pay. It may be possible...

Read More
New Ransomware Variant Prevents OS Boot
Jul04

New Ransomware Variant Prevents OS Boot

A new ransomware strain has been discovered that not only encrypts user files, it prevents the device from booting. Satana ransomware encrypts the master boot record, thus disabling the computer it has infected. The new ransomware strain appears to still be under development, yet it is active and poses a serious threat to businesses and individuals. At present, there is no fix for a Satana ransomware infection. If files are encrypted they can only be recovered from a backup or by paying the attacker’s ransom demand. If no backup exists and the ransom is not paid, a victim will permanently lose their files. Most ransomware variants do not encrypt key operating system files or prevent booting. They only target users’ files. Documents, spreadsheets, databases, images, and a host...

Read More
US-CERT Issues Warning About the Resurgence of Malicious Macros
Jun06

US-CERT Issues Warning About the Resurgence of Malicious Macros

The use of malicious macros as a method of spreading malware fell out of favor by the start of the new millennium, although over the past few months, malicious macros have made something of a comeback. The malicious macro is now back and is being used by cybercriminals to rapidly spread malware and ransomware to unsuspecting end users. On Thursday last week, the United States Computer Emergency Readiness Team (US-CERT) issued an advisory warning of the increased risk of attack via macro-based malware, and urged companies and consumers to take steps to reduce risk. The advisory came after a number of successful macro-based malware attacks, some of which caused widespread disruption and extensive damage. In late December 2015, cyberattacks were conducted on Ukrainian energy companies...

Read More
Phishing Threat Greater Than Any Other Time in History
May26

Phishing Threat Greater Than Any Other Time in History

The Anti-Phishing Working Group (APWG) has released a new report on phishing that shows, during the first three months of 2016, phishing activity was greater than at any other time in history. APWG defines phishing as a criminal mechanism that employs technical subterfuge and social engineering techniques to steal personal identity data and financial credentials. APWG therefore includes CEO scams or business email compromise attacks, fraudulent and spoofed websites, phishing emails, malware that logs keystrokes, and websites that have been infected with keylogging malware. For the report, APWG studied data from member companies from around the globe from a wide range of industry sectors. The study showed that the worst hit country was China, where 57.24% of computers are infected,...

Read More
Adobe Warns of Actively Exploited Zero-Day Flash Vulnerabilities
May11

Adobe Warns of Actively Exploited Zero-Day Flash Vulnerabilities

Adobe has issued a warning about a new critical security vulnerability that is being actively exploited by hackers. The vulnerability affects Adobe Flash 21.0.0.226 and all previous versions for Windows, Linux, Mac, and Chrome OS. Adobe plans to address the vulnerability in its next monthly security update, although until that update is released all users are potentially at risk. The monthly update is expected to be released as early as May 12. Adobe rates the vulnerability – APSA16-02 (CVE-2016-4117) – as critical. The vulnerability was detected by security firm FireEye on May 8, 2016. FireEye reported that while the vulnerability affected multiple operating systems, the active exploit it discovered was targeting Windows users with Microsoft Office installed. The exploit had been embedded...

Read More
Threat from Ransomware Prompts FBI to Issue a Warning to Healthcare Organizations
May05

Threat from Ransomware Prompts FBI to Issue a Warning to Healthcare Organizations

The threat from ransomware has increased considerably over the course of the past few months, and healthcare organizations are in cybercriminals’ cross-hairs. Attacks on healthcare providers have been occurring with increasing regularity, prompting the FBI to issue a warning. Ransomware is not new, but it is increasingly being used by cybercriminals to attack large organizations. In 2015, the FBI saw a sharp upward trend in the use of ransomware to attack organizations. Healthcare organizations are being targeted because they hold large volumes of data which are needed for day-to-day operations. If cybercriminals can break through security defenses and lock data files, organizations may be forced to give in to the attackers’ ransom demands. The FBI warns that as long as cybercriminals are...

Read More
Apple Pulls Plug On QuickTime: Uninstall Recommended
Apr14

Apple Pulls Plug On QuickTime: Uninstall Recommended

Apple has taken the decision to stop providing support for QuickTime 7 for Windows. The QuickTime support page has now been updated to alert users that security updates will no longer be issued, although an official announcement has not yet been made. On its website, Apple suggested users should uninstall QuickTime for Windows as soon as possible. Trend Micro reiterated the urgent need for everyone to remove the application in order to prevent vulnerabilities from being exploited by malicious actors. The urgent need to uninstall QuickTime for Windows was due to the discovery of two new critical vulnerabilities – ZDI-16-241 and ZDI-16-242 – by the Trend Micro Zero Day Initiative. While these two heap corruption remote code execution vulnerabilities are not known to be currently...

Read More
Locky and Samas Attacks Prompt US-CERT to Issue Ransomware Alert
Mar31

Locky and Samas Attacks Prompt US-CERT to Issue Ransomware Alert

The spate of recent ransomware attacks on U.S. healthcare providers and businesses has prompted US-CERT to issue a warning about the destructive ransomware variants, Locky and Samas. The latest alert was issued by the Department of Homeland Security in conjunction with the Canadian Cyber Incident Response Centre (CCIRC) to raise awareness of the threat from ransomware, the mode of action of the malicious software, the variants that are currently proliferating, and the actions that can be taken to reduce the risk of attack. While ransomware has been around for several years, attacks have been limited until recently. Now many malicious actors are turning to ransomware to extort money out of victims and the threat to businesses is growing. Ransomware victims are told that their systems and...

Read More
Microsoft Issues EHR Data Encryption Warning
Sep08

Microsoft Issues EHR Data Encryption Warning

The effectiveness of EHR data encryption has been placed in doubt following the release of a research paper by Microsoft. A stern warning of data encryption security vulnerabilities has also been issued covering all encryption systems based on CryptDB. Researchers are due to present the results from their security study at the ACM Conference on Computer and Communications Security, which is due to take place next month. The paper has however been made available before the presentation, and due to the high risk of the vulnerabilities actually being used by malicious outsiders to gain access to healthcare databases, a warning was issued to all healthcare providers using CryptDB-based encryption systems for their EHRs. Microsoft’s team of researchers discovered that EHR databases have a...

Read More
New Android Smartphone Data Security Warnings Issued
Sep03

New Android Smartphone Data Security Warnings Issued

An Android smartphone data security warning has recently been issued by IBM’s X-Force Application Security Research Team. Check Point has also discovered Android security vulnerabilities which have potential to be exploited by hackers. The new security vulnerabilities have been discovered in the operating system, with IBM’s warning suggesting as many as 55% of Android phone users could be affected by the security flaw. The warning came just a few days after Check Point discovered new flaws with Android phones which have potential to affect millions of users around the world. One of the problems with Android smartphone data security is due to the software installed on the devices by manufacturers. This software cannot be uninstalled without first rooting the device, and even then it is not...

Read More
Social App Security Vulnerabilities Leave VA Vulnerable to Cyberattacks
Aug29

Social App Security Vulnerabilities Leave VA Vulnerable to Cyberattacks

The Department of Veterans Affairs (VA) has been warned that social app security vulnerabilities have potential to expose the data of veterans, according to a recent audit conducted by the VA Office of Inspector General (OIG). The warning came after the OIG discovered that a number of VA employees had been using the social media app, Yammer. The app was found to contain security vulnerabilities that could potentially be exploited by hackers seeking access to Social Security numbers and other protected data of veterans.

VA Policy Violations Aplenty

The main security issue with Yammer is that the website lacks an administrator who could remove former VA employees from the site. There was also no automated system in place to ensure contractor employees were removed when access rights should be...

Read More
SMS Text Message Hacking: A Worry for HIPAA Covered Entities
Aug18

SMS Text Message Hacking: A Worry for HIPAA Covered Entities

This summer, two hackers successfully took control of a car – a Jeep Cherokee – by remotely hacking into its computer system and killing the engine, a feat they claimed was possible from a radius of 70 miles. They gained access via an open port in the car’s infotainment system, via its cellular connection. The potential hacking of automobiles may be a worry for drivers, but not a major concern for healthcare providers and other HIPAA-covered entities. However, the incident does demonstrate the skills of the hackers, and hackers are targeting healthcare providers, insurers and other HIPAA-covered entities for the data they hold. Worse news for healthcare providers comes from the latest hacking of a vehicle, this time via mobile SMS messages. SMS text message hacking is a new method of...

Read More
Serious Drug Pump Security Risk Uncovered
Aug05

Serious Drug Pump Security Risk Uncovered

Hospira, a manufacturer of drug delivery pumps and medical devices, is the subject of a recent Food and Drug Administration warning about a serious drug pump security risk with one of its products. The company has stopped producing the Symbiq range of drug delivery pumps, although a number of U.S. hospitals are still using the medical devices. This is of major concern to the FDA, which has recently issued an alert about the devices, warning healthcare providers to stop using the pumps and make the transition to other models, or brands, which carry a much lower security risk. The Symbiq drug pump security risk is highly serious. The devices have a security flaw that could enable a hacker to take control of the equipment, potentially using the devices to access healthcare provider computer...

Read More
New Study Highlights Healthcare Malware Risks
Jul12

New Study Highlights Healthcare Malware Risks

A new study has highlighted new healthcare malware risks, indicating there is a very real and present danger of cybersecurity attacks. But more worrying than the possibility of an attack is news that those attacks have already taken place, and hackers are already browsing system data, patient files, and other sensitive material without the healthcare provider’s knowledge.

Healthcare Malware Risks are not Just Theoretical – Hackers May Already be Inside Computer Networks

Vectra Networks, a provider of network security services, recently analyzed the computer networks of 40 enterprises as part of a new data security study. Over 250,000 separate networked devices were analyzed to check for malware and evidence of targeted attacks by hackers. The company’s report makes for shocking reading....

Read More
FBI Warning Issued over Cryptowall Ransomware Threat
Jun25

FBI Warning Issued over Cryptowall Ransomware Threat

The Cryptowall ransomware threat has now reached a critical level, with the FBI deeming it necessary to issue a warning to allow businesses and individuals to take extra care. Ransomware is a type of malware that disables the target’s computer by encrypting the device. If an attack is successful, the device will be locked until a ransom is paid. Only then will the necessary security fix be provided to unlock the device. There are numerous threats from ransomware, although one variant in particular is causing the most problems: Cryptowall. According to the FBI warning, the number of reported cases of Cryptowall malware in the last two months has reached 992. That figure will now almost certainly be higher as more individuals download the malware. The FBI estimates that the malware is...

Read More
Healthcare Providers Face Medical Device Hacking Risk
Jun13

Healthcare Providers Face Medical Device Hacking Risk

Any healthcare provider believing the risk of a data breach through a medical device is low should think again: a new white paper suggests the medical device hacking risk to be much higher than expected. Thieves are actually using the devices to gain access to healthcare computer networks. HIPAA-covered entities ignoring the risk do so at their peril. Hackers can use the devices to gain access to much more than the data stored on the devices.

Many Security Vulnerabilities Are Missed During Risk Assessments

The TrapX Labs white paper suggests that hackers are taking advantage of security vulnerabilities which are often missed by risk assessments. Medical equipment – radiology equipment for example – collects and stores PHI and if access can be gained, that information can be stolen....

Read More

Mobile Data Security Concerns Consumers

A recent study conducted by iReach Insights has highlighted that consumers on both sides of the Atlantic have major mobile data security concerns, and in particular, about the security of the cloud and the data stored on their portable devices. The mobile data security concerns are justified. A smartphone contains original data such as photographs, text messages, conversations and contact details, many of which are irreplaceable. Smartphones also have access to social media profiles such as Facebook, Twitter and LinkedIn, and webmail services can be accessed through the phones, giving the user full access to all received and sent emails. The survey indicates that in the 18-54 age group, 80% of users rated the contents of their phone as equally if not more valuable than the phone itself,...

Read More