News Stories (Feb-12-2016)
--F-Secure: New malvertising campaign delivers ransomware via Skype, browsers (Feb-11-2016)
Researchers at F-Secure have detected a malvertising campaign that delivers phony online ads to not only traditional browser platforms but also the Skype video chat application.
The malicious ads are distributed via the AppNexus ad platform (adnxs.com). Users who click on them are redirected to a landing page for the Angler exploit kit, which then downloads TeslaCrypt ransomware. Historically, TeslaCrypt ransom demands have asked victims for $500 in bitcoins in order to unlock encrypted files.
F-Secure initially noted in a blog post that the campaign ended very quickly, peaking over a period of five hours spanning Feb. 9 and 10. However, Karmina Aquino, senior manager of threat research at F-Secure, told SCMagazine.com in a Thursday email correspondence, “I checked our telemetry again this afternoon and the activity has resumed, which still show[s] evidence of Skype displaying the malicious ads.”
Users who have been victimized via their browsers encountered the malicious advertising while visiting one of several targeted websites, including Italian online marketplace eBay.it, gaming sites Wowhead, GSN.com, ZAM and Wikia.com, the news site Daily Mail Online and the MSN.com Internet portal.
Clicking the ad from Skype, on the other hand, launches the user's default browser, and so the effect would be the same, explained Aquino, adding, “These activities have not led us to conclude that Skype is the main target of the attackers; rather, the infection that happened through Skype is just a side effect because Skype uses the same ad platform that the attackers compromised.”
--Microsoft's February Patch Tuesday: 13 bulletins addressing 36 vulnerabilities (Feb-09-2016)
Microsoft's February Patch Tuesday contains 13 bulletins, six rated critical – all of which can allow remote code execution if exploited.
None of the vulnerabilities has been spotted in the wild; however, they affect almost all of Microsoft's product areas, including Windows, Internet Explorer (IE), Edge and Office.
“The common thread amongst almost all the vulnerabilities is the system loading up untrusted files or content, which for certain formats seems to be a very regular issue,” Jon Rudolph, principal software engineer at Core Security, told SCMagazine.com Tuesday in an email.
The standout patch for this cycle, according to several industry insiders, is the critical-rated MS16-022 for Adobe Flash Player. It addresses 20 specific vulnerabilities on all supported editions of Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1 and Windows 10.
“MS16-022 leads our priority list at Qualys for this month. None of the vulnerabilities described is in use in the wild, but many are rated as easily exploitable by both Microsoft and Adobe, so you should address them quickly,” Wolfgang Kandek, Qualys CTO, wrote in his blog.
Tyler Reguly, a Tripwire researcher, noted that for the first time Adobe Flash Player embedded within IE and Edge received its own, stand-alone bulletin.
“Previously, Microsoft updated the same KB on a month-by-month basis with no defining elements. This is a welcome change and hopefully it bodes well for other areas where Microsoft continues to do this,” Reguly told SCMagazine in a Tuesday email.
Bulletin MS16-015 was also highlighted by Kandek and other industry executives as being of particular interest. This bulletin covers Microsoft Office: a user who opens a specially crafted Word file could allow the attacker to run arbitrary code.
“There is a SharePoint update included in the Office bulletin, MS16-015. This is a critical bulletin and has a publicly disclosed vulnerability, CVE-2016-0039. One of the complicating factors with SharePoint is the fact that rollback is not an easy thing if something breaks. If you have not already done so, we highly recommend virtualizing your SharePoint servers so you can take advantage of snapshot capabilities to roll back to a good state, in case something goes wrong,” said Chris Goettl, product manager with Shavlik.
The other critical patches are MS16-009, MS16-011, MS16-012 and MS16-013. The remaining seven bulletins are rated as important by Microsoft.
Lane Thames, a Tripwire researcher, said consumers and enterprise users who are still using the now-unsupported IE 7 and 8 need to upgrade their systems as soon as possible. Thames believes reverse engineers and exploit kit developers will be studying bulletin MS16-009 in order to target the now-vulnerable browsers.
“Enterprise organizations who require these browsers due to legacy applications must ensure that these systems do not have access to external or untrusted websites,” Thames told SCMagazine.com Tuesday in an email correspondence.
--Oracle patches Java SE vulnerability (Feb-08-2016)
Oracle issued a security alert and patches for CVE-2016-0603, which can affect Java SE 6, 7 or 8 running on Windows.
Attackers looking to take advantage of the vulnerability must lead their victims through a somewhat convoluted process: the victim has to be lured to a malicious website, where malware is downloaded onto the victim's computer before any of the affected Java versions is installed, according to the Oracle warning. The problem was rated 7.6 out of 10 on the Common Vulnerability Scoring System.
If not fixed, the problem could result in the complete compromise of the victim's computer.
Oracle recommended that Java SE owners who have downloaded older versions of Java SE prior to 6u113, 7u97 or 8u73, but have not yet installed them, discard these old downloads and replace them with versions 6u113, 7u97 or 8u73 or later.
--Remtasu trojan latest tactic: posing as malicious Facebook app (Feb-08-2016)
Remtasu, a Windows-based trojan whose global reach has accelerated over the last year, has switched tactics, disguising itself as a malicious application for accessing people's Facebook account credentials. Ostensibly, the malware is now targeting users who themselves are up to no good, according to a Monday “We Live Security” blog post by IT security company ESET.
The dangerous Win32/Remtasu.Y malware automatically downloads onto machines after victims visit a drive-by download website, then it duplicates and hides itself among other files.
Virus activity is most prevalent in Colombia, but has also been detected in Turkey, Thailand and elsewhere. In previous iterations, the malware was downloaded when victims opened malicious files attached to phishing emails purporting to be from legitimate businesses or government agencies.
Certain variants allow hackers to pull up information stored on a device's clipboard as well as capture keystrokes.
--Skype targeted by T9000 backdoor trojan (Feb-08-2016)
Palo Alto Networks researchers spotted a new, more complex backdoor trojan that is targeting Skype users and which can identify and evade the security software found on the victim's computer.
Palo Alto's Josh Grunzweig and Jen Miller-Osborn, part of the company's Unit 42 research team, dubbed the backdoor T9000 as it is a newer variant of the T5000 backdoor. The researchers noted in a blog post that the T9000's primary function is to gather information on the victim by capturing encrypted data, take screenshots of specific applications
One way the T9000 differs from other backdoor trojans is its greater complexity: it uses a multi-stage installation program and carries a list of 24 security software products that it checks for during installation, enabling the malware to avoid detection.
“The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community,” the researchers wrote in the blog.
The primary target for the T9000 has been large organizations, Grunzweig and Miller-Osborn said. One reason for this could be the heavy adoption of Skype among businesses that see the face-to-face video software as a useful tool, said Tim Erlin, Tripwire's director of security and risk strategy.
“Users may think of Skype as a valuable channel for exchanging information, but that user value translates into profit for cyber attackers,” he said to SCMagazine.com in an email Monday.
Those Skyping from an infected computer may also find themselves being watched from afar: the researchers found that the trojan periodically snaps images during video calls, and, to cover all its bases, T9000 also captures audio calls and stores them as .wav files.
--Univ. of Central Florida Data Breach (Feb-04-2016)
The University of Central Florida (UCF) has disclosed that its computer systems were breached, compromising the personal information of 63,000 current and former students, staff and faculty. The breach was detected last month and is being investigated by law enforcement and a digital forensics company.
--Malwarebytes Will Fix Flaws Found by Project Zero (Feb-03-2016)
Google's Project Zero team has disclosed vulnerabilities in Malwarebytes that could be exploited to launch man-in-the-middle attacks. Project Zero discovered that Malwarebytes updates were being downloaded over an insecure HTTP channel and that they were not signed. Malwarebytes was notified of the issue in November but did not fix it within Project Zero's 90-day window. A Malwarebytes executive says the issues will be fixed within the next several weeks.
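The defensive counterpart to the flaw described above, as an added example that is not Malwarebytes' or Project Zero's code: an update client that rejects plaintext transport, unsigned manifests and payloads that do not match the signed digest. The manifest format, the URLs and the Demo flow are constructed for illustration and are assumptions, not anything from the vendor's updater.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a constructed update descriptor: payload URL, its hex SHA-256,
// and the publisher's Ed25519 signature over those two fields.
type Manifest struct {
	URL, SHA256 string
	Sig         []byte
}

func (m Manifest) signedBytes() []byte { return []byte(m.URL + "\n" + m.SHA256) }
func digest(b []byte) string            { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// VerifyUpdate enforces the checks reported as missing: HTTPS transport, a valid
// manifest signature under the client's pinned key, and a matching payload digest.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return errors.New("update URL must use https")
	}
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if digest(payload) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}

// Demo signs a manifest as a publisher would (hypothetical flow, not any vendor's
// code), then verifies a genuine update, a swapped payload and an HTTP downgrade.
func Demo() (genuine, swapped, plainHTTP error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update bytes v1.2.3")
	m := Manifest{URL: "https://updates.example/v1.bin", SHA256: digest(payload)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	genuine = VerifyUpdate(pub, m, payload)
	swapped = VerifyUpdate(pub, m, []byte("attacker-substituted bytes"))
	m.URL = "http://updates.example/v1.bin" // downgraded transport also breaks the signature
	plainHTTP = VerifyUpdate(pub, m, payload)
	return
}
func main() { fmt.Println(Demo()) }
```

Only the genuine case returns nil; a payload replaced in transit fails the digest check and a manifest rewritten to HTTP is refused before the signature is even examined.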