Viruses and Worms

Navy names new attack sub HMS Agincourt

The Register - Anti-Virus - 14 May 2018 - 16:11
The last one was named after a Dickensian thief, to be fair

The Royal Navy, always keeping up with the times, has named its newest attack submarine HMS Agincourt, after the 1415 battle where an English army beat French troops led by its nobility.…

Category: Viruses and Worms

Wah, encryption makes policing hard, cries UK's National Crime Agency

The Register - Anti-Virus - 14 May 2018 - 15:35
Ever since Snowden it's been the default – report

Encryption is making it more difficult for law enforcement agencies to detect dangerous offenders, according to the National Crime Agency's (NCA) yearly assessment of serious organised crime in Britain.…

Category: Viruses and Worms

Nest turns up the temperature on password reusers

Sophos Naked Security - 14 May 2018 - 14:41
Nest's advice to its users gets a thumbs-up from the Online Trust Alliance.

Warehouse full of digital copiers yields truckloads of secrets

Sophos Naked Security - 14 May 2018 - 14:36
Copiers' hard drives aren't typically encrypted or wiped. One result: a used copier with 300 people's medical records: just hit "print!"

Is Google’s Duplex AI helpful or plain creepy?

Sophos Naked Security - 14 May 2018 - 14:19
Last week, Google CEO Sundar Pichai used the company’s annual I/O event to demo an experimental new feature of Google Assistant: Duplex.

Remote code execution bug found in GPON routers, but how bad is it really?

Sophos Naked Security - 14 May 2018 - 14:07
An anonymous researcher recently disclosed two vulnerabilities in several older models of Dasan-made GPON routers.

2 million lines of source code left exposed by phone company EE

Sophos Naked Security - 14 May 2018 - 13:22
What should be secret AWS and API keys were (un)secured with the default password credentials: "admin" as the name, "admin" for a password.

IT threat evolution Q1 2018. Statistics

Kaspersky Securelist - 14 May 2018 - 12:00

Q1 figures

According to KSN:

  • Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
  • 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
  • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
  • Ransomware attacks were registered on the computers of 179,934 unique users.
  • Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.
  • Kaspersky Lab products for mobile devices detected:
    • 1,322,578 malicious installation packages
    • 18,912 installation packages for mobile banking Trojans
    • 8,787 installation packages for mobile ransomware Trojans

Mobile threats

Q1 events

In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.

This malicious resource shows a fake window while displaying the legitimate site in the address bar

It wasn’t a drive-by-download case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it’s interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.

However, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.

Some backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user’s phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let’s hope that the app creators had the noble intention of protecting users from telephone spam and fraudulent calls, but simply chose the wrong means to do so.

Mobile threat statistics

In Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q1 2018

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018

Among all the threats detected in Q1 2018, the lion’s share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.

Advertising apps, which ranked second in Q4 2017, dropped a place—their share decreased by 8%, accounting for 11% of all detected threats.

On a separate note, Q1 saw a rise in the share of mobile banking threats. This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.

TOP 20 mobile malware

Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

   #  Verdict                               %*
   1  DangerousObject.Multi.Generic         70.17
   2  Trojan.AndroidOS.Boogr.gsh            12.92
   3  Trojan.AndroidOS.Agent.rx              5.55
   4  Trojan-Dropper.AndroidOS.Lezok.p       5.23
   5  Trojan-Dropper.AndroidOS.Hqwar.ba      2.95
   6  Trojan.AndroidOS.Triada.dl             2.94
   7  Trojan-Dropper.AndroidOS.Hqwar.i       2.51
   8  Trojan.AndroidOS.Piom.rfw              2.13
   9  Trojan-Dropper.AndroidOS.Lezok.t       2.06
  10  Trojan.AndroidOS.Piom.pnl              1.78
  11  Trojan-Dropper.AndroidOS.Agent.ii      1.76
  12  Trojan-SMS.AndroidOS.FakeInst.ei       1.64
  13  Trojan-Dropper.AndroidOS.Hqwar.gen     1.50
  14  Trojan-Ransom.AndroidOS.Zebt.a         1.48
  15  Trojan.AndroidOS.Piom.qmx              1.47
  16  Trojan.AndroidOS.Dvmap.a               1.40
  17  Trojan-SMS.AndroidOS.Agent.xk          1.35
  18  Trojan.AndroidOS.Triada.snt            1.24
  19  Trojan-Dropper.AndroidOS.Lezok.b       1.22
  20  Trojan-Dropper.AndroidOS.Tiny.d        1.22

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected using cloud technologies. Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (12.92%). This verdict is given to files recognized as malicious by our system based on machine learning.

Third was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan’s task is to covertly visit web pages as instructed by its C&C.

Fourth and fifth places went to the Trojan matryoshkas Trojan-Dropper.AndroidOS.Lezok.p (5.23%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 Trojan-Dropper threats effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate reverse engineering. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.

Sixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the Trojan.AndroidOS.Triada family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in “clean” apps.

The ransomware Trojan Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding its icon at startup and requesting device administrator rights to counteract deletion. Like other such mobile ransomware, the malware is distributed under the guise of a porn app.

Another interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.

Geography of mobile threats

Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)

TOP 10 countries by share of users attacked by mobile malware:

   #  Country*       %**
   1  China          34.43
   2  Bangladesh     27.53
   3  Nepal          27.37
   4  Ivory Coast    27.16
   5  Nigeria        25.36
   6  Algeria        24.13
   7  Tanzania       23.61
   8  India          23.27
   9  Indonesia      22.01
  10  Kenya          21.45

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). The biggest climber was Nepal (27.37%), rising from ninth place last year to third.

Russia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).

The safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).

Mobile banking Trojans

In the reporting period, we detected 18,912 installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q1 2018

   #  Verdict                                %*
   1  Trojan-Banker.AndroidOS.Asacub.bj      12.36
   2  Trojan-Banker.AndroidOS.Svpeng.q        9.17
   3  Trojan-Banker.AndroidOS.Asacub.bk       7.82
   4  Trojan-Banker.AndroidOS.Svpeng.aj       6.63
   5  Trojan-Banker.AndroidOS.Asacub.e        5.93
   6  Trojan-Banker.AndroidOS.Hqwar.t         5.38
   7  Trojan-Banker.AndroidOS.Faketoken.z     5.15
   8  Trojan-Banker.AndroidOS.Svpeng.ai       4.54
   9  Trojan-Banker.AndroidOS.Agent.di        4.31
  10  Trojan-Banker.AndroidOS.Asacub.ar       3.52

* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.

Note that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.

Geography of mobile banking threats in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile banking Trojans

   #  Country*      %**
   1  Russia        0.74
   2  USA           0.65
   3  Tajikistan    0.31
   4  Uzbekistan    0.30
   5  China         0.26
   6  Turkey        0.22
   7  Ukraine       0.22
   8  Kazakhstan    0.22
   9  Poland        0.17
  10  Moldova       0.16

* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

The Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.

The US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the Trojan-Banker.AndroidOS.Svpeng family, as well as Trojan-Banker.AndroidOS.Faketoken.z.

Mobile ransomware Trojans

In Q1 2018, we detected 8,787 installation packages for mobile ransomware Trojans, just over half the number seen in the previous quarter and 22 times fewer than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a "banker."

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 – Q1 2018)

Note that despite the decline in their total number, ransomware Trojans remain a serious threat: technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and, if an attempt is made to revoke them, locks the smartphone screen with a PIN of its own. If the device had no screen lock before (whether PIN, pattern, numeric or biometric), it is now locked out entirely, and the only way to restore it to working order is a factory reset.
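The device-administrator trick used by Svpeng and Zebt, the SMS interception and premium-SMS subscriptions of Faketoken and Trojan-SMS.Agent.xk, and the overlay windows of the Asacub/Svpeng bankers all leave a static footprint in an app's manifest. The triage script below is an added example, not Kaspersky code: it assumes the AndroidManifest.xml has already been decoded from binary XML (for instance with apktool) and runs over two constructed manifests, one mimicking the ransomware/banker profile and one benign. The "profile" heuristic is this example's own assumption.

```python
"""Static triage of a decoded AndroidManifest.xml for the capabilities the
report attributes to mobile ransomware and bankers: device-administrator
receivers (Zebt, Svpeng), SMS interception and sending (Faketoken, SMS
Trojans), overlay windows for phishing (Asacub, Svpeng), calls and USSD,
and the absence of a launcher icon. Added example, not Kaspersky code."""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NAME = ANDROID_NS + "name"

# Permission -> capability it unlocks. Each is legitimate on its own; the
# combination with a device-admin receiver is what makes it a finding.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (mTAN/OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate subscriptions)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (phishing overlays)",
    "android.permission.CALL_PHONE": "place calls and USSD requests",
}


def _actions(intent_filter: ET.Element) -> set:
    return {a.get(NAME) for a in intent_filter.iter("action")}


def _is_launcher(activity: ET.Element) -> bool:
    """True if the activity has a MAIN/LAUNCHER intent filter, i.e. an icon."""
    for flt in activity.iter("intent-filter"):
        categories = {c.get(NAME) for c in flt.iter("category")}
        if ("android.intent.action.MAIN" in _actions(flt)
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def triage_manifest(manifest_xml: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing notable."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in PERMISSION_FLAGS:
            findings.append(f"permission {name}: {PERMISSION_FLAGS[name]}")
    app = root.find("application")
    if app is None:
        return findings + ["no <application> element"]
    for rcv in app.iter("receiver"):
        # A receiver guarded by BIND_DEVICE_ADMIN is how an app becomes a device
        # administrator: once granted, plain uninstall is refused and the app
        # can lock the screen or change the lock PIN.
        if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(f"receiver {rcv.get(NAME)}: device administrator "
                            "(resists removal, can lock the device)")
        for flt in rcv.iter("intent-filter"):
            if "android.provider.Telephony.SMS_RECEIVED" in _actions(flt):
                prio = flt.get(ANDROID_NS + "priority", "0")
                findings.append(f"receiver {rcv.get(NAME)}: listens for "
                                f"SMS_RECEIVED (priority {prio})")
    if not any(_is_launcher(a) for a in app.iter("activity")):
        findings.append("no MAIN/LAUNCHER activity: no icon for the user to tap")
    return findings


def matches_profile(findings: List[str]) -> bool:
    """Heuristic assumed by this example (not a Kaspersky rule): device
    administrator combined with SMS or overlay capability."""
    admin = any("device administrator" in f for f in findings)
    sms_or_overlay = any("SMS" in f or "overlays" in f for f in findings)
    return admin and sms_or_overlay


# Constructed manifests for demonstration, as apktool would decode them.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Video Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"{label}: matches profile = {matches_profile(found)}")
        for line in found:
            print("  -", line)
```

The manifest only shows the static side: Zebt hides its icon at runtime through PackageManager.setComponentEnabledSetting, so a missing launcher activity is the static counterpart, and an app that ships a launcher activity but disables it later is only visible in code or on a device. Treat the findings as a reason to look at the APK, not as a verdict.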

The most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a, which was encountered by more than half of all attacked users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, which had held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.

Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

   #  Country*       %**
   1  Kazakhstan     0.99
   2  Italy          0.64
   3  Ireland        0.63
   4  Poland         0.61
   5  Belgium        0.56
   6  Austria        0.38
   7  Romania        0.37
   8  Hungary        0.34
   9  Germany        0.33
  10  Switzerland    0.29

* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000)
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).

Vulnerable apps used by cybercriminals

In Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader of recent years, browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that the only comparison is the number of Adobe Flash vulnerabilities found in the past. But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.

Distribution of exploits used in attacks by type of application attacked, Q1 2018

The most frequently used vulnerability in Microsoft Office in Q1 was CVE-2017-11882, a stack buffer overflow in Equation Editor, a rather old component of the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks, presumably because exploitation of CVE-2017-11882 is fairly reliable. In addition, the bytecode processed by Equation Editor allows various obfuscations, which increases the chances of bypassing protection and launching a successful attack (Kaspersky Lab's Equation file format parser handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. Exploits for the following logic vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759 and CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.
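Equation Editor exploits reach the victim as an OLE object embedded in an RTF (or Word) document, and the obfuscation the report mentions starts at that layer: the hex of the `\objdata` group is split by whitespace and junk control words, and the class name is written in mixed case. The scanner below is an added example and is not Kaspersky's Equation parser. It extracts each `\objdata` group, strips that padding, parses the OLE1 object header and flags objects whose class name is an Equation Editor ProgID; the RTF it runs on is constructed here, with a placeholder compound-file header instead of a real MTEF payload, so it is not an exploit.

```python
"""Triage an RTF file for embedded Equation Editor OLE objects.

Added example (not Kaspersky's Equation file format parser): it pulls every
{\\*\\objdata ...} group out of the RTF, strips the whitespace, nested-group
and control-word padding attackers use to break naive signatures, decodes
the hex into an OLE1 object and reports objects whose class name is an
Equation Editor ProgID. A hit says nothing about the MTEF payload itself,
but on a document from an untrusted source it is the indicator to act on."""
import re
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d*\s?")
HEX_CHARS = set("0123456789abcdefABCDEF")


@dataclass
class OleObject:
    class_name: str
    native_size: int
    native_data: bytes

    @property
    def is_equation_editor(self) -> bool:
        # Case-insensitive on purpose: samples use "EqUaTiOn.3" and similar.
        return self.class_name.lower().startswith("equation")


def objdata_groups(rtf: str) -> Iterator[str]:
    """Yield the text of each \\objdata group with RTF syntax removed."""
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, i, out = 1, m.end(), []
        while i < len(rtf) and depth > 0:
            ch = rtf[i]
            if ch == "\\":
                cw = CONTROL_WORD.match(rtf, i)
                i = cw.end() if cw else i + 2   # control word, or symbol like \* \{ \}
                continue
            if ch == "{":
                depth += 1       # nested junk groups: keep scanning, drop the braces
            elif ch == "}":
                depth -= 1
            else:
                out.append(ch)
            i += 1
        yield "".join(out)


def decode_hex(text: str) -> bytes:
    """Keep hex digits only (drops whitespace and non-hex junk), then decode."""
    digits = "".join(c for c in text if c in HEX_CHARS)
    return bytes.fromhex(digits[: len(digits) & ~1])


def parse_ole1(blob: bytes) -> Optional[OleObject]:
    """Parse the OLE1 header: OLEVersion, FormatID, then length-prefixed
    ClassName, TopicName and ItemName, then NativeDataSize and NativeData."""
    if len(blob) < 12:
        return None
    version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if version != 0x00000501:            # expected OLEVersion for RTF-embedded OLE1 objects
        return None
    pos = 12
    class_name = blob[pos:pos + name_len].split(b"\x00", 1)[0].decode("latin-1")
    pos += name_len
    for _ in range(2):                   # TopicName, ItemName
        if pos + 4 > len(blob):
            return None
        (n,) = struct.unpack_from("<I", blob, pos)
        pos += 4 + n
    if pos + 4 > len(blob):
        return None
    (size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    return OleObject(class_name, size, blob[pos:pos + size])


def scan_rtf(rtf: str) -> List[OleObject]:
    found = []
    for group in objdata_groups(rtf):
        obj = parse_ole1(decode_hex(group))
        if obj is not None:
            found.append(obj)
    return found


def build_sample_rtf(class_name: str = "EqUaTiOn.3") -> str:
    """Constructed sample, not an exploit: an embedded OLE1 object carrying a
    placeholder compound-file header as native data, hex-encoded and padded
    with newlines, a nested junk group and a \\bin0 control word."""
    name = class_name.encode() + b"\x00"
    native = b"\xd0\xcf\x11\xe0" + b"\x00" * 28   # placeholder bytes, no MTEF inside
    obj = (struct.pack("<III", 0x501, 2, len(name)) + name
           + struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native)
    hexdata = obj.hex()
    chunks = [hexdata[i:i + 7] for i in range(0, len(hexdata), 7)]
    body = "\n".join(chunks[:3]) + "{\\*\\junk x}\\bin0 " + " ".join(chunks[3:])
    return ("{\\rtf1{\\object\\objemb{\\*\\objclass " + class_name + "}"
            "{\\*\\objdata " + body + "}}}")


if __name__ == "__main__":
    for o in scan_rtf(build_sample_rtf()):
        print(f"class={o.class_name!r} native={o.native_size} bytes "
              f"equation_editor={o.is_equation_editor}")
```

The hex filter is deliberately blunt: junk groups whose text happens to look like hex, `\bin`-prefixed raw binary runs and other tricks need the group-aware handling of a maintained tool such as rtfobj from oletools. The point here is that the class name, not a byte signature over the raw file, is the stable thing to match, because the bytecode and its encoding vary from sample to sample while the object must still be handed to Equation Editor to fire.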

As for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.

Large-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited EternalBlue and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.

Malicious programs online (attacks via web resources)

The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Online threats in the financial sector

Q1 events

In early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind Dridex. As a result, the malware was rebranded FriedEx.

Q1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as reported by Europol. Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organization to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.

Financial threat statistics

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.

In Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.

Number of unique users attacked by financial malware, Q1 2018

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.


Geography of banking malware attacks in Q1 2018 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

   #  Country*       % of users attacked**
   1  Cameroon       2.1
   2  Germany        1.7
   3  South Korea    1.5
   4  Libya          1.5
   5  Togo           1.5
   6  Armenia        1.4
   7  Georgia        1.4
   8  Moldova        1.2
   9  Kyrgyzstan     1.2
  10  Indonesia      1.1

These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.
* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families

TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):

   #  Name          Verdicts*                          % of attacked users**
   1  Zbot          Trojan.Win32.Zbot                  28.0
   2  Nymaim        Trojan.Win32.Nymaim                20.3
   3  Caphaw        Backdoor.Win32.Caphaw              15.2
   4  SpyEye        Backdoor.Win32.SpyEye              11.9
   5  NeutrinoPOS   Trojan-Banker.Win32.NeutrinoPOS     4.5
   6  Emotet        Backdoor.Win32.Emotet               2.4
   7  Neurevt       Trojan.Win32.Neurevt                2.3
   8  Shiz          Backdoor.Win32.Shiz                 2.1
   9  Gozi          Trojan.Win32.Gozi                   1.9
  10  ZAccess       Backdoor.Win32.ZAccess              1.3

* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as Heodo. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.

Cryptoware programs

Q1 events

Q1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called GandCrab. Notable features of the malware include:

  • Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)
  • Ransom demand in the cryptocurrency Dash

GandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.
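A C&C domain in the .bit zone is a detection opportunity in itself: .bit is not delegated in the ICANN root, so a corporate resolver returns NXDOMAIN for it and the malware has to ask a Namecoin-aware resolver on the Internet directly. Both halves of that behaviour show up in DNS logs. The script below is an added example, not part of the report: it runs over constructed, Zeek-like tab-separated log lines (timestamp, client, resolver, query, rcode) and flags lookups for pseudo-TLDs (.bit, and .onion for Tor) as well as lookups sent to a resolver outside the approved set. The address 203.0.113.53 is a documentation address standing in for a public alternative-root resolver.

```python
"""Flag DNS lookups for pseudo-TLDs that only an alternative root can answer
(.bit via Namecoin, .onion via Tor) and lookups sent to resolvers outside the
approved set. Added example over constructed log lines; not from the report."""
from typing import Dict, List, Set

# TLDs with no delegation in the ICANN root: a host asking for one is either
# misconfigured or running software that deliberately avoids the public DNS.
ALT_ROOT_TLDS: Set[str] = {"bit", "onion"}

# Constructed sample: ts, client, resolver, query, rcode. The infected host
# first asks the corporate resolver (NXDOMAIN, as expected for .bit), then
# goes around it to an external resolver that can answer.
SAMPLE_LOG = (
    "1521460800.000\t10.0.0.15\t10.0.0.2\twww.example.com\tNOERROR\n"
    "1521460801.000\t10.0.0.15\t10.0.0.2\texample-c2.bit\tNXDOMAIN\n"
    "1521460802.000\t10.0.0.22\t10.0.0.2\tupdate.example.net\tNOERROR\n"
    "1521460803.000\t10.0.0.15\t203.0.113.53\texample-c2.bit\tNOERROR\n"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one tab-separated record; query names are normalised to lower
    case without a trailing dot so the TLD check is exact."""
    ts, client, resolver, query, rcode = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "resolver": resolver,
            "query": query.lower().rstrip("."), "rcode": rcode}


def flag_queries(log: str, approved_resolvers: Set[str]) -> List[Dict[str, object]]:
    """Return one alert per suspicious record, each carrying the list of
    reasons it matched, so a single line can trip both checks."""
    alerts: List[Dict[str, object]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons: List[str] = []
        tld = rec["query"].rsplit(".", 1)[-1]
        if tld in ALT_ROOT_TLDS:
            reasons.append(f"pseudo-TLD .{tld}")
        if rec["resolver"] not in approved_resolvers:
            reasons.append(f"unapproved resolver {rec['resolver']}")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_queries(SAMPLE_LOG, {"10.0.0.2"}):
        print(alert["client"], alert["query"], "->", "; ".join(alert["reasons"]))
```

The resolver check is the more general of the two and catches the next family that picks a different pseudo-TLD: if clients are only allowed to talk to the corporate resolvers, any port 53 traffic to another address is either a misconfiguration or something trying to escape your DNS visibility.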

The RaaS (ransomware as a service) distribution model continues to attract malware developers. In February, for example, a new piece of ransomware called Data Keeper appeared, which any cybercriminal who wished could distribute. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by "affiliate program" participants. A dangerous feature of this malware is its ability to propagate automatically inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.

One notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police managed to locate and confiscate a server used by the masterminds behind the Trojan Cryakl. Following the operation, Kaspersky Lab was given several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a tool to assist victims.

Number of new modifications

In Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.

Number of new cryptoware modifications, Q2 2017 – Q1 2018

The number of new modifications fell sharply against previous quarters. The trend indicates that cybercriminals using this type of malware are becoming less active.

Number of users attacked by Trojan cryptors

During the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.

Number of unique users attacked by cryptors, Q1 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors

   #  Country*      % of users attacked by cryptors**
   1  Uzbekistan    1.12
   2  Angola        1.11
   3  Vietnam       1.04
   4  Venezuela     0.95
   5  Indonesia     0.95
   6  Pakistan      0.93
   7  China         0.87
   8  Azerbaijan    0.75
   9  Bangladesh    0.70
  10  Mongolia      0.64

* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.

Despite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.

TOP 10 most widespread cryptor families

   #  Name                  Verdicts*                       % of attacked users**
   1  WannaCry              Trojan-Ransom.Win32.Wanna       38.33
   2  PolyRansom/VirLock    Virus.Win32.PolyRansom           4.07
   3  Cerber                Trojan-Ransom.Win32.Zerber       4.06
   4  Cryakl                Trojan-Ransom.Win32.Cryakl       2.99
   5  (generic verdict)     Trojan-Ransom.Win32.Crypren      2.77
   6  Shade                 Trojan-Ransom.Win32.Shade        2.61
   7  Purgen/GlobeImposter  Trojan-Ransom.Win32.Purgen       1.64
   8  Crysis                Trojan-Ransom.Win32.Crusis       1.62
   9  Locky                 Trojan-Ransom.Win32.Locky        1.23
  10  (generic verdict)     Trojan-Ransom.Win32.Gen          1.15

* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

This quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that’s been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. Statistics show that a new modification detected in December immediately began to attack user computers.

The remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.

Countries that are sources of web-based attacks: TOP 10

The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2018, Kaspersky Lab solutions blocked 796,806,112 attacks launched from Internet resources located in 194 countries worldwide. 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.

Distribution of web attack sources by country, Q1 2018

This quarter, Web Anti-Virus was most active on resources located in the US (39.14%). Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).

Countries where users faced the greatest risk of online infection

To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

   #  Country*      % of attacked users**
   1  Belarus       40.90
   2  Ukraine       40.32
   3  Algeria       39.69
   4  Albania       37.33
   5  Moldova       37.17
   6  Greece        36.83
   7  Armenia       36.78
   8  Azerbaijan    35.13
   9  Kazakhstan    34.64
  10  Russia        34.56
  11  Kyrgyzstan    33.77
  12  Venezuela     33.10
  13  Uzbekistan    31.52
  14  Georgia       31.40
  15  Latvia        29.85
  16  Tunisia       29.77
  17  Romania       29.09
  18  Qatar         28.71
  19  Vietnam       28.66
  20  Serbia        28.55

These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.69% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web attacks in Q1 2018 (percentage of attacked users)

The countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2018, our File Anti-Virus detected 187,597,494 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

     Country*       % of attacked users**
 1   Uzbekistan     57.03
 2   Afghanistan    56.02
 3   Yemen          54.99
 4   Tajikistan     53.08
 5   Algeria        49.07
 6   Turkmenistan   48.68
 7   Ethiopia       48.21
 8   Mongolia       46.84
 9   Kyrgyzstan     46.53
10   Sudan          46.44
11   Vietnam        46.38
12   Syria          46.12
13   Rwanda         46.09
14   Laos           45.66
15   Libya          45.50
16   Djibouti       44.96
17   Iraq           44.65
18   Mauritania     44.55
19   Kazakhstan     44.19
20   Bangladesh     44.15

These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.39% of computers globally faced at least one Malware-class local threat in Q1.

The figure for Russia was 30.92%.

The safest countries in terms of infection risk included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).

IT threat evolution Q1 2018

Kaspersky Securelist - 14 May, 2018 - 12:00

Targeted attacks and malware campaigns

Skygofree: sophisticated mobile surveillance

In January, we uncovered a sophisticated mobile implant that provides attackers with remote control of infected Android devices.  The malware, called Skygofree (after one of the domains it uses), is a targeted cyber-surveillance tool that has been in development since 2014.  The malware is spread by means of spoofed web pages that mimic leading mobile providers.  The campaign is ongoing and our telemetry indicates that there have been several victims, all in Italy.  We feel confident that the developer of Skygofree is an Italian IT company that works on surveillance solutions.

The latest version of Skygofree includes functionality that has so far not been seen in the wild.  Features include the ability to eavesdrop on conversations when the victim moves into a specific location, the use of Accessibility Services to capture WhatsApp messages, and the ability to force an infected device onto Wi-Fi networks controlled by the attackers.  The malware includes multiple exploits for root access and is capable of stealing pictures and videos, capturing call records, SMS, geo-location, calendar events and business-related data stored in the device’s memory.  The Skygofree implant puts itself in the list of ‘protected apps’, so that it doesn’t get switched off when the screen is off (this works around a battery-saving technique implemented by one of the top device vendors).

Our investigation also uncovered several spyware tools for Windows that form an implant for stealing sensitive data from a target computer.  The version we found was created at the start of 2017:  at the moment, we do not know if this implant has been used in the wild.

Since then we have also found a version for iOS that uses a rogue MDM (Mobile Device Management) server in order to infect devices.

Olympic Destroyer… but who did the ‘destroying’?

The issue of attribution was thrown into sharp relief following the malware attack on the Olympic infrastructure just before the opening of the games in February.  Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics web site – preventing visitors from printing tickets.  The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts.

Olympic Destroyer is a network worm whose main purpose is to deliver and start a wiper payload that tries to destroy files on remote network shares in the following 60 minutes. In the meantime, the main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that contains the old and the freshly collected compromised credentials.  This new generation of the worm is pushed to accessible local network computers and started with the PsExec tool, drawing on the stolen credentials and current user privileges.  Once the wiper has run for 60 minutes it cleans Windows event logs, resets backups, deletes shadow copies from the file system, disables the recovery item in the Windows boot menu, disables all services on the system and reboots the computer.  Those files on the network shares that it was able to wipe within 60 minutes remain destroyed.  The malware doesn’t use any persistence and even contains protection against recurring reinfection.
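A detection pass over process-creation logs for the anti-recovery sequence the worm runs after its 60-minute wiping phase, as an added example that is not code from the report. The log lines are constructed, and mapping the described actions onto the Windows utilities vssadmin, wmic, wbadmin, bcdedit, wevtutil and PsExec is this example's assumption, since the report names no commands.

```python
"""Flag hosts showing the Olympic Destroyer-style wiper sequence in process logs.

Added example, not code from the Securelist report. The sample log is constructed.
Matching on the standard Windows utilities that delete shadow copies, reset the
backup catalog, disable boot-menu recovery and clear event logs is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (image basename, substring that must appear in the command line, behaviour label)
INDICATORS = [
    ("vssadmin.exe", "delete shadows", "shadow_copy_deletion"),
    ("wmic.exe", "shadowcopy delete", "shadow_copy_deletion"),
    ("wbadmin.exe", "delete catalog", "backup_catalog_reset"),
    ("bcdedit.exe", "recoveryenabled no", "boot_recovery_disabled"),
    ("bcdedit.exe", "bootstatuspolicy ignoreallfailures", "boot_recovery_disabled"),
    ("wevtutil.exe", " cl ", "event_log_cleared"),
    ("psexec.exe", "", "psexec_remote_exec"),
]

# Constructed process-creation records: timestamp, host, image path, command line.
SAMPLE_LOG = "\n".join([
    "2018-02-09T19:55:14Z\tWS-KR-017\tC:\\Users\\Public\\PsExec.exe\t"
    "PsExec.exe -accepteula \\\\WS-KR-022 -d C:\\Windows\\Temp\\svc.exe",
    "2018-02-09T20:56:02Z\tWS-KR-017\tC:\\Windows\\System32\\vssadmin.exe\t"
    "vssadmin.exe delete shadows /all /quiet",
    "2018-02-09T20:56:03Z\tWS-KR-017\tC:\\Windows\\System32\\wbadmin.exe\t"
    "wbadmin.exe delete catalog -quiet",
    "2018-02-09T20:56:05Z\tWS-KR-017\tC:\\Windows\\System32\\bcdedit.exe\t"
    "bcdedit.exe /set {default} recoveryenabled no",
    "2018-02-09T20:56:07Z\tWS-KR-017\tC:\\Windows\\System32\\wevtutil.exe\t"
    "wevtutil.exe cl System",
    "2018-02-09T20:56:08Z\tWS-KR-017\tC:\\Windows\\System32\\wevtutil.exe\t"
    "wevtutil.exe cl Security",
    # Benign: a backup job rotating its own shadow copies (a single indicator).
    "2018-02-10T03:00:00Z\tSRV-BACKUP\tC:\\Windows\\System32\\vssadmin.exe\t"
    "vssadmin.exe delete shadows /for=D: /oldest",
    # Benign: an analyst querying, not clearing, the Security log.
    "2018-02-10T09:12:41Z\tWS-KR-003\tC:\\Windows\\System32\\wevtutil.exe\t"
    "wevtutil.exe qe Security /c:5 /f:text",
])


def classify(image, cmdline):
    """Return the behaviour label for one process-creation event, or None."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = " " + cmdline.lower() + " "  # pad so ' cl ' also matches at either end
    for exe, needle, label in INDICATORS:
        if name == exe and needle in cmd:
            return label
    return None


def parse_log(text):
    """Parse the tab-separated constructed format into (time, host, image, cmdline)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("\t", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, image, cmdline))
    return events


def find_wiper_hosts(events, window=timedelta(minutes=15), min_distinct=3):
    """Return {host: sorted labels} for hosts with >= min_distinct different
    behaviours inside one time window.  A lone shadow-copy deletion (backup
    software) or a log query never reaches the threshold; the clustered
    cleanup burst does."""
    per_host = defaultdict(list)
    for ts, host, image, cmdline in sorted(events):
        label = classify(image, cmdline)
        if label:
            per_host[host].append((ts, label))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            labels = {lab for ts, lab in hits[i:] if ts - start <= window}
            if len(labels) >= min_distinct:
                alerts[host] = sorted(labels)
                break
    return alerts


if __name__ == "__main__":
    for host, labels in find_wiper_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(labels))
```

The PsExec push happens an hour before the cleanup burst, so it is recorded under its own label rather than folded into the window; correlating it separately with the later burst is the next step a hunt would take.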

One of the most notable aspects of this incident was the ‘attribution hell’ that followed.  In the days after the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in these countries or working for the governments of these countries.

Our own researchers were also trying to understand which group was behind the attack.  At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack.  We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component.  However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact.  When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus.  So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.

The problems associated with attribution must be taken seriously.  Given how politicised cyberspace has recently become, incorrect attribution could lead to severe consequences; and it’s possible that threat actors might try to manipulate the opinion of the security community in order to influence the geo-political agenda.

Sofacy turns eastwards

Sofacy (aka APT28, Fancy Bear and Tsar Team) is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years.  In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond.  Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents.  This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy uses different tools for different target profiles.  Early in 2017, the group’s ‘Dealer’s Choice’ campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine).

Later in the year, the group used other tools from its arsenal, ‘Zebrocy’ and ‘SPLM’, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East.

Sophisticated threat actors such as Sofacy continually develop the tools they use.  The group maintains a high level of operational security and focuses on making its malware hard to detect.  In the case of groups such as Sofacy, once any signs of their activity have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as e-mail and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors.  We have seen cases where Sofacy’s Zebrocy malware has competed for access to victim’s computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia.

The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind The Lamberts. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware.  The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies.  However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including that Sofacy could be using a new and as yet undetected exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection.  We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

Slingshot: a route[r] into the network

One of the presentations at this year’s Kaspersky Security Analyst Summit was a report on a sophisticated cyber-espionage platform that has targeted victims in the Middle East and Africa since 2012.

Slingshot uses an unusual (and, as far as we know, unique) attack vector.  Many of the victims were attacked by means of compromised MikroTik routers.  The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device.  This DLL is a downloader for other malicious files that are then stored on the router.  When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer.

Slingshot loads a number of modules onto the victim’s computer, including two huge and powerful ones:  Cahnadr, a kernel mode module, and GollumApp, a user mode module.  The two modules are connected and support each other in gathering information, persistence and data exfiltration.  GollumApp is the most sophisticated of the modules:  it contains nearly 1,500 user-code functions and provides most of the routines for persistence, file system control and C2 (Command-and-Control) communications.  Cahnadr (also known as NDriver) contains low-level routines for network, IO operations and so on. Its kernel-mode program is able to execute malicious code without crashing the whole file system or causing a blue screen – a remarkable achievement.  Cahnadr, written in pure C language, provides full access to the hard drive and operating memory, notwithstanding device security restrictions, and carries out integrity control of various system components to avoid debugging and security detection.

Slingshot incorporates a number of techniques to help it evade detection.  These include encrypting all strings in its modules, calling system services directly in order to bypass security-product hooks, using a number of anti-debugging techniques and selecting which process to inject depending on the installed and running security solution processes.

Further information on targeted attack activity in the first quarter of 2018 can be found in the APT trends report for Q1 2018.

Malware stories

A Spectre is haunting Europe – and anywhere else with vulnerable CPUs

Two severe vulnerabilities affecting Intel CPUs were reported early in 2018. Dubbed ‘Meltdown’ and ‘Spectre’, they respectively allow an attacker to read memory from any process and from its own process.  The vulnerabilities have been around since at least 2011.

Rumours of a new attack on Intel CPUs emerged at the start of December 2017 when e-mails on the LKML (Linux kernel mailing list) appeared about adding the KAISER patches to the Linux kernel.  These patches, designed to separate the user address space from the kernel address space, were originally intended to ‘close all hardware side channels on kernel address information’. It was the impact of this seemingly drastic measure, with its clear performance impact, that had prompted the rumours.

This attack, now known as Meltdown (CVE-2017-5754), is able to read data from any process on the host system.  While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack.  This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly.  Meltdown affects most Intel CPUs and some ARM CPUs.

Vendors were quick to publish patches for the most popular operating systems.  The Microsoft update, released on 3 January, was not compatible with all anti-virus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems.  So updates could only be installed if an anti-virus product had first set a specific registry key, to indicate that there were no compatibility problems.

Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different.  Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM).  Also, Spectre is only able to read the memory space of the exploited process, and not that of any process.  More importantly, aside from some counter-measures in some browsers, no universal solution is readily available for Spectre.

It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable.  Spectre in particular opened new ways of exploitation that might affect different software in the months and years to come.  Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting them, but do not eradicate it completely.  Since the problem is fundamental to the working of the vulnerable CPUs, it’s likely that vendors will have to deal with new ways of exploiting the vulnerabilities for years to come.

O smart new world…

These days we’re surrounded by smart devices.  This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys.  But it also includes cars, medical devices, CCTV cameras and parking meters.  We’re even seeing the emergence of smart cities.  However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose.  Securing traditional computers is difficult.  But things are more problematic with the Internet of Things, where lack of standardization leaves developers able to ignore security, or to consider it as an afterthought.  There are plenty of examples to illustrate this.

We’ve looked before at vulnerabilities in smart devices around the home.  But some of our researchers recently explored the possibility that a smart hub might be vulnerable to attack.  A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands.  Smart hubs might be controlled through a touch screen, or through a mobile app or web interface.  If it’s vulnerable, it would potentially provide a single point of failure.  While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT recently checked a popular smart camera, to see how well protected it is from hackers.  Smart cameras are now part of everyday life.  Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc.  The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system.  The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker.  Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Before buying any connected device, it’s important to keep security in mind.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need, to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

You can use the free Kaspersky IoT Scanner to check your Wi-Fi network and tell you if the devices connected to it are safe.

Potential problems are not limited to consumer devices.  Recently, Ido Naor, a researcher from our Global Research and Analysis Team, and Amihai Neiderman, then at Azimuth Security, discovered a vulnerability in an automation device for a gas station.  This device was directly connected to the Internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals.  Even more alarming, the web interface for the device was accessible with default credentials.  Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leak, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

It’s no less important for vendors to improve their security approach to ensure that security is considered when products are being designed.  Kaspersky Lab, as a member of the ITU-T Study Group 20, was a contributor to the development of Recommendation ITU-T T.4806, designed to classify security issues, examine potential threats and determine how cyber-security measures can support the safe execution of IoT systems tasks.  This applies mostly to safety-critical IoT systems such as industrial automation, automotive systems, transportation, smart cities, and wearable and standalone medical devices.

IoT-medicine under siege

Technology is driving improvements in healthcare.  It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments.  However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen.  We’ve highlighted the issues several times over the last few years – for example, in the articles ‘Hospitals are under attack in 2016’, ‘The mistakes of smart medicine’ and ‘Connected medicine and its diagnosis’.

The number of medical data breaches continues to increase:

Over the last year we’ve continued to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it.  This includes open ports:

And the services that sit behind them:

More than 60 per cent of medical organizations had some kind of malware on their computers:

We saw even more attacks on organizations closely connected to hospitals, clinics and doctors – that is, in the pharmaceutical industry:

It’s vital that medical facilities remove all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN.  You can find more detailed tips here.

Crypto-currency mining is the new black

In the legitimate economy, capital tends to flow into areas where it will be most profitable.  It’s no different with cybercrime.  Malware development is focused in areas that are likely to be more lucrative.  So it’s no surprise that, as crypto-currencies become a mainstream feature of society, we’ve seen a growth in the number of malicious crypto-currency miners.  In 2017, we blocked malicious miners on the computers of 2.7 million Kaspersky Lab customers – compared to 1.87 million in 2016.  This is now beginning to eclipse ransomware as a way of making money illegally.

As the name suggests, crypto-currency miners are programs designed to hijack the victim’s CPU in order to mine crypto-currencies.  Like ransomware, the business model is simple:  infect victim’s computer, use the processing power of their CPU or GPU to generate coins and earn real-world money through legal exchanges and transactions.  Unlike ransomware, it’s not obvious to the victim that they are infected – most people seldom use most of their computer’s processing power; and miners harness the 70 to 80 per cent that is not being used for anything else.

Crypto-miners are installed – on the computers of consumers and businesses alike – alongside adware, cracked games and pirated content.  It’s becoming easy for cybercriminals to create miners, because of ready to use partner programs, open mining pools and miner-builders.  Another method is web mining, where cybercriminals insert a script into a compromised web site that mines crypto-currencies while the victim browses the site.  Other criminal groups are more selective, using exploits to install miners on the servers of large companies, rather than trying to infect lots of individuals.

Some of the ways cybercriminals install malicious miners in the network of corporate victims are very sophisticated, resembling the methods of APT attackers.  Our researchers identified a case where the attackers used a process-hollowing technique.  The infection starts with the download of a potentially unwanted application (PUA) that contains the miner.  This miner installer drops the legitimate Windows utility ‘msiexec’ with a random name, which downloads and executes a malicious module from a remote server.  The next step is to install a malicious scheduler task that drops the body of the miner. This executes the legitimate system process and uses a process-hollowing technique whereby the legitimate process code is switched for malicious code.  A special system critical flag is set for this new process:  if the victim tries to kill this process, Windows reboots.

Using such techniques, we estimate that mining botnets generated more than $7,000,000 in the second half of 2017.

You can find tips on securing businesses from malicious miners here.
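A hunt for the installation chain described above (renamed msiexec copy followed by a scheduled-task registration) over process-creation telemetry, as an added example that is not Kaspersky Lab code. The events are constructed in Sysmon-like form, and the example assumes the telemetry records each process's PE version-info OriginalFileName, which is what exposes a msiexec copy running under a random name.

```python
"""Hunt for the miner installation chain in process-creation events.

Added example, not Kaspersky Lab code. Events are constructed and modelled on
Sysmon Event ID 1 fields (pid, ppid, image, original_file_name, command_line);
relying on OriginalFileName being logged is an assumption. A hit is a
'schtasks /create' that descends from a process whose PE metadata says
msiexec.exe but which runs under another name or outside the system directories.
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def ev(pid, ppid, image, original_file_name, command_line):
    """Build one process-creation record with Sysmon-like field names."""
    return {"pid": pid, "ppid": ppid, "image": image,
            "original_file_name": original_file_name, "command_line": command_line}


# Constructed events: a PUA installer drops a renamed msiexec, which runs a
# downloaded module that registers a task; a legitimate MSI install for contrast.
SAMPLE_EVENTS = [
    ev(100, 1, "C:\\Windows\\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    ev(200, 100, "C:\\Users\\bob\\Downloads\\FreeVideoTool_setup.exe", "setup.exe",
       "FreeVideoTool_setup.exe"),
    ev(300, 200, "C:\\Users\\bob\\AppData\\Local\\Temp\\x8k2q.exe", "msiexec.exe",
       "x8k2q.exe /q /i pkg.msi"),
    ev(400, 300, "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "upd.exe", "upd.exe"),
    ev(500, 400, "C:\\Windows\\System32\\schtasks.exe", "schtasks.exe",
       'schtasks.exe /create /tn "SysUpdate" /sc onlogon '
       '/tr C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe'),
    # Legitimate: the real msiexec from System32, whose installer also adds a task.
    ev(600, 100, "C:\\Windows\\System32\\msiexec.exe", "msiexec.exe",
       "msiexec.exe /i C:\\Users\\bob\\Downloads\\editor.msi /qn"),
    ev(700, 600, "C:\\Windows\\System32\\schtasks.exe", "schtasks.exe",
       'schtasks.exe /create /tn "EditorUpdate" /sc daily '
       '/tr "C:\\Program Files\\Editor\\update.exe"'),
    ev(800, 100, "C:\\Windows\\System32\\schtasks.exe", "schtasks.exe",
       "schtasks.exe /query /fo list"),
]


def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_renamed_msiexec(event):
    """PE OriginalFileName says msiexec.exe, but the on-disk name or path disagrees."""
    if event["original_file_name"].lower() != "msiexec.exe":
        return False
    image = event["image"].lower()
    return basename(image) != "msiexec.exe" or not image.startswith(SYSTEM_DIRS)


def is_task_creation(event):
    return (basename(event["image"]) == "schtasks.exe"
            and "/create" in event["command_line"].lower())


def ancestors(event, by_pid):
    """Walk ppid links upward; stops at a missing parent or a pid cycle.
    Real pipelines should key on a process GUID, since pids are reused."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def find_miner_chains(events):
    """Return (renamed msiexec image, schtasks command line) for every task
    registration whose ancestry contains a renamed msiexec copy."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if not is_task_creation(event):
            continue
        for anc in ancestors(event, by_pid):
            if is_renamed_msiexec(anc):
                hits.append((anc["image"], event["command_line"]))
                break
    return hits


if __name__ == "__main__":
    for image, cmd in find_miner_chains(SAMPLE_EVENTS):
        print("renamed msiexec:", image)
        print("task registered:", cmd)
```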

Our data in their hands

Personal data is valuable.  This is evident from the regular news reports of data breaches.  These include the theft of huge amounts of data and the re-use of stolen credentials.  However, the recent scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals.

In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ e-mail accounts, ‘free’ social network accounts, etc.  But not always.  Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives.  Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices.  Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

The issues surrounding security and privacy of data continue to make headlines, not least as we approach 25 May, 2018 and the implementation of the EU General Data Protection Regulation.  It will, of course, be interesting to see what impact the legislation has.  But we should not forget that we should all consider what data we share, with whom, and how it might be used.  It’s vital to take steps to secure our data, by using unique, complex passwords for each account and by using two-factor authentication where it’s available.

Monday review – the hot 18 stories of the week

Sophos Naked Security - 14 May, 2018 - 11:39
From the WhatsApp text bomb and iOS 11.4's 7-day USB shutout to the critical bug in 7-zip, and more!

PGP and S/MIME decryptors can leak plaintext from emails, says infosec professor

The Register - Anti-Virus - 14 May, 2018 - 08:46
Users advised to stop using and/or uninstall plugins ASAP to stop Pretty Grievous Pwnage

Updated  A professor of Computer Security at the Münster University of Applied Sciences has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.…

Category: Viruses and Worms

Family Planning office warns customers private parts may be exposed

The Register - Anti-Virus - 14 May, 2018 - 05:59
Contact form data left on server for more than TWO YEARS, then came ransomware

The Australian State of New South Wales' reproductive and sexual health organisation Family Planning NSW has advised users of an April 2018 ransomware attack that may have compromised sensitive information.…

Category: Viruses and Worms

Ubuntu sends crypto-mining apps out of its store and into a tomb

The Register - Anti-Virus - 14 May, 2018 - 05:08
Developer's dreams of driving off in a Ferrari dashed

Admins of the Ubuntu Store have pulled all apps from a developer who signed himself "Nicholas Tomb", and from his e-mail signature apparently wanted to crypto-mine himself into a Ferrari.…

Category: Viruses and Worms

Have you updated your Electron app? We hope so. There was a bad code-injection bug in it

The Register - Anti-Virus - 14 May, 2018 - 02:11
Infosec bods remind devs, users to check for patches

Electron – the widely used desktop application framework that renders top programs such as Slack, Atom, and Visual Studio Code – suffered from a security vulnerability that potentially allows miscreants to execute evil code on victims' computers.…

Category: Viruses and Worms

When it comes to patches, how urgent is urgent? [Chet Chat Podcast 268]

Sophos Naked Security - 14 May, 2018 - 00:30
Chet Chat podcast: Sophos experts Chester Wisniewski and Greg Iddon discuss the latest cybersecurity issues.

Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more

The Register - Anti-Virus - 12 May, 2018 - 14:00
Hacking laws in the limelight in Georgia and DC, plus new iPhone anti-tampering

Roundup  Here's a roundup of everything that's happened in the world of infosec this week, beyond what we've already covered.…

Category: Viruses and Worms

Google Project Zero Calls Windows 10 Edge Defense ‘ACG’ Flawed

VirusList.com - 11 May, 2018 - 23:18
Researchers maintain Microsoft’s vaunted Arbitrary Code Guard in the Edge browser can’t stop hackers from mounting attacks.
Category: Viruses and Worms

Vega Stealer Malware Takes Aim at Chrome, Firefox

VirusList.com - 11 May, 2018 - 21:44
While it’s a simple payload for now, researchers said Vega has the ability to evolve into something more concerning in the future.
Category: Viruses and Worms

Panda Banking Trojan Diversifies into Cryptocurrency, Porn, Other Targets

VirusList.com - 11 May, 2018 - 19:29
The Panda banking trojan, a spin-off from the infamous Zeus malware, is widening its net to attack more than just financial services targets, as seen in three ongoing campaigns discovered in May.
Category: Viruses and Worms

Hacking train Wi-Fi may expose passenger data and control systems

The Register - Anti-Virus - 11 May, 2018 - 16:07
Researcher finds security hotspots on some rail networks

Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers' credit card information, according to infosec biz Pen Test Partners this week.…

Category: Viruses and Worms