A Week in Security (May 01 – May 07)

Last week, we gave a comprehensive introduction to Process Explorer, analyzed an Amazon Prime spam campaign, and presented our readers with some telltale signs that their systems are infected with malware. We also reiterated our stance against paying the ransom when users find ransomware on their systems.

Malware Intelligence Analyst Jovi Umawing published a post about a malicious Skype chat spam campaign that primarily made the rounds in Asian countries before spilling over to other regions. The malware, which purported to be an image, is actually a screensaver (.scr) file—essentially, another kind of executable. We saw the same trick used in a number of Steam chat spam campaigns in the past.

Hasherezade, our resident reverse engineer, took a brilliant stab at 7ev3n-HONE$T, a notably improved version of the 7ev3n ransomware that was initially spotted at the beginning of this year. She hypothesized that “the new name refers to the added feature of decrypting test files before the payment – as a proof of the authors’ ‘honesty’ in giving files back.”

Senior Security Researcher Jérôme Segura found and reported on a malvertising campaign that temporarily plagued a couple of official websites belonging to CBS-affiliated TV stations. Visitors were redirected to the Angler exploit kit.

For our first PUP Friday post in the month of May, we took a look at the next-generation Yontoo browser hijackers.

Notable news stories and security-related happenings:

  • Online Payment Fraud Could Hit $25 Billion by 2020. “The reason behind this growth is the implementation of CHIP and PIN at outlets, which drives thieves to look for other methods of stealing money. The report claims ‘the greater security afforded by CHIP and PIN would persuade fraudsters to switch their attention from the in-store environment to the CNP (Card Not Present) space’.” (Source: IT Pro Portal)
  • Valve Fixes Steam Crypto Bug That Exposed Passwords in Plaintext. “Security researcher Nathaniel Theis (XMPPwocky) is the one who discovered the issue and also came up with an advanced technical write-up detailing the attack’s steps. To understand the attack, users first need to know how Steam’s cryptography works. Valve designed the Steam crypto module to keep data secret and to authenticate connections so that nobody can pass as another user.” (Source: Softpedia)
  • Living In A Password Free World In The Modern Enterprise. “Let’s be honest. Passwords in the enterprise were never really that secure in the first place. But in the absence of anything else, they were long the de facto standard. IT administrators first began by issuing passwords that required a minimum length of characters. This next evolved into requiring letters, numbers and special characters. But these were all variations on the same, largely ineffective and high risk theme.” (Source: Help Net Security)
  • Loss of confidential information key to understanding interactions between crime and cyber coverage: conference speaker. “Matthew Davies, assistant vice president of Chubb Insurance Company of Canada, said that one major difference between crime and cyber policies is that the former doesn’t address the loss of confidential information, especially one’s own confidential information or clients’ confidential information in the care or control of the company.” (Source: Canadian Underwriter)
  • Samsung Smart Home Flaws Let Hackers Make Keys To Front Door. “Computer scientists have discovered vulnerabilities in Samsung’s Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.” (Source: Ars Technica)
  • Opportunistic Cybercriminals Tweaking Old Threats For New Targets: Forcepoint. “Medium-sized businesses face a surging threat from opportunistic cybercriminals who are changing their strategies as large enterprises become more complex to penetrate, a security-strategy director has warned as new figures correlate declines in spam email with a resurgence in time-honoured document-based macro malware.” (Source: CSO Australia)
  • Ransomware Enters Companies Through RDP Servers. “Attackers wielding ransomware are targeting enterprises through an often-found hole in the corporate network: Internet facing, poorly secured remote desktop servers […] The attackers can also try to discover when back-ups are made in order to decide when to execute the ransomware for maximum effectiveness. They are usually successful in keeping their presence in the corporate network secret until they trigger the malware.” (Source: Help Net Security)
  • Navy Sees Increase in ‘Sextortion’ Cases; NCIS Warns Sailors About Online Behavior. “Sextortion is a crime in which someone requests money in exchange for not releasing sexually explicit images or information. Both the number of cases and incidents are growing, according to NCIS, which says that since August 2012, perpetrators have targeted at least 160 sailors and marines across the country, resulting in the loss of about $45,000.” (Source: The Day)
  • So…Now The Government Wants To Hack Cybercrime Victims. “The changes, to a federal court procedure known as Rule 41, were announced last week by the Supreme Court. They would let magistrate judges routinely issue search warrants to hack into computers outside their jurisdiction. The changes would also let magistrates issue a single search warrant for numerous computers in multiple jurisdictions, saving law enforcement the burden of having to obtain a separate warrant for each computer. This means a judge in Virginia could issue a single warrant for computers in California, Florida, Illinois and even overseas.” (Source: Wired)
  • Daisy-chained Research Spells Malware Worm Hell For Power Plants And Other Utilities. “A world-first proof-of-concept worm – if unleashed – could spell disaster for the world’s critical infrastructure, including power utilities by making attacks exponentially more difficult to detect and stop. It is a stand-alone attack but The Register has confirmed a realistic stealthy end-to-end attack scenario can be produced by combining two independent research efforts.” (Source: The Register)
  • Google Turns On HTTPS For All Blogspot Blogs. “All blogs hosted on Google’s blogspot.com domain can now be accessed over an encrypted HTTPS connection. This puts more control into the hands of blog readers who value privacy. Google started offering users of its Blogger service the option to switch their blogspot.com sites to HTTPS in September, but now that setting was removed and all blogs received an HTTPS version that users can access.” (Source: CSO)
  • Major Security Breaches Found In Google And Yahoo Email Services. “Hundreds of millions of hacked usernames and passwords for email accounts and other websites are being traded in Russia’s criminal underworld, a security expert told Reuters.” (Source: Huffington Post)
  • Crooks Go Deep With ‘Deep Insert’ Skimmers. “ATM maker NCR Corp. says it is seeing a rapid rise in reports of what it calls ‘deep insert skimmers,’ wafer-thin fraud devices made to be hidden inside of the card acceptance slot on a cash machine.” (Source: KrebsOnSecurity)

Safe surfing, everyone!

The Malwarebytes Labs Team