A take on the security news, week 45 2015
Monday
Kaspersky Ransomware Decryptor
Kaspersky, in cooperation with the Dutch police and prosecutor's office, has seized decryption keys from the people behind CoinVault and Bitcryptor.
The authors of the ransomware have been arrested, and all the keys have been added to a database that you can download for free.
The how-to for decrypting your files (https://noransom.kaspersky.com/static/CoinVault-decrypt-howto.pdf) explains in an easy-to-follow way how to check whether you are infected and, if so, how to decrypt the files.
https://noransom.kaspersky.com
Tor Messenger beta
Instead of reinventing chat services, Tor Messenger uses Jabber (or other existing messaging services) and adds Off-The-Record (OTR) messaging on top of it. All traffic is also routed through the Tor network.
It is based on Instantbird, a messenger application developed by the Mozilla community.
https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily
Tuesday
Google release Android update
This month's Android update contains patches for 2 critical, 4 high and 1 moderate vulnerabilities; mediaserver, libutils and libstagefright are among the patched components. Two of the patched vulnerabilities allow remote code execution. More details of the update are available from the Google Groups link below.
If you have a Nexus device you should be prompted to update very soon (if not already). If you have another brand, you have to wait for your manufacturer to release an update.
https://groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E
Zerodium finally got its iOS 9 hack
Zerodium claims that it now has a remote, browser-based jailbreak for iOS 9.1 / 9.2b. This means that someone is able to pick up the $1 million USD bounty that Zerodium set up.
What Zerodium will do with the exploit is not known. There is a big market for such 0-day exploits, so there are many possibilities.
Pagefair anti-ad-blocker compromised to spread fake Flash update
On 31 October someone succeeded with a spear-phishing attack against a key account at Pagefair. The attackers obtained login details for one of the CDNs that Pagefair uses and replaced the Pagefair JavaScript with malicious JavaScript.
This intentionally harmful JavaScript prompted visitors to install a fake Adobe Flash update, which appears to be a botnet trojan targeting Windows.
Although many virus scanners would have prevented this file from executing, others may not have been able to detect it correctly.
The problem was detected after 5 minutes and corrected after 83 minutes, according to Pagefair.
http://blog.pagefair.com/2015/halloween-security-breach/
Lucrative ransomware attacks: Analysis of the Cryptowall version 3 threat
The Cyber Threat Alliance has published an analysis of the Cryptowall threat.
Some of the key findings:
- An estimated $325 in damages caused by Cryptowall version 3
- Most of the infections are seen in North America and India / South Asia
- 67.3 % of the infections come from phishing attacks
- bot.exe and *.scr are the most used malware executables
- Exploit kits used: Angler, Magnitude, Neutrino and RIG
More details can be found in the report.
http://cyberthreatalliance.org/cryptowall-report.pdf
Wednesday
Firefox 42 update
This update patches 3 critical vulnerabilities, along with a few others rated high and below. One of the critical vulnerabilities was found in NSS (Firefox's own SSL library).
https://www.mozilla.org/en-US/security/advisories/
vBulletin security patch
A security issue has been reported that affects versions 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9. The issue has been patched, so patch your vBulletin forum as soon as possible.
Empirical analysis of email delivery security
In this work, the researchers present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC.
The researchers analyzed the global adoption of these technologies using data from two perspectives: Internet-wide scans and logs of SMTP connections to and from one of the world’s largest mail providers over a sixteen month period.
Their measurements show that the use of these secure mail technologies has surged over the past year. However, much of this growth can be attributed to a handful of large providers, and many smaller organizations continue to lag in both deployment and proper configuration.
http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf
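The paper's point about smaller organizations lagging in "proper configuration" is easy to check for your own domains: a published SPF record that ends in "+all", or a DMARC record with "p=none" and no reporting address, counts as deployed but gives no real protection. The script below is an added example (not code from the paper or from the blog) that evaluates SPF and DMARC TXT records for those weak settings. It runs against constructed sample records embedded in the script; in practice you would replace the lookup dictionary with a real DNS resolver.

```python
import re

# Constructed sample TXT records (not real domains or measurement data).
# One domain is configured well, one has deployed both records but weakly.
SAMPLE_TXT = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example"],
    "weak.example": ["v=spf1 +all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def find_spf(txt_records):
    """Return the single SPF record among a name's TXT records, or None.
    RFC 7208 treats more than one v=spf1 record as a permanent error,
    so zero or several records are both reported as 'missing or ambiguous'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(record):
    """Return the qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'.
    An absent qualifier means '+' (pass). Returns None if there is no 'all' term."""
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(record):
    """Split a DMARC record into a tag -> value dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, txt_lookup):
    """Return a list of configuration findings for `domain`.
    `txt_lookup` maps a DNS name to its list of TXT strings (here the sample
    dict; a real resolver lookup would go in its place)."""
    findings = []

    spf = find_spf(txt_lookup.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or ambiguous (expected exactly one v=spf1 record)")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every host; record is ineffective")
        elif qualifier in (None, "?"):
            findings.append("SPF: unlisted hosts get a neutral result; end with '-all' or '~all'")

    dmarc = [r for r in txt_lookup.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("DMARC: missing")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: invalid or missing p= tag")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")

    return findings


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        result = assess_domain(name, SAMPLE_TXT)
        print(name, "->", result or ["no findings"])
```

The checks are deliberately conservative: "~all" (softfail) is accepted because many senders use it during rollout, and only "+all", a missing "all" term, or "?all" are flagged, since those three leave unlisted hosts effectively authorized. Swapping `SAMPLE_TXT` for a function that queries TXT records of the real name (for example with a DNS library of your choice) turns this into a quick audit of the domains you are responsible for.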
Thursday
XCodeGhost still active
XcodeGhost is still active and has been updated to a new version that infects iOS 9. FireEye has found that the botnet is still (partially) active, and that U.S. enterprises have been infected too.
The majority of infected devices are running older versions of iOS, and the top infected apps are "Music 163" and "WeChat".
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
Friday
Windows phases out SHA-1 as code-signing algorithm
After 1 January 2016, Windows 7 (or higher) and Windows Server will no longer trust code that is signed with SHA-1 certificates.
Note that this is about code signed with SHA-1, not websites protected with SHA-1. Your website's certificate will still be valid until 1 January 2017 as originally planned.
Cryptowall 4.0 is out
A new version of Cryptowall is out with a redesigned ransom note and new filenames. Cryptowall 4.0 also encrypts the filenames in addition to the data itself; an encrypted file is renamed to a random unique string.
Analysis shows that the new version uses the same installation characteristics and way of communicating as the earlier versions.
More details in the link below.