A take on the security news, week 45 2015

Mon 02 November 2015

A take on the security news, week 45 / 2015. I summarize some of the information security news that I considered noteworthy this week.
Ransomware decryptor, Android security update, iOS 9 hack, vBulletin vulnerabilities and a new version of Cryptolocker.

Monday

Kaspersky Ransomware Decryptor

Kaspersky, in cooperation with the Netherlands' police and prosecutor's office, has seized decryption keys from the people behind Coinvault and Bitcryptor.

The authors of the ransomware have been arrested, and all the keys have been added to the database that you can download for free.

The How-To decrypt your files (https://noransom.kaspersky.com/static/CoinVault-decrypt-howto.pdf) explains in an easy-to-follow way how you can see if you are infected, and if infected, how to decrypt the files.

https://noransom.kaspersky.com

Tor Messenger beta

Instead of reinventing chat services, Tor Messenger can use Jabber (or other existing messaging services) and provide Off-The-Record (OTR) messaging capabilities around it. All the traffic is also routed through the Tor network.

It is based on Instantbird, a messenger application developed by the Mozilla community.

https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily

Tuesday

Google releases Android update

This month's Android update contains patches for 2 critical, 4 high and 1 moderate vulnerabilities. Mediaserver, libutils and libstagefright are among the components that are patched. Two of the patched vulnerabilities are remote code execution vulnerabilities. More details of the update are available from the Google Groups link below.

If you have a Nexus device you should be prompted to update very soon (if not already). If you have another brand you have to wait for your manufacturer to release an update.

https://groups.google.com/forum/#!topic/android-security-updates/n1aw2MGce4E

Zerodium finally got their iOS 9 hack

Zerodium is claiming that they now have a remote browser-based iOS 9.1 / 9.2b jailbreak hack. This means that someone is able to pick up the $1 million USD bounty that Zerodium set up.

What Zerodium will do with the hack is not known. There is a big market for such 0-day exploits, so there are a lot of possibilities.

Pagefair Anti-Ad blocker compromised to spread fake Flash update

On 31 October someone succeeded with a spear-phishing attack against a key account at Pagefair. The attackers got login details to one of the CDNs that Pagefair is using, and replaced the Pagefair JavaScript with malicious JavaScript.

This intentionally harmful JavaScript prompted visitors to install a fake Adobe Flash update, which appears to be a botnet trojan that targets Windows.

Although many virus scanners will have prevented this file from executing, others may not have been able to correctly detect it.

The problem was detected after 5 minutes, and corrected after 83 minutes, according to Pagefair.

http://blog.pagefair.com/2015/halloween-security-breach/

Lucrative ransomware attacks: Analysis of the Cryptowall version 3 threat

The Cyber Threat Alliance has published an analysis of the Cryptowall threat.

Some of the key findings:

  • An estimated $325 in damages has been caused by Cryptowall version 3
  • Most of the infections are seen in North America and India / South Asia
  • 67.3 % of the infections come from phishing attacks
  • bot.exe and *.scr are the most used malware executables
  • Exploit kits that were used: Angler, Magnitude, Neutrino and RIG

More details can be found in the report.

http://cyberthreatalliance.org/cryptowall-report.pdf

Wednesday

Firefox 42 update

This update patches 3 critical vulnerabilities, along with a few others marked as high and below. One of the critical vulnerabilities was found in NSS (Firefox's own SSL library).

https://www.mozilla.org/en-US/security/advisories/

vBulletin security patch

A security issue has been reported that affects versions 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8 and 5.1.9. The issue has been patched, so go patch your vBulletin forum as soon as possible.

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-through-5-1-9

Empirical analysis of email delivery security

In this work, the researchers present the first report on global adoption rates of SMTP security extensions, including: STARTTLS, SPF, DKIM, and DMARC.

The researchers analyzed the global adoption of these technologies using data from two perspectives: Internet-wide scans and logs of SMTP connections to and from one of the world’s largest mail providers over a sixteen month period.

Their measurements show that the use of these secure mail technologies has surged over the past year. However, much of this growth can be attributed to a handful of large providers, and many smaller organizations continue to lag in both deployment and proper configuration.

http://conferences2.sigcomm.org/imc/2015/papers/p27.pdf

Thursday

XCodeGhost still active

XCodeGhost is still active, and has been updated to a new version that infects iOS 9. FireEye has found that the botnet is still active (partially), and that U.S. enterprises have been infected too.

The majority of infected devices are running older versions of iOS, and the top infected apps are "Music 163" and "WeChat".

https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

Friday

Windows phases out SHA-1 as code-signing algorithm

After 1 January 2016, Windows 7 (or higher) and Windows Server will no longer trust code that is signed with SHA-1 certificates.

Note that this is about code signed with SHA-1 and not websites protected with SHA-1. Your website's certificate will still be valid until 1 January 2017 as originally planned.

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Cryptowall 4.0 is out

A new version of Cryptowall is out, with a redesigned ransom note and new filenames. Cryptowall 4.0 also encrypts the filenames, in addition to the data itself. Each encrypted file has its filename changed to a random unique string.

Analysis shows that the new version uses the same installation characteristics and way of communicating as the earlier versions.

More details in the link below.

http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/