2016-09-19

Malware

LuaBot author argues his malware is harmless
While analysis of the LuaBot [1] malware has shown it to be capable of launching DDoS attacks and infecting IoT devices, the malware's author insists that it is "not harmful". A French researcher known as x0rz interviewed the author, who denied running a DDoS stresser service but would not say what activity he profits from. For now, the purpose of the malware remains a mystery. More information [2].

Mamba Ransomware
Also known as HDD Encrypt [3], this ransomware was discovered by researcher Renato Marinho and is believed to be the first full disk encryption (FDE) ransomware to be identified. Rather than encrypting individual files, Mamba encrypts at the disk level using the open-source DiskCryptor utility, which runs as a process of that name on infected PCs; it is delivered by spam email and the RIG exploit kit. Analysis is hampered because most of Mamba's components are themselves encrypted. Running in the background, it first encodes files that are rarely accessed, then proceeds to lock the remaining data and tightens its grip on the drive by encrypting the files opened during the last session or at the next system boot. More information [4].

Overseer Spyware
Google Play has once again been the target of spyware. The Overseer spyware [5] was found in four apps (since removed) and can extract information from Android devices, including contact details, user accounts and a list of all previously installed software. Because Overseer encrypts its communications, it is difficult for researchers and AV products to detect. More information [6].

Quant Loader Trojan
Earlier in September, a trojan called Quant Loader [7] was spotted for sale on Russian marketplaces. A Forcepoint report has now identified it as a new distribution channel for Locky ransomware, delivered via a malicious email campaign. The program has been attributed to the Russian cybercrime group "C++ GURU" (CPPGURU). As Forcepoint notes, Quant Loader shares a great deal of code with malware previously attributed to CPPGURU and is therefore often flagged by anti-virus solutions under the names "Pliskal" or "Crugup". More information [8].

H1N1 malware evolves
The infamous H1N1 malware [9] is gaining a host of new features, according to reports from both Proofpoint and Cisco. Instead of simply infecting a system in order to download further malicious software, H1N1 now has information-stealing capabilities. New features include additional user controls and the ability to collect information from the host and send it to a central C&C server. More information [10].

Ongoing Campaigns

Rogue Pokemon GO guide app downloaded over 500,000 times
A Pokemon GO guide for Android installs malware that could give attackers access to victims' phones and has been downloaded more than half a million times. According to Kaspersky Lab, the sophisticated trojan embedded in the app has infected at least 6,000 phones. The trojan waits a couple of hours after installation before acting, in order to select the right targets. With such a huge player base, malware authors will keep trying to take advantage of Pokemon GO's popularity. More information [11].

Blizzard DDoS Attack
Blizzard Entertainment, creator of a range of popular video games, suffered a denial-of-service attack on Sunday that hit its Battle.net servers, the third time Blizzard's servers had gone down in a week. The group responsible was Poodle Corp [12], a splinter group of the well-known Lizard Squad, which stated it would release Blizzard's servers once it received 2,000 retweets. Not long after, Poodle Corp halted its attack. More information [13].

Trending Vulnerabilities

Windows Safe Mode can be used as an attack vector
Research by CyberArk has described a weakness in Windows Safe Mode that could be used by attackers to steal PC login credentials and disable security software while remaining undetected. CyberArk also explored other ways Safe Mode can be leveraged, including turning endpoints into launching points for new attacks. The problem originates in the nature of Safe Mode itself, which was purposely designed to be lean and so does not load third-party software such as security tools. An attacker who has already gained administrative control of a machine can remotely reboot it into Safe Mode to disable and evade endpoint defences before launching further attacks. Because the technique requires that level of access, Microsoft does not deem it a valid vulnerability and has not issued a fix. More information [14].

Smart cities are vulnerable to attack, new research reveals
Digital kiosks and interactive terminals used in modern "smart cities" have multiple vulnerabilities that can expose private user data, a report by Kaspersky has revealed. Such cities are built on a chain of complex ecosystems made up of many kinds of digital infrastructure, and weaknesses in any of them pose a significant threat to private data. More information [15].

Mozilla Firefox Zero-Day Vulnerability
Mozilla has announced that it will patch a flaw in the Firefox browser that attackers could exploit to "impersonate Mozilla's servers and to deliver a malicious extension update". The vulnerability is not thought to be severe, as a successful attack would require a fraudulently issued but otherwise valid certificate for Mozilla's domain, something many experts believe only nation states or APT groups could obtain. More information [16].

Leaks and Breaches

Third Round of WADA Leaks
Yet again the Fancy Bears Hack Team [17] has released athletes' medical information from WADA detailing the use of various substances.
Eleven athletes from five European countries were targeted, including Nicola Adams and Laura Trott. This series of leaks highlights WADA's failure to secure its medical data, but has also sparked wider debate over the Therapeutic Use Exemption (TUE) system. More information [18].

General News

Man convicted for creating child porn site Playpen
A Florida man was convicted on Friday of creating Playpen, one of the largest child pornography sites on the dark web. Steven W. Chase was exposed after the real IP address of Playpen, which normally hid behind the anonymity of Tor, was revealed, together with evidence that Chase paid for the site's upkeep himself. The case attracted much attention after it emerged that the FBI continued to run Playpen after arresting Chase, deploying a network investigative technique (NIT) to unmask the site's users. More information [19].

Hacker loses appeal in UK court
Lauri Love, a hacker accused of breaking into high-profile systems, including those of the FBI and the US Missile Defense Agency, in 2013, has lost his appeal against extradition to the US. The judge informed Love that he could appeal the decision to the Secretary of State, and for now he remains on bail. Love has garnered much international support, including from former hacker Jake "Topiary" Davis, who claimed there was no real evidence against Love. If extradited and found guilty in a US court, Love, who has been diagnosed with Asperger's syndrome, faces up to 99 years in prison. More information [20].

FBI San Bernardino Blunder
University of Cambridge researcher Sergei Skorobogatov has suggested that the FBI overpaid by $999,900 for the hack of the San Bernardino shooter's iPhone 5c. Skorobogatov performed the same attack with a NAND mirroring rig costing around $100. The setup allowed him to clone the iPhone's NAND flash chip and then try passcodes repeatedly, writing the pristine clone back whenever the device was about to lock him out, until the passcode was recovered.
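To make concrete why mirroring the flash defeats a retry limit, here is an added illustration written for this digest; it is not Skorobogatov's tooling or code. It is a toy model in Python in which the failed-attempt counter lives in the flash image alongside the passcode verifier, as it must on a device with no separate secure element to hold it. The class and function names, the salt, the PBKDF2 stand-in for the device's key derivation and the ten-attempt wipe threshold are all assumptions chosen for the model.

```python
"""Toy model of a NAND-mirroring attack on a passcode retry limit.

Constructed illustration, not the researcher's tooling. The flash image
holds the salt, the passcode verifier and the failed-attempt counter, so
an attacker who can rewrite the chip can also rewind the counter.
"""
import hashlib
from dataclasses import dataclass

MAX_ATTEMPTS = 10        # assumed wipe threshold for the model
KDF_ITERATIONS = 1000    # assumed; the real device KDF is hardware-bound and far slower


def derive_verifier(passcode: str, salt: bytes) -> bytes:
    """Stand-in for the device's passcode key derivation (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


@dataclass
class NandImage:
    """Everything that lives on the rewritable flash chip."""
    salt: bytes
    verifier: bytes
    failed_attempts: int = 0
    wiped: bool = False

    def clone(self) -> "NandImage":
        """A dump of the chip: this is what the mirroring rig captures."""
        return NandImage(self.salt, self.verifier, self.failed_attempts, self.wiped)


class Device:
    """Enforces the retry limit, but keeps its only state in the NAND image."""

    def __init__(self, nand: NandImage) -> None:
        self.nand = nand

    def try_passcode(self, passcode: str) -> bool:
        if self.nand.wiped:
            return False
        if derive_verifier(passcode, self.nand.salt) == self.nand.verifier:
            self.nand.failed_attempts = 0
            return True
        self.nand.failed_attempts += 1
        if self.nand.failed_attempts >= MAX_ATTEMPTS:
            self.nand.wiped = True   # data erase after too many failures
        return False


def provision(passcode: str) -> NandImage:
    """Create a fresh flash image for a device set to `passcode`."""
    salt = b"constructed-salt"      # constructed sample value
    return NandImage(salt, derive_verifier(passcode, salt))


def four_digit_pins():
    """The search space: every PIN from 0000 to 9999, in order."""
    return (f"{i:04d}" for i in range(10_000))


def brute_force_naive(nand: NandImage, candidates):
    """Guess in place. Returns (passcode or None, attempts used)."""
    dev = Device(nand)
    count = 0
    for guess in candidates:
        count += 1
        if dev.try_passcode(guess):
            return guess, count
        if nand.wiped:
            return None, count      # the retry limit did its job
    return None, count


def brute_force_mirrored(nand: NandImage, candidates):
    """Guess, but rewrite the chip from a pristine dump before each wipe.

    Returns (passcode or None, attempts used, number of restores).
    """
    pristine = nand.clone()         # one-time dump of the chip
    dev = Device(nand)
    restores = 0
    count = 0
    for guess in candidates:
        count += 1
        if dev.try_passcode(guess):
            return guess, count, restores
        if dev.nand.failed_attempts >= MAX_ATTEMPTS - 1:
            dev.nand = pristine.clone()   # counter is back to 0, nothing wiped
            restores += 1
    return None, count, restores


if __name__ == "__main__":
    print("naive:   ", brute_force_naive(provision("1234"), four_digit_pins()))
    print("mirrored:", brute_force_mirrored(provision("1234"), four_digit_pins()))
```

The naive loop is stopped by the wipe after ten guesses; the mirrored loop writes the dump back before the tenth failure each time and walks the whole four-digit space, recovering the PIN on the 1,235th guess after 137 restores. The defence is to hold the counter somewhere the attacker cannot rewrite from outside, such as a secure enclave, which the iPhone 5c does not have.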
This approach let him bypass the limit on passcode retry attempts, the very problem the FBI paid a security firm over $1 million to solve. More information [21].

NSO Group's Lucrative iPhone Hack
More details have emerged about the hacking operations of NSO Group. The Israeli company claims that its software can compromise a victim's phone and relay sensitive information, including texts, emails, location and even live microphone recordings, in real time. This follows reports that the company markets the software to governments at a price of $650,000 to hack just ten iPhones. More information [22].

The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

[1] https://my.silobreaker.com/view360.aspx?item=11_1062253271#?q=Keyphrase:%22LuaBot%22&rd=true
[2] https://medium.com/@x0rz/interview-with-the-luabot-malware-author-731b0646fc8f#.u8srr7aup
[3] https://my.silobreaker.com/view360.aspx?item=11_1068223813#?q=Keyphrase:%22Mamba%20Ransomware%22&rd=true
[4] https://www.enigmasoftware.com/hddencryptransomware-removal/
[5] https://my.silobreaker.com/view360.aspx?item=11_1070830632#?q=Keyphrase:%22Overseer%20Spyware%22&rd=true
[6] https://blog.lookout.com/blog/2016/09/16/embassy-spyware-google-play/
[7] https://my.silobreaker.com/view360.aspx?item=11_1067639186#?q=Keyphrase:%22Quant%20Loader%22&rd=true
[8] http://www.scmagazine.com/quant-loader-trojan-downloader-spotted-in-the-wild/article/522939/
[9] https://my.silobreaker.com/view360.aspx?item=11_1069710659#?q=Keyphrase:%22H1N1%20Malware%22&rd=true
[10] https://latesthackingnews.com/2016/09/18/h1n1-malware-got-infostealing-features/
[11] http://usa.kaspersky.com/about-us/press-center/press-releases/2016/Kaspersky_Lab_Discovers_Rogue_Pokemon_Go_App_that_Takes_Control_of_Android_Phones
[12] https://my.silobreaker.com/view360.aspx?item=11_1030735411#?q=Organization:%22PoodleCorp%22&rd=true
[13] http://www.ibtimes.co.uk/blizzards-battle-net-servers-knocked-offline-by-another-ddos-attack-claimed-by-hacker-group-1582024
[14] http://www.ibtimes.co.uk/windows-safe-mode-can-be-used-conduct-undetectable-cyberattacks-putting-billions-pcs-servers-1581832
[15] https://securelist.com/analysis/publications/76060/fooling-the-smart-city/
[16] http://www.theregister.co.uk/2016/09/18/mozilla_tor_flaws/
[17] https://my.silobreaker.com/view360.aspx?item=11_1065889835#?q=Organization:%22Fancy%20Bears%20Hack%20Team%20(Anonymous)%22&rd=true
[18] https://www.theguardian.com/sport/2016/sep/16/nicola-adams-laura-trott-fancy-bears
[19] http://motherboard.vice.com/read/playpen-founder-guilty
[20] http://www.theinquirer.net/inquirer/news/2471066/lulzsec-s-topiary-slams-horrible-decision-to-extradite-lauri-love-to-the-us
[21] http://www.theregister.co.uk/2016/09/19/fbi_overpaid_999900_to_crack_san_bernardino_iphone_5c_password/
[22] http://equilibrioinformativo.com/2016/09/israeli-company-nso-charges-650000-to-hack-10-iphones-report/
