Svpeng Behind a Spike in Mobile Ransomware
The sting of mobile ransomware grew more painful in 2017 with attacks increasing a whopping 3.5 times in the first quarter compared to the same time a year ago. Behind those attacks were a quarter million Trojan installation packages targeting Android devices that sought to extort between $100 to...
Anthem Agrees to Settle 2015 Data Breach for $115 Million
Like many companies hit by data breaches, Anthem, the United States’ largest for-profit health care company, has been forced to watch from the sidelines while the incident plays out in court. An end finally appears to be in sight however. Late Friday the company agreed to settle a series of...
New EU Privacy Laws Will Complicate B2B Data Sharing
NEW YORK – United States companies doing business abroad are grumbling over new European privacy laws set to take effect in less than one year. The EU privacy rules are far more stringent than U.S. laws, and are meant to give consumers the upper hand when it comes to controlling what data is stor...
Siemens Patches Two Vulnerabilities in SIMATIC CP and XHQ
Siemens patched two vulnerabilities in products commonly found in industrial control system setups this week. If exploited the flaws could allow an attacker to perform administrative actions or gain read access to sensitive data on affected systems. Siemens patched one issue (.PDF) on Tuesday and t...
Few Victims Reporting Ransomware Attacks to FBI
Ransomware may have been the most prevalent internet threat of 2016, and WannaCry certainly made it a mainstream conversation, but that doesn’t mean people are reporting incidents to law enforcement. The FBI’s Internet Crime Complaint Center’s annual report published this week counted only 2,673...
On GhostHook, Fireball, WannaCry, and more
Mike Mimoso and Chris Brook discuss the news of the week, including Citizen Lab’s latest report, WannaCry hitting Honda, GhostHook, and Fireball. Download: ThreatpostNewsWrapJune232017.mp3 Music by Chris Gonsalves Show notes: GhostHook attack bypasses Windows 10 PatchGuard Say Goodbye to SMBv1 in...
NSA Advocates Data Sharing Framework
NEW YORK–The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys...
Cisco Patches XXE, DOS, Code Execution Vulnerabilities in Software
Cisco patched three vulnerabilities in three products this week that, if exploited, could have resulted in a denial of service, crash, and in some instances, arbitrary and remote code execution. According to security advisories published Wednesday, each of the vulnerabilities is branded “high”...
Average Cost of Breach Goes Down, For the First Time Ever
NEW YORK–The global average cost of a data breach last year dropped 11.4 percent from 2015 to $3.6 million. The reduction is attributed mostly to a strong U.S. dollar, with wins also offset by a 1.8 percent increase in the size of breaches in 2016. The numbers come from Peter Allor, senior cyber...
Microsoft Says Fireball Malware Threat 'Overblown'
Check Point has ramped down its projections on the impact of the recently disclosed Fireball malware after Microsoft called its initial numbers into question. Details on Fireball were published June 1 by Check Point, which said the malware was the work of a Chinese digital marketing agency called...
Drupal Patches Three Vulnerabilities in Core
Developers with Drupal patched three vulnerabilities, one critical, one being exploited in the wild, in Drupal’s core engine on Wednesday. Drupal 7.56 and 8.3.4 are security releases. Update your sites. — Drupal Security (@drupalsecurity) June 21, 2017 The most pressing issue addressed by the updat...
GhostHook Attack Bypasses Windows 10 PatchGuard
A bypass of PatchGuard kernel protection in Windows 10 has been developed that brings rootkits for the latest version of the OS within reach of attackers. Since the introduction of PatchGuard and DeviceGuard, very few 64-bit Windows rootkits have been observed; Windows 10’s security, in particula...
NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed
NEW YORK–The dynamics of a cyberattack often include speed, automation and adaptive tradecraft. Mounting an effective defense, however, isn’t always fast enough. To help even the score, a group led by the National Security Agency called OpenC2.org is developing an open, standardized computer...
Microsoft Extends Edge Bug Bounty Program Indefinitely
Microsoft said Wednesday it would no longer impose a time limit for its Edge bug bounty program. The Redmond, Wash.-based company announced the Edge on Windows Insider Preview (WIP) program in August 2016 as a means to incentivize researchers to find and report vulnerabilities in the browser...
Trump's Cybersecurity Executive Order Under Fire
NEW YORK–President Donald Trump’s Cybersecurity Executive Order needs an overhaul, specifically a shift from planning and proposals to the pragmatic. According to Ed Amoroso, former AT&T CSO, there are dire consequences to the U.S. critical infrastructure if the U.S. government pursues its curren...
Honda Shut Down Plant Impacted by WannaCry
Honda, one of the largest automobile manufacturers in the world, announced Wednesday that it was forced to shut down production at one of its Japanese plants after it was hit by the WannaCry ransomware. The manufacturer said it powered down a plant on Monday in Sayama, a city in the Saitama...
OpenVPN Patches Critical Remote Code Execution Vulnerability
OpenVPN has this week patched four vulnerabilities, including a critical remote code execution bug, a little more than a month after the results of two security audits of the open source VPN software were published. The patches were released after private disclosures in May and June by researcher...
Avaya Patches Remote Code Execution Flaw in Aura
Internet telephony company Avaya has patched a high-severity vulnerability in its Aura Application Enablement Services product that put phone call and API data running through the server at risk for interception. Researchers at Digital Defense found a vulnerability where an attacker could, withou...
TP-Link Fixes Code Execution Vulnerability in End of Life Routers
Router manufacturer TP-Link recently fixed a vulnerability in a discontinued line of routers that if exploited could have been used to execute code on the device. Researchers at Senrio, a firm that specializes in IoT security, uncovered a logic vulnerability in a configuration service present in...
Internet-Enabled Drill Demonstrates IoT Security Done Right
To Mark Loveless, an internet-enabled cordless drill seemed like a perfect recipe for an IoT security nightmare. Duo Security’s senior security researcher confessed that it sounded silly and quite possibly part of a push by the electronics maker to inject “smarts” into devices that ultimately...
UCL Ransomware Linked to AdGholas Malvertising Group
A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware. Kafeine, a white-hat who works for Proofpoint and is known for his research into exploit...
ProtonMail Launches Free VPN Service
Encrypted email service ProtonMail announced today it was launching a free VPN service called ProtonVPN. Developers said the move comes following one year of development and four months of beta testing by 10,000 ProtonMail community members. According to Proton Technologies AG, the company behind...
Google Removes Two Ztorg Trojans from Play Marketplace
Google, for the second time this month, has removed malicious apps from Google Play that could have laid the groundwork for an attacker to root infected devices. A researcher with Kaspersky Lab on Tuesday described how attackers managed to evade settings set in place by Google Play’s VerifyApps...
SMBv1 to be Disabled in Windows Fall Creators Update
The crusty SMBv1 file-sharing protocol, abused by an NSA exploit last month that spread WannaCry, will be removed from Windows 10 starting with the upcoming Redstone 3 update. “We can confirm that SMBv1 is being removed for Redstone 3,” a Microsoft representative told Threatpost. Redstone 3, a...
FIN10 Extorting Canadian Mining Companies, Casinos
Cybercriminals targeting casinos and mining firms in North America have extorted as much as $620,000 per theft during a four-year run in which they threaten victims with the destruction or public release of stolen data. Between 2013 and 2016, mostly Canadian firms were hit with nearly a dozen...
Mexican Journalists, Lawyers Focus of Government Spyware
Dozens of Mexican journalists, lawyers, and even a child, had their devices infected with commercially produced spyware during the past two years as part of an overarching campaign believed to be carried out by the nation’s government. The spyware, Pegasus, came in the form of text messages...
Republican Data Broker Exposes 198M Voter Records
Detailed voter profiles of 198 million voters were left exposed on an Amazon S3 account by Republican Party-affiliated data broker Deep Root Analytics. The discovery was made by Chris Vickery, cyber risk analyst at security firm UpGuard. “This was one of the most data rich datasets I’ve ever...
Stack Clash Vulnerability in Linux, BSD Systems Enables Root Access
Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors have made patches available today, and systems running Linux, OpenBSD,...
IoT Malware Activity Already More Than Doubled 2016 Numbers
The number of new malware samples in the wild this year targeting connected internet-of-things (IoT) devices has already more than doubled last year’s total. Honeypots laid out by Kaspersky Lab researchers mimicking a number of connected devices running Linux have attracted more than 7,200 differen...
Wikileaks Alleges Years of CIA D-Link and Linksys Router Hacking Via 'Cherry Blossom' Program
Wikileaks released details of what it claims is a CIA-developed wireless router hacking program targeting home wireless routers and business wireless networks. The program is called Cherry Blossom and leverages custom router firmware called FlyTrap, according to the organization’s latest leak...
Someone Failed to Contain WannaCry
Coding and implementation mistakes made by the WannaCry developers may have spared a good chunk of the world some grief on May 12, but they also lend credence to the theory that the ransomware wasn’t contained properly and spread before it was meant to be unleashed. Malware expert Jake Williams,...
On Microsoft's XP Patches, Hidden Cobra, MacRansom, and More
Mike Mimoso and Chris Brook discuss the news of the week, including Microsoft’s XP patches, Hidden Cobra, a Nigerian BEC campaign, MacRansom, and more. Download: ThreatpostNewsWrapJune162017.mp3 Music by Chris Gonsalves...
Erosion of ISP Privacy Rules Sparks New Anti-Snooping Efforts
Since Congress voted to prevent the implementation of new ISP privacy protections there has been a committed and sometimes loud call for new rules. The fear is, without adequate safeguards in place, ISPs will be free to build detailed customer profiles that include names, addresses and online...
Nigerian BEC Scams Hit 500 Companies in 50 Countries
Nigerian cybercriminals targeting industrial firms have stolen a slew of sensitive technical drawings, network diagrams, cost estimates, and project plans already this year. The data, exfiltrated by a cocktail of different spyware programs, wasn’t stolen from just executives, but also operators,...
Ransomware Attack Hobbles Prestigious University College London
University College London, one of the U.K.’s prestigious public research universities, has closed off access to personal and shared drives after a ransomware attack was detected late Wednesday afternoon. University officials said this morning that this was a web-based infection, reversing claims...
Metadata Analysis Draws its Own Conclusions on WannaCry Authors
The most intriguing mystery that remains about WannaCry is the identity of the attacker. The theory with the best legs is that North Korea’s Lazarus APT is the entity behind the worldwide ransomware outbreak given the discovery of shared code samples in the malware with older Lazarus attacks. Tha...
Mozilla Fixes 32 Vulnerabilities in Firefox 54
Mozilla fixed 32 vulnerabilities, including a critical bug that could have resulted in a crash, with the release Tuesday of Firefox 54, the latest version of its flagship browser. The critical bug, a use-after-free vulnerability, was dug up by longtime bug hunter Nils. The vulnerability...
Decryption Utility Unlocks Files Encrypted by Jaff Ransomware
A weakness discovered in Jaff ransomware by researchers has led to the creation of decryption keys to unlock files locked by the malware. “We have found a vulnerability in Jaff’s code for all the variants to date. Thanks to this, it is now possible to recover users’ files encrypted with the .jaff...
DHS, FBI Warn of North Korea 'Hidden Cobra' Strikes Against US Assets
United States top cybersecurity cops warned Tuesday that North Korean government threat actors are targeting U.S. businesses with malware and botnet-related attacks that are part of a concerted effort dubbed “Hidden Cobra.” According to a United States Computer Emergency Readiness Team (US-CERT)...
Abuse of Apple Search Ads Feature Leading to Fraud
Apple has removed one of its top 10 grossing productivity apps after an independent developer’s story about fraudsters’ abuse of the App Store’s Search Ads functionality went viral. Search Ads is a new feature available to iOS developers that allows them to invest in the promotion of their apps...
Scan of Internet Reveals Millions of Exposed Services
If you thought WannaCry inspired a global wakeup call and a massive crackdown on exposed and dangerous ports, you would be wrong. In its annual National Exposure Index report, Rapid7 found 160 million computers, IoT devices and servers with open ports that should not be exposed to the public...
Rare XP Patches Fix Three Remaining Leaked NSA Exploits
The unusual decision Microsoft made to release patches on Tuesday for unsupported versions of Windows was prompted by three NSA exploits that remained unaddressed from April’s ShadowBrokers leak. The worst of the bunch, an attack called ExplodingCan (CVE-2017-7269), targets older versions of...
Microsoft Patches Two Critical Vulnerabilities Under Attack
Microsoft’s Patch Tuesday update today included a massive 95 fixes that tackle vulnerabilities in Windows, Office, Skype, Internet Explorer and its Edge browser. Twenty-seven of Microsoft’s patches fix remote code execution issues, allowing attackers to remotely take control of a victim’s PC...
Risk of 'Destructive Cyber Attacks' Prompts Microsoft to Update XP Again
Fearing destructive attacks precipitated by the availability of the nation-state exploits in the wild that spawned the WannaCry outbreak, Microsoft today announced that its Patch Tuesday updates would include fixes for older versions of Windows, including XP. The move is unusual and mimics a...
Adobe Fixes 21 Critical Vulnerabilities with June Patch Tuesday Update
Adobe fixed 21 vulnerabilities across four products today, releasing patches for Flash, Shockwave Player, Captivate, and Adobe Digital Editions. Most of the vulnerabilities, 15 of the 21, are marked critical by the company because they could lead to code execution. The updates came in the form of...
Patrick Wardle on MacRansom Ransomware-as-a-Service
Patrick Wardle of Synack and the Objective-See blog talks to Mike Mimoso about the emergence of a ransomware service targeting MacOS machines. Wardle explains why he characterizes MacRansom as “lame” and whether this could kick off a wave of copycats vying for the Apple platform. Download:...
FIN7 Hitting Restaurants with Fileless Malware
FIN7, closely associated with the notorious Carbanak group, is behind a targeted phishing campaign singling out restaurants with fileless malware that is difficult to detect. The recent campaign incorporates, “never before seen evasive techniques that allow malware to bypass most security...
Free Mac Ransomware-as-a-Service MacRansom Surfaces
Researchers on Friday began warning of MacRansom, a new and free macOS-based ransomware as a service (RaaS) that’s been making the rounds over the past several weeks. It leverages a portal hosted on the Tor network, but attackers looking for the malware won’t find it there. Interested parties need ...
Blinking Router LEDs Leak Data From Air-Gapped Networks
Researchers have uncovered a new data extraction hole inside air-gapped networks that takes advantage of the blinking LED lights on top of routers to steal data. In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware...
Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability
Unknown attackers are using a recently patched vulnerability in Samba to spread a resource-intensive cryptocurrency mining utility. To date, the operation has netted the attackers just under $6,000 USD, but the number of compromised computers is growing, meaning that a significant number of Samba...