Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution*:
- A proof-of-concept attack using malicious video subtitle files shows how adversaries can execute code remotely on PCs, Smart TVs and mobile devices through popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time.
- Each media player that was examined has a unique vulnerability that allows a remote attacker to ultimately execute code and gain control of the targeted system.
- VLC developers were notified of four separate vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313), all of which have since been patched.
- Check Point is basing the scope of affected users on publicly disclosed numbers provided by vendors.
- According to Check Point, poorly written subtitle-parsing code is at the heart of these vulnerabilities.
- In one attack scenario, the victim plays a video in a player configured to fetch a subtitle file automatically from an online repository; the attacker uploads malicious subtitle files to such repositories and artificially inflates their ranking so that the player downloads them.
*Source: Threat Post, May 23, 2017
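The following is an added illustration, not code from VLC, Kodi, Stremio, Popcorn Time or Check Point, and it does not reproduce the patched VLC defects, which the summary above does not describe. It shows the validation discipline a subtitle parser needs once the file is treated as untrusted input from an online repository: a strict SubRip (.srt) parser that enforces an encoding, a grammar and size limits, and rejects anything else rather than guessing. The choice of SRT, the limits, the tag whitelist and the sample files are assumptions made for the example.

```python
"""Strict, bounded SubRip (.srt) parser for subtitle files from untrusted sources.
Added example; not VLC, Kodi, Stremio, Popcorn Time or Check Point code, and not a
reproduction of the patched VLC bugs. The limits and samples below are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed limits: a legitimate subtitle file never needs more than these.
MAX_FILE_BYTES = 2 * 1024 * 1024          # 2 MiB
MAX_CUES = 20_000
MAX_LINES_PER_CUE = 8
MAX_LINE_CHARS = 256
MAX_TIMESTAMP_MS = 24 * 60 * 60 * 1000    # nothing beyond 24 hours

TIMESTAMP_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}),(\d{3})$")
ALLOWED_TAG_RE = re.compile(r"</?(?:i|b|u)>")   # only simple styling tags are tolerated

class SubtitleError(ValueError):
    """Raised for any input that violates the grammar or a limit."""

@dataclass(frozen=True)
class Cue:
    index: int
    start_ms: int
    end_ms: int
    text: str

def _parse_timestamp(token: str) -> int:
    m = TIMESTAMP_RE.match(token)
    if not m:
        raise SubtitleError(f"bad timestamp {token!r}")
    hh, mm, ss, ms = (int(g) for g in m.groups())
    if mm > 59 or ss > 59:
        raise SubtitleError(f"out-of-range timestamp {token!r}")
    total = ((hh * 60 + mm) * 60 + ss) * 1000 + ms
    if total > MAX_TIMESTAMP_MS:
        raise SubtitleError(f"timestamp too large {token!r}")
    return total

def _check_text_line(line: str) -> str:
    if len(line) > MAX_LINE_CHARS:
        raise SubtitleError("text line too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        raise SubtitleError("control character in text")
    stripped = ALLOWED_TAG_RE.sub("", line)   # drop permitted tags; anything else is unknown markup
    if "<" in stripped or ">" in stripped:
        raise SubtitleError("unsupported markup in text")
    return line

def parse_srt(data: bytes) -> list[Cue]:
    """Parse SRT bytes into cues; raise SubtitleError rather than guess."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    try:
        text = data.decode("utf-8")            # strict: no silent replacement characters
    except UnicodeDecodeError as exc:
        raise SubtitleError("file is not valid UTF-8") from exc
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n").strip("\n")
    cues: list[Cue] = []
    for block in re.split(r"\n{2,}", text):
        if len(cues) >= MAX_CUES:
            raise SubtitleError("too many cues")
        lines = block.split("\n")
        if len(lines) < 2:
            raise SubtitleError("cue is missing its timing line")
        if len(lines) - 2 > MAX_LINES_PER_CUE:
            raise SubtitleError("too many text lines in one cue")
        expected = len(cues) + 1
        if not (lines[0].isascii() and lines[0].isdigit()) or int(lines[0]) != expected:
            raise SubtitleError(f"cue index {lines[0]!r} is not {expected}")
        parts = lines[1].split(" --> ")
        if len(parts) != 2:
            raise SubtitleError(f"bad timing line {lines[1]!r}")
        start_ms, end_ms = (_parse_timestamp(p.strip()) for p in parts)
        if start_ms > end_ms:
            raise SubtitleError("cue ends before it starts")
        body = "\n".join(_check_text_line(l) for l in lines[2:])
        cues.append(Cue(expected, start_ms, end_ms, body))
    return cues

def is_rejected(data: bytes) -> bool:
    """True if the parser refuses the input (useful for tests and fuzzing)."""
    try:
        parse_srt(data)
    except SubtitleError:
        return True
    return False

# Constructed sample inputs for the example.
SAMPLE_SRT = (
    b"1\n00:00:01,000 --> 00:00:02,500\nHello <i>world</i>\n\n"
    b"2\n00:00:03,000 --> 00:00:04,000\nSecond cue\nwith two lines\n"
)
OVERLONG_SRT = b"1\n00:00:01,000 --> 00:00:02,000\n" + b"A" * 4096 + b"\n"

if __name__ == "__main__":
    print(len(parse_srt(SAMPLE_SRT)), "cues;", "rejected" if is_rejected(OVERLONG_SRT) else "accepted")
```

The parser is deliberately intolerant: an oversize line, an unknown tag, a non-monotonic index, invalid UTF-8 or an end time before the start time all abort the load. That is the opposite of the permissive "best effort" parsing that lets a crafted file reach code paths a legitimate file never does, and it is cheap to keep strict because subtitle files from a reputable source satisfy these rules anyway.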
Hackers Hit Russian Bank Customers*:
- Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest.
- Their campaign raised a relatively small sum by cyber-crime standards – more than US$892,000 – but they had also obtained more sophisticated malicious software to go after the clients of banks in France and possibly a range of other western nations.
- Russia's relationship to cyber-crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.
- The gang members tricked the Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs.
- The criminals infected more than a million smartphones in Russia.
- The hackers targeted customers of state lender Sberbank, and also stole money from accounts at Alfa Bank and online payments company Qiwi.
- The gang exploited a Russian bank service that allows users to transfer small sums to other accounts by sending an SMS message.
- The findings illustrate the dangers of using SMS messages for mobile banking, a method favoured in emerging countries with less advanced internet infrastructure.
*Source: Reuters, May 22, 2017
Credential-Stuffing Threat Intensifies Amid Password Reuse*:
- Password reuse poses a tremendous security risk as attackers increasingly employ leaked credentials to search for other accounts to compromise via reused passwords.
- There’s no shortage of leaked credentials for attackers to employ – nearly all of the world’s 1,000 largest companies have had corporate credentials exposed.
- Credential stuffing is the automated replay of username and password pairs stolen from one site against the login form of another, in the hope that some of them belong to users who reused the same password there.
- Many leaked credentials are freely available; where they are sold, the price varies with their age.
- Attackers use a few different tools to launch credential stuffing attacks, but the main ones are SentryMBA, Vertex Cracker, and Account Hitman.
- Gaming and technology businesses were most frequently targeted, but attackers also went after gift card companies, hotels, pizza shops, and online retailers.
- Multi-factor authentication is one means of fighting account takeover attacks, but it is not considered a “silver bullet” to get full protection.
- Organizations are advised to learn more about credential-stuffing tools and inform staff and consumers of the dangers of reusing passwords and corporate email addresses for personal accounts.
*Source: Dark Reading, May 23, 2017
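As an added example, not from the Dark Reading article or from any vendor, the detector below separates credential stuffing from classic brute force in authentication logs: stuffing shows many distinct usernames from one source, each tried once or twice and mostly failing, whereas brute force hammers a single username with many passwords. The log line format, the thresholds and the sample log are assumptions constructed for the example.

```python
"""Credential-stuffing detector over authentication logs.
Added example, not from Dark Reading or any vendor. It separates stuffing (many
distinct usernames from one source, mostly failing) from brute force (one username,
many passwords). Log format, thresholds and the sample log are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO-8601 UTC> login result=<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
# Assumed thresholds; tune against the site's own baseline before deploying.
WINDOW = timedelta(minutes=5)      # sliding window per source address
MIN_ATTEMPTS = 8                   # enough volume to judge the failure ratio
MIN_DISTINCT_USERS = 6             # the stuffing signature: breadth of accounts, not depth
MIN_FAIL_RATIO = 0.8               # most leaked pairs no longer work on the target site

@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool

@dataclass(frozen=True)
class Finding:
    src: str
    attempts: int
    distinct_users: int
    fail_ratio: float
    successes: tuple[str, ...]     # accounts the source actually got into

def parse_line(line: str) -> Attempt | None:
    """Return an Attempt for a well-formed log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Attempt(ts, m["src"], m["user"], m["result"] == "ok")

def detect(lines) -> list[Finding]:
    """Report, per source, the largest window that matches the stuffing profile."""
    by_src: dict[str, list[Attempt]] = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt is not None:
            by_src[attempt.src].append(attempt)
    findings: list[Finding] = []
    for src, attempts in by_src.items():
        attempts.sort(key=lambda a: a.ts)
        best: Finding | None = None
        lo = 0
        for hi in range(len(attempts)):
            while attempts[hi].ts - attempts[lo].ts > WINDOW:   # slide the window forward
                lo += 1
            window = attempts[lo:hi + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            users = {a.user for a in window}
            fail_ratio = sum(not a.ok for a in window) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and fail_ratio >= MIN_FAIL_RATIO:
                if best is None or len(window) > best.attempts:
                    best = Finding(src, len(window), len(users), fail_ratio,
                                   tuple(a.user for a in window if a.ok))
        if best is not None:
            findings.append(best)
    return findings

# Constructed sample log: one stuffing source (ten accounts, one of them hit), one
# single-account brute force, and one legitimate user who mistyped a password once.
SAMPLE_LOG = [
    f"2017-05-23T10:00:{2 * i + 1:02d}Z login result={'ok' if u == 'dave' else 'fail'} "
    f"user={u} src=203.0.113.7"
    for i, u in enumerate("alice bob carol dave erin frank grace heidi ivan judy".split())
] + [
    f"2017-05-23T10:01:{i:02d}Z login result=fail user=alice src=198.51.100.9"
    for i in range(10)
] + [
    "2017-05-23T10:02:00Z login result=fail user=alice src=192.0.2.5",
    "2017-05-23T10:02:05Z login result=ok user=alice src=192.0.2.5",
    "this line is not an auth event and is ignored",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.src}: {f.attempts} attempts, {f.distinct_users} users, "
              f"{f.fail_ratio:.0%} failed, compromised={f.successes}")
```

The distinct-username count is what makes this rule specific to stuffing: the brute-force source in the sample fails just as often but is never flagged, because it only ever tries one account. In production the per-IP key is weak on its own, since tools of the kind named above rotate through proxies, so the same logic is usually run a second time keyed on a device or TLS fingerprint, and the `successes` field is the list that goes to the account-takeover response team.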
WannaCry Successor Is New 'Doomsday' SMB Worm That Uses 7 NSA Hacking Tools*:
- WannaCry has a new highly malicious successor, which has been identified as a worm spreading via SMB (Server Message Block).
- Unlike WannaCry, which leveraged two of the leaked alleged NSA hacking tools, EternalRocks uses seven of the spy agency's leaked cyberweapons.
- Although EternalRocks shares several similarities with WannaCry, it has been designed to operate far more stealthily in order to avoid detection.
- The NSA tools were leaked by the Shadow Brokers hacker group earlier this year, and security experts linked one of the exploits they leaked to the WannaCry attacks.
- EternalRocks does not currently deliver a malicious payload, so in its present form it is less dangerous than WannaCry, but some researchers consider it a far greater threat than its predecessor because it can be armed at any time.
- EternalRocks uses a two-stage installation process as part of its attack, with the second stage coming with a delayed initiation so the worm can function more secretively.
- EternalRocks has no kill switch and can be weaponized; at present, there is no simple way to stop potential EternalRocks attacks.
- SMB vulnerabilities have been increasingly targeted by hackers recently to launch large-scale attacks.
- Systems should be patched immediately and kept on the most recent, supported operating system versions.
*Source: IBTimes, May 22, 2017
The People Who Fight Hacking And Cybercrime Are Turning To Designers For Help*:
- In Austin, Texas a team of 30 designers are enthusiastically parsing malware threats, viruses, hacks and malicious IP addresses to visualize the veins of cyber-attacks all over the world.
- Using a design process called “observe-reflect-make” and great data visualization, the team makes products used by thousands of law-enforcement agencies and private security firms.
- During the recent WannaCry attacks, for instance, a threat-intelligence sharing platform shaped by designers helped analyze the paths by which the worm was spreading; instead of poring through pages of Excel reports, security researchers could take in the data visually and share it swiftly.
- Visualization tools help analysts detect attacks faster, find historical patterns, and make better-informed decisions.
- Security analysts have to sift through 200,000 security alerts a day on average and track some 60,000 security blog posts published every month.
- While intelligence agencies like the CIA have in-house design departments that create peripheral briefing documents, it’s only recently that designers have been asked to collaborate with analysts to crack cybercrime incidents.
- There are many opportunities for intrepid designers and visual thinkers who want to work in security.
*Source: Quartz, May 19, 2017
Target Will Pay $18.5 Million in Settlement with States Over 2013 Data Breach*:
- Target Corp. will pay $18.5 million to 47 states, including California, and the District of Columbia as part of a settlement over a 2013 data breach that compromised tens of millions of customers’ credit and debit card information.
- California will receive more than $1.4 million from the settlement, the largest amount of any state.
- California's Attorney General said, “This should send a strong message to other companies: You are responsible for protecting your customers’ personal information.”
- As part of the settlement, the Minneapolis-based retailer will also be required to employ an executive to manage a “comprehensive information security program” and advise the company’s chief executive and its board of directors.
- Target must hire an independent third party to do a comprehensive security assessment.
- It has to add other cybersecurity measures, including encrypting payment card information so the data are useless if stolen, separating its cardholder data from the rest of its computer network and instituting password rotation policies and two-factor authentication for certain accounts.
- Target has overhauled its security systems since the 2013 breach and settled other lawsuits related to the breach, including one from credit card company Visa Inc.
- A $10-million settlement for a class-action lawsuit brought by consumers is still going through the court system, though it received approval from a federal judge in 2015.
*Source: Los Angeles Times, May 26, 2017