Latest cyber threats, vulnerabilities, data breaches and security updates
Friday August 18, 2017:
A hacker going by the name of xerub claims to have published the decryption key that could be used to unlock the Apple iOS’ Secure Enclave Processor (SEP) firmware. As of Thursday, Apple has not yet confirmed that the stolen key is legitimate, but did confirm that user data would not be affected if the key is valid. In the report, Threatpost describes the potential threat: 
"Publishing of the key now exposes the Secure Enclave to researchers and attackers alike, both of which will be able to examine the previously walled-off processor for vulnerabilities and gain insight into how it operates."

Apple further describes Secure Enclave in the iOS Security Guide
"The Secure Enclave is a coprocessor fabricated in the Apple S2, Apple A7, and later A-series processors. It uses encrypted memory and includes a hardware random number generator. The Secure Enclave provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers."

Trend Micro's Threat Response Team has uncovered an auto-clicking GhostClicker adware in up to 340 apps in Google Play, to include one mobile app "Aladdin’s Adventure’s World" that was downloaded five million times. As of August 7, there were still 101 affected apps that could be downloaded. Trend Micro describes the adware in recent report
"Trend Micro detects these adware as GhostClicker (ANDROIDOS_GHOSTCLICKER.AXM) given its auto-click routine and the way it hides itself in Google Mobile Services (GMS), the set of Google’s most popular applications and application program interfaces (APIs). GhostClicker also hides in Facebook Ad’s software development kit (SDK). It embeds itself into these two services disguised as a package named “logs”, possibly to avoid rousing suspicion by pretending to be a legitimate app component."

Hackers have struck self-service kiosks of South Korean LG Electronics service centers and infected with ransomware. The actors may have exploited unpatched Windows vulnerabilities as one possible vector of attack, Tripwire reports. It is not clear yet whether this is another WannaCry infection.

Thursday August 17, 2017:
Cisco released new security updates for Cisco Application Policy Infrastructure Controller (APIC) and Cisco Virtual Network Function (VNF) Element Manager. Two high severity issues were fixed in Cisco's APIC product to include an SSH privilege escalation vulnerability (CVE-2017-6767) and a custom binary privilege escalation vulnerability (CVE-2017-6768) that could allow an authenticated, local attacker to gain root-level privileges. Another high severity arbitrary command execution vulnerability was fixed in Cisco's VNF Element Manager (CVE-2017-6710) product. 

Drupal issued security updates to fix multiple security vulnerabilities as part of maintenance release Drupal 8.3.7. The security update (SA-CORE-2017-004) includes several critical or moderately critical Access Bypass related vulnerabilities. Drupal strongly recommends site admins upgrade to latest release as soon as possible. 

Trend Micro detected a new exploit kit dubbed "Disdain" in the wild and distributed through a malvertising campaign. The Disdain exploit kit was used by at least one malvertising group to deliver Smoke Loader Trojan, which in turn installs a cryptocurrency miner. Trend Micro first detected Disdain on August 9 and then observed the activity spike on August 12, before dropping. Disdain shares similar features or styles to other exploit kits such as Terror and Nebula. The kit targets older exploits (one as old as 2013) as well as newer exploits, but most have been patched.

HBO social media accounts were hacked to include the "Game of Thrones" Twitter account, CNBC reports. The hacking group OurMine claimed responsibility and is the same group behind the hacking of Facebook CEO Mark Zuckerberg's Pinterest account. This comes after a previous cyberattack that led to the leaking of scripts from hit HBO shows, such as Game of Thrones. 

Wednesday August 16, 2017:
Researchers at Kaspersky Lab have discovered a backdoor planted in connectivity tools made by NetSarang, to include popular products Xshell, Xmanager, Xftp and Xlpd. The discovery came after suspicious DNS requests appeared to be coming from NetSarang software. The malicious activity was revealed by one of Kaspersky's customers in the financial industry. Investigation by Kaspersky later confirmed that NetSarang software was compromised, SecurityWeek reports. The malware also communicates to command and control (C&C) servers over DNS queries every eight hours. 

Kaspersky identified the malware as ShadowPad, as described in a technical paper:

"ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to 'validation' command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes."

The Software Engineering Institute (SEI) just published a new CERT Guide to Coordinated Vulnerability Disclosure (CVD) on Tuesday. The guide provides an "introduction to the key concepts, principles, and roles necessary to establish a successful CVD process" and also can help with guidance when disclosures can go awry and how to respond if it does. 

Researchers from Fortinet have discovered a new variant of the Locky ransomware family dubbed Diablo6 spreads though spam. Further investigation revealed that new samples are being pushed with different configurations and hashes used to potentially evade specific file signatures and detection.

The McAfee Mobile Research team spotted an active smishing campaign that uses SMS messages to target online banking users in the United States. The messages try to scare victims with a notice such as "MSG:Account will soon close!" Once the victim clicks on the malicious link, he or she is redirected to a fake banking site used to steal credentials.

Hackers are targeting WordPress sites with malware called "EV Ransomware" that encrypts WordPress website files. The activity was discovered by Wordfence, a WordPress security firm. Website owners should be wary of paying the ransom as decryption may not be possible given the code is so poorly written and no decryption mechanism was identified, Help Net Security reports.  

Researchers at Proofpoint have identified a number of additional Chrome extensions that have been hijacked. In particular, the company examined “Web Developer 0.4.9” as well as “Chrometana 1.1.3”, “Infinity New Tab 3.12.3”, “CopyFish 2.8.5”, “Web Paint 1.2.1”, “Social Fixer 20.1.1”, and VPNs TouchVPN and Betternet. Each had evidence of compromise or modifications by the same external actor. This comes on the heal of another well known extension Web Developer for Chrome was hacked using similar methods. According to Proofpoint, compromised versions of these extensions attempt to hijack advertising traffic and expose users to potentially malicious popups and credential theft.

Tuesday August 15, 2017:
A new banking trojan campaign is using Trickbot to redirect users to a fake website, claiming to be Lloyds Bank that displays the correct URL and has a valid SSL certificate. The login page appears genuine but is used to steal user's credentials and money, ZDNet reports. According to researchers at Cyren, the attackers have sent over 75,000 phishing emails, each containing a malicious attachment named 'IncomingBACs.xlsm', in just under a half hour. Once victims open the attachment and enable macros, the Trickbot payload installs and waits for the user to visit their banking website and then is redirected to the counterfeit login page. 

Readers should be aware that the phishing emails are sent from a different domain, instead of the legitimate domain It goes without saying, users should not open up attachments sent from financial institutions as well as from untrusted sources. The campaign also comes after recent Symantec report that shows how Trickbot was used to spread to systems on the same network as the infected host and spread fake financial company invoices via spam.

In another cyber campaign, a Nigerian national targeted thousands of companies in the energy, mining, banking and construction industries, resulting in 14 successful infections and stealing thousands of dollars. According to Check Point, the attacker used a remote access trojan called NetWire to take full control over an infected system. He further used a keylogger dubbed Hawkeye

Monday August 14, 2017:
A vulnerability in PostgreSQL leaks passwords to users lacking server privileges. The vulnerability (CVE-2017-7547) is further described by security researcher Adam Mariš in a RedHat advisory

"An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so."

PostgreSQL, an open source object-relational database system, posted more details in a security update release that includes fixes for three security issues and patches for over 50 bugs. Fixes are available in vulnerable versions 9.2 through 9.6. PostgreSQL version 9.2 will be End-of-Life in September, 2017. Affected Red Hat software packages include Red Hat Enterprise Linux 7, Software Collections for Red Hat Enterprise Linux and Satellite 5 versions.

The Check Point Threat Prevention Team posted a blog warning users to be vigilant and apply Microsoft patches to prevent the “the next WannaCry” attack. One vulnerability in particular called out by the team was the high severity Windows Search bug (CVE-2017-8620) that was patched last Tuesday. According to Check Point, an attacker could exploit this vulnerability and "spread a contagious attack between computers in the network," similar to how attackers used the EternalBlue exploit in the WannaCry attacks just two months after Microsoft issued patches to fix the vulnerability. 

Palo Alto security researchers have discovered a new attack that uses weaponized Microsoft Office documents to target individuals involved with United States defense contractors. After further analysis of malware, tools, source code and techniques behind the recent attacks, the researchers have determined the North-Korean linked campaign is the same group responsible for or linked to the group that conducted Operation Blockbuster Sequel and related campaigns. The activity has continued through July 2017, according to the Palo Alto report.

Google added anti-phishing checks for the iOS Gmail to warn users before they visit suspicious links, such as untrusted sites or websites involved in phishing or forgery, Help Net Security reports. This comes on the heals after the company released a similar Gmail anti-phishing checking feature for the Android platform this May.

Malware & Security Threat ResourcesRecent Patch and Security Updates