Information Security News
Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware.
Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan on about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. While the malicious installation files weren't automatically executed, they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into manually installing them. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.
"So far, those behind Svpeng have limited their attacks to smartphone users in Russia," Kaspersky Lab researchers Nikita Buchka and Anton Kivva wrote in Monday's post. "However, next time they push their 'adverts' on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?"
by Sean Gallagher
Madison County, Indiana, suffered a widespread ransomware attack that shut down virtually all county services last week. Over the weekend, the county government leadership decided to pay the ransom demands of the ring running the malware, which has not yet been identified publicly.
“We’re following the directions of our insurance carrier,” Madison County Commissioner John Richwine told the Herald-Bulletin this morning. He did not reveal the amount of the ransom but said that it was not as much as residents might have thought it would be—and is being covered by the county's cyber-insurance with Travelers, minus a deductible.
While the ransomware did not apparently affect emergency services or voting systems, an Indiana State Police captain told a local television station that the rest of the county's business had been knocked out. Courts and some county offices were closed, and employees were given the option of taking personal or vacation time in other offices where no work was possible.
Microsoft today released 13 bulletins (plus one bulletin from Adobe for Flash). Five of the Microsoft bulletins and the Adobe Flash bulletin are rated critical. A number of the vulnerabilities have either already been publicly known or have already been exploited:
MS16-129 and MS16-142 (Microsoft Edge and Internet Explorer): An information disclosure vulnerability (CVE-2016-7199) has already been publicly disclosed but has not yet been exploited. The vulnerability can leak information cross-origin. In addition, there is a publicly disclosed spoofing vulnerability that affects only Microsoft Edge (CVE-2016-7209).
MS16-132 (Microsoft Graphics Component): This is yet another OpenType font issue (CVE-2016-7256). It has already been exploited, and I labeled this bulletin as "Patch Now". The vulnerability can be used for remote code execution.
MS16-135 (Kernel Mode Drivers): A Win32k privilege escalation vulnerability (CVE-2016-7255) has already been publicly disclosed and exploited. This one is a bit odd in that it sounds like what Google released as CVE-2016-7855. Trying to clarify if this is a typo.
Note that Microsoft didn't use the first two bulletins for the usual Internet Explorer and Edge cumulative updates. Instead, the first bulletin (MS16-129) is used for Edge, and the last one (MS16-142) is used for Internet Explorer. The Flash update uses the next-to-last bulletin (MS16-141).
Android users waiting for a fix for a newly discovered flaw that allows apps to bypass key operating-system security protections will have to wait at least another month. The just released patch batch for November, inexplicably, won't include it.
The so-called escalation-of-privilege vulnerability, dubbed Dirty Cow, was introduced into the core of the Linux kernel in 2007, shortly before Google engineers incorporated the open source operating system into Android. That means the bug, formally indexed as CVE-2016-5195, affects every version of Android since its inception. The flaw remained hidden from public view until October 19, when it was disclosed under a coordinated release that was designed to ensure a fix was ready before most people knew about it. The Android Security Bulletin scheduled to be automatically pushed to select handsets sometime this month, however, won't fix the flaw.
"It's a pretty big deal because it's very easy to exploit," Daniel Micay, a developer of the Android-based CopperheadOS for mobile phones, told Ars. "Unlike a memory corruption bug, there are not really any mitigations for it. [Google] can't claim that mitigations stand in the way of easy exploitation for this bug (that's a dubious claim when they do make it, but for this they can't do it)."