CCleaner accidentally includes Floxif malware to its latest version
Disk cleaner tool CCleaner offered a free download of its newest version, but the download also accidentally included the Floxif malware. The free app download ran from Aug. 15 to Sept. 12. An official report from Cisco Talos stated that the installer for v5.33 of CCleaner contained an executable that was captured by their malware protection system. By the time of this discovery, the legitimate download servers had already delivered the installer to various endpoints. A build of CCleaner v5.33 carrying the Floxif Trojan, signed with a valid digital certificate, replaced the legitimate app on its website after the supply chain of Avast was compromised. The Floxif malware collects information about infected systems and then sends it back to its command-and-control servers, so data will be leaking out from these infected machines. However, the malware will shut down automatically if it is not granted administrator permission to run its programs. MAC addresses (for the first three network interfaces), running processes, installed software, the computer’s name and the unique ID tag that identifies it from other computers are some of the information that the malware collects. However, this malware can only run on 32-bit systems. Piriform Vice President of Products, Paul Yung, extended his apologies to their customers in a company blog post. He further stated that the rogue server is now down and all threats have been resolved. All existing CCleaner v5.33.6162 users are being moved to the latest version of the app, and the attacker no longer has any control over the servers. Updating to the recent versions of the CCleaner app will automatically remove the malware, according to an email to Bleeping Computer by Avast CTO Ondrej Vlcek.
Vlcek further added, “There is no indication or evidence that any additional malware has been delivered through the backdoor.” About 2.27 million machines installed v5.33, but the issue can be fixed by removing the single piece of malware embedded in the CCleaner binary.
66% of SMBs would shut down or close if they experienced a data breach
In the event of a serious data breach, 66% of SMBs would either go out of business completely, or be forced to shut down for at least a day, according to a Monday report from VIPRE. This would happen regardless of whether systems or data were compromised, according to a press release announcing the report. Another surprising data point was how regularly SMBs were dealing with attacks: Some 23% said they were experiencing cyber-attacks every day. The survey commissioned by VIPRE took responses from some 250 SMB IT managers. In 2016, the US National Cyber Security Alliance presented similar findings. The organization found that 60% of small businesses can’t sustain their business over six months after an attack. It also found that most small businesses have to pony up $690,000 to mitigate the damage after an attack, while mid-market companies are paying more than $1 million. The VIPRE report also noted that 68% of these IT managers were tasked with delivering security reports to upper management. However, 47% said they needed to collect the data manually and many didn’t have access to an online dashboard. Despite the fact that they may not have the potential resources of an enterprise giant, it seems as though attacks against SMBs are increasing. As such, spending in that area is increasing as well. According to a new report from Cyren and Osterman Research, 63% of SMBs are increasing their security spending, but many are still experiencing breaches regardless. The Cyren and Osterman Research report found that many SMBs were beginning to show an interest in cloud-based security, with 29% of IT managers expressing a “strong preference” for cloud-based tools. Usman Choudhary, vice president of product development at VIPRE, echoed those thoughts in the VIPRE press release. 
“The surge in cloud-hosted and as-a-service anti-malware solutions is undeniable, and our partners and business users are increasingly looking to move services to the cloud to capitalize on various benefits like decreased cost, increased performance and access from anywhere,” Choudhary said in the release.
SEC data breach: hackers accessed personal information
The Securities and Exchange Commission says that crooks may have accessed the personal information of two people during the 2016 breach at its Edgar corporate disclosure database. In an update on the breach, first disclosed last month, SEC chairman Jay Clayton says that a test filing accessed by the hackers contained the names, dates of birth and social security numbers of the two unnamed people, who have been informed and offered ID theft protection. On 20 September, Clayton revealed that the infiltration of the Edgar system – which houses non-public filings on upcoming corporate earnings statements and pending mergers and acquisitions – was detected in 2016 but that the watchdog only realised in August that the stolen data may have been used for illicit trading. In his update today, the chairman says: “The 2016 intrusion and its ramifications concern me deeply. I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.” Clayton initiated an assessment of the SEC’s cybersecurity risk profile upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. “Chairman Clayton has authorised the immediate hiring of additional staff and outside technology consultants to aid in the agency’s efforts to protect the security of its network, systems and data,” says the regulator. Meanwhile, the SEC says that it is increasing resources for modernization of Edgar, bringing in outside consultants and increasing the focus on cyber security. The watchdog was hauled over the coals by the US Government Accountability Office (GAO) in July, in a report which accused the agency of failing to consistently protect its network boundaries, authenticate users and encrypt sensitive information while in transmission.
Hacker puts info of over 6,000 Indian businesses up for sale in massive data breach
The login credentials and other confidential data of more than 6,000 Indian ISPs, government departments and private businesses were put up for sale on DarkNet, security researchers found. Seqrite Cyber Intelligence Labs and seQtree InfoServices discovered an advertisement on DarkNet allegedly selling access to the servers and database dump of an unspecified “internet registry”, the Economic Times first reported. The team said the hackers were selling the allegedly stolen data for 15 Bitcoins ($64,557, £48,676) or, for an unspecified amount, offered to take down one of the organisations’ entire networks. The threat actor claimed to have the ability to tamper with the IP allocation pool, which could potentially result in a major outage and denial-of-service situation for users and organisations.
Posing as a potential buyer, the research team contacted the threat actor and received a small sample of the email list from the reportedly compromised database. Eventually, the actor agreed to share a text file containing the emails of users/organisations affected, allegedly from the compromised database(s). “In the sample, the team noticed the email address of a prominent Indian technology firm and another email address was from Indian government,” Seqrite said in a blog post. The researchers identified the affected agency as India’s National Internet Registry – the Indian Registry for Internet Names and Numbers (IRINN), which falls under the National Internet Exchange of India (NIXI). According to Seqrite, some of the organisations whose services could have been disrupted included the Unique Identification Authority of India (UIDAI), the Reserve Bank of India, the Indian Space Research Organisation (ISRO), various Indian state government portals, telecom giants Idea, Aircel and BSNL, the Bombay Stock Exchange, Mastercard/Visa, the State Bank of India, HDFC, ICICI Prudential Mutual Fund, and companies like Ernst & Young, Flipkart and Zoho. “The hacker has no capacity to cause any damage or initiate distributed denial of service to any entity who has been allocated Internet resources through IRINN System,” NIXI said.
Yahoo admits security hack was three times worse than believed, hitting all 3bn accounts
Yahoo says the security breach that affected the company earlier in 2017 was three times worse than previously thought. A probe has shown that all of its three billion user accounts were impacted in the attack, which dated back to 2013. It had originally said that only one billion of its accounts had been affected, and it has contacted those who were additionally affected. This included accounts that were opened and only briefly used. Data that had been stolen did not include bank details, passwords in plain text or card data, and the company said it was “continuing to work closely with law enforcement”. Yahoo also said it had invalidated unencrypted security questions and answers. Verizon has combined its AOL subsidiary and Yahoo into a new business called Oath. Verizon’s chief information security officer Chandra McMahon said in a statement: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.” The revelation of the extent of the Yahoo breach came on the same day that the ex-head of credit agency Equifax was grilled in Congress over a breach in its systems of data of over 145 million people.
Equifax data breach was due to one person’s error says former CEO
Equifax’s outgoing CEO Richard Smith has blamed one employee for the massive data breach which exposed the personal information of close to 146 million Americans. In a testimony before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee on Tuesday (3 October), he noted that the security vulnerability in Apache’s Struts software had a patch that was made available to them long before the breach took place. Smith said a single human error and oversight resulted in the failure to deploy a security patch that could have prevented the hack. Smith said the vulnerability was discussed by the company’s computer emergency response team (CERT) on 8 March this year. In a written testimony, Smith said that on 9 March an internal email was sent out to the security team to apply the patch within 48 hours, following a communication from the Department of Homeland Security. Of the 225 people employed by the company, Smith said one person made a mistake. Without naming the employee, Smith said: “The human error was that the individual who’s responsible for communicating in the organisation to apply the patch, did not.” Apart from Smith, who stepped down as CEO last week, the chief security officer and chief information officer of Equifax have also retired from their posts. The state of New York has reportedly issued a subpoena against Smith, and San Francisco has filed a lawsuit on behalf of its citizens, over 15 million of whom were affected by the breach. Smith will have to attend a few more hearings this week, including the financial services and banking committees.
New phishing emails claiming to be ‘secure message’ from private banks secretly deliver malware
Cybercriminals are using a new phishing campaign that impersonates “secure messages” from private financial institutions such as Bank of America and TD Commercial Banking to deliver malware to unsuspecting victims, security researchers have found. The spoof emails claim to be secure messages from a legitimate banking institution and instruct the user to either download an attached document, reply to the sender or follow a set of instructions. They also use legitimate-looking bank domains, the institution’s logo and even a confidentiality statement at the bottom of the email to trick the user into believing these are secure messages from their bank. “While these threats appear to be real messages from actual banks, it’s important to understand that the financial institutions mentioned in the emails below haven’t been hacked; however, their names are being used by criminals to persuade recipients to act on the messages,” Barracuda Networks explained in a blog post. “In some instances, these messages have an attached Word document that contains a malicious script that will rewrite the files in the users’ directory on Windows machines once the victim opens the document,” Fleming Shi, senior vice president of technology at Barracuda, wrote. “Depending on the script in the attachment, there’s a potential for typical anti-virus software to miss the threat altogether because the Word documents contained in these ‘secure messages’ could be benign and allowed to be downloaded or opened when they’re first received.” Criminals also like that, in order for targets to act on these messages, they need to be connected to the internet because the viewing happens in a web portal, which means that they are then vulnerable to downloading malicious content. Recommended defences include user training and awareness to identify phishing attempts, a security solution that offers sandboxing and advanced threat protection against malware, as well as anti-phishing protection.
R6DB hacked: Rainbow Six Siege gaming service’s databases wiped by hackers and held for ransom
R6DB, a fan-powered online gaming service that provides statistics for players of Ubisoft’s tactical FPS Rainbow Six Siege, was hit by hackers over the weekend who wiped its databases and held the data for ransom. In a Medium post on Sunday (1 October), the company said an automated bot managed to access their databases on Saturday since it still had remote connections enabled for the database server from its development phase. “They left a nice ransom message, but we have no reason to believe that they kept any data. We basically lost all our historical data though,” the team wrote. The company noted that it does not store players’ personal data. “We don’t store any personal data, so you don’t have to be concerned about any privacy issues.” R6DB said they are currently working to restore as much of the data as possible. As of Sunday afternoon, the team said, “PC restore is done, PS4 at 25%.” The team said they are currently working on getting a new server up and running. The company is still working to restore player data and estimates the process will be completed by Monday.
Saudi Arabia’s entertainment authority hit by ‘subversive’ cyberattacks from outside the kingdom
Saudi Arabia’s General Entertainment Authority (GEA) said on Friday (29 September) its website was hit by “subversive” cyberattacks from outside the kingdom this week. The GEA said on Twitter that it was working to halt the attacks that began early on Thursday and prevent any impact to its website or social media accounts, Reuters reports. “The source of the subversive attacks, which aim to harm the authority and its efforts, is being identified,” the GEA tweeted. The GEA has not specified any details regarding the type of cyberattack, the suspected perpetrators behind the attacks or how it is mitigating the attack. To commemorate the 87th Saudi National Day, the authority organised a slew of concerts and performances across the country last weekend, including a pageant operetta that saw women entering the King Fahd Stadium in Riyadh for the first time. Set up in 2016, the authority was created by royal decree, as part of Saudi Arabia’s Vision 2030 programme for economic and social reforms, to offer entertainment options for Saudis and diversify the economy away from its dependence on oil. In January, the nefarious disk-wiping malware Shamoon resurfaced, targeting several Saudi organisations including the Saudi labour ministry and a chemicals company. The Saudi telecoms authority issued an alert warning against the destructive software, which was used in cyberattacks targeting Saudi Aramco and other energy companies back in 2012 and wiped out hard drives, leaving behind images of a burning US flag on infected machines. In December last year, Saudi Arabia’s central bank was reportedly targeted by a version of the malware. In August, Kaspersky Lab reported that the Mamba ransomware that hit the San Francisco Municipal Transportation Agency in November 2016 had reemerged in Saudi Arabia and Brazil.
UIDAI assures Aadhaar data safe after security threat
The Unique Identification Authority of India (UIDAI) on Wednesday denied there has been a security breach of its database, following reports that data of some 6,000 Indian businesses and government agencies was up for sale on the Internet. The statement comes after global IT security firm Quick Heal’s Enterprise Security brand Seqrite discovered an advertisement on a DarkNet forum that claims to have access to data of over 6,000 Indian businesses that include Internet Service Providers (ISPs), some key government organisations, banks and enterprises. The organisations whose services were said to be at risk were UIDAI, Idea Telecom, Bombay Stock Exchange (BSE), Flipkart, DRDO, Aircel, Reserve Bank of India, BSNL, SBI, TCS, ISRO, ICICI Prudential Mutual Fund, VMWare, Employees’ Provident Fund Organisation and various Indian state government portals. The reported breach “does not contain any confidential data of UIDAI and has not affected any services provided by the authority”, said a statement from the UIDAI, a statutory authority collecting and maintaining the world’s largest biometric ID system. Over 117 crore Indians were said to have enrolled for Aadhaar till August 14 this year for direct transfer of financial benefits and other subsidies and services by the government. The UIDAI, however, said it had robust security controls and protocols to counter any attempts or malicious designs of data breach or hacking. “Security of Aadhaar is of critical importance to the government and the UIDAI has given it paramount significance. The UIDAI constantly strengthens and reviews its infrastructure and ecosystems in line with the best international security practices and technological standards and has multi-layered security and privacy considerations built into the core strategy of Aadhaar with three basic doctrines of minimal information, optimal ignorance and federated database which give a higher level of security,” the statement said.