The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 23 September 2015
FORBES.COM SERVED MALICIOUS ADS TO VISITORS
FROM THE MEDIA
Researchers at FireEye discovered a malvertising campaign running on Forbes.com that directed visitors to the Angler and Neutrino exploit kits. In one case, an article page loaded a JavaScript file that injected an iframe, which in turn redirected the visitor to the chosen exploit kit landing page. The malicious ads were removed on Sept. 15, seven days after they were first detected.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
Although not necessarily the main method of driving traffic to exploit kits, actors continue to find ways to distribute malicious ads through legitimate advertising platforms. Placing malicious ads on high-profile websites can potentially drive high volumes of traffic to exploit kits; however, the ads associated with this particular campaign were reportedly not shown on recent articles, most likely limiting its success. Due to its high-profile nature and clientele, Forbes.com is a desirable target for malicious actors. Most notably, Forbes.com was found to be compromised and serving a Flash exploit for malicious activity tied to Chinese cyber espionage operators in late 2014.
RELATED iSIGHT PARTNERS REPORTS
15-00000226 (Angler Exploit Kit Overview), 23 April 2015
14-00000074 (Neutrino Waves Exploit Kit Overview), 16 Jan. 2015
14-00000101 (Flash Exploit Used by Chinese Cyber Espionage Operators on Forbes.com), 12 Dec. 2014
ADVANCED MALWARE GETS INTO GOOGLE PLAY STORE TWICE, POSSIBLY 1M DOWNLOADS
FROM THE MEDIA
Malware disguised as the Android game Brain Test may have been downloaded up to one million times. According to Check Point, the malware has so far only been observed pushing advertisements; however, it is able to evade Google Play store app vetting and uses privilege escalation exploits to obtain root access on affected devices.
Read the Story: SC Magazine
iSIGHT PARTNERS ANALYST COMMENT
The line between malware and adware is a fine one, and some organizations classify adware as a "potentially unwanted program" because of its ubiquity and relatively low threat. While the observed activity of Brain Test does not appear to include credential collection or other malicious behavior beyond intrusive advertisements, the application shares advanced anti-detection and persistence techniques with more capable mobile malware. Users should download applications only from official app stores and should scrutinize an app's publisher, permissions and reviews before installing it.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Apple’s App Store Infected with XcodeGhost Malware in China), 21 Sept. 2015
15-00002136 (Google’s Play Store Implements Human Review of Apps Prior to Publication, Will Have Positive but Limited Impact on Android App Security), 30 March 2015
15-00002124 (Administrative Access to Website of Third-Party App Store ‘AppChina’ Sold in Chinese Underground), 30 March 2015
ISLAMIC STATE THREATENS CYBER ATTACK AGAINST UK
FROM THE MEDIA
The Islamic State has threatened to carry out a cyber attack against the UK on Wednesday, according to SITE Intel Group, which observed a video in which the threat was made. UK government officials noted that action has been taken to defend networks against attacks.
Read the Story: Bloomberg
iSIGHT PARTNERS ANALYST COMMENT
We have observed no concrete evidence suggesting the “Islamic Cyber Army” (ICA), the pro-ISIS hacktivist group that stated its intention to conduct cyber threat activity against the UK, is officially supported, directed or endorsed by leaders or members of the ISIS terrorist organization as claimed in the media. On Sept. 21, 2015, the pro-ISIS hacktivist group ICA announced it would conduct cyber threat activity against the United Kingdom in a campaign dubbed “#BritainUnderHacks.” We believe that #BritainUnderHacks presents a low-level threat to well-maintained and patched UK Government and corporate websites. This campaign appears similar to the ICA’s Sept. 11, 2015 “#AmericaUnderHacks” campaign, which targeted U.S. Government entities and financial institutions but had only a limited impact.
RELATED iSIGHT PARTNERS REPORTS
15-00010034 (Alert: Islamic Cyber Army Threatens Cyber Attacks Against the UK in #BritainUnderHacks), 22 Sept. 2015
15-00009448 (ICA Gains Unauthorized Access to Bank Sites, e-Learning Portal; ISHD Posts New List of US Military Personnel PII on Anniversary of Sept. 11 Attacks Against the US), 16 Sept. 2015
15-00009384 (Pro-ISIS Hacktivists Threaten Cyber Threat Activity Against the U.S. Government, Financials on September 11), 9 Sept. 2015
ATTACKERS COULD HAVE WIPED MOBILE DEVICES IN AN SAP AFARIA NETWORK WITH ONE SMS
FROM THE MEDIA
Several security flaws were discovered in SAP Afaria, a mobile device management (MDM) platform used for BYOD deployments. According to researchers at ERPScan, the software contained several vulnerabilities, since patched, that could have allowed an attacker to take control of every mobile device enrolled in it. One of the flaws would also have allowed an attacker to wipe the data on managed devices with a single crafted SMS message.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
All software platforms, especially large ones such as SAP Afaria, inherently contain numerous vulnerabilities, both known and undiscovered. We have rated all of these vulnerabilities as low-risk, mostly because of the limited impact of exploitation or the level of user interaction required. ERPScan's coordinated disclosure and the delay before technical details were published also greatly mitigate the threat of exploitation, as enterprises have had ample time to apply most of the patches. Additionally, we have not historically observed actor interest in exploiting vulnerabilities affecting SAP Afaria.
RELATED iSIGHT PARTNERS REPORTS
15-00002320 (SAP Afaria Buffer Overflow Vulnerability CVE-2015-2820), 2 April 2015
15-00002338 (SAP Afaria Authentication Bypass Vulnerability CVE-2015-2816), 2 April 2015
15-00008130 (SAP Afaria Cross-Site Scripting Vulnerability CVE-2015-6663), 25 Aug. 2015
The post ThreatScape Media Highlights Update – Week Of September 23rd appeared first on iSIGHT Partners.