The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 9 March 2016
North Korea Hacked Government Officials’ Smartphones, South Korea Says
From The Media
The South Korean Government claims that North Korea hacked dozens of top officials’ smartphones over the past several weeks. According to South Korea’s National Intelligence Service (NIS), North Korea sent text messages carrying malicious code between late February and early March 2016. The NIS has not disclosed which officials were compromised, but has confirmed that roughly a fifth of the attempts were successful.
Read the Story: CNN
iSIGHT Partners Analyst Comment
While we do not at present possess evidence that North Korean espionage actors have developed and used malware to target mobile platforms, we are working to capture further details related to this activity. South Korea is, however, a key target for North Korean espionage, and given that North Korean operators appear skilled (having previously leveraged a Hangul Word Processor zero-day to distribute Volgmer malware), it is possible they are employing mobile malware to gain information and establish footholds against targets of interest as tensions increase on the Korean peninsula.
Related iSIGHT Partners Reports
15-00011382 (TEMP.Hermit Leverages Hangul Zero-Day), 15 Oct. 2015
16-00002244 (TEMP.Hermit Leverages New Infrastructure), 19 Feb. 2016
16-00002496 (HTTP Troy Malware Family), 26 Feb. 2016
Facebook Password Reset Bug Gave Hackers Access to Any Account
From The Media
India-based security researcher Anand Prakash discovered a password reset vulnerability that could have allowed an attacker to take over any Facebook account. Facebook’s reset flow sends the user a six-digit code; the main site caps invalid attempts, but the beta site (beta.facebook.com) and its mobile basic-version counterpart (mbasic.beta.facebook.com) did not, so Prakash could brute-force the code (at most 1,000,000 guesses) and set a new password on the account. The vulnerability has since been patched, and Prakash received a monetary reward for reporting the bug to Facebook.
Read the Story: Threat Post
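The bug above is a missing attempt cap on a six-digit code, which turns a one-in-a-million guess into a million-request loop. The simulation below is an added example written for this roundup, not code from Facebook or from Prakash’s disclosure: it models the reset-code check on the server, runs an attacker loop against it once without a cap (the vulnerable behaviour) and once with a cap, and uses a constant-time comparison and one-time-use invalidation in the hardened path. The cap value of five and the class and function names are assumptions made for the example.

```python
import hmac
import secrets
from typing import Optional

CODE_LEN = 6                # six-digit reset code, as in the Facebook flow
KEYSPACE = 10 ** CODE_LEN   # 1,000,000 possible codes


def issue_code() -> str:
    """Generate a reset code uniformly from the full six-digit keyspace."""
    return f"{secrets.randbelow(KEYSPACE):0{CODE_LEN}d}"


class ResetCodeVerifier:
    """Server-side check of a password-reset code.

    max_attempts=None reproduces the bug: unlimited guesses against one code.
    With a cap (hypothetical policy value; the page gives no number), the code
    is invalidated after that many wrong guesses and the user must request a
    fresh one.
    """

    def __init__(self, code: str, max_attempts: Optional[int] = None):
        self._code = code
        self.max_attempts = max_attempts
        self.attempts = 0
        self.invalidated = False

    def verify(self, guess: str) -> bool:
        if self.invalidated:
            return False                # code is burned; no further answers
        self.attempts += 1
        # Constant-time comparison: no timing side channel on the digits.
        ok = hmac.compare_digest(guess.encode(), self._code.encode())
        if ok:
            self.invalidated = True     # one-time use: a correct code cannot be replayed
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.invalidated = True     # cap reached: burn the code
        return False


def brute_force(verifier: ResetCodeVerifier) -> Optional[str]:
    """Attacker loop: walk the keyspace until the server accepts a code or
    the code has been invalidated (at which point guessing is pointless)."""
    for n in range(KEYSPACE):
        guess = f"{n:0{CODE_LEN}d}"
        if verifier.verify(guess):
            return guess
        if verifier.invalidated:
            return None
    return None


if __name__ == "__main__":
    code = issue_code()
    # Vulnerable: no cap, so the loop always recovers the code (about 500k guesses on average).
    print("no cap, recovered :", brute_force(ResetCodeVerifier(code)) == code)
    # Hardened: the code is burned after five wrong guesses.
    capped = ResetCodeVerifier(code, max_attempts=5)
    print("cap of 5, result  :", brute_force(capped), "after", capped.attempts, "attempts")
```

In a real deployment the cap has to apply consistently across every host that serves the flow; the Facebook bug was exactly a second endpoint that shared the code but not the limit. Expiry of the code and per-account throttling of reset requests belong alongside the per-code cap.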
iSIGHT Partners Analyst Comment
Exploitation of this vulnerability poses no ongoing threat to Facebook users as the issue has already been patched. While it is possible that one or more malicious actors had independently discovered and exploited this vulnerability prior to patching, we have not observed any indication of this. Prakash’s responsible disclosure and Facebook’s prompt response resolved a serious potential security risk that could have facilitated myriad malicious activities over the Facebook platform.
Related iSIGHT Partners Reports
15-00008122 (ISHD Compromise of Social Media Accounts Plausible), 19 Feb. 2016
16-00001676 (Cyber Crime Actor Advertises Credit Card Data; May Be Monetized via eCommerce or Uber Fraud), 12 Feb. 2016
16-00001032 (Cracka Continues to Target US Officials, Executives and Their Family Members), 26 Jan. 2016
Google Patches Critical Vulnerabilities in Android
From The Media
Google has patched several critical vulnerabilities in Android, including remote code execution flaws. The patch bulletin contained 16 patches for 19 vulnerabilities: seven critical, ten high and two moderate. Two of the critical issues, remote code execution flaws CVE-2016-0815 and CVE-2016-0816 in the Android mediaserver component, could be triggered during processing of a specially crafted media file.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
iSIGHT Partners considers the most recent Android vulnerabilities to be either low or medium risk. The number and types of vulnerabilities patched by Google this month are within expected values and consistent with previous patches. We surmise that researchers are paying increased attention to Android in recent months due to the high-profile discovery of several vulnerabilities affecting the Stagefright library in mid to late 2015. We observed a similar increase in attention paid to, and a surge of disclosed and patched vulnerabilities for, OpenSSL following the Heartbleed disclosure in 2014.
Related iSIGHT Partners Reports
16-00003096 (Google Android Vulnerability CVE-2016-0815), 8 March 2016
16-00003098 (Google Android Vulnerability CVE-2016-0816), 8 March 2016
Locky Ransomware ‘on the Rampage’ Globally
From The Media
The Locky ransomware’s propagation rate is rising, according to McAfee and Fortinet. Specifically, Fortinet has tracked over three million “hits” on Locky command and control (C&C) servers in two weeks. McAfee has advised that Locky has moved from hiding in Word macros to benign-appearing JavaScript file attachments, designed to evade anti-virus detection. Locky still spares Russian systems: if it detects that the target operating system is Russian, it deletes itself.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
While Locky ransomware infections have affected a significant number of devices, the figure of three million almost certainly overstates the infection count. It appears to be a beacon count rather than a count of infected hosts, and because each infected host checks in with its C&C server repeatedly, a beacon count can inflate the apparent number of infections several-fold. We have observed the delivery methods reported, as well as delivery by the Neutrino exploit kit. Locky is likely operated by the same actors managing Dridex botnets and, barring law enforcement intervention, is highly likely to remain a significant threat for the long term.
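To show why a beacon count is not an infection count, here is an added example (not code from iSIGHT Partners, Fortinet or McAfee) that reads a constructed sample of C&C web-server log lines and reports raw hits, unique source addresses and unique victim identifiers side by side. The sample is synthetic: the /main.php path, the log layout and the 16-hex-digit “id=” victim identifier are assumptions made for this example, not a description of Locky’s real protocol. The sample deliberately includes two hosts behind one NAT address and one host whose address changes during the window, so that counting addresses is wrong in both directions.

```python
import re
from collections import Counter

# Constructed sample of C&C server log lines (not real Locky traffic).
SAMPLE_LOG = [
    # host A: beacons every 15 minutes from one address
    "2016-03-01T08:00:01Z 203.0.113.10 POST /main.php id=A1B2C3D4E5F60718",
    "2016-03-01T08:15:02Z 203.0.113.10 POST /main.php id=A1B2C3D4E5F60718",
    "2016-03-01T08:30:03Z 203.0.113.10 POST /main.php id=A1B2C3D4E5F60718",
    # host B: a second infected machine behind the same NAT address as A
    "2016-03-01T08:00:09Z 203.0.113.10 POST /main.php id=0F1E2D3C4B5A6978",
    "2016-03-01T08:16:11Z 203.0.113.10 POST /main.php id=0F1E2D3C4B5A6978",
    # host C: four beacons from a single address
    "2016-03-01T09:00:00Z 198.51.100.7 POST /main.php id=1122334455667788",
    "2016-03-01T09:20:00Z 198.51.100.7 POST /main.php id=1122334455667788",
    "2016-03-01T09:40:00Z 198.51.100.7 POST /main.php id=1122334455667788",
    "2016-03-01T10:00:00Z 198.51.100.7 POST /main.php id=1122334455667788",
    # host D: one machine whose DHCP lease changes twice during the window
    "2016-03-01T11:00:00Z 192.0.2.44 POST /main.php id=DEADBEEF00112233",
    "2016-03-01T13:00:00Z 192.0.2.45 POST /main.php id=DEADBEEF00112233",
    "2016-03-01T15:00:00Z 192.0.2.47 POST /main.php id=DEADBEEF00112233",
    # noise: a scanner request that is not a beacon and must not be counted
    "2016-03-01T14:00:00Z 192.0.2.46 GET /favicon.ico",
]

# Assumed beacon shape: timestamp, source IP, POST to /main.php with a 16-hex-digit victim id.
BEACON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) POST /main\.php id=(?P<vid>[0-9A-F]{16})$"
)


def parse_beacons(lines):
    """Yield (timestamp, source_ip, victim_id) for every line that is a beacon;
    anything that does not match the beacon shape is dropped as noise."""
    for line in lines:
        m = BEACON_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("vid")


def summarize(lines):
    """Compare the three numbers an analyst might quote from the same log."""
    beacons = list(parse_beacons(lines))
    hits = len(beacons)
    ips = {src for _, src, _ in beacons}
    victims = Counter(vid for _, _, vid in beacons)   # beacons per infected host
    return {
        "hits": hits,                                  # what a "hit" count reports
        "unique_ips": len(ips),                        # wrong both ways: NAT merges, DHCP splits
        "unique_victims": len(victims),                # the infection count
        "hits_per_victim": hits / len(victims) if victims else 0.0,
        "beacons_by_victim": dict(victims),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

On the sample, twelve hits come from four infected hosts, a three-fold inflation, and the address count (five) matches neither number. The stable per-host identifier is the only field that deduplicates correctly, which is why an infection estimate should be built on it rather than on hits or on source addresses.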
Related iSIGHT Partners Reports
16-00002390 (Locky: Malware Behavior, Capabilities and Communications), 25 Feb. 2016
15-00013262 (Dridex: Malware Behavior, Capabilities and Communications), 3 Dec. 2015
15-00007094 (Overview of Ransomware History and Current Trends), 27 July 2015
The post ThreatScape Media Highlights Update – Week Of March 9th appeared first on iSIGHT Partners.