The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 6 April 2016
Firefox Add-on Flaw Leaves Apple and Windows Computers Open to Attack
From The Media
Researchers with Northeastern University have found that hundreds of Firefox browser extensions are vulnerable to a flaw that could allow an attacker to gain control of both Windows and OS X machines. According to the researchers, the flaw is associated with Mozilla Foundation’s plug-in vetting process and Firefox’s support for an older browser extension platform. A harmless-looking extension authored by an attacker could exploit a second extension to download malware.
Read the Story: Threat Post
iSIGHT Partners Analyst Comment
We believe this flaw poses a potential threat to Firefox users as successful attacks can result in the compromise of a user’s system, but we are unsure whether actors will have genuine interest in leveraging it in the wild. Many users utilize browser add-ons due to the improved functionality they offer. However, these add-ons also can introduce risk into user environments. Therefore, we recommend limiting the use of unnecessary browser add-ons and only using trusted or vetted add-ons. While this will not prevent such attacks, we believe it can greatly reduce a user’s potential exposure.
Related iSIGHT Partners Reports
16-00003446 (ChristmasBreaker Bot Utilizes Firefox Add-On Files), 16 March 2016
15-00012378 (Myanmar Election Commission Website Distributing Malicious Firefox Add-Ons), 18 Nov. 2015
New Variant of TinyPOS Discovered
From The Media
Foregenix has discovered a new version of the TinyPOS malware. TinyPOS functions by scraping memory of point-of-sale (POS) devices before encryption of sensitive data takes place. The malware is connected to command and control servers in Eastern Europe. According to Foregenix, TinyPOS has not successfully compromised any organization.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
Given the claimed lack of TinyPOS threat activity conducted to date and the lack of any information on this malware type aside from that provided by Foregenix, we assess with low confidence that TinyPOS does not currently increase the threat posed by POS malware targeting organizations globally. It is typical for POS malware to scrape RAM for Track or Track equivalent data before being encrypted and transmitted.
Related iSIGHT Partners Reports
15-00007274 (Threats to the Retail Sector), 29 July 2015
15-00010218 (Overview of Threats to EMV Payments), 16 Dec. 2015
15-00013604 (Cyber Criminal Targeted Intrusions as a Threat to Financial Institutions), 30 Dec. 2015
Trump Hotels Investigating Possible Payment Card Breach
From The Media
The Trump Hotel Collection has announced that it is working with authorities investigating a possible payment card breach. The breach was first reported by security researcher Brian Krebs. Krebs claims to have learned of the incident via banking and financial sector employees who indicated that a pattern of fraudulent charges had been made on accounts tied to the Trump hotels.
Read the Story: CSO Online
iSIGHT Partners Analyst Comment
While hotels are commonly targeted with point-of-sale (POS) malware, it remains unclear what type of breach, if any, Trump Hotels has suffered. In addition to POS malware, hotels are sometimes targeted with other types of malware such as remote access Trojans (RATs). For example, throughout 2015 we observed members of the hospitality industry being targeted in persistent spam campaigns that distributed the NetWire RAT.
Related iSIGHT Partners Reports
15-00013604 (Cyber Criminal Targeted Intrusions as a Threat to Financial Institutions), 30 Dec. 2015
15-00009360 (Update: Campaign Targeting the Hospitality Industry Using NetWire Remote Access Trojan Continues in August and September 2015), 5 Oct. 2015
Bangladesh Bank Hackers ‘Possibly Chinese,’ Says Philippines Senator
From The Media
Philippines Senator Ralph Recto indicated that Chinese hackers were possibly behind the Bangladesh central bank hack. Recto did not specify why he thinks the Chinese were behind the hack, but the senate was advised in a previous session that two Chinese individuals brought the money into the Philippines.
Read the Story: Reuters
iSIGHT Partners Analyst Comment
It is unclear on what information the Senator was basing his claim. While at least one China-born individual participated in physically transferring approximately $30 million USD to a casino in the Philippines, it remains unclear if the individual was a Chinese national, had any ties to China, or was connected to any Chinese cyber crime communities and groups.
Related iSIGHT Partners Reports
ThreatScape Media Highlights (Bangladesh Central Bank Says US Account Hacked: Fed Denies Breach), 8 March 2016
16-00002784 (Overview: Money Laundering and Monetization Services in Financial eCrime Communities), 4 April 2016
iPhone 6s Lockscreen Bypass Allows Access to Photos and Contacts
From The Media
iPhone 6s and 6s Plus models running the latest version of iOS (9.3.1) possess a flaw that could allow attackers to compromise a device’s stored photos and contacts. Security firm Vulnerability Lab reported the issue to Apple before the release of 9.3.1. However, after the latest version was released without fixing the flaw, they decided to release a description publicly. Allegedly, an attacker could use Siri on a locked phone to conduct a web search for e-mail addresses and then save that e-mail under contacts, which—as it allows the user to assign a picture—would grant access to the device’s photo album. If the searched e-mail already exists in the phone’s contacts, the actor could also send SMSs and e-mails.
Read the Story: Security Week
iSIGHT Partners Analyst Comment
We consider Vulnerability Laboratory’s public disclosure to be irresponsible, as the researchers gave Apple less than three weeks to provide a patch for the vulnerability before releasing details publicly. However, we judge this vulnerability to be low-risk, as only an attacker with physical access to the device can exploit the vulnerability, using it to obtain contacts and photos on a targeted device, but only under certain circumstances.
Related iSIGHT Partners Reports
ThreatScape Media Highlight (Apple’s iMessage Has a Security Hole That Can Allow Photo Theft), 22 March 2016
16-00004300 (Weekly Vulnerability Exploitation Report), 4 April 2016