Threat Thursday Halloween 2019

#ThreatThursday | 31st October 2019 | Cyber Security Updates

How apt that this week’s Threat Thursday should land on All Hallows’ Eve; as if there weren’t enough horrors being flung at us from the darkest corners, there’s a whole new batch of technical terrors threatening our cyber security this week too.

So let’s lock the doors, hide behind the sofa, and read up on some of the spookiest cyber threats set to haunt our Hallowe’en season.

DDoS Attacks: Smarter than the Average Bear?

Imitation, so they say, is the sincerest form of flattery. That might be why a group of cybercriminals are posing as everyone’s favourite Russian ruffians, the hacking collective “Fancy Bear”, in their recent spate of DDoS attacks.

The criminals are specifically targeting financial institutions, overloading the servers and demanding a ransom of 2 bitcoins to make the problem magically disappear. For perspective: one bitcoin is worth $9,300.

While they’re not the only fake bears in existence (I’m looking at you, Koala), the hackers are certainly not without merit. They’re not just hammering the institutions’ public websites. The DDoS attacks are going right for the jugular – or in this case, the back-end servers. These are easier to attack and much more likely to result in major downtime. While the attacks are mostly located in Scandinavian countries, it’s not hard to imagine the DDoS campaign targeting larger global institutions. All the more reason to provide adequate DDoS protection for your back-end servers, not just your public-facing web front end.

What’s most disappointing about these efforts is that the hackers have made nothing of their “Bear” personas. Extorting victims for marmalade, honey or “pic-a-nic baskets” might not be profitable, but the demands would be far more consistent with those of imaginary bears.

Oh, I Wish that We Could Stop this D-Link Router R-C-E

Anyone still using unsupported D-Link routers leaves their network open to Remote Code Execution exploits, according to the Carnegie Mellon University Software Engineering Institute.

A list of the unsupported routers follows after this sharp intake of breath: the DIR-655, DIR-886L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and the DIR-825.

The vulnerabilities exist owing to one line of code which is exposed to unauthenticated users, and another that fails to validate newline characters in user-supplied input.

Given that D-Link no longer supports the vulnerable routers, no patches exist to fix the flaws, and no manual configuration can be performed to work around them. Anyone still using these routers who’s concerned about the potential risks has no choice but to upgrade to a more recent router.
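The advisory summary above names two missing controls: an endpoint reachable without authentication, and input that is passed along with newline characters intact. Below is an added illustration, not D-Link’s code and not a reproduction of the actual router flaw, of how a small web handler on an embedded device would apply both controls before touching the system: check the session first, then reject any parameter containing carriage-return, line-feed or other control characters and anything outside a strict hostname/IPv4 allow-list. The session store, endpoint and parameter names are hypothetical.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Hypothetical session store (token -> user), constructed for this example.
SESSIONS: Dict[str, str] = {"tok-admin-1": "admin"}

# Allow-list for a ping target: hostname labels or a dotted IPv4 address only.
# Whitespace, quotes, separators and control characters are all excluded.
TARGET_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def contains_control_chars(value: str) -> bool:
    """True if the value holds CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def validate_target(value: str) -> Optional[str]:
    """Return the target unchanged if it passes the allow-list, else None."""
    if contains_control_chars(value) or not TARGET_RE.fullmatch(value):
        return None
    return value


def handle_ping_request(session_token: Optional[str],
                        params: Dict[str, str]) -> Tuple[int, str]:
    """Authenticate first, validate second, and only then run anything.

    Returns an (HTTP status, body) pair. The 401 and 400 paths return
    before any system command is considered.
    """
    if session_token is None or session_token not in SESSIONS:
        return 401, "authentication required"
    target = validate_target(params.get("target", ""))
    if target is None:
        return 400, "invalid target"
    # Argument list rather than a shell string: the target is one argv entry
    # and cannot be split into further commands. "-c" is the Linux ping flag.
    result = subprocess.run(["ping", "-c", "1", target],
                            capture_output=True, text=True, timeout=10)
    return 200, result.stdout


if __name__ == "__main__":
    print(handle_ping_request(None, {"target": "192.0.2.1"}))
    print(handle_ping_request("tok-admin-1", {"target": "a.example\nb.example"}))
```

The ordering matters: an unauthenticated caller never reaches the validator, and a malformed parameter never reaches the process call, so neither of the two gaps the advisory describes exists on its own.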

And then, the Adobe Creative Clouds Opened…

Adobe has unwittingly exposed the details of over 7 million of its Creative Cloud users.

The breach was discovered – all together now! – on an unprotected public web page, accessible to anyone with a browser and with no password required: a recurring, embarrassing blunder behind a number of recent breaches. The exposed page was found by security researcher Bob Diachenko in partnership with Comparitech. Diachenko immediately notified Adobe and, as of the 19th of October, the page is secured.

Luckily, no payment data or sensitive information was exposed in the leak; the details were mostly mundane: subscription statuses, products used, email addresses and login times. Yet this doesn’t mean the data isn’t valuable to phishing campaigns, which could use these details to pick out and tailor messages to victims.

Instances of customer data being publicly available aren’t exactly unique, and it’s surprising how many companies are still making the same mistake. It’s a lot like plain-text passwords – everyone knows they’re insecure, yet companies as big as Facebook still seem to think they’re adequate.

Users of a cloud-based ‘Software as a Service’ such as Adobe Creative Cloud likely expect better security than this. That’s why protection such as Datto SaaS still comes highly recommended.

Shock Twist! The ‘xHelper’ Malware isn’t Very Helpful at all

Now here’s a nasty one. A new strain of Android malware is practically immune to removal efforts, with an ingenious (if infuriating) mechanism that means it can reinstall itself – even after a full factory reset.

According to Malwarebytes, this trojan app hijacks the package name of other, more reputable applications. But in something of a twist, xHelper hides its true form behind rarely downloaded and barely known puzzle games. That’s a rare tactic for Trojans, which usually rely on renowned and popular app names to spread to as many users as possible.

Yet the tactic is working; in the short time since its discovery in May this year, xHelper has gone on to become one of Malwarebytes’ 10 most-detected malware threats; at its current trajectory, it could be infecting as many as 45,000 devices this month.

Once installed, xHelper creates pop-up notifications on the infected device, which curious users click on – doing so redirects them to a website which, researchers speculate, earns pay-per-click revenue on each redirect.

The origin of the malware remains a mystery. It has thus far been traced to IP addresses in New York and Texas, but its spread is being blamed on web redirects and the usual shady websites. Until it can be located and stopped in its tracks, xHelper is cyber security’s Villain of the Week. Get your Android devices as well protected as you can, lest it be promoted to “of the Month” status.

Now it’s Apple’s Turn for a Mass Malware Exodus

In an occurrence so common it could soon be given its own segment, a number of malicious apps have once again been removed from a popular mobile app store. This time, however, the Google Play store shoulders its share of the problem, as these apps appear on both the Google Play and Apple stores.

The 17 offending apps are infected with malware, specifically a trojan which silently carries out fraud and ad-related shenanigans in the background. This might see users inundated with continually opening web pages from links they never clicked. Not cool.

The offending apps include:

Around Me Place Finder
BMI Calculator
CrickOne – Live Cricket Scores
Daily Fitness – Yoga Poses
Dual Accounts Pro
Easy Contacts Backup Manager
EMI Calculator & Loan Planner
File Manager – Documents
FM Radio PRO – Internet Radio
Islamic World PRO – Qibla
My Train Info – IRCTC & PNR
Ramadan Times 2019 PRO
Restaurant Finder – Find Food
RTO Vehicle Information
Smart GPS Speed Monitor
Smart Video Compressor
Video Editor – Mute Video

It’s not known how many iPhones have been infected by the apps, but the 1.06 million combined installs on Android alone suggest potentially higher numbers for Apple’s devices. As we’ve come to expect, these apps are all the work of the same developer, whose pop-up-spewing malware is most likely in the service of a shady ‘pay-per-click’ scheme.

You know the drill by now – delete the apps, install a reputable anti-virus, and only download from trusted developers.

Home Group Opens Doors to Intrusion

Newcastle-based charity The Home Group has unwittingly leaked the names, addresses and contact information of roughly 4,000 people.

While details of how the breach occurred are yet to be divulged, a spokesman for The Home Group assured BBC News that the culprit would likely have "expert cybersecurity knowledge". Whether or not that's true will probably be for the regulator under GDPR to decide, as it's likely they'll want to conduct a full security review of the incident.

That said, the charity responded swiftly and appropriately, emailing affected customers and closing the breach within 90 minutes of discovery. The breach affects roughly 3.4% of customers but, thankfully, would not have compromised any payment details.

Still, affected customers are now far more likely to be targeted in phishing attacks, with their names, addresses and emails already compromised and probably available on the Dark Web. It might help to check https://haveibeenpwned.com/ if you're worried that your details have been compromised, and amend your passwords accordingly.

Well, that wraps up another Threat Thursday. Few business-specific threats this week, thankfully, but a heck of a lot of malware and device vulnerabilities to be aware of. We’ll see you next month, when the howls of the dead will have made way for the screaming of fireworks.

’Til then, why not talk to Mirus about your Cyber Security needs? We can help get your company certified with Cyber Essentials Plus, provide regular Phishing Training for teams, and, with the prestigious “Blue Partner” accreditation, our support for Datto’s backup solutions is among the industry’s best.

If you want to learn more about our award-winning services, why not ask about our FREE Cyber Security Assessment?

Learn More about Preventing and Recovering from Phishing Attempts in our FREE eBook.

Filled with useful information regarding preventing and recovering from phishing attempts along with other cyber threats.

Click below to download. 

How to Recover from Common Cyber Attacks eBook
