Ransomware gangs now buying zero-day vulnerabilities, a warning about vulnerable memory chips and the Emotet gang is back.
Welcome to Cyber Security Today. It’s Wednesday, November 17th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
How lucrative is ransomware to criminal gangs? Big enough for some of them to afford to pay possibly millions for zero-day vulnerabilities. A zero-day is a flaw the software vendor doesn’t yet know about, so no patch exists; working exploits for them can usually only be afforded by state-sponsored threat groups. But according to researchers at Digital Shadows, some ransomware gangs have amassed so much money they are now bidding for them. This may be why those discovering and selling these exploits have moved their auctions to cybercriminal forums, the report says. This is part of the company’s research on the discovery and sale of unpatched vulnerabilities. One major finding: the vast majority of the discussion on cybercriminal forums is about older vulnerabilities that security teams still haven’t patched. One major recommendation: IT departments need a system to prioritize which bugs get fixed first.
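One way to build that prioritization, as an added example that is not from Digital Shadows or the podcast: score each open finding on what actually drives attacker interest (exploitation in the wild, public exploit code, internet exposure, asset criticality) rather than on CVSS alone, and let age count against you, since the forum chatter is about old bugs nobody fixed. The weights, the finding labels and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    label: str                # free-text label; real tickets would carry the CVE ID
    cvss: float               # CVSS base score, 0-10
    published: date           # disclosure date
    exploited_in_wild: bool   # e.g. appears in a known-exploited catalogue
    public_exploit: bool      # PoC or exploit code circulating
    internet_exposed: bool    # reachable from outside the perimeter
    asset_criticality: int    # 1 (low) .. 3 (crown jewels)


def priority_score(f: Finding, today: date) -> float:
    """Higher means fix first. Weights are assumptions chosen for illustration."""
    score = f.cvss
    # Evidence of real-world use outweighs a high base score on its own.
    if f.exploited_in_wild:
        score += 6.0
    elif f.public_exploit:
        score += 3.0
    if f.internet_exposed:
        score += 2.0
    score += 1.5 * (f.asset_criticality - 1)
    # An old, still-unpatched bug is the kind criminals trade notes on:
    # age adds up to 3 points (one per year), it never discounts.
    age_days = (today - f.published).days
    score += min(age_days / 365, 3.0)
    return round(score, 2)


def rank(findings, today: date):
    """Return findings sorted so the first item is the one to patch first."""
    return sorted(findings, key=lambda f: priority_score(f, today), reverse=True)


# Constructed sample queue (not real vulnerability data).
SAMPLE = [
    Finding("2019 VPN appliance RCE", 9.8, date(2019, 5, 1), True, True, True, 3),
    Finding("week-old critical, internal-only, no exploit", 9.8, date(2021, 11, 10), False, False, False, 2),
    Finding("medium bug with public PoC on exposed host", 6.5, date(2021, 6, 1), False, True, True, 1),
]

if __name__ == "__main__":
    for f in rank(SAMPLE, date(2021, 11, 17)):
        print(f"{priority_score(f, date(2021, 11, 17)):6.2f}  {f.label}")
```

Note that the medium-severity bug with a public exploit on an exposed host outranks the brand-new critical with no exploit: that is the point of scoring on attacker behaviour instead of on CVSS alone.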
Here’s something else for IT managers to worry about: DRAM memory chips in servers, desktops and smartphones may be more vulnerable than first thought to a hardware attack called Rowhammer, in which rapidly and repeatedly accessing one row of memory cells flips bits in neighbouring rows, which an attacker can use to escalate privileges or reach data they shouldn’t. Rowhammer was first demonstrated by researchers in 2014, and chip makers added mitigations to DRAM in response. Earlier research found those mitigations could be bypassed on 31 per cent of the devices tested. New research says a technique has been found that was effective on 100 per cent of the 40 devices tested. Memory chip makers have been warned. The thing is, even if the research is accurate, DRAM chips can’t be patched. One expert at the SANS Institute said it puts a dent in the myth that processes can be reliably isolated from each other on highly integrated hardware. Organizations may have to avoid shared systems like cloud computing for sensitive workloads, he wrote.
More bad news: The Emotet malware botnet is back. It’s nowhere near as big as it was at the beginning of the year, before law enforcement agencies and cybersecurity researchers knocked out its command and control servers. However, according to a cybersecurity news site called The Record, those behind the TrickBot botnet are helping the Emotet gang get back in business. Emotet is a package of tools and infrastructure hackers could rent as a service for breaking into organizations. It was usually spread by email, in infected Microsoft Word attachments. It seems the Emotet gang at this point is relying on TrickBot to help build new infrastructure, and no active distribution of malware has been seen. So far.
UPDATE: The SANS Institute reported seeing spam carrying Emotet components in attachments: a Microsoft Excel spreadsheet, a Microsoft Word document, and a password-protected zip archive (with the password BMIIVYHZ) containing a Word document.
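The three attachment types in that SANS report are exactly the ones a mail gateway should treat differently, and a password-protected archive is the awkward case because the gateway cannot look inside it at all. The triage routine below is an added example, not from SANS or the podcast: it classifies an attachment by its bytes (not its file name), flags any zip with the encryption bit set in its headers, and looks for the embedded VBA project that marks a macro-enabled Office document. The verdict labels and the sample attachments are constructed for illustration; the helper that sets the encryption flag only fakes the header bit so the sample stays self-contained.

```python
import io
import struct
import zipfile

# Magic number of the legacy binary Office formats (.doc, .xls): OLE compound file.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OOXML (.docm/.xlsm/.pptm) stores VBA in one of these parts.
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXTS = (".doc", ".xls", ".docm", ".xlsm", ".docx", ".xlsx")


def zip_entries(data: bytes):
    """Return the central-directory entries of a zip, or None if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(data: bytes) -> str:
    """Classify an attachment by content. Verdict strings are this example's own."""
    infos = zip_entries(data)
    if infos is not None:
        # Bit 0 of the general-purpose flag marks an encrypted entry: the
        # gateway cannot inspect it, so it cannot be declared clean.
        if any(info.flag_bits & 0x1 for info in infos):
            return "encrypted-archive"
        names = {info.filename for info in infos}
        if names & MACRO_PARTS:
            return "office-macro"          # macro-enabled OOXML document
        if any(n.endswith(OFFICE_EXTS) for n in names):
            return "archive-with-office"   # plain zip wrapping a document
        return "archive"
    if data.startswith(OLE_MAGIC):
        return "legacy-office"             # binary .doc/.xls; may carry VBA
    return "other"


def build_zip(entries: dict) -> bytes:
    """Constructed sample: an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set the encryption flag in every local (PK\\x03\\x04, flags at +6) and
    central-directory (PK\\x01\\x02, flags at +8) header. Sample-building only:
    the entries are not really encrypted, but a scanner sees what it would see
    for a password-protected zip. Assumes file contents don't contain the signatures."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + off)
            struct.pack_into("<H", buf, pos + off, flags | 0x1)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


# Constructed samples standing in for the three attachment kinds in the report.
SAMPLE_DOCM = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,
})
SAMPLE_PROTECTED_ZIP = mark_encrypted(build_zip({"invoice.doc": OLE_MAGIC + b"\x00" * 512}))
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 512

if __name__ == "__main__":
    for label, blob in (("docm", SAMPLE_DOCM), ("zip", SAMPLE_PROTECTED_ZIP), ("doc", SAMPLE_LEGACY_DOC)):
        print(label, triage_attachment(blob))
```

The useful policy decision is what to do with "encrypted-archive": quarantining it, or detonating it with the password lifted from the email body as the SANS analysts did, is a choice the gateway has to make explicitly rather than passing the file through because nothing matched.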
I’ve said before that Android device users have to be careful of the apps they download. Here’s another reason: Researchers at a firm called Cleafy have discovered new Android malware aimed at stealing passwords for banks and cryptocurrency exchanges in the U.S., the U.K. and Italy. The malware initiates money transfers from the victim’s device in a way that bypasses multifactor authentication. Victims don’t realize they’ve been hit because the malware draws an overlay on top of their bank’s login screen. The victim thinks they are typing their password into the bank app; instead it’s being captured by the malware’s identical-looking fake page. How do victims get infected? By downloading what they think are utilities offering the ability to show live TV, recover data or play video and audio files. One thing this malware needs is permission to use Android’s Accessibility Services. So after the malware is installed it asks the user repeatedly for access to this capability. That’s a sign this is malware. Legitimate apps take no for an answer.
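Because the malware cannot work without Accessibility Services, the list of apps holding that permission is the one thing worth checking on a managed Android fleet. The audit below is an added example, not Cleafy’s or the podcast’s: it parses the output of two real `adb shell` commands, `settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` entries, or `null`) and `pm list packages -3 -i` (third-party packages with their installer), and flags any enabled accessibility service whose package is not on an allowlist, rating it high when the package was sideloaded rather than installed from a store. The allowlist, the store installer set and the sample device output are assumptions constructed for illustration.

```python
import subprocess

# Assumed allowlist: accessibility services the organization expects to see.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback", "com.android.switchaccess"}
# Assumed set of installers treated as trusted stores; anything else is sideloaded.
STORE_INSTALLERS = {"com.android.vending", "com.samsung.android.galaxyapps"}


def parse_enabled_services(setting: str):
    """Parse 'pkg/service:pkg/service' into (package, service) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    pairs = []
    for item in setting.split(":"):
        if not item:
            continue
        pkg, _, svc = item.partition("/")
        if svc.startswith("."):        # shorthand for a class inside the package
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(pm_output: str):
    """Parse 'package:com.x  installer=com.y' lines into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("  installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def audit(setting: str, pm_output: str, allowlist=ALLOWED_PACKAGES):
    """Return [(package, service, severity)] for services not on the allowlist.
    'high' = package was sideloaded (installer null/unknown), else 'medium'."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg, "null")
        severity = "medium" if installer in STORE_INSTALLERS else "high"
        findings.append((pkg, svc, severity))
    return findings


def adb(*args) -> str:
    """Run an adb shell command on the attached device (not used by the sample)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output standing in for a device with one sideloaded
# "media player" that has talked the user into granting accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.mediaplayer/.AccessService"
)
SAMPLE_PM = """package:com.example.mediaplayer  installer=null
package:com.example.bank  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

if __name__ == "__main__":
    # Swap in adb("settings", "get", "secure", "enabled_accessibility_services")
    # and adb("pm", "list", "packages", "-3", "-i") to audit a real device.
    for pkg, svc, sev in audit(SAMPLE_SETTING, SAMPLE_PM):
        print(f"{sev.upper():6} {pkg} ({svc})")
```

A store installer is not proof of innocence, since the fake utilities described above were themselves downloaded apps, which is why a non-allowlisted service is reported either way; the installer only decides how loudly.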
Finally, network administrators who use the Lantronix PremierWave 2050 Web Manager for managing Lantronix-based Wi-Fi systems should be aware that a number of vulnerabilities have been found. According to researchers at Cisco Systems, as of Monday there were no patches available. Some intrusion detection systems may be able to detect exploitation attempts.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.