The first case of fully functional ransomware designed to infect and forcibly encrypt Apple OS X systems has been discovered in the wild, researchers at security vendor Palo Alto Networks warn. The ransomware, which they've dubbed "KeRanger," first appeared March 4, disguised as an RTF document inside installers for a popular, open source BitTorrent client called Transmission.
Apple has also added the ransomware signatures to XProtect, a basic OS X anti-malware feature, while the Transmission Project removed the Trojanized installers from its website March 5, the researchers add. They've also published technical instructions to help ascertain if a Mac is infected with the ransomware.
But anyone who downloaded and installed Transmission version 2.90 - either from the software's dedicated website or from third-party sites - is at risk and has just 72 hours to ensure that they have removed the software from their system, they say. That's because once it gets installed, the ransomware is set to begin encrypting all files - including Time Machine backups - after three days. It then demands 1 bitcoin - currently worth about $400 - in exchange for an encryption key to decrypt the files.
The Transmission Project, meanwhile, has pushed a new, ransomware-free version and warned all 2.90 users to upgrade. "Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the 'OSX.KeRanger.A' ransomware ... is correctly removed from your computer," according to an alert posted to its website. "Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file."
For more details please review
Java users are being warned to beware of a flaw that attackers could exploit to fully compromise a user's system, and to only use newly released installers.
Eric P. Maurice, director of Oracle's software security assurance group, says in a blog post that the vulnerability - designated CVE-2016-0603 - can be exploited whenever users install Java 6, 7 or 8. "Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system," he adds.
Oracle says the flaw can only be exploited during installation, and it has urged users to delete any previous installers and replace them with Java 6 version 113, Java 7 version 97 or Java 8 version 73, or later versions, which have been patched.
All users of the OpenSSL crypto library should upgrade immediately to eliminate a serious flaw that attackers could exploit to decrypt Web traffic, security experts warn.
OpenSSL provides open source implementations of the Secure Sockets Layer and Transport Layer Security protocols that enable communications between Web browsers and servers to be encrypted, via what's known as HTTPS.
But a newly disclosed critical security flaw centers on how OpenSSL uses the Diffie-Hellman algorithm for TLS connections. In some cases, the numbers generated by the algorithm - designed to secure communications between two systems - may be "non-safe primes," leaving them susceptible to an attacker potentially identifying them and then decrypting related communications, the OpenSSL project warns in a Jan. 28 security advisory.
The U.S. Computer Emergency Response Team recommends all OpenSSL version 1.0.2 users upgrade immediately to get a related fix. "OpenSSL prior to 1.0.2f will by default reuse this [private] number for the life of the process," US-CERT vulnerability analyst Garret Wassermann says in a related security alert. "Such a number, particularly if reused, severely weakens applications of the Diffie-Hellman protocol such as TLS, allowing an attacker in some scenarios to possibly determine the Diffie-Hellman private exponent and decrypt the underlying traffic."
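The advisory's concern is Diffie-Hellman moduli that are not safe primes, whose small subgroups become dangerous once a private exponent is reused. The following check, added here and not taken from OpenSSL or the advisory, tests whether a DH modulus p is a safe prime (p and (p-1)/2 both prime) and whether the generator g has order q or 2q; the primes 23, 31, 1019 and 1009 in the demo are constructed toy values, not real TLS groups.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test; 40 rounds gives an error bound of 2^-80."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p is a safe prime when p and q = (p-1)/2 are both prime; then the only
    subgroup orders in Z_p* are 1, 2, q and 2q, so there is no small subgroup
    in which a peer's public value can be confined."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def check_dh_params(p, g):
    """Defender-side sanity check of a DH (p, g) pair.  'generator_ok' holds
    when p is safe and g has order q or 2q (g^q is 1 or -1 mod p, and g is
    neither 1 nor p-1, which would give order 1 or 2)."""
    q = (p - 1) // 2
    safe = is_safe_prime(p)
    generator_ok = safe and 1 < g < p - 1 and pow(g, q, p) in (1, p - 1)
    return {"safe_prime": safe, "generator_ok": generator_ok}

if __name__ == "__main__":
    # Constructed toy-sized parameters (assumption, not real TLS groups):
    # 23 = 2*11 + 1 is a safe prime; 31 is prime but (31-1)/2 = 15 is not.
    for p, g in ((23, 2), (31, 3), (1019, 2), (1009, 2)):
        print(p, g, check_dh_params(p, g))
```

The check only covers the parameter half of the advisory; whether the library reuses the private exponent across connections is a build/runtime setting this code cannot see.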
For more details please review - http://www.databreachtoday.com/openssl-flaw-enables-https-decryption-a-8834
Britain's HSBC, which is one of the world's largest banks, is warning customers that it's been targeted by distributed denial-of-service attacks that continue to disrupt customers' access to online banking services.
Read More -
The Linux-based Moose worm is infecting routers and other network devices to commit social media fraud. How does this malware work, and what can be done to prevent and detect it?
One of computing's most critical infrastructures is the network. Without it, we might as well turn off our computers. Despite using individual computers, we rarely use a computer not connected to some sort of network. Because of our reliance on them, the security and availability of networks are critical to operations. Enterprises understand the importance of networks, but consumers, consumer networking companies and consumer networking divisions of enterprise network companies are still catching up.
The Moose worm targets consumer network devices to set up a proxy service that perpetuates social media fraud. It doesn't exploit any vulnerabilities; instead it relies on unchanged default passwords and enabled remote management to compromise the device. The attack uses DNS hijacking and man-in-the-middle (MitM) attacks to steal cookies. The code starts by scanning for systems listening on port 10073/TCP and then attempts to log in to each one with the default password. Once it finds a vulnerable system, it uploads its code to the remote system and executes it there to perform the MitM attack and scan for further systems to infect.
Enterprises can detect and prevent the Moose worm, and the resulting social media fraud, by implementing security controls in the network itself. A vulnerability scanner could be used to identify potential at-risk devices on an enterprise network. The enterprise could then disconnect the device from the network until the default password is changed, or it could change the default password. Enterprises could also monitor the network for devices scanning on 10073/TCP.
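One concrete form of the monitoring suggested above is to flag any host that probes many distinct devices on 10073/TCP. The script below is an added example, not from the article or any vendor tool; the log format (timestamp, src -> dst:port, protocol) and the constructed sample lines are assumptions, and the threshold of five distinct targets is an arbitrary tuning value.

```python
import re
from collections import defaultdict

# Constructed sample connection log (assumption: one "src -> dst:port proto"
# record per connection attempt, as a simplified firewall/flow export).
SAMPLE_LOG = """\
2015-05-27T10:00:01 192.168.1.50 -> 192.168.1.1:10073 TCP SYN
2015-05-27T10:00:01 192.168.1.50 -> 192.168.1.2:10073 TCP SYN
2015-05-27T10:00:02 192.168.1.50 -> 192.168.1.3:10073 TCP SYN
2015-05-27T10:00:02 192.168.1.50 -> 192.168.1.4:10073 TCP SYN
2015-05-27T10:00:03 192.168.1.50 -> 192.168.1.5:10073 TCP SYN
2015-05-27T10:00:03 192.168.1.50 -> 192.168.1.6:10073 TCP SYN
2015-05-27T10:00:05 192.168.1.20 -> 192.168.1.1:443 TCP SYN
2015-05-27T10:00:06 192.168.1.20 -> 192.168.1.1:10073 TCP SYN
2015-05-27T10:00:07 10.0.0.7 -> 10.0.0.9:10073 TCP SYN
this line is malformed and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\w+)"
)

MOOSE_PORT = 10073  # the port the worm probes before trying default credentials

def parse_lines(text):
    """Yield (src, dst, port, proto) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["port"]), m["proto"].upper()

def find_scanners(text, threshold=5):
    """Map each source that reached at least `threshold` distinct hosts on
    10073/TCP to the sorted list of hosts it probed.  A single connection to
    the port (e.g. a legitimate management session) stays below the bar."""
    targets = defaultdict(set)
    for src, dst, port, proto in parse_lines(text):
        if port == MOOSE_PORT and proto == "TCP":
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}

if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"possible Moose scanner {src}: {len(hosts)} hosts probed on 10073/TCP")
```

A device that trips this rule is a candidate for the default-password check the article describes, not proof of infection on its own.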
* Article by Nick Lewis in Tech Target
Arabic Threat Group Targets IT, Incident Response Teams in MENA region (Reproduced from SecurityWeek.com)
The politically motivated threat actor, known as “Gaza cybergang” and “Gaza Hackers Team,” has been active since at least 2012, but its activities have intensified in the second quarter of 2015.
Experts believe the attackers are targeting IT and IR teams because hacking the computers of such personnel can give them deep access into the targeted organization’s network.
“IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organizations, in addition to special access and permissions enabling them to hunt for malicious or suspicious activities on the network,” Kaspersky’s Global Research & Analysis Team explained in a blog post.
According to researchers, the Gaza cybergang's efforts currently appear to focus on government entities, particularly embassies, in countries such as Egypt, the United Arab Emirates and Yemen.
The Arabic group relies on common remote access Trojans (RATs) such as PoisonIvy and XtremeRAT to gain access to valuable information stored on the targeted organization’s systems. The hackers attempt to trick victims into downloading and executing the malware by giving the malicious files politics-related names written in Arabic, such as “Signs of a new dispute between the UAE and Saudi Arabia” and “Scandalous pictures of Egyptian militants, judges and consultants.”
When targeting IT and IR teams, the attackers disguise the malware as common tools and security software used by such personnel.
The group has also launched phishing attacks aimed at tricking the targets into handing over their Google login credentials. In an effort to improve its social engineering tactics, the Gaza cybergang has used official-looking domain names (e.g. gov.uae.kim).