Sunday, December 13, 2015

Issue 42 - Week of Dec 7th

1. Daily Motion served Angler exploit kit to visitors, over 128 million users placed at risk: Popular streaming website Daily Motion has become the latest victim of malicious advertisements (malvertising) and has delivered malware payloads to potentially millions of visitors. The attacker bought ad space on the Daily Motion website and placed a decoy ad that initiates a series of redirections and ultimately loads the Angler exploit kit. The bogus advertiser used a combination of SSL encryption, IP blacklisting and JavaScript obfuscation. In addition, the Angler exploit kit fingerprints potential victims before launching its exploits, to ensure the user is not a security researcher, honeypot or web crawler. This case is a reminder that any legitimate website can become an attack vector, as Yahoo did in the past.

2. Business E-Mail Compromise (BEC) - An Emerging Global Threat: The accountant for a U.S. company recently received an e-mail from her CEO, who was on vacation, requesting a transfer of funds for a time-sensitive acquisition that required quick completion. It was not unusual for the accountant to receive such e-mails from the CEO, so she went ahead and transferred $737,000 to a bank in China. The next day, when the CEO happened to call, he was shocked to learn about the transfer and the alleged acquisition. Earlier this year the FBI reported that such scams cost victims more than $750 million and impacted more than 7,000 people between Oct 2013 and Aug 2015, and these scams are still ongoing.

3. Content Theft Websites Delivering More Than Just Content: In the dark reaches of the Internet are thousands of sites that offer users stolen entertainment content for free. This content is used as bait to lure users, with malware delivery being the objective. The malware may or may not require user interaction. The malware need not rely on high-end zero-day exploits; known exploits against unpatched systems are enough. Such sites are paid by malware advertising agencies at a rate of about 10-20 cents per malware install. No free meals indeed!

4. Spy Banker Trojan Being Hosted On Google Cloud: The Trojan is spreading through Brazil via malicious links posted on social networks. The attackers are using Google Cloud servers to host the initial Spy Banker downloader Trojan, which in turn installs the payload (dropper file). The lures used on social media range from coupon vouchers to free AV software applications. The Trojan has some stealth capabilities: although it is designed to steal banking passwords, one of the first things it does is check the machine for the presence of a virtual environment.

5. Hello Barbie toy security issues disclosed and fixed quickly: With the recent VTech breach exposing millions of parents and children to risk, there is increased sensitivity and awareness around the security of Internet-connected toys this holiday season. Last week, researchers revealed flaws in the Hello Barbie connected toy manufactured by ToyTalk. The good news, though, is that the issues were responsibly disclosed and ToyTalk acted quickly to remediate them. ToyTalk now also has a bug-bounty program. Hello Barbie is an interactive device that makes use of WiFi to listen and respond to a child's voice.

6. .Cyber and .Criminal are Coming for Your .Money and .Computer: We are all accustomed to the old Internet of .com, .co.in, .edu, .gov, .net, .org, and .info. With ICANN's rollout of expanded new generic top-level domains (gTLDs), we will now need to get accustomed to many new URLs ending in .club, .xyz, .guru, etc. This will only increase in frequency, because as of November 2015 the number of new gTLDs available is over 800. A quick look at the list of approved and delegated TLDs published by ICANN reveals both big brands used by everyday consumers (such as .Tatamotors and .bmw) and common words (including .car, .wine, .mom, .family). Attackers are often early adopters of new opportunities and will rapidly colonize new avenues of attack, including new domains.

7. Microsoft warns of possible attacks after Xbox certificate leaked: The private keys for xboxlive.com were "inadvertently disclosed," Microsoft said. They could be used to impersonate the Xbox Live website and carry out so-called "man-in-the-middle" attacks, which allow the attacker to intercept the website's secure connection. This could trick Xbox users into handing over their username and password, potentially leading to further attacks on the user. The company has revoked trust in the certificate; on all supported versions of Windows this is, more often than not, an automatic process, and users do not have to take any action.

8. Cyber Insurance Moves Toward “Must Have” and “Evidence Based”: 2015 was a tough year for breaches and the trend for 2016 looks to be no better. Against this backdrop is the gradual realization within corporations that the value of their company’s data is a large part of corporate assets, and a huge potential cost during a cyber-event. Indeed, for some information-centric companies, a data breach can be the largest single risk to business continuity, especially when considering the potential downstream liability from loss of PII. Such losses involve not only data related to customers but also data related to employees. Over time, cyber insurance will drive improvements in company security posture to better handle threats.

9. FBI Tweaks Stance On Encryption BackDoors, Admits To Using 0-Day Exploits: It seems the Bureau has backed off the idea of a "government backdoor" per se, as long as technology companies themselves can still access customers' data (and thus surrender it to law enforcement when legally subpoenaed). The FBI also admitted to using 0-day exploits for public safety. In India, the government's draft encryption policy, unveiled in September, was booed off stage because it sought to weaken standards rather than boost them. It had heavy-handed specifications on encryption algorithms, mandatory registration of encryption products, and the retention of unencrypted user information for 90 days. Now, as the government reworks its stand on encryption, it can take in global opinion, learn from others' mistakes and keep in mind that undermining security standards just leaves everyone vulnerable.

10. 49% of CIOs feel budget hampers Information Security operations: 49% of CIOs feel that budget constraints are the main obstacle to Information Security operations, followed by a lack of skilled labor, according to EY's Global Information Security Survey 2015, 'Creating trust in the digital world'. 65% of the respondents from more than 200 Indian organizations believe their information security structure does not fully meet the organization's needs.