Month: February 2016
Microsoft’s KB3126446 update for Windows 7/8.1 sends PCs and laptops into a reboot loop.
Botching updates has become a habit for Microsoft and its engineers. The latest, KB3126446, released yesterday as part of the February 2016 Patch Tuesday, appears to be pushing Windows 7 computers into a prolonged cycle of restarts.
The KB3126446 update was issued by Microsoft to fix a security vulnerability in Windows as part of bulletin MS16-017 and is available for Windows 7/8.1 and Windows Server 2012 R2. When users of Windows 7 Service Pack 1 apply the patch, however, their PC or laptop goes into a reboot loop.
“This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker uses Remote Desktop Protocol (RDP) to log on to the target system and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk,” Microsoft says.
In practice, after installing the update your PC may reboot several times; Microsoft has not said how many. Once the cycle of restarts ends, the computer should be usable again, and no other problems have been attributed to the update.
Microsoft has acknowledged the problem and explained that “you may have to restart the computer multiple times after you install this security update on a Windows 7-based computer that is running RDP 8.0.”
How to make an infection go away in the US healthcare system – throw money at it.
A hospital in Los Angeles, California, has paid a US$17,000 (£11,900, AU$23,800) ransom to hackers who injected its computers with malware that scrambled its files.
It appears PCs at the Hollywood Presbyterian Medical Center were infected and paralyzed by ransomware, which silently encrypts documents and refuses to hand over the decryption key until a sum is paid.
Allen Stefanek, the hospital’s CEO, said in a statement on Wednesday that the 40 Bitcoin ransom was coughed up as it was “the quickest and most efficient way to restore our systems and administrative functions.”
The malware started poisoning the Tinseltown center’s computers on February 5, we’re told, forcing some patients to be treated elsewhere and pushing medics back to the era of fax machines and pen and paper. On Monday, systems were back to full health, and it was stressed that people’s private records were not harmed by the software nasty.
The $17,000, though a decent wedge, is somewhat lower than the earlier reported $3.6m ransom of 9,000 BTC. The infection has been described as “random” rather than targeted, suggesting a staffer opened a dodgy email or visited a malicious website that caused the network to be laid low.
We all know that hackers are looking to steal credentials and get their hands on sensitive data, but exactly how does this process work?
Researchers at data protection company Bitglass carried out the firm’s second ‘Where’s Your Data’ experiment, creating a digital identity for an employee of a fictitious retail bank, a functional web portal for the bank, and a Google Drive account, complete with real credit-card data.
The team then leaked ‘phished’ Google Apps credentials to the Dark Web and tracked activity across the fictitious employee’s online accounts. Within the first 24 hours, there were five attempted bank logins and three attempted Google Drive logins. Files were downloaded within 48 hours of the initial leak. Bitglass’ Cloud Access Security Broker (CASB) monitoring showed that over the course of a month, the account was viewed hundreds of times and many hackers successfully accessed the victim’s other online accounts.
Over 1,400 visits were recorded to the Dark Web credentials and the fictitious bank’s web portal, and one in ten hackers attempted to log in to Google with the leaked credentials. 94 percent of hackers who accessed the Google Drive uncovered the victim’s other online accounts and attempted to log into the bank’s web portal.
In addition, 12 percent of hackers who successfully accessed the Google Drive attempted to download files with sensitive content. Hackers came from more than 30 countries; 68 percent of all logins came from Tor-anonymized IP addresses, and of the non-Tor visits to the website 34.85 percent came from Russia, 15.67 percent from the US and 3.5 percent from China.
“Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data,” says Nat Kausik, CEO of Bitglass. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data”.
More detail of the experiment and its findings is available in the full report which can be downloaded from the Bitglass website.
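The experiment above works because the planted identity has no legitimate user, so every sighting of it in an authentication log is an attacker. The following is an added example, not code from Bitglass or its report: a small honeytoken monitor that pulls uses of a planted account out of an application log, raises one alert per new source address, and produces the kind of timeline and attribution figures quoted above (time to first download, Tor share, non-Tor countries). The log format, the account name, the Tor exit list and the log lines are all constructed for the example; a real deployment would feed it the portal's actual logs and a current Tor exit list.

```python
"""Honeytoken credential monitoring (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Identity planted on the Dark Web. It has no business purpose, so any use
# of it is hostile. Assumed honeytoken, not a real account.
HONEYTOKEN_USERS = {"m.harris@bank.example"}

# Constructed stand-in for a Tor exit-node list; refresh it regularly in practice.
TOR_EXITS = {"198.51.100.7", "198.51.100.21"}

# Constructed log lines: ts service event user=.. result=.. src=.. country=..
SAMPLE_LOG = """\
2016-02-01T09:00:00Z portal login user=m.harris@bank.example result=FAIL src=198.51.100.7 country=DE
2016-02-01T13:22:10Z portal login user=m.harris@bank.example result=OK src=203.0.113.45 country=RU
2016-02-01T13:25:31Z portal download user=m.harris@bank.example result=OK src=203.0.113.45 country=RU path=/statements/q4.csv
2016-02-02T02:14:05Z drive login user=m.harris@bank.example result=OK src=198.51.100.21 country=NL
2016-02-02T11:40:00Z portal login user=a.jones@bank.example result=OK src=192.0.2.10 country=US
2016-02-03T08:05:12Z portal login user=m.harris@bank.example result=FAIL src=192.0.2.77 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+) country=(?P<country>\S+)"
)


@dataclass
class Event:
    ts: datetime
    service: str
    event: str
    user: str
    success: bool
    src: str
    country: str
    via_tor: bool


def parse_line(line):
    """Parse one constructed-format log line; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["service"], m["event"], m["user"], m["result"] == "OK",
                 m["src"], m["country"], m["src"] in TOR_EXITS)


def honeytoken_events(log_text):
    """Keep only events that touch a planted identity."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [e for e in events if e and e.user in HONEYTOKEN_USERS]


def summarize(events):
    """Timeline and attribution figures of the kind the experiment reports."""
    if not events:
        return {}
    events = sorted(events, key=lambda e: e.ts)
    t0 = events[0].ts
    logins = [e for e in events if e.event == "login"]
    downloads = [e for e in events if e.event == "download" and e.success]
    first_dl = downloads[0].ts if downloads else None
    non_tor = [e for e in events if not e.via_tor]
    return {
        "login_attempts": len(logins),
        "successful_logins": sum(e.success for e in logins),
        "downloads": len(downloads),
        "hours_to_first_download": (first_dl - t0).total_seconds() / 3600 if first_dl else None,
        "tor_share": sum(e.via_tor for e in events) / len(events),
        "non_tor_countries": Counter(e.country for e in non_tor),
        "distinct_sources": len({e.src for e in events}),
    }


def alerts(events):
    """One alert per source address, on its first use of the canary.
    Every hit is high-fidelity: nobody legitimate owns this identity."""
    seen, out = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.src not in seen:
            seen.add(e.src)
            out.append(f"{e.ts.isoformat()} honeytoken {e.user} used from {e.src} "
                       f"({e.country}{', Tor' if e.via_tor else ''}) on {e.service}")
    return out


if __name__ == "__main__":
    evs = honeytoken_events(SAMPLE_LOG)
    for line in alerts(evs):
        print(line)
    print(summarize(evs))
```

The detector keys on the account name rather than on failed logins, so a successful login with the canary (the case that matters most) is caught just like a failed one; a password reuse check across the victim's other services would simply add more log sources to the same loop.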
Following the North Korean long-range missile launch and the subsequent closing of the Kaesong Industrial Complex, South Korean government offices have again raised the InfoCon cyberthreat warning level.
South Korea increased its cyberthreat level for a second time in less than a month on Sunday in response to what it said was a growing danger posed by North Korean cyber attacks.
Three government offices that track cyber threats — the Ministry of Defense; the National Information Service; and the Ministry of Science, ICT and Future Planning — raised the cyberthreat level as tensions on the Korean peninsula ratchet up.
“We believe there’s a larger possibility that North Korea may launch cyber attacks on the South, and recently upgraded our Information Operation Condition (InfoCon),” a defense ministry official was quoted as saying in the local media.
The Defense Ministry raised the InfoCon warning one notch to level three. The five-tier threat level system is used by the military to assess threats to the government’s IT network.
South Korea’s Ministry of Science, ICT and Future Planning (MSIP) also increased its cyberthreat assessment one notch from “moderate” or level one, to “substantial”, the equivalent of level two, following a week of escalating tensions in East Asia after North Korea launched a space rocket on February 7 and put a small weather satellite into orbit.
The Korea Internet & Security Agency (KISA), an arm of the science ministry, said cyberthreats to the nation increased from moderate to substantial for private sector websites, ecommerce sites, and email addresses “because of [the] North Korean long-range missile launch and closing of Kaesong Industrial Complex”.
“In substantial cyberthreat level [to the] private sector, KISA and MSIP recommend that every corporation raise cybersecurity monitoring, people update their PC software, and don’t open unknown emails,” a KISA official said.
South Korea’s National Intelligence Service, its spy agency, could not be reached for comment on its cyberthreat assessment.
On February 11, North and South Korea cut off an emergency “hot line” between the two countries’ militaries as hundreds of staff were repatriated to the South, days after Seoul announced it would withdraw from the Kaesong Industrial Complex, the last remaining inter-Korean economic cooperation project.
Late last month, the science ministry increased the cyberthreat level from normal to “moderate” about one week after computers in South Korea received a barrage of malicious emails, around the same time North Korea tested a nuclear device.
The Defense and Science ministries both said that no new series of cyber attacks have been detected this time around. “We believe North Korea is more likely to launch cyber attacks than before and we’re keeping close tabs on potential signs,” said one Defense ministry official, according to local media reports.
South Korea is the target of many cyber attacks; in particular, its government offices, financial and IT sectors, and the accounts of its personnel are frequently hit by advanced persistent threats (APTs), phishing, and smishing attacks.
The last time the cyberthreat level was this high was in 2013, following a wave of attacks that downed scores of government, banking, and media sites including the website of the presidential office. That attack took place on the 63rd anniversary of the start of the Korean War, on June 25.
Malware used in the 2013 attack has been dubbed by cyber professionals as DarkSeoul. The attack was tracked by officials who linked it to a single IP address in China. South Korea blames the North for that attack.
North Korea was also blamed by South Korea and the US for the Sony Pictures hack in November 2014, which forced the company to pull its film, The Interview, from theatrical release. But conclusive evidence that the country was indeed behind the attack remains to this day scant at best. That incident employed a phishing attack.
From an outbreak of malicious spyware to the UK’s bill on investigatory powers, here’s our comprehensive breakdown of cybersecurity news from the past week.
Remtasu is disguised in Facebook hacking tool
ESET’s Camilo Gutierrez Amaya reported how Remtasu, a well-known piece of spyware that first surfaced almost four years ago, is now appearing in disguise as an app for hacking into Facebook accounts. Whereas previous incarnations of Remtasu were spread in email attachments, this strain is coming from direct download sites and is installed when users download and execute the file themselves after seeing adverts for its capabilities. Mr. Amaya noted that “although having security software can help in detecting malicious content, taking care of what you click on will bring further protection against such threats”.
How to isolate VBS or JScript malware with Visual Studio
Facebook security cheat sheet
Social sharing on networking sites has become commonplace, but many users still aren’t fully utilizing Facebook’s security features, and, furthermore, do not understand the implications of sharing personal information publicly online. ESET released its Facebook cheat sheet to coincide with Safer Internet Day detailing how to customize privacy settings and avoid compromising personal information.
Southwest Airlines flight giveaway scams spread on Facebook
Once again Facebook users have been duped into liking and sharing a Facebook page, in the belief that they might be rewarded with a first class plane ticket. A page purporting to be Southwest airlines received 23,000 shares and 14,500 likes on one such post. “The end result of all these shenanigans, of course is to trick Facebook users into poor decisions – whether it be taking online surveys which earn affiliate cash for the scammers, signing up for expensive premium rate mobile services, or spamming the unwary with unwanted (and sometimes malicious) messages,” noted security analyst Graham Cluley.
ISC calls for latest draft investigatory powers bill to go further to protect privacy
The Intelligence and Security Committee (ISC) in the UK deemed the latest Draft Investigatory Powers Bill a “missed opportunity”, according to its latest report. The bill aims to give issues such as mass data collection and hacking by British spies a more comprehensive legal framework, but the ISC stated that it “fails to deliver the clarity so badly needed in this area”.
Cybersecurity e-learning course launches in the UK for HR staff
It was reported that a free online course to help HR professionals effectively deal with cybersecurity issues has been launched in the UK. This comes a year after government statistics found that online security breaches can cost businesses up to $2.1 million. The minister for Culture and the Digital Economy, Ed Vaizey, stated that “HR professionals handle sensitive personal data so it’s crucial they are able to protect this properly”.
Adobe has stopped distribution of an update believed to be triggering the deletions.
Adobe Systems has stopped distributing a recently issued update to its Creative Cloud graphics service amid reports a Mac version can delete important user data without warning or permission.
The deletions happen whenever Mac users log in to the Adobe service after the update has been installed, according to officials from Backblaze, a data backup service whose users are being disproportionately inconvenienced by the bug. Upon sign in, a script run by Creative Cloud deletes the contents of whichever folder sorts first alphabetically in the Mac’s root directory. Backblaze users are being especially hard hit because the backup service relies on data stored in a hidden root folder called .bzvol. Because that folder is the alphabetically top-most hidden folder at the root of so many users’ drives, they are affected more than users of many other software packages.
“This caused a lot of our customers to freak out,” Backblaze Marketing Manager Yev Pusin wrote in an e-mail. “The reason we saw a huge uptick from our customers is because Backblaze’s .bzvol is higher up the alphabet. We tested it again by creating a hidden file with an ‘.a’ name, and the files inside were removed as well.”
Backblaze officials have published three videos that show the deletion bug in action, including the one below.
On Friday morning, Adobe Creative Cloud users flooded Twitter with complaints about the unauthorized data deletions. Many users who don’t use Backblaze (the reporter of this Ars story included) will find the first folder in their Mac root drive is .DocumentRevisions-V100, a folder that stores data required for Mac autosave and Version history functions to work properly. Deleting its contents could have negative consequences. The Adobe bug could also have dire consequences for users who have important folders whose names begin with a space, since a leading space sorts ahead of a leading dot and those folders therefore take the top alphabetically sorted spot on the Mac hard drive (which by default is labeled Macintosh HD).
An Adobe spokeswoman issued a statement that read: “We are aware that some customers have experienced this issue and we are investigating in order to resolve the matter as quickly as possible. We are stopping the distribution of the update until the issue has been resolved.” The version that appears to be causing the deletions is 3.5.0.206, Pusin said.
Creative Cloud users who have not yet installed the update should hold off doing so until Adobe releases detailed guidance. People who have already installed the update shouldn’t log in for the time being. One work-around for people who have installed the update and want to log in right away is to create a folder that assumes the alphabetically top-most spot in the root folder. A hidden folder with the name “.aaaaa” comes to mind, but the Backblaze guidance, perhaps offering some comic relief for its aggrieved users, suggested creating a folder called “.adobedontdeletemybzvol.”
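To make the failure mode and the workaround concrete, here is an added example that is not Adobe’s or Backblaze’s code: a model of the reported behaviour (empty whichever directory sorts first at the root of the drive) and of the guard-folder workaround, run against a throwaway directory tree rather than a real root volume. It assumes a case-insensitive ordering, which is what the article’s own examples imply (.bzvol ahead of .DocumentRevisions-V100, .adobedontdeletemybzvol ahead of .bzvol); the real script’s exact command is not known and is not reproduced here.

```python
"""Model of the first-folder deletion bug and the guard-folder workaround
(added example; the sort order is an assumption drawn from the article)."""
import os
import shutil
import tempfile

GUARD = ".adobedontdeletemybzvol"  # Backblaze's suggested sacrificial folder


def sort_key(name):
    # Case-insensitive, so ".bzvol" < ".DocumentRevisions-V100"; a leading
    # space (0x20) still sorts ahead of a leading dot (0x2E), which is why
    # folders with a leading space are also exposed.
    return name.casefold()


def exposed_folder(root):
    """Directory the faulty cleanup would empty: the first one in sort order."""
    dirs = [n for n in os.listdir(root) if os.path.isdir(os.path.join(root, n))]
    return min(dirs, key=sort_key) if dirs else None


def add_guard(root, name=GUARD):
    """Create an empty guard directory and confirm it now absorbs the hit."""
    path = os.path.join(root, name)
    os.makedirs(path, exist_ok=True)
    if exposed_folder(root) != name:
        raise RuntimeError(f"{name!r} does not sort first; pick an earlier name")
    return path


def simulate_faulty_cleanup(root):
    """Model of the bug: remove the contents of the first directory.
    Refuses to touch anything outside the temp area, so it is safe to run."""
    tmp = os.path.realpath(tempfile.gettempdir())
    if not os.path.realpath(root).startswith(tmp):
        raise ValueError("demo only runs inside the temp directory")
    victim = exposed_folder(root)
    victim_path = os.path.join(root, victim)
    for entry in os.listdir(victim_path):
        p = os.path.join(victim_path, entry)
        shutil.rmtree(p) if os.path.isdir(p) else os.remove(p)
    return victim


def build_fake_root():
    """Throwaway tree shaped like a Mac root volume (constructed)."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    for d in (".bzvol", ".DocumentRevisions-V100", "Applications", "Users"):
        os.mkdir(os.path.join(root, d))
    with open(os.path.join(root, ".bzvol", "backup.state"), "w") as f:
        f.write("backblaze state\n")
    return root


def demo():
    """Return (victim before guard, victim after guard, .bzvol file survived)."""
    root = build_fake_root()
    try:
        before = exposed_folder(root)           # ".bzvol" takes the hit
        add_guard(root)
        after = simulate_faulty_cleanup(root)   # the guard takes it instead
        survived = os.path.exists(os.path.join(root, ".bzvol", "backup.state"))
        return before, after, survived
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The guard only helps while it sorts first: `add_guard` checks that after creating it, which is the test a user should run (a plain `ls -a /`) before trusting the workaround on a drive that already has folders beginning with a space or with “.a”.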
Android malware comes with rootkit component to show ads.
A new Android malware family is targeting users to show unwanted ads and forcibly install dangerous applications, Check Point’s security team has discovered.
Called HummingBad, this threat was first seen packed inside adult-themed applications downloaded from third-party app stores.
The app is part of a trend in the Android malware ecosystem, one that includes malicious applications that were built specifically to show ads and install other apps, for the monetary gain of their creators, who are part of various shady affiliate and referral programs.
HummingBad works just like Brain Test and Ghost Push
Previous Android malware families that employed this tactic include Brain Test and Ghost Push. As with those two, HummingBad is also capable of rooting the device, coming with a special rootkit component that makes sure the malware starts with root privileges every time the device boots.
The rest of HummingBad’s internal structure is split into two, and each part tasked with its own attack routine: showing ads and installing unwanted apps.
HummingBad can be used for much more dangerous attacks
Check Point researchers point out that, by making a few modifications to their code, the authors behind this campaign could find it very easy to perform much more malicious actions, outside just showing ads.
“Moreover, as the malware installs a rootkit on the device, it enables the attacker to cause severe damage if he decides to change his objectives, including installing key-logger, capturing credentials and even bypassing encrypted email containers used by enterprises,” researchers explain.
For now, HummingBad is relatively harmless compared with what it could do to its victims.
Security analysts say the malware has been spotted only on a few targets, but that its C&C (command and control) servers are still active, meaning it could still be a large-scale threat, just like Ghost Push and Brain Test, which affected millions of devices, sometimes via the official Google Play Store.