Roundup While this week was dominated by news of a new Spectre variant, the VPNFilter botnet, and TalkTalk’s bad routers, plenty of other stories popped up.
Here are a handful of security happenings that you may have missed.
Starbucks brews double-whip grande mocha pwnage
“Exploitation would have been rather unlikely as the attack could only work if the potential victims had followed a malicious link created by the attacker (it was reflected XSS).”
IRS warns beancounters over phishing scams
US tax officials are sounding an alert over a wave of spear phishing attacks targeting professional accountants.
The campaigns go after the high-value target in tax scams: the pros who would handle dozens of personal and corporate tax filings.
“Cybercriminals specifically targeted tax professionals in Iowa, Illinois, New Jersey and North Carolina. The IRS also received reports about a Canadian accounting association,” the IRS explained.
“The awkwardly worded phishing email states: ‘We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server’.”
Needless to say, accountants and the IT staff and admins who work with them should be on the lookout for this scam.
Comcast site spaffs Wi-Fi keys
US cable giant Comcast has confirmed reports that its Xfinity home site was leaking some customer information including Wi-Fi passwords. The bug, spotted in the customer portal, would have allowed an attacker with an account number to obtain the person’s home address, Wi-Fi network name, and password.
“There’s nothing more important than our customers’ security. Within hours of learning of this issue, we shut it down. At no time did this site enable anyone to access customers’ personal usernames and passwords and we have no reason to believe that any account information was accessed,” Comcast told The Register.
“We are conducting a thorough investigation and will take all necessary steps to ensure that this doesn’t happen again.”
I wish I knew how to quit you Eugene
Weeks after supposedly banning all Kaspersky Lab software from government systems, the US Department of Homeland Security is said to still be running the security vendor’s code on many of its computers.
According to The Daily Beast, the problem is that a number of “routers, firewalls, and other hardware” rely on Kaspersky products for their security and, short of replacing them outright, the department will be unable to comply with the December directive.
“It’s messy, and it’s going to take way longer than a year,” the report quotes one official as saying.
“Congress didn’t give anyone money to replace these devices, and the budget had no wiggle-room to begin with.”
D-Link routers leave the back door open
Stop us if you’ve heard this one before: a home router vendor has left serious security vulnerabilities wide open in its devices.
This time, it’s D-Link who have messed up by using a bug-riddled firmware that contains no fewer than four serious remotely exploitable vulnerabilities, including data disclosure and remote code execution.
According to Kaspersky Lab, the affected routers are largely concentrated among a few ISPs in Russia, but may also be in use by customers in other parts of the world.
“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords,” says the security vendor.
Mac Monero malware menaces millions
Lest you think rogue coin miners are only a problem for the Windows world (and we have no idea why you would think that), here is a new piece of Mac malware that turns your beloved iThing into a coin-generating machine for hackers.
Malwarebytes has an analysis of a piece of malware spotted by a number of Mac users that hijacks CPU time to run XMRig, a Monero-mining tool. They’re not sure how the malware is being installed, but it’s likely not anything more sophisticated than a dodgy download site.
Fortunately, all this malware seems to do is waste your CPU cycles.
“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating,” Malwarebytes explains.
Russia breaks up malware bank heist
Earlier this week, members of Russia’s Group-IB announced the arrest of a 32-year-old man they believe to be behind a massive malware operation.
According to the group’s release, the unnamed man had used a set of Android malware packages to lift the bank account credentials of people in Russia and send them to a command server. From there, withdrawals were made from the accounts, with the same malware infections intercepting SMS notifications on the victims’ phones.
The Group-IB statement indicates the man had been acting as part of a larger operation.
“The investigation by authorities identified a member of the criminal group, who was responsible for transferring money from user accounts to the attacker’s cards, a 32-year-old unemployed Russian national who had previous convictions connected to arms trafficking,” Group-IB said.
“During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/prosecution continues.”
What time is it? Xenotime
Security company Dragos says it has found what it thinks is “easily the most dangerous threat activity publicly known” in a piece of industrial malware it has dubbed “Xenotime”.
The malware, according to Dragos, is highly sophisticated and spreads through both industrial controllers and Windows systems. The ultimate target of the worm appears to be safety instrumented systems. Were it to go live, Dragos warns, the malware could cause serious physical danger.
Fortunately, it looks like at least one major attack from the malware’s controllers has already failed.
“The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly,” Dragos said.
“As Xenotime matures, it is less likely that the group will make this mistake in the future.”
Now there’s a happy note to enjoy the long weekend on. Stay safe, people. ®