Information Security News (Feb-01-2017)
--2.5 million XBOX 360 and PSP ISO forum accounts breached--(Jan-31-2017)
An unidentified hacker reportedly breached the XBOX 360 and PlayStation Portable ISO forums, compromising 2.5 million gamer accounts.
The breaches occurred around September 2015 and compromised email addresses, account passwords and IP addresses, according to independent researcher Troy Hunt.
Gamers who use the accounts are advised to reset the passwords for all of their gaming accounts. Although the breaches may have affected a great many gamers, some researchers believe the gaming community may not be hit as hard by the breach as some would think.
Xbox and PSP users are a pretty tech-savvy bunch with accounts for many different services, Jonathan Sander, vice president at Lieberman Software, told SC Media.
With all of the breaches that have plagued the gaming platforms, Sander said, if the Xbox and PSP crew haven't learned by now that they can't use the same email and password on every service, then it's likely game over for their personal data.
“As breach after breach has shown that using the same username and password for multiple sites is a bad idea, you would have to imagine this group would have gotten that message by now,” Sander said. “When you see a dump of passwords hit a much less techie site, you can be sure that a huge number of the victims are going to have to go around changing their credentials on the many sites where they foolishly used the same details over and over.”
Some researchers aren't as optimistic and believe the breaches just serve as another example of consumers needing to practice safer habits with their information.
Unfortunately, the damage may have already been done, Jeff Hill, director of product management at the security firm Prevalent, told SC Media.
"Like rushing to close the barn door after most of the horses have escaped, changing the passwords at the time of an announcement of a breach may provide some comfort but precious little protection," Hill said. "The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts."
Hill added that at this point it's not even clear that the breaches were detected, rather than the attacker having milked the stolen information for what it was worth and left the rest useless. Other researchers weren't as pessimistic as Hill but expressed a similar lack of optimism for those affected by the breaches.
“While this site is mostly used to distribute pirated copies of games, DVDs and BluRays, consumers who use the forums need to make sure that they are vigilant,” NuData Security Vice President of Business Development Robert Capps told SC Media. “Keep alert to any phishing scams that may appear in email as a result of this hack, changing passwords on any site where the passwords or usernames used on these sites are used.”
He went on to say that the data will likely be sold on the dark web and used for future cybercrime, and that it's a good reminder for users to choose unique passwords on all sites that require registration.
SC Media attempted to reach out to Sony for comment but they have yet to respond and Microsoft has declined to comment.
--"Charger" ransomware removed from Google Play--(Jan-27-2017)
Researchers at Check Point detected and quarantined a zero-day mobile ransomware on the Android device of a customer, according to a company blog post.
The suspect malware, dubbed "Charger," was found embedded in an app called EnergyRescue downloaded from Google Play. The polluted app is capable of siphoning contacts and SMS messages from the user's device and requests admin permissions which, if granted, trigger the ransomware to lock the device and display a threatening message demanding payment.
All files will be restored once payment of 0.2 Bitcoins (around $180) is received, the ransom note promises; otherwise portions of the victim's personal data will be put up for sale on underground forums every 30 minutes. That data includes social network contacts, bank accounts, credit cards and other information of the victim's friends and family. The attackers even go so far as to offer a "100% guarantee" that, once payment is received, all control will be restored to the device's owner.
The security vendor reported its findings to Android's security team, who removed the infected app and added the malware to its white list.
Charger may foreshadow further malware of this type from mobile malware developers, the researchers said.
The fact that Charger checks local settings on the device and won't trigger if the device is located in Ukraine, Russia or Belarus leads the researchers to believe that the malware creators reside in that region and are looking to avoid prosecution there.
"Attackers develop new tactics to evade detection, or simply implement tactics which were used by other malware," Daniel Padon, part of the research team at Check Point, told SC Media on Friday. "There are endless ways in which an attacker can write code which will achieve the same purpose. This renders most signature-based protections ineffective against new or adapted threats."
When asked what's so different about the delivery mechanism used in this iteration of the ransomware, Padon explained that most malware that manages to infiltrate Google Play, such as the recent HummingWhale, does so by uploading only a slim version of the malware which, by itself, has no malicious properties. This component is called the dropper. Once installed on a user's device, it downloads the actual malicious components. This procedure is necessary to evade Google's protections.
"Charger uses a different approach," he said. "Instead of using a dropper, it hides the malicious sections of its code under several layers of packing and encryption."
For example, it encodes strings into binary arrays, obscuring inspection attempts, and dynamically loads code from encrypted resources, another strategy to evade detection by analysts and security tools. That code is further disguised with meaningless commands to add to the evasive techniques.
"This can be seen as someone who manages to cross the border with illegal contraband by hiding it in his dirty laundry," Padon explained. "By doing so, Charger managed to pass by Google's defenses, and into Google Play."
This level of sophistication illustrates that the attackers behind this ransomware have given it advanced evasion capabilities, Padon says, and it is a portent of things to come. "These could be improved in the future to allow additional samples of malware to evade detection, endangering all users."
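As an added example (not Check Point's tooling and not code from the article), the following Python script shows how an analyst could triage decompiled Android source for the indicator families the article describes: printable strings hidden in byte arrays, dynamic code loading from resources, device-admin requests and a SIM/locale country check. The sample "decompiled" source, its variable names and the `R.raw.blob` resource are all constructed for this example; the regexes are triage heuristics, not a detection signature for Charger.

```python
import re
from typing import Dict, List

# Indicator families named in the article, as heuristics for triage.
# They point an analyst at what to read first; a hit is not a verdict.
INDICATORS = {
    "dynamic_code_loading": re.compile(
        r"\b(DexClassLoader|PathClassLoader|InMemoryDexClassLoader|System\.load(Library)?)\b"),
    "device_admin_request": re.compile(
        r"\b(ACTION_ADD_DEVICE_ADMIN|BIND_DEVICE_ADMIN|DeviceAdminReceiver)\b"),
    "region_check": re.compile(
        r"\b(getSimCountryIso|getNetworkCountryIso|Locale\.getDefault)\b"),
}

# A Java byte-array literal: byte[] name = {0x6c, 0x6f, ...};
BYTE_ARRAY = re.compile(r"byte\s*\[\]\s*(\w+)\s*=\s*\{([^}]*)\}")

# Constructed sample in the style of decompiled Android source (not Charger's code).
SAMPLE_SOURCE = """
byte[] a = {0x6c, 0x6f, 0x63, 0x6b, 0x5f, 0x73, 0x63, 0x72, 0x65, 0x65, 0x6e};
byte[] key = {0x01, 0x02, 0x03, 0xfe, 0xff, 0x10};
String msg = new String(a);
DexClassLoader loader = new DexClassLoader(decrypt(getResources().openRawResource(R.raw.blob)), dir, null, getClassLoader());
Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
String iso = tm.getSimCountryIso();
int noise = (3 * 7) - 21; // meaningless filler of the kind the article mentions
"""


def decode_byte_array(body: str) -> bytes:
    """Turn the text inside {...} into bytes; accepts hex and decimal literals."""
    values = []
    for tok in body.split(","):
        tok = tok.strip()
        if tok:
            values.append(int(tok, 0) & 0xFF)
    return bytes(values)


def hidden_strings(source: str, min_len: int = 6) -> List[Dict[str, str]]:
    """Find byte-array literals that decode to printable ASCII.

    Ordinary strings sit in the constant pool as string literals; a readable
    string assembled element by element in a byte array is the "strings
    encoded into binary arrays" pattern and is worth a closer look.
    """
    found = []
    for m in BYTE_ARRAY.finditer(source):
        name, body = m.group(1), m.group(2)
        try:
            raw = decode_byte_array(body)
        except ValueError:  # not a plain numeric literal list, skip it
            continue
        if len(raw) >= min_len and all(32 <= b < 127 for b in raw):
            found.append({"variable": name, "decoded": raw.decode("ascii")})
    return found


def triage(source: str) -> Dict[str, object]:
    """Run every heuristic over decompiled source and summarise the hits."""
    findings = {name: sorted({m.group(1) for m in rx.finditer(source)})
                for name, rx in INDICATORS.items()}
    findings["hidden_strings"] = hidden_strings(source)
    # Count indicator families that fired; several together is the cue to
    # escalate to manual analysis rather than rely on a signature match.
    hits = sum(1 for v in findings.values() if v)
    return {"findings": findings, "families_hit": hits, "escalate": hits >= 3}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SOURCE), indent=2))
```

Running the script on the constructed sample decodes the first byte array to `lock_screen`, ignores the second (non-printable bytes, so probably a key or raw data rather than a hidden string), and reports all four indicator families, which the `escalate` flag then surfaces. Adjust `min_len` upward on real decompiled output to cut noise from short legitimate byte arrays.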
While the ransom demand is much higher than has previously been seen in mobile malware (DataLust ransomware demanded $15), no evidence has yet surfaced of anyone paying up to the Bitcoin address, Padon said.
--Ransomware crime bill goes into effect in California--(Jan-04-2017)
Beware, perpetrators of ransomware in California: under a new bill that went into effect on Jan. 1, you will now face four years in a state prison.
Senate Bill 1137, which was signed in September, took effect on the first of the year. It updates the state's penal code to differentiate the crime of ransomware from existing extortion statutes. Ransomware is generally malware downloaded into a computer or network that enables cyberthieves to lock systems up until a ransom is paid, usually via Bitcoin.
Pointing out the explosion in ransomware cases, Sen. Bob Hertzberg (D-Van Nuys), who authored the bill, said in a statement when the law was passed that prosecutors will now have "the clarity they need to charge and convict perpetrators of ransomware.” He noted that there has been “a dramatic increase in the use of ransomware.”
Kaspersky Lab reported that between April 2015 and March 2016 more than two million individuals were affected, an 18 percent spike from the previous year. Further, the FBI reported that victims across the U.S. lost more than $209 million in ransomware payouts in the first three months of 2016, compared with $25 million in the entire previous year.
The California bill, Hertzberg said, regards the crime "which is essentially an electronic stickup, with the seriousness it deserves.”
Wyoming passed similar legislation in 2014.