Energetic Bear APTs, Bugged Browsers, and Trojaned Extensions
Another week, another pile of scary-sounding security stories. But don't freak out... If you know how to protect yourself, you can easily avoid most of these vulnerabilities and issues. Enjoy another episode of WatchGuard Security Week in Review for a quick recap of the Infosec news from the week, and what to do about it.
Today’s show includes how shady advertisers are booby-trapping Chrome extensions, a speech recognition issue that might allow malicious websites to bug your browser, and news of a Russian APT campaign targeting the foreign energy sector. For all that and more, watch the video below, and don’t forget to peruse the Reference section for links to some extra security stories too!
Keep vigilant and have a great weekend!
(Episode Runtime: 9:31)
Direct YouTube Link: http://www.youtube.com/watch?v=c8N2c1q8TXc
Episode References:
- Google extension auto updates result in adware – The Guardian
- How-To Geek's list of shady extensions – How-To Geek
- Chrome’s speech recognition can be used to bug your browser – Tal Ater Blog
- Israeli university researchers discover Android VPN vulnerability – The Register
- Researchers discover the first Android bootkit trojan – 360 Technology
- Crowdstrike Global Threat Report highlights Energetic Bear – Crowdstrike
Extras:
- Vietnamese attackers target EFF – EFF
- Insider steals 20 million South Korean customer records with USB key – Mashable
- NSA's Dishfire campaign collects millions of text messages – The Guardian
- 95% of ATMs use Windows XP… Uh Oh! – Digital Trends
- Russian teens associated with BlackPOS malware (but not necessarily Target attack) – TechWorld
- Ars Technica doubts an Internet of Things botnet – Ars Technica
- China says hackers took down the Internet, experts say it was the Chinese censors – The Washington Post
- Facebook pays $33K bounty for a major RCE vulnerability – ThreatPost
- Obama’s Privacy Review board says NSA phone data collection is not legal – CNN
- SEA hacks Microsoft blog again! – BBC
- More Foscam Web IP camera vulnerabilities (sigh) – KrebsonSecurity
- Neiman Marcus releases some breach details, 1.1 million cards affected – Neiman Marcus
- New Snapchat verification feature hacked in 30 minutes – Business Insider
- Windows malware moves to Android phones – The Inquirer
- Researchers mass scan for the Sercomm backdoor – Quarks Lab
- Ask Snowden Twitter chat – FreeSnowden.is
- Recent Snowden interview – The New Yorker
- Famous hacker, Guccifer, suspect arrested – Phys.org
- Is the US’s crackdown on hackers the new “War on Drugs?” – Wired
- Microsoft aggressively removes botnets from your machine, including a Tor service – NetworkWorld
— Corey Nachreiner, CISSP (@SecAdept)
Alexander Kushnarev (Rainbow Security) says
Let me be a little bit skeptical about some points of Qihoo 360 Technology Co. Ltd.'s research related to the Oldboot trojan (the "Researchers discover the first Android bootkit trojan" article). Some uncertainty regarding this trojan's structure is drilling into my mind...
Let's analyze what the imei_chk module/service can do:
– execute some code which reads two data blocks from its read-only data segments
– extract libgooglekernel.so into /system/lib during the boot process
– extract GoogleKernel.apk into /system/app during the boot process
– re-check whether these files are in place, and if not, extract them again during the boot process
– create a socket and listen (as a system service) for any other process
– execute commands from GoogleKernel.apk with root permissions
– as the trojan tries to connect to the C&C (with the help of procedures programmed inside libgooglekernel.so) and download new apps and modules, then, obviously, imei_chk should support more command calls from other parts of the "malicious complex"? Every professional trojan will take advantage of a service which can execute commands as root... won't it?
– as it can't be removed by AVs due to its location, then how can it be updated?
The final question behind my uncertainty: isn't that too much "technical magic" for one bootstrap module? What do you think, colleagues?
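Whatever one makes of the comment above, the file-system footprint it lists (libgooglekernel.so dropped into /system/lib, GoogleKernel.apk dropped into /system/app, an imei_chk service started at boot) is exactly what a practitioner would check for on a suspect handset. The script below is an added example written for this post, not code from the 360 report or from WatchGuard: it walks a filesystem tree and reports those indicators. The /sbin/imei_chk path and the `service imei_chk` line in init.rc are assumed from the Oldboot write-up, not stated in the comment; the fixture trees it builds are constructed test data so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): look for the Oldboot
# indicators named in the comment above. Run on a device via
#   adb shell sh oldboot_check.sh /
# or against a pulled system image mounted at some directory.

# Files the comment says imei_chk re-extracts on every boot.
OLDBOOT_PATHS="/system/lib/libgooglekernel.so /system/app/GoogleKernel.apk"

# oldboot_check ROOT: print each indicator found under ROOT.
# Returns 0 (shell "true") if anything was found, 1 if the tree looks clean.
oldboot_check() {
    root="${1:-}"
    found=0
    for p in $OLDBOOT_PATHS; do            # word-splitting is intended
        if [ -e "$root$p" ]; then
            echo "dropped file present: $p"
            found=1
        fi
    done
    # Assumption from the 360 write-up (not from the comment): the bootkit
    # ships /sbin/imei_chk in the boot-partition ramdisk and registers it
    # as an init service, so init.rc carries a "service imei_chk" line.
    if [ -f "$root/init.rc" ] && grep -q '^service[[:space:]]*imei_chk' "$root/init.rc"; then
        echo "init.rc registers the imei_chk service"
        found=1
    fi
    if [ -e "$root/sbin/imei_chk" ]; then
        echo "boot-partition binary present: /sbin/imei_chk"
        found=1
    fi
    [ "$found" -eq 1 ]
}

# Constructed fixtures so the check can be exercised without a phone.
# make_infected_fixture: a tree that carries two of the indicators.
make_infected_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/system/lib" "$d/system/app" "$d/sbin"
    : > "$d/system/lib/libgooglekernel.so"
    printf 'service imei_chk /sbin/imei_chk\n    class main\n    user root\n' > "$d/init.rc"
    echo "$d"
}

# make_clean_fixture: same layout, only benign content.
make_clean_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/system/lib" "$d/system/app" "$d/sbin"
    : > "$d/system/lib/libc.so"
    printf 'service servicemanager /system/bin/servicemanager\n    class core\n' > "$d/init.rc"
    echo "$d"
}

# Usage: pass the root of the tree to inspect as the first argument.
if [ -n "${1:-}" ]; then
    if oldboot_check "$1"; then
        echo "RESULT: Oldboot indicators found under $1"
    else
        echo "RESULT: no Oldboot indicators under $1"
    fi
fi
```

A hit on the dropped files alone is not proof of the bootkit; the comment's own point is that imei_chk re-extracts them at every boot, so the meaningful follow-up is to delete them, reboot, and see whether they come back, which is what separates a boot-partition implant from ordinary adware in /system.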