In the Know - Cyber Security Update - Week of August 7th - August 13th
Eric Brown 08/14/2017
3 Minutes

User-targeted malware picks up this week: the latest variant of the ransomware-as-a-service Cerber steals bitcoin and browser passwords before encrypting systems. Free is not always free: Hotspot Shield Free VPN is in some hot water as researchers discover that ads and tracking data are injected into its users' browsing streams. NIST (National Institute of Standards and Technology) releases new password guidelines, saying that its previous guidance of frequent changes and random numbers and characters leads to weaker passwords. The international SMS messaging app SMS Touch compromises its users by sending authentication data and conversations in the clear. And researchers discover thousands of Android apps are spying on their users.

1. Cerber malware gets more malicious
Cerber, a popular ransomware of 2016, in part due to its ransomware-as-a-service operating model (the author of the ransomware receives 40% of the ransom and the distributor receives 60%), is back in the news. The latest Cerber variant scans systems for cryptocurrency wallets and attempts to steal the coins before encrypting the system.

Bitcoin Core, Electrum, and Multibit software wallets are currently targets. In addition, Cerber also steals browser passwords from Chrome, Firefox, and Internet Explorer.

The most common infection vector for Cerber continues to be compressed JavaScript files that the user must execute.  Prevention methods include blocking all JavaScript attachments from email, not storing passwords in browsers, and moving cryptocurrency wallets to hardware wallets.
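As an added, defensive illustration of the first prevention step above (this is not code from the original post or from any Cerber analysis), the following Python checks an inbound message for script attachments, including JavaScript files packed inside a zip archive, which is the compressed-JavaScript lure described above. The sample message, the archive and its contents are constructed inside the block; the extension list and the function names are my own choices for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to the Windows Script Host or mshta when double-clicked.
# Assumption for this example: any of these arriving by mail is quarantined.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every ordinary zip


def _has_script_extension(name: str) -> bool:
    name = name.lower()
    return any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def find_script_payloads(raw_message: bytes) -> list[str]:
    """Return the reasons this message should be quarantined.

    Each entry names the attachment (and, for archives, the member) that
    carries a script. An empty list means no script payload was found.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # A bare script file attached directly.
        if _has_script_extension(filename):
            findings.append(f"{filename}: script attachment")
            continue
        # Sniff zip by magic bytes rather than trusting the declared name, so a
        # file called 'invoice.pdf' that is really a zip is still inspected.
        if data.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for member in archive.namelist():
                        if _has_script_extension(member):
                            findings.append(f"{filename}: archive contains script {member}")
            except zipfile.BadZipFile:
                # Truncated or malformed archives are suspicious in their own right.
                findings.append(f"{filename}: corrupt or truncated archive")
    return findings


def build_sample_message() -> bytes:
    """Construct a phishing-style message for the demo (constructed here, not a real sample)."""
    archive_buf = io.BytesIO()
    with zipfile.ZipFile(archive_buf, "w") as archive:
        archive.writestr("Invoice_2017-08.js", "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive_buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for reason in find_script_payloads(build_sample_message()):
        print("QUARANTINE:", reason)
```

The check looks at the archive's member names rather than the outer filename, because the lure described above is a compressed file whose only dangerous content is the script inside it; the PDF attachment in the sample passes untouched.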

Some variants of Cerber include a VBScript that plays an audio recording.
More details on the attack:

2. Hotspot Shield Free VPN injects ads & malware
A digital rights advocacy group, the Center for Democracy & Technology, is investigating claims that the Hotspot Shield VPN (Virtual Private Network) service failed to keep its promise to keep customer data private, secure and anonymous.

It seems that, in order to pay for the free service, ads and tracking data are injected into the user's browsing stream.

Federal Trade Commission complaint against AnchorFree Inc., the parent company of Hotspot Shield VPN:
More info:

3. NIST (National Institute of Standards and Technology) does a 180 on its previous password guidelines
We've all heard the guidance to change passwords regularly and to have a separate password for each online account that you own. NIST is reversing its stance on mandatory regular changes, as studies have shown that frequent password changes lead to weaker passwords. Additionally, forcing complexity into passwords, such as a mixture of upper- and lower-case letters, symbols and numbers, has also resulted in weaker passwords.

The new guidance recommends selecting a phrase or moniker that means something only to you. For example, a long password such as "My mother's name is Jane and my father was born in 1940" could be used on sites that allow 64-character passwords, or it could be shortened to "MmniJamFwbi1940". Both of these, according to the cited estimate, would take millions of years to crack.

NIST Digital Identity Guidelines: claims to test passwords against a list of previously compromised passwords and may be a good resource to test passwords against:
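To make the new guidance concrete, here is an added Python example (not from NIST and not from the original post) of a password-acceptance check that follows the direction described above: it enforces length rather than character-class rules, accepts long phrases with spaces up to the 64 characters mentioned above, skips forced expiry entirely, and rejects candidates found in a list of previously compromised passwords. The breached-password set is a tiny constructed stand-in for a real list, and the function names, the 8-character minimum and the context-word check are my assumptions for the example.

```python
import unicodedata

# Constructed stand-in for a real breached-password list. In practice load a large
# list (for example an offline breach export) and compare case-insensitively.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2017"}

MIN_LENGTH = 8    # assumed minimum for user-chosen secrets in this example
MAX_LENGTH = 64   # verifiers should accept at least this many characters


def _is_sequential_or_repetitive(pw: str) -> bool:
    """Flag 'aaaaaaaa' and 'abcdefgh' / '12345678' style secrets."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, context_words=()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (must contain a digit/symbol/upper-case
    letter) and any notion of expiry, which are the practices the new guidance drops.
    """
    # Normalise so the same phrase typed on different keyboards compares equal;
    # length is counted in code points so non-ASCII phrases are not penalised.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    # Context words (username, service name) make a secret guessable even if it is long.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    if pw and _is_sequential_or_repetitive(pw):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for sample in ("My mother's name is Jane and my father was born in 1940",
                   "MmniJamFwbi1940", "password", "abcdefgh"):
        verdict = check_password(sample) or ["accepted"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Both example passwords from the text pass, while "password" and "abcdefgh" fail for the reasons the guidance cares about (known-compromised and trivially sequential), without any rule about which character classes must appear.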

4. SMS Touch texting app sends messages in clear text
A popular international texting app, SMS Touch, is sending login credentials and messages in the clear.

Zscaler's security research team discovered that the app, which is available on both the Google Play Store and the iTunes App Store for $1.99 (plus $0.09 per text), is sending customer data in the clear, open to interception by malicious actors.

Full write-up by Zscaler with example messages sent in the clear:

5. Thousands of malicious Android apps that spy on users reported in the last 6 months
Three messaging apps, Soniac, Hulk Messenger and Troy Chat, all of which were available on the Google Play Store (now removed), have been discovered to spy on users. Researchers have found that these and a purported 4,000 other Android applications have the ability to execute remote commands that surreptitiously take pictures, record audio, retrieve logs and contact information, and send text messages.

Lookout researcher Michael Flossman says that these apps are all part of a family of malware Lookout calls SonicSpy.

"What's commonly seen in all SonicSpy samples is that once they compromise a device they beacon to command and control servers and wait for instructions from the operator who can issue one of seventy three supported commands," Flossman wrote in the e-mail. "The way this has been implemented is distinct across the entire SonicSpy family."

More details from Michael Flossman’s blog:
