May 8, 2019

Latest Android security updates, and Google to fix patch delays for Pixel

By John E Dunn

Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month?

If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own smartphones made by other vendors, that security update could be anytime between this month and several months hence.

It’s a confusing and unsatisfactory situation Google’s been trying to solve for several years, and this week it detailed how it plans to improve things in the next version of Android, currently known as ‘Android Q’.

Currently, Google’s security updates arrive via phone makers as updates that incorporate elements proprietary to each model and vendor. Inevitably, this takes time.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company’s ‘Project Mainline’ for Q will adopt a radically different approach, updating a list of 14 OS modules over-the-air straight from the Play Store.

Read more at https://nakedsecurity.sophos.com/2019/05/08/latest-android-security-updates-and-google-to-fix-patch-delays-for-pixel/

Malvertiser behind 100+ million bad ads indicted in the US

By Lisa Vaas

The Netherlands has extradited a Ukrainian man to the US to face charges of taking part in a multi-year, international malvertising campaign in which conspirators allegedly attempted to smear malware onto victims’ computers on more than 100 million occasions.

31-year-old Oleksii Petrovich Ivanov was indicted in a court in Newark, New Jersey, on Friday, according to the US Justice Department.

He’s facing one count of conspiracy to commit wire fraud, four counts of wire fraud, and one count of computer fraud. Dutch police have had Ivanov since his arrest on 19 October 2018, after an international investigation led by the US Secret Service in coordination with Dutch law enforcement. Indicted on 3 December 2018, Ivanov arrived in the US last Thursday and has been detained without bail.

A plate of bogus fed to online ad platforms

According to the indictment, from around October 2013 through May 2018, Ivanov and a group of unnamed accomplices allegedly launched online advertising campaigns that came off as legit but which tried to direct unsuspecting visitors toward malware, unwanted ads, and on to other computers that could install malware.

He and his co-conspirators allegedly hid behind fake online personas and phony companies to place ads on third-party sites, such as shopping, news, entertainment, or sports websites. Ivanov and his buddies allegedly told advertising companies they were distributing ads for real products and services and even cooked up false banners and websites showing purported ads. Those advertisements purchased by the ad companies were, however, used to push malware out onto the computers of whoever viewed or clicked on them.

Read more at https://nakedsecurity.sophos.com/2019/05/08/malvertiser-behind-100-million-bad-ads-indicted-in-the-us/

School lunch company exec arrested for skewering rival’s site

By Lisa Vaas

When it comes to school lunch, you’ve got choices.

You can get 1) the French toast sticks, 2) the baked fish sandwich with lettuce and tomato, or 3) to be a ruthless school concession tycoon who hacks into your competition, rips off student data, and tries to anonymously frame them for having crappy security.

Keith Wesley Cosbey, the chief financial officer of a Bay Area company in the student lunch business called Choicelunch, was arrested in April on two felony counts of allegedly choosing menu item No. 3. Or, in legal terms, for “illegal acquisition of student data” from the website of Choicelunch’s archrival, The LunchMaster, of San Carlos, California.

Vishal Jangla, the San Mateo County deputy district attorney, says that Cosbey, 40, is looking at more than three years in prison if he’s convicted of charges of hacking into The LunchMaster’s site to get data about hundreds of students, including their names, their meal preferences, information about allergies, their grades, and more, according to the San Francisco Chronicle.

Cosbey’s been charged with unlawful computer access and fraud, as well as identity theft. Jangla said he hasn’t encountered anybody at the executive level who’s pulled something like this:

Someone who’s an executive, that’s surprising. It’s a first for me.

Cosbey’s accused of not just hacking the data, but also sending it anonymously to the California Department of Education and claiming that The LunchMaster wasn’t appropriately protecting student privacy.

Read more at https://nakedsecurity.sophos.com/2019/05/08/school-lunch-company-exec-arrested-for-skewering-rivals-site/

Researchers’ Evil Clippy cloaks malicious Office macros

By Danny Bradbury

Office macros have long been a vehicle for malicious code. Now, a team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. Researchers at Netherlands-based cybersecurity consultancy Outflank created a tool they say stops most major antivirus tools from detecting malicious macro code.

In Microsoft Office, macros are small helper programs written in Visual Basic for Applications (VBA). They automate repetitive tasks like dropping a company letterhead into a document or formatting tables. Just as with other programs, attackers can make macros that do malicious things like drop malware onto your computer.

Named after Microsoft’s ill-fated Office assistant from the late nineties, Outflank’s ‘Evil Clippy’ uses some undocumented features in the way Microsoft stores its macros.

Office stores macros in a file format called Compound File Binary Format (CFBF). Evil Clippy compromises macros stored in this format using a technique called VBA stomping.

VBA stomping uses an undocumented feature within CFBF. The format stores the VBA source code for the Office macro, but it also stores a version of that code compiled into pseudo-code (also known as p-code) that is easier for the VBA engine to run.

Read more at https://nakedsecurity.sophos.com/2019/05/08/researchers-cloak-malicious-office-macros-with-evil-clippy/

MegaCortex ransomware distracts victims with Matrix film references

By John E Dunn

It’s easy to forget that malware authors are regular human beings with hobbies and interests – not that different from their many victims, in fact.

Take the contrived tendency to embed references to popular culture in malware – as the creator behind a new type of ransomware called MegaCortex has done.

Film buffs will recall that MetaCortex is the faceless software corporation that employs Neo, the hero-hacker who swallows the red pill in The Matrix, itself a veiled pop-philosophical reference to notions of choice and free will.

In the case of MegaCortex, instances of which SophosLabs has noticed ticking up significantly in the last week, the idea of choice-under-pressure is apt. Anyone infected is confronted with a ransom note written in a style reminiscent of The Matrix’s Morpheus character:

Your companies (sic) cyber defense systems have been weighed, measured and have been found wanting. The breach is the result of grave neglect of security protocols.

And:

We can only show you the door. You’re the one who has to walk through it.

The posturing pomposity is, of course, all part of a psychological game in which the attackers attempt to project the idea that they, not the victim, are in control.

One moment, the defenders’ network looked secure. The next, as if out of nowhere, the ransom note pops up. For any organization that isn’t anticipating this sort of attack, it’s easy to be put at a disadvantage by such a surprise tactic.

The tactic is to keep defenders in this state for as long as possible using distraction, ideally until they pay up. If that means bombarding them with gratuitous film references, so be it.

Read more at https://nakedsecurity.sophos.com/2019/05/07/megacortex-ransomware-distracts-victims-with-matrix-film-references/
