Ransomware attacks in Spain leave radio station in “hysteria”

By Danny Bradbury

A ransomware attack has ransacked at least two Spanish companies, leaving their employees without computer access.

The ransomware hit radio broadcaster Sociedad Española de Radiodifusión (Cadena SER), which released a statement about the attack. The company said that it was maintaining its radio service from its Madrid headquarters with the help of autonomous teams. A technician there said that the company was in “hysteria mode”, according to local media.

Local press also reported that the Radio Systems Department at SER’s parent company PRISA issued a circular to staff which reads (translated):

We are immersed in a computer security incident. It is mandatory to comply with the following guidelines:

• Under no circumstances can PRISA computer equipment be used (neither desktops nor laptops)
• Under no circumstances can the Wi-Fi network be accessed.

There is no problem in using Outlook 365 email from your mobile phone and from private computers (desktops or laptops) and connecting to your One Drive, Share Point applications…

Please extend this statement to all your colleagues. We will keep you updated with any news.

The ransomware also hit IT services and consulting company Everis, which is a subsidiary of Japanese telco NTT. It came with a €750,000 ransom demand, according to Spanish site bitcoin.es.

Both companies have reportedly warned staff to switch off computers.

Read more at https://nakedsecurity.sophos.com/2019/11/06/spanish-ransomware-hits-two-companies/

Founders of ‘worthless cryptocurrency’ ATM Coin fined over $4.25m scam

By Lisa Vaas

The US Commodity Futures Trading Commission (CFTC) on Friday announced that it’s fining the founders of a “worthless cryptocurrency” that ran a $4.25m, so-called “binary options” scam involving a virtual currency known as ATM Coin.

Their pie-in-the-sky financial promises were rigged with software that put a finger on the scale to tip it away from a customer’s chance to make a profit on their binary-options gamble. Add a dollop of “Let’s stash your money in St. Kitts and Nevis where it’s conveniently tough to trace funds,” and the equation balances out to that $4.25m fine for fraud and misappropriation of client funds.

Binary options give the buyer the right to buy or sell an asset for a specified price on or before a certain date. See below for the CFTC’s detailed explanation of how they work. TL;DR: suffice it to say that these financial contracts tend toward the slimy, right along with initial coin offerings (ICOs).

Facebook banned ads for both ICOs and binary options back in 2018, on top of ads for cryptocurrency in general, or, really, anything that combines exclamation marks, full capitals and/or deceptive financial promises, like, say, these real-world examples:

• “Start binary options trading now and receive a 10-risk free trades bonus!”
• “Click here to learn more about our no-risk cryptocurrency that enables instant payments to anyone in the world.”
• “New ICO! Buy tokens at a 15% discount NOW!”
• “Use your retirement funds to buy Bitcoin!”

This is what Facebook product management director Rob Leathern had to say at the time:

There are many companies who are advertising binary options, ICOs and cryptocurrencies that are not currently operating in good faith.

Clearly, the ATM Coin lot were not operating in good faith. Rather, they were operating in something about as valuable as pocket lint.

Read more at https://nakedsecurity.sophos.com/2019/11/06/founders-of-worthless-cryptocurrency-atm-coin-fined-over-4-25m-scam/

Google patches bug that let nearby hackers send malware to your phone

By Danny Bradbury

Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.

Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near field communications (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.

Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.

One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.

For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown App Store.

Read more at https://nakedsecurity.sophos.com/2019/11/05/google-patches-dont-stand-so-close-to-me-bug/

Office for Mac 2011 users warned about SYLK file format

By John E Dunn

Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.

The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.

The second is that the US CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a forgotten macro format called XML (no relation to XML markup) when embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).

Its unlikely many people will have heard of either but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.

Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.

First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.

More seriously, in Office for Mac 2011, the default macro execution warning – disable all macros without notification – could allow an attack exploiting XML inside .slk files to slip through unnoticed.

The only alternatives to this are the clearly unwise enable all macros or disable macros with notification which stops any macros from running automatically but informs the user each time it has to intervene.

Disable all macros without notification should be safer but, ironically disable macros with notification is the option that would warn of a malicious XML/SYLK file.

Read more at https://nakedsecurity.sophos.com/2019/11/05/office-for-mac-2011-users-warned-about-sylk-file-format/

Florida city sends $742K to fraudsters as it bites the BEC hook

By Lisa Vaas

We’re changing our banking information, said the sham email purporting to be from a construction company working on an international airport in the Florida city of Ocala.

The message pretended to come from Ausley Construction, a bona fide firm that’s working on the $6.1m project of constructing a new terminal at the 17,500-square foot Ocala International Airport – and included the proper form to change the routing and account number, plus a copy of a voided check from the account.

It was all right and proper-looking, as are the most sophisticated Business Email Compromise (BEC) scams, and, of course, utterly bogus.

The spearphishing email worked. As reported by local paper Ocala Star Banner, the city is now $742,376.73 lighter.

According to reports from Ocala Mayor Kent Guinn and the Ocala Police Department, in September, a city senior accounting specialist got the phishing email in September. The next month, Ausley Construction submitted a legitimate invoice for nearly $250K.

The next day, on 18 October, the city paid the invoice. Ausley never saw that money, though. On 22 October, the firm let the city know that it was still waiting to be paid, and that’s when the fraud came to light.

Read more at https://nakedsecurity.sophos.com/2019/11/05/florida-city-sends-742k-to-fraudsters-as-it-bites-the-bec-hook/

Police interrogate Alexa for clues in fatal spear-stabbing

By Lisa Vaas

Police in South Florida plan to interrogate a potential witness to a fatal stabbing: Amazon’s Alexa smart speaker app.

Last week, the South Florida SunSentinel reported that police in Hallandale Beach issued a search warrant for anything recorded by two devices – an Echo and Echo Dot – found in the apartment where a woman who was arguing with her boyfriend was killed in July.

Police have accused Adam Reechard Crespo of murdering his girlfriend, Silvia Galva.

When police arrived at the apartment, they found Galva in one of the bedrooms in Crespo’s condo. She was bleeding to death from a stab wound in her chest, as Crespo tried to stanch the bleeding and save her life. Police also found the spear that, as Crespo told them, he had pulled from her chest: a spear with a 12-inch, double-sided blade.

Crespo says that Galva had been drinking, and that he’d tried to kick her out of the bedroom, but she resisted, grabbing onto the spear – at the foot of the bed – for leverage. He says he kept pulling, without turning around, until he heard a snap. That’s when the spear she was holding onto snapped and impaled her, police said.

A friend of Galva’s was in the condo at the time and told police that she’d heard arguing coming from the bedroom but couldn’t make out the details of the fight.

Read more at https://nakedsecurity.sophos.com/2019/11/05/police-interrogate-alexa-for-clues-in-fatal-spear-stabbing/

Apple developers – get this update to protect the rest of us!

By Paul Ducklin

Apple just pushed out an update to its widely used software development toolkit, Xcode.

New Xcode releases are pretty common immediately after updates to macOS or IOS, typically to provide official support and documentation for new programming features in the latest operating system versions.

The Xcode 11.2 release was a bit different, however, even though it followed closely on the heels of the recent macOS 10.15.1 and iOS 13.2.1 updates.

Xcode 11.2 comes with its own security advisory urging you to get (and then to verify that you have correctly installed) the new version, thanks to a pair of security flaws denoted CVE-2019-8800 and CVE-2019-8806.

These flaws are described in Apple’s typically perfunctory fashion in APPLE-SA-2019-11-01-1 (SA stands for security advisory):

Processsing a maliciously crafted file may lead to arbitrary code execution.

In other words, it sounds as though the supposedly innocent task of just compiling, or building, a software project – something that’s supposed to be ‘mostly harmless’ – could inject malware onto your system.

Read more at https://nakedsecurity.sophos.com/2019/11/04/apple-developers-get-this-update-to-protect-the-rest-of-us/