Week in security: Bash Bug, BlackEnergy and hoax attacks

This week, a serious software vulnerability – which rapidly became known as the ‘Bash Bug’ or ‘Shellshock’ – dominated the headlines and highlighted the fact that many media organizations were not entirely sure what it was, just that the ‘Bash bug’ was ‘bigger than Heartbleed’.

For those still mystified, ESET’s Stephen Cobb and Cameron Camp offer a crash course in Shellshock (or the Bash Bug) here. Meanwhile, security hit the mainstream press again, thanks to a hoax site threatening to expose (non-existent) nude shots of Emma Watson, in a PR stunt which may or may not have been an attempt to discredit 4chan. ESET’s David Harley takes a sober look at what 4chan is, and what it isn’t, in a blog post this week.

Meanwhile, a familiar malware family reared its head in the Ukraine and Poland, with some new tweaks, and the Home Depot saga trundled on, with employees coming forward to say that staff at the home improvement giant had repeatedly ignored warnings about security. A recorded video presentation by ESET’’s Stephen Cobb offers some thoughts about the rise in large scale cyber thefts such as the Target and Home Depot breaches.

Shellshock/Bash Bug: What is it? Why two names?

If you are reading this, the internet is still functioning, which means that at least one of the wilder predictions about the software vulnerability dubbed the ‘Bash Bug’ or ‘Shellshock’ has not come to pass.

The vulnerability, which came to light late this week, generated many sensational headlines because of the sheer number of machines potentially affected by the bug, from home routers and smart meters, smart appliances to smart cars, to servers and computers.

ESET’s Stephen Cobb and Cameron Camp offer a back-to-basics explanation of what the Bash Bug/Shellshock is and isn’t, and what users can actually do in a detailed blog post here.

BlackEnergy is back

State organizations and businesses in the Ukraine and Poland have been hit with new variants of a familiar malware family – BlackEnergy.

The malware is built for data collection among other purposes, and distributed using a variety of techniques. ESET’s Robert Lipovsky discusses the new attacks, and how BlackEnergy evolved from being used for fraud and spam campaigns to a tool for targeted attacks.

Lipovsky writes, “The BlackEnergy malware family has served many purposes throughout its history, including DDoS attacks, spam distribution, and bank fraud. The malware variants that we have tracked in 2014 – both of BlackEnergy and of BlackEnergy Lite – have been used in targeted attacks.

“This fact is demonstrated both by the plugins used and the nature and targets of the spreading campaigns. The purpose of these plugins was mainly for network discovery and remote code execution and for collecting data off the targets’ hard drives.”

Emma Watson hoax

Mainstream media leapt on a countdown site which purported to offer a timer counting seconds until images of the Harry Potter actress Emma Watson were released, which turned out (inevitably) to be a hoax, as predicted in We Live Security’s report.

Gawker reported that the site had appeared in the wake of a feminist speech the actress made at the U.N.

The Emma Watson images countdown site was announced in now-deleted discussion threads on 4chan, but comments were posted by the blog Death and Taxes.

The ensuing demonisation of 4chan threw up interesting questions. ESET Senior Research Fellow David Harley discusses hoaxes, with special reference to 4chan in a blog post this week, “The threatened misogynistic revelation of photographs of Emma Watson in ‘retaliation’ for her feminist speech at the UN, attributed to 4chan, turns out to be not only a hoax. Not only (as expected) in terms of the existence of the photographs, but in terms of the complicity of users of 4chan. In fact, Business Insider describes the story as ‘[not] a marketing stunt at all, but a social experiment run by the most notorious gang of pranksters on the internet’, and it’s not referring to 4chan, or the (apparently fake) Rantic Marketing, but SocialVEVO.”

Home Depot ‘ignored warnings’

The story of the Home Depot breach got a shade more bitter and personal this week, as ex-staff revealed that managers at the chain had been repeatedly warned about security issues over several years.

A New York Times report found that the chain relied on outdated software which was scanned ‘rarely’ by employees. The New York Times suggests that according to some estimates, the card details stolen in the home depot data breach could be used to make up to $3 billion in illegal purchases.

The warnings stretched back to 2008, according to Ars Technica. One employee said his concerns over credit card security at the store were so great he warned friends to use cash, rather than cards, in the store.

ESET’s Stephen Cobb discusses the current trend for large scale cybercrime and why it’s rising up the public agenda in many countries in a recorded webinar here.

Hoax: ‘Facebook to start charging $2.99 per month’

A widely circulating hoax story on Facebook showed that the barrier to fooling the public is indeed pretty low these days, with a bogus news story from a non-existent news outlet, starring a made-up dolphin, being Shared and Liked despite the fact it was clearly nonsense.

Veteran security researcher and writer Graham Cluley says, “Will Facebook start charging you to access the world’s most popular social network? Of course not. But that isn’t stopping thousands of Facebook addicts from feverishly sharing a link to what they believe is a news report claiming that from November 1st you’ll be paying $2.99 every month.”

 

 

Author , We Live Security

Follow us

Copyright © 2016 ESET, All Rights Reserved.