Karpeles walks, Google and Microsoft board up Windows hole, and Android AV still sucks
Plus, BlackBerry wants to be Uncle Sam's go-to security firm, thousands of legal docs pill online, and more
Let's kick start this week with some extra bits and bytes from the infosec world.
Certs still foiling AV detectors
We may be a bit jaded after this year's RSA Conference hype-fest, but it's less than shocking to learn that antivirus suites, for all their marketing budgets, still struggle with some basic elements of malware detection.
Researchers with MalwareHunterTeam came a across a piece of ransomware called LockerGoga that, on its face, should have been easy to spot and remove. But it apparently evaded detection across the spectrum in VirusTotal tests, thanks to carrying a valid certificate.
Let me present you, in 2019 March, a signed LockerGoga ransomware sample that is not crypted/packed/etc & it is still FUD on VT: https://t.co/CWytrhYKIf— MalwareHunterTeam (@malwrhunterteam) March 8, 2019
And of course, cert is given by Sectigo...
cc @SwitHak pic.twitter.com/thwopGZAQf
To be fair, it was noted that the malware would still have been spotted by apps running decent heuristics tools that can spot the malicious behavior while in progress. But still, it's not a good look that such infections don't get spotted right away.
BlackBerry courts the US government
If you haven't heard the name BlackBerry since 2011, let us get you up to speed. The one-time smartphone king has since been driven out of the market by iOS and Android and has since reshuffled itself as a mobile security specialist.
That effort has been re-upped this week with the launch of a new subsidiary known as BlackBerry Government Solutions. The brand will, as its name suggests, focus on pitching BlackBerry's mobile and IoT security products to the US government in hopes of landing lucrative agency contracts.
The plan is not a bad one. Entire sectors of the IT industry thrive on nothing but government contracts, and BlackBerry's remaining product lines are uniquely suited for government agencies that can't exactly pop down to the mall if they want equipment that meets federal security regulations.
Mt. Gox boss walks despite conviction
It looks like infamous Mt Gox head Mark Karpeles will be able to avoid any time behind bars for his role in the cryptocoin exchange's $480m collapse in 2014. A Japanese court found Karpeles guilty of falsifying data about the exchange's financial state, but acquitted him on the more serious charges of embezzlement.
In sentencing, Karpeles was given a 2.5 year prison term that will be suspended for four years. If Karpeles can keep his nose clean during that four year period, he won't have to spend a day behind bars. Prosecutors had sought a 10-year sentence.
Microsoft and Google patch the bug that never was
We use the term "zero day" for a vulnerability that gets reported before a patch can be issued, but what is the term for a patch that gets released before any practical bug can even be found?
This was the feat pulled off by Microsoft and Google this week when the two tech giants issued a report on a new class of vulnerability they had discovered in Windows before the bug had even been able to get into an actual product.
The two firms said that the flaw is a type of elevation of privilege bug that would allow a logged-in attacker or malware to get kernel mode access by exploiting the way Windows IO Manager handles requests.
Interestingly, Microsoft says that the flaw, discovered by Google's James Forshaw, was never actually exposed in any public versions of Windows: the code pairings needed to pull off a proof-of-concept could not be found. In other words, the type of bug is there, it would likely work, but as luck would have it the software components never quite aligned.
Still, Microsoft said it will ensure future releases of Windows, starting with Windows 10 19H1 due out any moment now, will not feature this class of elevation of privilege.
Another week, another misconfigured database spaffing sensitive documents
Stop us if you've heard this one before: researcher Bob Diachenko has uncovered a public-facing database containing tens of thousands of confidential documents holding sensitive data.
This time the insecure AWS instance belongs to a company called LexSphere, and the exposed data is a cache of 250,000 court documents from cases handled by a law firm known as LexVisio.
As with others, this database had been improperly configured to allow access to the general internet, rather than walled off to only allow in those with proper clearance. With the advent of search tools like Shodan, finding these sort of exposed servers has become trivial to those who know what they're doing, and few are better at it than Diachenko.
"Danger of having exposed Elasticsearch or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers," the researcher writes.
"The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges."
Separately, another Elasticsearch database, deployed by US-based Meditab to handle faxed data, was reportedly found open to the internet, exposing thousands of doctor's notes, medical records, and prescriptions.
Navy swamped by Chinese hackers
It is no secret that China was looking to hack US military agencies and contractors in hopes of getting blueprints and tech to boost its navy, but if a recent report from the Wall Street Journal is to be believed, the problem is even more severe than first feared.
Citing a leaked report from the US Navy, the WSJ says that Chinese hackers have put naval networks "under cyber siege" as infiltrators have been trying to lift critical documents and data from its systems and, more importantly, those of the private contractors it partners with.
"We are under siege," the article quotes one official as saying. "People think it’s much like a deathly virus — if we don’t do anything, we could die."<
Counter-Strike struck by Belonard trojan
Gamers beware, a nasty piece of malware has been targeting players of the iconic FPS Counter-Strike 1.6.
Researchers with Dr Web say (PDF) that a trojan called Belonard (named for the in-game handle of its creator) has been infecting the game clients of players and then using the resulting botnet to advertise gaming servers that Belonard operated for money.
"Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan,"
As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard. "
Pretty devious. Imagine if he would have done it on a game released this decade.
Android AV: mostly useless
If you're relying on an antivirus app to protect your Android device, there's a very good chance you're only fooling yourself.
That's because a recent test from AV Comparatives showed that of 250 top Android security Apps, 138 were able to accurately detect less than 30 per cent of the malware samples presented, and another 32 were so bad that Google actually pulled them from the play store.
"We consider those apps to be risky, that is to say, ineffective or unreliable. In some cases the apps are simply buggy, e.g. because they have poorly implemented a third-party engine," AV Comparatives explained.
"Others detect only a handful of very old Android malware samples, and allow any apps that contain certain strings, making them likely to pass some quick checks and thus be accepted by the app stores."
That means only 80 of the 250 anti-malware apps were even anything close to effective. The good news is, those good apps were the ones developed by known and reputable security firms. Vendors like F-Secure, AVG, Kaspersky, Symantec, McAfee, and Sophos all scored 100 per cent. Stick with a familiar name and you should be all right. ®