Table of Contents docs/CSIRT/ICT Security... · 2016-06-28 · Table of Contents 1. Technology news...


Table of Contents

1. Technology news and Security updates:
1.1 New Android malware can secretly root your phone and install programs
1.2 HTML5 Won't Stop Malvertising, Brings New Threats
1.3 Conficker Remains Top Malware by Number of Attacks
1.4 Several Vulnerabilities Patched in Libarchive Library
1.5 Google Simplifies Two-Factor Authentication for Biz Apps
1.6 Apple fixes serious flaw in AirPort wireless routers
1.7 FedEx Delivery Notices Dropping Zeus and Fareit Trojans
1.8 Apple Disables Old Flash Player Versions Due to Security Vulnerabilities
1.9 World’s first true Android PC coming to South Africa
1.10 Why Microsoft Edge is better than Chrome and Firefox
1.11 Nemucod Ransomware Uses JavaScript and PHP Concoction to Infect Users

2. Cyber Crime and Intelligence in the news:
2.1. Top website domains are vulnerable to email spoofing
2.2. Botnet-powered account takeover campaign hit unnamed bank

3. Technical Security Alerts:
3.1 Vulnerabilities, Malware and exploits

1. Technology news and Security updates:

1.1 New Android malware can secretly root your phone and install programs

Android users beware: a new type of malware has been found in legitimate-looking apps that can “root” your phone and secretly install unwanted programs.

The malware, dubbed Godless, has been found lurking on app stores including Google Play, and it targets devices running Android 5.1 (Lollipop) and earlier, which account for more than 90 percent of Android devices, Trend Micro said Tuesday in a blog post.

Godless hides inside an app and uses exploits to try to root the OS on your phone. Rooting gives the malware privileged (root) access to the device, which lets it install further apps without the user's consent. Godless carries several different exploits to make sure it can root a device, and it can even install spyware, Trend Micro said.

A newer variant can also bypass security checks at app stores like Google Play. Once the malware has finished rooting the device, it can be tricky to uninstall, the security firm said.

Trend Micro said it found various apps in Google Play that contain the malicious code.

Source: http://www.computerworld.com/article/3087003/security/new-android-malware-can-secretly-root-your-phone-and-install-programs.html#tk.rss_security

1.2 HTML5 Won't Stop Malvertising, Brings New Threats

Flash is one of the most abused pieces of software in use. Flexera Software's Vulnerability Review 2016 counts 457 vulnerabilities in 2014 and 2015 (second only to Chrome with 516 vulnerabilities), and Flash is the attacker's tool of choice. For example, as recently as late May 2016 Malwarebytes reported on a malvertising campaign exploiting Flash and redirecting users to the Angler exploit kit.

Such abuse is behind the current browser campaigns to deprecate the use of Flash while browsing. In April 2016 Microsoft announced that Flash content not central to the page itself (such as games) would be automatically paused in the Edge browser on Windows 10. The intent is to spur the adoption of HTML5 for animated content. In May 2016 Google announced that it would deprecate Flash and promote HTML5 within Chrome by the end of the year.

Such actions are likely to fuel a move from Flash to HTML5 for the display of web-delivered advertising. This, however, will do little to prevent malvertising: the weakness attackers abuse is the ad-delivery chain, not the rendering technology, and a malicious HTML5 creative can redirect a visitor to an exploit kit just as a Flash one can.

Source: http://www.securityweek.com/html5-wont-stop-malvertising-brings-new-threats

1.3 Conficker Remains Top Malware by Number of Attacks

As one of the oldest active threats, Conficker continues to lead the malware landscape by number of registered attacks, accounting for 14 percent of recognized incidents, Check Point researchers say.

Seven years after it emerged, the Conficker worm is the most prominent malware family, trailed by Tinba and Sality, each with 9 percent of recognized attacks. Although it rarely made headlines in the past half year, Conficker was seen in a noteworthy infection during fall last year, when researchers found it shipping inside police body cameras.

According to Check Point, the number of active global malware families increased 15 percent in May, and the security firm detected a total of 2,300 unique and active malware families targeting business networks. In April, the researchers had observed an increase of 50 percent in the number of unique malware families.

“The continued rise in the number of active malware variants highlights the wide range of threats and scale of challenges security teams face in preventing an attack on their business critical information,” Check Point says.

The top ten malware families worldwide in May were Conficker, Tinba (also known as Tiny Banker or Zusy), Sality, JBossjmx, Hummingbad, Zeroaccess, Zeus, Angler EK, Virut, and Cutwail. The researchers explain that these ten families were responsible for 60 percent of all recognized attacks worldwide during May.

Source: http://www.securityweek.com/conficker-remains-top-malware-number-attacks

1.4 Several Vulnerabilities Patched in Libarchive Library

The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.

Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is now used in many software products, including Linux package managers, archiving tools and file browsers.

Researchers at Cisco Talos discovered that the library is affected by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files; the attacker exploits it by getting the target to process a malicious 7-Zip file via Libarchive.

The other two, CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow and a heap corruption, both of which can also lead to arbitrary code execution via specially crafted files.

Because the flaws are in the library itself, every product that bundles or links against Libarchive remains exposed until it picks up the fixed release.

Source: http://www.securityweek.com/several-vulnerabilities-patched-libarchive-library
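The article says CVE-2016-4300 is an integer overflow reached through a crafted 7-Zip file, but not why an overflow in a parser ends in code execution. The following Python is an added illustration written for this bulletin, not Libarchive's code: it uses a constructed toy header format (not the real 7-Zip layout, and the magic, entry size and field layout are assumptions) and emulates 32-bit C arithmetic to show how an attacker-chosen entry count wraps to a tiny allocation size, and what the bounds check that rejects it looks like.

```python
"""Added example: an integer overflow in an archive parser becomes an undersized
buffer. Illustrative code for this bulletin; the header format is constructed."""
import struct
from typing import Optional

WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1
ENTRY_SIZE = 16        # bytes per entry record in the constructed toy format (assumption)
HEADER_LEN = 8         # magic(4) + entry_count(u32, little-endian), also an assumption


def wrapping_mul(a: int, b: int, bits: int = WORD_BITS) -> int:
    """Multiply the way a C unsigned integer of `bits` bits does: the product wraps silently."""
    return (a * b) & ((1 << bits) - 1)


def vulnerable_alloc_size(entry_count: int) -> int:
    """Vulnerable pattern: trust the count read from the file and size the buffer with
    wrapping arithmetic. A huge count wraps to a tiny allocation, while the copy loop
    that follows still iterates entry_count times, writing far past the buffer."""
    return wrapping_mul(entry_count, ENTRY_SIZE)


def safe_alloc_size(entry_count: int, available: int) -> Optional[int]:
    """Hardened pattern: refuse counts whose product cannot be represented, and refuse
    counts that claim more entries than the input actually contains. None = reject."""
    if entry_count > WORD_MASK // ENTRY_SIZE:   # count * ENTRY_SIZE would exceed 32 bits
        return None
    needed = entry_count * ENTRY_SIZE
    if needed > available:                      # header promises more data than exists
        return None
    return needed


def parse_header(blob: bytes) -> dict:
    """Parse the constructed toy header and report both size computations side by side."""
    if len(blob) < HEADER_LEN or blob[:4] != b"TOY1":
        raise ValueError("bad magic or truncated header")
    (count,) = struct.unpack_from("<I", blob, 4)
    payload = len(blob) - HEADER_LEN
    return {
        "count": count,
        "vulnerable_size": vulnerable_alloc_size(count),
        "safe_size": safe_alloc_size(count, payload),
    }


# Constructed inputs. The crafted count is chosen so that count * 16 == 2**32 + 16,
# which a 32-bit multiply reduces to 16: a 16-byte buffer for 268,435,457 entries.
CRAFTED_COUNT = (1 << 28) + 1
CRAFTED_HEADER = b"TOY1" + struct.pack("<I", CRAFTED_COUNT) + b"A" * 32
BENIGN_HEADER = b"TOY1" + struct.pack("<I", 2) + b"B" * 32

if __name__ == "__main__":
    for name, blob in (("crafted", CRAFTED_HEADER), ("benign", BENIGN_HEADER)):
        print(name, parse_header(blob))
```

The two checks in safe_alloc_size are the ones a reviewer looks for in any parser that multiplies an attacker-controlled count by a record size: the product must fit the integer type, and it must not exceed the bytes actually present in the input.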

1.5 Google Simplifies Two-Factor Authentication for Biz Apps

Google is taking steps to simplify the use of 2-Step Verification (2SV), its two-factor authentication, for Google Apps for businesses.

There are multiple ways end users can approve sign-in requests via 2SV in Google Apps, including tapping a security key or entering a verification code sent to their phone. Google has now added the option for employees to approve a prompt that simply pops up on their phones.

“We know that security is one of your top concerns as a Google Apps admin and that many of you require your employees to turn on 2-Step Verification (2SV) to keep their accounts safe,” Google said via blog. “Your employees can now choose any of these options in the Sign-in & Security > Signing in to Google > 2-Step Verification section of My Account.”

There are a few caveats: admins cannot have Security Keys and the Google prompt enabled at the same time for now, and a data connection is required to use the prompt. Android users need updated Google Play Services to use it, and iOS users need the Google Search app installed on their phone.

Source: http://www.infosecurity-magazine.com/news/google-simplifies-twofactor/

1.6 Apple fixes serious flaw in AirPort wireless routers

Apple has released firmware updates for its AirPort wireless base stations to fix a vulnerability that could put the devices at risk of hacking.

According to Apple's security advisory, the flaw is a memory corruption issue in the parsing of DNS (Domain Name System) data that could lead to arbitrary code execution.

The company released firmware updates 7.6.7 and 7.7.7 for AirPort Express, AirPort Extreme and AirPort Time Capsule base stations with 802.11n Wi-Fi, as well as for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac Wi-Fi.

AirPort Utility 6.3.1 or later on OS X, or AirPort Utility 1.3.1 or later on iOS, can be used to install the new firmware versions on AirPort devices, the company said in the advisory.

Source: http://www.computerworld.com/article/3086725/apple-mac/apple-fixes-serious-flaw-in-airport-wireless-routers.html#tk.rss_security

1.7 FedEx Delivery Notices Dropping Zeus and Fareit Trojans

Not all FedEx deliveries contain packages that users expect.

Security researchers at AppRiver have observed an uptick in spam messages that appear to be shipping notifications from FedEx but in fact carry Fareit malware, an information stealer that targets email passwords and browser-stored passwords, as well as FTP credentials.

During AppRiver’s analysis, the malware also downloaded a copy of the ever-popular Zeus Trojan onto the infected machine.

According to Troy Gill, manager of security research, the messages appear to contain a shipping receipt for a package that the courier was unable to deliver. The attached file, while it does have .PDF in the name, is actually an archive created with the open source 7-Zip archiver. Inside the compressed archive is an executable file (.exe) that contains the Fareit malware.

“During our dynamic analysis, we observed all of the above being performed after the malware disabled local security tools,” he said in a blog post. “After scraping the machine for the aforementioned credentials, it established an outbound connection and pulled down a copy of the ever-popular Zeus Trojan. Once the Zeus infection is in place, the attacker can gather more credentials such as banking information. In addition to having their data stolen, the victim’s machine is also vulnerable to being used to perpetuate more attacks or in future DDoS attacks.”

Source: http://www.infosecurity-magazine.com/news/fedex-delivery-notices-dropping/

1.8 Apple Disables Old Flash Player Versions Due to Security Vulnerabilities

Apple is now blocking older versions of Adobe’s Flash Player because of security vulnerabilities that were patched in the most recent release, prompting users to update as soon as possible to continue using the plug-in in Safari.

Flash Player has become one of the most insecure parts of the web, and although it is still in use, the share of websites and tech companies supporting it is falling dramatically as everyone looks for safer browsing.

Apple announced in a June 20 advisory that it was disabling old versions of Adobe Flash Player in Safari because of security vulnerabilities that could expose users to online attacks. Adobe released Flash Player 22.0.0.192 last week to fix flaws in the application, after it discovered active exploits launched against targets in countries including Russia, South Korea, China and India.

As a result, Safari users need to update to this latest version in order to continue loading Flash content in the browser; otherwise they will see a blocking notification.

“Adobe Flash Player is out-of-date. The version of this plug-in on your computer does not include the latest security updates and is blocked. To continue using Adobe Flash Player, download an update from Adobe,” the notification reads, giving users an option to quickly download the latest Flash version from Adobe.

Source: http://news.softpedia.com/news/apple-disables-old-flash-player-versions-due-to-security-vulnerabilities-505476.shtml

1.9 World’s first true Android PC coming to South Africa

Pinnacle will distribute the Remix Mini Android PC from Jide in South Africa, the company has announced.

Jide advertises the Remix Mini as the world’s first true Android PC. It is powered by Remix OS, a customised version of Android Lollipop built by Jide Technology.

Remix Mini lets you use the Android app ecosystem while offering PC features such as a taskbar, multi-window multi-tasking, and mouse and keyboard support.

Pinnacle and Jide said the Remix Mini will launch in South Africa at a price roughly half that of a traditional entry-level PC.

Source: http://mybroadband.co.za/news/hardware/169141-worlds-first-true-android-pc-coming-to-south-africa.html

1.10 Why Microsoft Edge is better than Chrome and Firefox

Microsoft’s Edge Internet browser is more power efficient than Chrome, Firefox and Opera on Windows 10 devices, the company said.

Microsoft conducted power-efficiency tests on the browsers, with the aim of showing laptop and tablet users that they can get more out of their battery life with Edge.

“Our testing and data show that you can simply browse longer with Microsoft Edge,” said Microsoft.

Microsoft measured the browsers’ power consumption across three dimensions:

- In a controlled lab environment.
- Using real-world energy telemetry.
- Using time-lapse videos of each browser performing the same tasks until the battery dies.

Edge won in all three, said Microsoft.

Source: http://mybroadband.co.za/news/software/169073-why-microsoft-edge-is-better-than-chrome-and-firefox.html

1.11 Nemucod Ransomware Uses JavaScript and PHP Concoction to Infect Users

The latest version of the Nemucod ransomware uses a combination of JavaScript and PHP code to infect users and encrypt their files.

Nemucod first appeared in March 2015 and is, at its core, a simple dropper. Droppers (also called malware downloaders, infectors or loaders) are simplistic malware families specialized in the infection step and nothing more; once that is done, they download more potent malware.

In this article, “Nemucod” refers to a custom ransomware variant that researchers observed being delivered via the Nemucod dropper alone.

Nemucod is distributed in the same way as before: users receive spam emails containing ZIP files, which in turn hold a JavaScript file. Executing this file starts the ransomware's malicious process.

The JS file downloads five files to the user's PC: a.exe, a1.exe, a2.exe, a.php and php4ts.dll. As soon as the downloads finish, the JS file launches a.exe, which is the PHP 4.4.9.9 interpreter, with php4ts.dll supplying its runtime dependencies.

Source: http://news.softpedia.com/news/nemucod-ransomware-uses-javascript-and-php-concoction-to-infect-users-505486.shtml
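Both 1.7 and 1.11 describe a lure that rests on the attachment not being what its name claims: a file with .PDF in its name that is really a 7-Zip archive, and a ZIP whose only member is a JavaScript file. The following Python is an added example written for this bulletin, not tooling from AppRiver, Softpedia or the campaigns themselves; it triages an attachment by its leading bytes instead of its name and looks inside ZIPs for script or executable members. The file names and byte strings are constructed samples, not the real campaign artefacts.

```python
"""Added example: attachment triage for name/content mismatches (1.7) and script-in-ZIP
droppers (1.11). Illustrative code for this bulletin; all samples are constructed."""
import io
import zipfile
from typing import Dict, List

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # first six bytes of every 7-Zip archive
ZIP_MAGIC = b"PK\x03\x04"                # local file header that opens a ZIP archive
PDF_MAGIC = b"%PDF"
# Extensions the Windows script host runs on double-click; a .js in a ZIP is the 1.11 lure.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes rather than by its file name."""
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> List[str]:
    """Return the findings for one attachment; an empty list means nothing was flagged."""
    findings: List[str] = []
    kind = sniff_type(data)
    lower = name.lower()
    # 1.7: the name advertises a PDF but the bytes are an archive.
    if ".pdf" in lower and kind in ("7z", "zip"):
        findings.append(f"name/content mismatch: name suggests PDF, content is {kind}")
    # 1.11: a ZIP whose members are scripts or executables.
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    m = member.lower()
                    if m.endswith(SCRIPT_EXTS):
                        findings.append(f"script inside archive: {member}")
                    elif m.endswith(".exe"):
                        findings.append(f"executable inside archive: {member}")
        except zipfile.BadZipFile:
            findings.append("ZIP magic present but archive does not parse")
    return findings


def build_zip(members: Dict[str, str]) -> bytes:
    """Construct an in-memory ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples (not the real campaign files).
FAKE_PDF_7Z = SEVENZIP_MAGIC + b"\x00" * 26                       # 7z signature plus padding
NEMUCOD_LIKE_ZIP = build_zip({"delivery_notice.js": "// dropper stand-in\n"})
CLEAN_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for fname, blob in (("FedEx_Receipt.PDF.7z", FAKE_PDF_7Z),
                        ("delivery.zip", NEMUCOD_LIKE_ZIP),
                        ("report.pdf", CLEAN_PDF)):
        print(fname, triage_attachment(fname, blob))
```

The 7-Zip branch stops at the container check because the standard library cannot open 7z archives; a mail gateway would hand such a file to a proper unpacker before deciding, but the name/content mismatch alone is already a strong signal.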

2. Cyber Crime and Intelligence in the news:

2.1. Top website domains are vulnerable to email spoofing

Don’t be surprised if you see spam coming from the top websites in the world. Lax security standards are allowing anyone to “spoof” emails from some of the most-visited domains, according to new research.

Email spoofing, a common tactic of spammers, involves forging the sender’s address. Messages can appear as if they came from Google, a bank or a best friend, even though the email never came from the actual source: the spammer simply altered the email’s “From” address.

Sender authentication standards have stepped in to try to solve the problem, but many of the top website domains are failing to use them properly, leaving the door open to spoofing, according to Sweden-based security firm Detectify.

The company analyzed the top 500 websites ranked by Alexa and found that 276 of the domains are vulnerable as a result, it said in a blog post on Monday. Of those vulnerable, 40 percent were news and media sites and 16 percent were software-as-a-service sites, Detectify said in an email.

Source: http://www.computerworld.com/article/3086938/security/top-website-domains-are-vulnerable-to-email-spoofing.html#tk.rss_security
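The article does not name the authentication standards the domains are misusing. The following Python is an added example written for this bulletin, not Detectify's tooling, and it assumes the two records a receiver consults for a forged From: address are the domain's SPF TXT record and its _dmarc TXT record. It classifies a domain as spoofable from those records, with the DNS answers constructed inline so it runs offline; the domain names and records are made up.

```python
"""Added example: judge whether a domain's SPF/DMARC records leave its From: address
forgeable. Illustrative code for this bulletin; the DNS data below is constructed."""
from typing import Dict, List, Optional

# Constructed DNS answers (name -> TXT record; None = nothing published). A real check
# would resolve these with a DNS client instead of this dictionary.
FAKE_DNS: Dict[str, Optional[str]] = {
    "news-example.test": "v=spf1 include:_spf.mailhost.test ~all",
    "_dmarc.news-example.test": None,
    "saas-example.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.saas-example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@saas-example.test",
    "spfonly-example.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.spfonly-example.test": None,
    "sloppy-example.test": "v=spf1 +all",
    "_dmarc.sloppy-example.test": "v=DMARC1; p=none",
    "nothing-example.test": None,
    "_dmarc.nothing-example.test": None,
}


def lookup_txt(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Qualifier (+ - ~ ?) of the terminal 'all' mechanism, or None if no SPF / no 'all'."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    return None


def dmarc_policy(record: Optional[str]) -> Optional[str]:
    """Value of the p= tag of a DMARC record, or None if no DMARC record is published."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    for tag in record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def assess(domain: str) -> dict:
    """Decide whether a forged From: <anything@domain> is likely to be delivered.

    SPF on its own validates only the envelope sender (MAIL FROM); a spammer can put
    their own domain there and still forge the visible From: header. Only an enforcing
    DMARC policy (quarantine/reject) ties the From: domain to an SPF or DKIM pass, so
    the domain stays spoofable unless DMARC enforces. An SPF record ending in '+all'
    undoes even that, because any sending host then passes SPF for the domain."""
    spf_q = spf_all_qualifier(lookup_txt(domain))
    policy = dmarc_policy(lookup_txt(f"_dmarc.{domain}"))
    reasons: List[str] = []
    if spf_q is None:
        reasons.append("no usable SPF record")
    elif spf_q == "+":
        reasons.append("SPF '+all' lets any host pass")
    elif spf_q == "?":
        reasons.append("SPF '?all' is neutral for unlisted hosts")
    elif spf_q == "~":
        reasons.append("SPF softfail only (~all)")
    if policy is None:
        reasons.append("no DMARC record")
    elif policy == "none":
        reasons.append("DMARC p=none (monitor only)")
    enforced = policy in ("quarantine", "reject")
    return {"domain": domain, "spoofable": (not enforced) or spf_q == "+", "reasons": reasons}


def spoofable_domains(domains: List[str]) -> List[str]:
    return [d for d in domains if assess(d)["spoofable"]]


if __name__ == "__main__":
    for d in ("news-example.test", "saas-example.test", "spfonly-example.test",
              "sloppy-example.test", "nothing-example.test"):
        print(assess(d))
```

The spfonly-example.test case is the one that surprises most admins: a strict SPF record with no DMARC policy still leaves the From: header forgeable, because nothing obliges the receiver to align the two.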

2.2. Botnet-powered account takeover campaign hit unnamed bank

A single attacker mounted two massive account takeover (ATO) campaigns against a financial institution and an entertainment company earlier this year, using a gigantic botnet made up of home routers and other networking products to do it.

“ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through web application attacks such as SQLi,” Akamai threat researcher Ryan Barnett explained.

The goal of the attacks is to identify valid login credentials and either sell them on underground forums or use them to gain access to the accounts and, where possible, buy gift cards, cash out value from reward programs, and so on.

Akamai identified the two campaigns by analyzing web login transactions across its customer base.

The attacker used an account-checking tool with proxy capabilities, so that the login requests could be made to come from many different IP addresses. Spreading the attempts across the botnet keeps each source below the volume that per-IP rate limiting or lockout rules would notice, which is why detection has to look across sources as well as at each one.

Source: https://www.helpnetsecurity.com/2016/06/21/account-takeover-campaign-hit-bank/
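The campaign described above has a recognisable shape in login logs: breached username/password pairs are each tried once, so a stuffing source names a different account on almost every attempt, and the proxying spreads those attempts thinly across many IPs. The following Python is an added example written for this bulletin, not Akamai's detection logic; it assumes a simple "ip=... user=... result=ok|fail" log line format and the log lines are constructed. It applies a per-source rule, lists the accounts the attacker validated, and adds a site-wide rule for the case where every bot stays under the per-IP threshold.

```python
"""Added example: spotting credential stuffing in web login logs, per source and
site-wide. Illustrative code for this bulletin; log format and lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def _lines(ip: str, users: List[str], ok_at: Set[int] = frozenset()) -> List[str]:
    """Build constructed log lines: every attempt fails except the indices in ok_at."""
    return [
        f"2016-06-21T10:00:{i:02d}Z ip={ip} user={u} result={'ok' if i in ok_at else 'fail'}"
        for i, u in enumerate(users)
    ]


# Constructed log: three proxy nodes each trying six breached pairs (one of which works),
# one classic single-account brute force, one legitimate user who mistyped once, and two
# more proxy nodes kept deliberately below any per-IP threshold.
SAMPLE_LOG = "\n".join(
    _lines("203.0.113.10", [f"u{n:02d}" for n in range(1, 7)])
    + _lines("203.0.113.11", [f"u{n:02d}" for n in range(7, 13)], ok_at={0})
    + _lines("203.0.113.12", [f"u{n:02d}" for n in range(13, 19)])
    + _lines("198.51.100.7", ["bob"] * 6)
    + _lines("192.0.2.5", ["alice", "alice"], ok_at={1})
    + _lines("203.0.113.20", ["u19", "u20"])
    + _lines("203.0.113.21", ["u21", "u22"])
)


def parse_log(text: str) -> List[Dict[str, str]]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_source(events: List[Dict[str, str]]) -> Dict[str, dict]:
    stats: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "fails": 0, "users": set(), "ok_users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])
    return stats


def flag_stuffing_sources(events, min_attempts: int = 5, min_user_ratio: float = 0.8) -> List[str]:
    """Per-source rule: enough attempts, and nearly every attempt names a different
    account. A brute force against one account fails the ratio test; a legitimate user
    with a typo never reaches min_attempts."""
    flagged = []
    for ip, s in per_source(events).items():
        if s["attempts"] >= min_attempts and len(s["users"]) / s["attempts"] >= min_user_ratio:
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(events, sources: List[str]) -> Set[str]:
    """Accounts that logged in successfully from a flagged source: the credential pairs
    the attacker has now validated and can sell or use."""
    stats = per_source(events)
    hit: Set[str] = set()
    for ip in sources:
        hit |= stats[ip]["ok_users"]
    return hit


def campaign_signal(events, min_sources: int = 3, min_ratio: float = 0.5) -> dict:
    """Site-wide rule for the distributed case: even when each bot stays under the
    per-IP threshold, the campaign shows up as a large share of accounts that were
    each tried exactly once and failed."""
    tries: Dict[str, List[str]] = defaultdict(list)
    ips: Set[str] = set()
    for e in events:
        tries[e["user"]].append(e["result"])
        ips.add(e["ip"])
    single_fail = sum(1 for r in tries.values() if r == ["fail"])
    ratio = single_fail / len(tries) if tries else 0.0
    return {"distinct_ips": len(ips), "distinct_users": len(tries),
            "single_fail_users": single_fail, "ratio": ratio,
            "campaign": len(ips) >= min_sources and ratio >= min_ratio}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(flag_stuffing_sources(ev), compromised_accounts(ev, flag_stuffing_sources(ev)))
    print(campaign_signal(ev))
```

The thresholds are starting points, not tuned values; on a real site the user ratio and the single-failure share should be baselined against normal traffic before alerting on them.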

3. Technical Security Alerts:

Technical security alerts cover current security issues, vulnerabilities, malware and exploits, provided proactively to give timely information about their impact, propagation and remediation. This information is sourced for technical teams so that they can protect their infrastructure environments.

3.1 Vulnerabilities, Malware and exploits

The table below lists the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today. Each entry gives the name and source, a description, the propagation (attack) vector, the technologies and software affected, the remedy and the severity rating.

Name: Apple AirPort Base Station Firmware DNS Data Parsing Code Execution Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=46770
Vendor Announcements: Apple has released a security advisory at the following link: APPLE-SA-2016-06-20-1
Description: A vulnerability in Apple AirPort Base Station firmware could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to insufficient bounds checks by the affected firmware.
Propagation: An unauthenticated, remote attacker could exploit this vulnerability by submitting crafted input to the affected firmware on a targeted system. A successful exploit could allow the attacker to execute arbitrary code on the system.
Technologies and Software affected: Apple AirPort Base Station firmware versions prior to 7.6.7 and 7.7.7 are vulnerable.
Remedy: Apple has released firmware updates at the following links: AirPort Base Station Firmware Update 7.6.7; AirPort Base Station Firmware Update 7.7.7.
Severity: Mild damage

Name: Microsoft Internet Explorer Memory Corruption Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=46515
Vendor Announcements: Microsoft has released a security bulletin at the following link: MS16-063
Description: A vulnerability in Microsoft Internet Explorer could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper memory operations performed by the affected software when handling crafted content.
Propagation: An attacker could exploit the vulnerability by persuading a user to follow a malicious link or open a malicious file. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user holds elevated privileges, the attacker could completely compromise the targeted system.
Technologies and Software affected: Microsoft Internet Explorer versions 9, 10, and 11 are vulnerable when running on the following Microsoft platforms:
- Windows 7 for 32-bit and x64-based Systems SP1
- Windows 8.1 for 32-bit and x64-based Systems
- Windows 10 for 32-bit and x64-based Systems
- Windows 10 Version 1511 for 32-bit and x64-based Systems
- Windows RT 8.1
- Windows Vista and Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and x64-based Systems SP2
- Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2012 and Windows Server 2012 R2
Remedy: Microsoft customers can obtain updates directly by using the links in the Microsoft security bulletin. These updates are also distributed by Windows automatic update features and are available from the Microsoft Update service.
Severity: Moderate damage

End: