NEWS - December 01, 2016

A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a "carefully planned operation."

The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.

New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye.

Continued: http://arstechnica.com/security/2016/12/shamoon-wiper-malware-returns-with-a-vengeance/

Attackers are targeting DSL routers this week with what’s being called a potent new variant of the Mirai malware that knocked offline major Internet companies like Twitter and Spotify last month. According to Germany’s Deutsche Telekom 900,000 of its DSL router customers have already been targeted by attackers.

According to the telecommunications company impacted customers are unable to connect to the Internet; phone and video services that rely on infected modems are inoperable as well.

Continued: https://threatpost.com/new-mirai-variant-targets-routers-knocks-900000-offline/122155/

A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims.

Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in which they had no prior knowledge or special access to the devices, and used commercial off-the-shelf equipment to break the proprietary communications protocols.

Continued: http://www.theregister.co.uk/2016/12/01/denial_of_life_attacks_on_pacemakers/

Related:
Under attack: How hackers could remotely target your pacemaker
https://www.tripwire.com/state-of-security/featured/under-attack-how-hackers-could-remotely-target-your-pacemaker/

A recently observed piece of multifunctional malware can be used to mine for crypto-currencies, log user keystrokes, and download additional malware onto compromised machines, Fortinet security researchers have discovered.

Dubbed Proteus, this threat has been written in .NET and is being distributed through the Andromeda botnet. The malware, Fortinet researchers say, can act as a proxy, but its authors can also use it as an e-commerce merchant account checker, coin miner, keylogger, and malware downloader.

Continued: http://www.securityweek.com/multifunctional-proteus-malware-emerges

Researchers have found a bug that can be used to bypass Apple’s Activation Lock feature and gain access to the homescreen of locked iPhones and iPads running the latest version of iOS.

There seem to be at least two variations of the vulnerability – one of them works on iOS 10.1 and the second has also been reproduced on the latest 10.1.1 version of Apple’s mobile operating system.

Continued: http://www.securityweek.com/bug-allows-activation-lock-bypass-iphone-ipad

The San Francisco Municipal Transportation Agency (SFMTA) was hit with a ransomware attack on Friday, causing fare station terminals to carry the message, “You are Hacked. ALL Data Encrypted.” Turns out, the miscreant behind this extortion attempt got hacked himself this past weekend, revealing details about other victims as well as tantalizing clues about his identity and location.

On Friday, The San Francisco Examiner reported that riders of SFMTA’s Municipal Rail or “Muni” system were greeted with handmade “Out of Service” and “Metro Free” signs on station ticket machines. The computer terminals at all Muni locations carried the “hacked” message: “Contact for key (cryptom27@yandex.com),” the message read.

Continued: https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

In what’s being billed as an unprecedented global law enforcement response to cybercrime, federal investigators in the United States, United Kingdom and Europe today say they’ve dismantled a sprawling cybercrime machine known as “Avalanche” — a distributed, cloud-hosting network that for the past seven years has been rented out to fraudsters for use in launching countless malware and phishing attacks.

According to Europol, the action was the result of a four-year joint investigation between Europol, Eurojust the FBI and authorities in the U.K. and Germany that culminated on Nov. 30, 2016 with the arrest of five individuals, the seizure of 39 Web servers, and the sidelining of more than 830,000 web domains used in the scheme.

Continued: https://krebsonsecurity.com/2016/12/avalanche-global-fraud-ring-dismantled/