Security Bulletin #119 – 2 June 2017
Fireball Malware Infects 250 Million Computers
Dubbed Fireball, the malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims. Its operators can therefore download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue. The campaign, Check Point reveals, is run by a large digital marketing agency based in Beijing, called Rafotech. With the help of this malware, the agency manipulates the victims’ browsers to turn search engines and home pages into fake search engines, redirects queries to Yahoo.com or Google.com, and collects victims’ private information via tracking pixels included in the fake search engines. Rafotech’s fake search engines are highly popular: 14 of them rank among the top 10,000 websites, and some occasionally reach the top 1,000. Despite denying the use of browser hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated infections. To date, Fireball has infected over 250 million computers worldwide, distributed mainly by being bundled with legitimate programs. While this is not a typical malware attack, the campaign has a huge potential to cause harm and should be blocked. Check Point also provides instructions on how users can remove the malware and add-ons from their machines (for both Windows and Mac users).
Vault7: CIA Pandemic implant turns file servers into malware infectors
WikiLeaks released a new batch of documents belonging to the Vault7 archive related to the CIA project codenamed ‘Pandemic.’ Pandemic refers to a persistent implant for Windows machines that share files (programs) with remote users on a local network. The cyber spies use Pandemic to infect remote users by replacing application code on the fly with a trojanized version of the application as it is retrieved from the infected machine. The implant transforms file servers into machines that infect the PCs that access them remotely. A computer on a local network with shared drives that is infected with the Pandemic implant is the equivalent of a Patient Zero spreading a disease: it will compromise remote computers whenever a user executes applications stored on the Pandemic file server. The Pandemic tool doesn’t change the file on the infected system; when victims request a file from it, they receive a trojanized replacement of the legitimate application. The Pandemic implant can replace up to 20 programs, with a maximum size of 800MB.
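Because the implant leaves the file on the server’s disk untouched and only swaps the bytes delivered over the share, a defender cannot detect it by hashing the server’s own files: the check has to compare what a client actually received against a manifest recorded from a trusted copy. The following added example (not from the leaked documents, WikiLeaks, or any vendor tool) shows that check in Python with constructed sample data; the file names, contents and the “received over the share” dictionary are all invented for illustration, with one program altered in transit.

```python
import hashlib

# Constructed sample: bytes recorded from a trusted build location for each
# program (identical to what sits on the file server's disk), and the bytes a
# client received when fetching the same names over the share. The viewer was
# substituted in transit; an extra unlisted program also turned up.
TRUSTED_COPIES = {
    "tools\\updater.exe": b"MZ...updater v1.0 (constructed sample)",
    "tools\\viewer.exe": b"MZ...viewer v2.3 (constructed sample)",
}
RECEIVED_OVER_SHARE = {
    "tools\\updater.exe": b"MZ...updater v1.0 (constructed sample)",
    "tools\\viewer.exe": b"MZ...viewer v2.3 (constructed sample) + injected stub",
    "tools\\extra.exe": b"MZ...program nobody recorded (constructed sample)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used as the manifest fingerprint."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record name -> SHA-256 from a trusted copy of each program.

    In practice this would be produced at build time and stored away from the
    file server, so an implant on the server cannot rewrite it.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_received(received: dict, manifest: dict) -> dict:
    """Classify every program a client received against the manifest.

    Returns name -> "ok" | "mismatch" | "unlisted" | "missing".
    "mismatch" is the on-the-fly substitution case: the bytes delivered differ
    from the trusted fingerprint even though the server's own file is intact.
    """
    results = {}
    for name, data in received.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unlisted"
        elif sha256_hex(data) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in manifest:
        if name not in received:
            results[name] = "missing"
    return results


def suspicious_programs(received: dict, manifest: dict) -> list:
    """Names that should not be executed: substituted or not in the manifest."""
    verdicts = verify_received(received, manifest)
    return sorted(n for n, v in verdicts.items() if v in ("mismatch", "unlisted"))


if __name__ == "__main__":
    manifest = build_manifest(TRUSTED_COPIES)
    for name, verdict in sorted(verify_received(RECEIVED_OVER_SHARE, manifest).items()):
        print(f"{verdict:9s} {name}")
```

The same comparison can be wired into a launcher or software-deployment step so that a program pulled from a share is executed only when its fingerprint matches the manifest; a mismatch on a file whose server-side copy hashes correctly is exactly the signature of in-transit substitution the Pandemic description implies.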
Top Defense contractor left Pentagon docs unsecured on Amazon server
The popular security expert Chris Vickery discovered more than 60,000 sensitive files belonging to a US military project for the National Geospatial-Intelligence Agency (NGA) left on an Amazon cloud storage server without authentication. The documents were reportedly left unsecured on a public Amazon server by one of the nation’s top intelligence defense contractors. The files contain passwords to a US government system containing sensitive information and the security credentials of a senior employee of the top defense contractor Booz Allen Hamilton. Vickery discovered that the documents included login credentials for code repositories that could contain classified files and other credentials. Digging into the 28GB archive, the expert discovered the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain-text passwords belonging to government contractors with Top Secret Facility Clearance. The most disconcerting part of the discovery is the content of the archive: the exposed data even contained master credentials granting administrative access to a highly protected Pentagon system. The files are no longer available online, but someone could have downloaded these sensitive documents, with serious consequences for US intelligence.
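The root cause here is storage reachable without authentication, which on Amazon S3 comes from either a bucket ACL that grants a global group access or a bucket policy that allows any principal. The added Python example below (not Vickery’s or any vendor’s tooling) evaluates both documents offline; the ACL and policy dictionaries are constructed samples shaped like the responses of the S3 GetBucketAcl and GetBucketPolicy APIs, and the bucket name and account id in them are invented.

```python
# Global grantee groups that make an ACL grant world-reachable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous, no AWS account needed
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to a global group in a bucket ACL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Sids of Allow statements open to any principal with no Condition.

    Statements that carry a Condition (for example restricting to a VPC
    endpoint) are deliberately not flagged here; they need case-by-case review.
    """
    open_sids = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids


def assess_bucket(acl: dict, policy: dict) -> list:
    """Human-readable findings; an empty list means no unauthenticated path was found."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"policy statement '{sid}' allows any principal"
                 for sid in public_policy_statements(policy)]
    return findings


# Constructed sample: an exposed bucket. The owner grant is normal; the
# AllUsers READ grant and the unconditional "*" policy statement are not.
EXPOSED_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*"},
        {"Sid": "OwnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::constructed-bucket/*"},
    ],
}

# Constructed sample: the corrected bucket. Only the owner appears in the ACL,
# and the one "*" statement is gated by a Condition (reviewed separately).
HARDENED_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::constructed-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}},
        EXPOSED_POLICY["Statement"][1],
    ],
}

if __name__ == "__main__":
    for label, acl, policy in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                               ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(label, assess_bucket(acl, policy) or ["no unauthenticated access found"])
```

Running the same checks across every bucket in an account, on a schedule, is the kind of control that turns a 28GB exposure into an alert within minutes of the misconfiguration rather than a discovery by an outside researcher.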