Security Bulletin #124 – 9 June 2017
A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency
Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux Trojan, tracked as Linux.MulDrop.14, that infects Raspberry Pi devices in order to mine cryptocurrency. The researchers found a script containing a compressed and encrypted application. Linux.MulDrop.14 targets unsecured Raspberry Pi devices whose SSH port is open to external connections. Once the malware infects a device, it first changes the password of the “pi” account. It then shuts down several processes and installs tools such as ZMap and sshpass, which it uses for its operations. The malware starts a cryptocurrency mining process and uses ZMap to scan the Internet for further devices to infect. Every time it finds a Raspberry Pi device on the Internet, it uses sshpass to attempt to log in with the default username “pi” and the password “raspberry.” The malicious code tries only this single pair of credentials, which suggests that it targets Raspberry Pi devices exclusively. Experts believe the malware could be improved and used in the coming weeks to target other platforms.
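As an added defender-side triage example, not part of this bulletin or of Dr.Web's analysis, the script below checks snapshots of a Raspberry Pi's state for the indicators described above (ZMap/sshpass present or running, the “pi” password changed after provisioning, a process pegging the CPU). The sample snapshots, the CPU threshold and the install-day value are constructed assumptions.

```python
import re

SCANNER_TOOLS = {"zmap", "sshpass"}   # tooling the dropper installs, per the report
CPU_THRESHOLD = 80.0                  # crude miner heuristic (assumed); tune to your workload
PS_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)")   # columns of `ps -eo pid,pcpu,comm`


def parse_shadow_lastchange(shadow_line):
    """Third field of an /etc/shadow entry: days since epoch of the last password change."""
    fields = shadow_line.split(":")
    if len(fields) < 3 or not fields[2].isdigit():
        raise ValueError("malformed shadow entry: %r" % shadow_line)
    return int(fields[2])


def triage(binaries, ps_lines, pi_shadow_line, install_day):
    """Return a list of (indicator, detail) findings from offline snapshots.

    binaries: command names found on PATH; ps_lines: output of `ps -eo pid,pcpu,comm`;
    pi_shadow_line: the 'pi' entry from /etc/shadow; install_day: days since epoch when
    the device was provisioned (a password change after that date is unexpected).
    """
    findings = []
    tools = SCANNER_TOOLS & set(binaries)
    if tools:
        findings.append(("scanner-tooling-present", sorted(tools)))
    changed = parse_shadow_lastchange(pi_shadow_line)
    if changed > install_day:
        findings.append(("pi-password-changed", changed))
    for line in ps_lines[1:]:            # skip the ps header row
        m = PS_RE.match(line)
        if not m:
            continue
        pid, cpu, comm = int(m.group(1)), float(m.group(2)), m.group(3)
        if comm in SCANNER_TOOLS:
            findings.append(("scanner-running", (pid, comm)))
        elif cpu >= CPU_THRESHOLD:
            findings.append(("high-cpu-process", (pid, comm, cpu)))
    return findings


# Constructed sample snapshots (not captured from a real device).
SAMPLE_BINARIES = ["bash", "python3", "zmap", "sshpass"]
SAMPLE_PS = ["  PID %CPU COMMAND", "    1  0.0 systemd", "  842  0.1 sshd",
             " 2210 96.5 minerd", " 2231  3.2 zmap"]
SAMPLE_PI_SHADOW = "pi:$6$placeholderhash:17326:0:99999:7:::"   # 17326 days = 2017-06-09
SAMPLE_INSTALL_DAY = 17300

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_BINARIES, SAMPLE_PS, SAMPLE_PI_SHADOW, SAMPLE_INSTALL_DAY):
        print(indicator, detail)
```

On a live device the three inputs come from `shutil.which` over PATH, `ps -eo pid,pcpu,comm`, and the `pi` line of `/etc/shadow` (root required).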
Apple’s Safari is going to use AI to track who’s tracking you
Apple used its Worldwide Developers Conference (WWDC) this week to announce a couple of new features for Safari running on macOS High Sierra. The first lets the browser automatically pause annoying auto-playing video on websites it detects serving such content. The second is an eye-catching technology called Intelligent Tracking Prevention. It is meant to protect users from being tracked, so that sensitive data about their web activity is not collected for purposes they never agreed to. The company wants to tame the cross-site tracking that websites and advertisers use to profile a person’s browsing behavior across many websites via third-party cookies. Apple could simply block them all, but that would break websites the user visits regularly. Instead, Safari will use machine learning built into its WebKit browser engine to prioritize the domains the user interacts with every day and to partition the cookies of domains visited less frequently. Any domain visited less than once in 30 days will have its cookies deleted.
First Android-Rooting Trojan with Code Injection Ability Found On Google Play Store
A new Android-rooting malware able to disable a device’s security settings in order to perform malicious tasks in the background has been detected on the official Play Store. Security researchers at Kaspersky Lab discovered the malware being distributed as gaming apps on the Google Play Store, hidden behind the puzzle game “colourblock,” which had been downloaded at least 50,000 times before its removal. Dubbed Dvmap, the rooting malware disables the device’s security settings to install another malicious app from a third-party source and also injects malicious code into the device’s system runtime libraries to gain root access and remain persistent. Dvmap works on both 32-bit and 64-bit versions of Android. Once installed, it attempts to gain root access on the device and tries to install several modules on the system, including a few written in Chinese, along with a malicious app called “com.qualcmm.timeservices.” To make sure the malicious module is executed with system rights, the malware overwrites system runtime libraries chosen according to the Android version the device is running. Finally, the Trojan, now running with system rights, turns off the “Verify Apps” feature and modifies system settings to allow app installation from third-party app stores.
CERTFR-2017-AVI-172 : Vulnerability in Citrix XenMobile Server (08 June 2017)
CERTFR-2017-AVI-171 : Multiple vulnerabilities in Cisco products (08 June 2017)