Smoke Loader uses a new injection technique, Hamas uses social engineering on IDF, and a Facebook bug causes unblocking.
Smoke Loader chokes Windows in a new way
A notorious downloader malware named Smoke Loader has been in use since 2011 but has seen a spike of activity in 2018, including a brand-new method of spreading malware on a Windows system. One of its more widespread and insidious deployments earlier this year found the malware hiding in phony patches for the Meltdown and Spectre vulnerabilities. But just this week, researchers discovered Smoke Loader using a new injection technique known as PROPagate.
The new method abuses the SetWindowSubclass function to take control of the Windows system, and it has the ability to cover its own tracks. The malware also has built-in defenses designed to complicate any attempt to forensically analyze, scan, or debug the malicious program. “Cybercrime is a very profitable business,” says Avast Security Evangelist Luis Corrons. “Cybercriminals have professionalized, and this is a great example. They keep up to date with any new techniques that are discovered and implement them in their attacks, always with the same goal: trying to evade all the security layers that the user has in place to steal his information.” Avast urges everybody to understand how to identify and avoid phishing and to keep all their software updated.
From March 2015 through June 2018, an error in the recording and management of 150,000 National Health Service GP patients in the UK led to the misuse of their data. In the NHS official statement, Parliamentary Under-Secretary of State for Health Jackie Doyle-Price reveals that mismanagement kept the privacy requests of patients asking that their data not be used in NHS studies from being honored. The problem was in the processing of the patient-selected “Type 2 objections,” a privacy preference that limits the use of the patient’s specific information.
The Under-Secretary apologizes and assures all patients that the error has been rectified. She goes on to praise the newly-enacted national data opt-out, which is replacing Type 2 objections. “The new settings give patients direct control over setting their own preferences for the secondary use of their data,” writes Doyle-Price, adding, “The Government has the highest regard for data standards and is committed to ensuring patients can express a preference over how health data is shared for purposes beyond their own care.”
The Israeli Defense Force (IDF) has launched a cyber-awareness effort called Operation Broken Heart to help soldiers identify and block a new kind of attack by Hamas — social engineering. Phony profiles have been contacting Israeli soldiers on social media, attempting to draw them into chats. When the soldier shows interest, the chat moves to WhatsApp. The fake love interest then urges the soldier to download a malicious app posing as a dating site. Once the soldier installs the app, Hamas has control of that device.
“These are typical social engineering tricks we have seen in the past,” Luis Corrons observes, “now targeted to very specific types of people in a cyberwarfare campaign. But while most users may think this has nothing to do with them, the truth is that these cyberwarfare strikes usually leave behind collateral victims. We have seen this in the past with Stuxnet, for example, the worm designed to sabotage Iran’s nuclear program, which ended up infecting other companies from different countries that were completely unrelated to the original target.”
The IDF reports that because news of the dating app trick emerged early and security measures were taken, no damage has been done to Israeli security.
On Monday, Facebook began notifying 800,000 users that they may have been affected by a bug that potentially unblocked someone on their blocked list. The bug was active from May 29 through June 5 this year. Affected users were not reconnected as friends to the unblocked profile, but they were open to being contacted by it on Messenger. Facebook apologizes in its official statement and reports that 83% of those affected had only one blocked profile unblocked. Content remained hidden from the unblocked profile if the user shared it only with friends. If it was shared with friends of friends, however, or any wider audience, the unblocked profile could have seen it. “The issue has been fixed and everyone has been blocked again,” announced Facebook Chief Privacy Officer Erin Egan.