December 2016 Internet Security Report
Merry Christmas and a Happy New Year! December 2016 was full of the usual phishing, malvertising, weak security of IoT devices and large breaches of user accounts that the rest of the year had delivered. If you have a Yahoo email account, or an email service that is run through Yahoo's mail platform, please change the passwords for those accounts and consider moving to another provider, as Yahoo has had two major publicly disclosed breaches in 2016 alone.
If you are still thinking of a new year’s resolution, please consider “changing your passwords to passphrases”.
Threats
- Phishing isn't a new threat by any means. However, some interesting facts have emerged about the life span of a phishing site, with Webroot reporting that a typical phishing website lasts less than 24 hours and that approximately 13,000 new sites are observed daily. The most common mitigation today is reactive domain filtering through web proxies, which depends on a site being reported and blocklisted before users reach it; against sites that live for under a day, the blocklist will often arrive too late. These numbers are a reason to think about what other detection capabilities are deployed in your organisation for the phishing threat and what your goals are when it comes to mitigating the risk (stop it at the source with spam filters? heuristic detection of credential POSTs through IDS? anomaly or lookalike detection on DNS query logs? detect leaked credentials using pastebin alerts?).
http://www.infosecurity-magazine.com/news/84-of-phishing-sites-last-for-less/
- In ransomware news, December saw an interesting variant called Popcorn Time which offers victims the chance to unlock their files without paying if they spread the ransomware to at least two other people. Towards the close of 2016 there was also an observed increase in corporate ransomware infections, with it being estimated that somewhere in the world a new business is hit every 40 seconds.
http://www.infosecurity-magazine.com/news/popcorn-time-ransomware-urges/
https://blogs.technet.microsoft.com/mmpc/2016/12/21/no-slowdown-in-cerber-ransomware-activity-as-2016-draws-to-a-close/
- Brian Krebs has also offered an excellent survival guide on what to do if you get a ransomware infection at home, and on how to avoid becoming a victim in the first place.
https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/
- A large-scale malvertising campaign called Stegano was observed compromising end users without any interaction on their part: attack code hidden in the pixels of banner ads redirected vulnerable browsers to an exploit kit that chained Internet Explorer and Flash vulnerabilities. As this remains a persistent risk to end users, it serves as a timely reminder to ensure that systems are up to date and that patching plans are in place and enforced.
http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
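To make the phishing point above concrete, here is an added example (not from the report or from Webroot) of the kind of DNS-based lookalike detection that does not depend on a reactive blocklist. It scans DNS query logs for hostnames that contain a protected brand name but resolve under a domain the brand does not own, and for second-level labels within one edit of a brand once common digit-for-letter substitutions are undone. The log format, the brand list, the allowlist and the sample log lines are all constructed for illustration; the "last two labels" rule is a simplification of the public suffix list that a real deployment would replace.

```python
"""Heuristic lookalike-domain detection over DNS query logs.

Added example, not code from the original report. The brand list, the
allowlist and the log format below are assumptions for illustration.
"""
import re

# Constructed sample DNS query log lines: timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2016-12-05T10:01:02Z 10.0.0.12 A mail.yahoo.com
2016-12-05T10:01:07Z 10.0.0.12 A login-yahoo-secure.account-verify.top
2016-12-05T10:02:11Z 10.0.0.31 A www.paypa1.com
2016-12-05T10:02:45Z 10.0.0.31 A cdn.example.net
2016-12-05T10:03:09Z 10.0.0.44 A yah00.com
2016-12-05T10:03:30Z 10.0.0.44 A paypal.com.secure-login.ru
"""

# Brands worth protecting and the domains they legitimately use (assumed).
BRANDS = ("yahoo", "paypal")
ALLOWLIST = {"yahoo.com", "paypal.com"}

# Digit-for-letter substitutions commonly seen in typosquats.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registrable_domain(qname):
    """Return the last two labels (a simplification of the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname):
    """Return a reason string if qname looks like a brand lookalike, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    reg = registrable_domain(qname)
    if reg in ALLOWLIST:
        return None
    # Brand name appears in the hostname but the registrable domain is not
    # the brand's own, e.g. paypal.com.secure-login.ru.
    for brand in BRANDS:
        if any(brand in label for label in labels):
            return "brand '%s' in non-allowlisted domain %s" % (brand, reg)
    # Typosquat: second-level label within edit distance 1 of a brand after
    # undoing homoglyph substitutions (yah00 -> yahoo, paypa1 -> paypal).
    sld = labels[-2].translate(HOMOGLYPHS)
    for brand in BRANDS:
        if levenshtein(sld, brand) <= 1:
            return "typosquat of '%s': %s" % (brand, reg)
    return None


def scan(log_text):
    """Parse log lines and return (client, qname, reason) for suspicious lookups."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        reason = classify(qname)
        if reason:
            alerts.append((client, qname.lower(), reason))
    return alerts


if __name__ == "__main__":
    for client, qname, reason in scan(SAMPLE_LOG):
        print(client, qname, reason)
```

Run against the constructed log, the scan flags four of the six lookups and leaves the legitimate `mail.yahoo.com` and `cdn.example.net` alone. The value of this approach is that the flagged domains need never have been seen before; the cost is false positives on legitimate partner domains, which is why the allowlist exists and should be maintained.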
Breaches
- Yahoo disclosed in December that there was another breach, separate from the one disclosed earlier in the year. In this newly disclosed breach the thieves stole data from more than a billion user accounts. Yahoo states that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or un-encrypted security questions and answers.” MD5 is a fast, general-purpose hash and the statement does not mention salting, so these hashes offer little protection against offline guessing once the database is in an attacker's hands.
If you have a Yahoo account, please change the password for this account. If you have used your Yahoo account password for anything else, please change that password too.
https://krebsonsecurity.com/2016/12/yahoo-one-billion-more-accounts-hacked/
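The following added example (not from the report, Krebs or Yahoo; the "leaked" records and wordlist are constructed) shows why MD5-hashed passwords are a weak defence after a breach, and why the passphrase resolution above helps. Without a salt, one hash of each wordlist candidate can be matched against every account at once, so common passwords fall immediately. A per-user random salt with a deliberately slow key derivation function (stdlib PBKDF2-HMAC-SHA256 is used here; the iteration count is an assumption) forces the attacker to redo the work per account and per guess.

```python
"""Unsalted MD5 versus salted slow hashing after a credential leak.

Added example, not code from the original report or from Yahoo. The
leaked records, wordlist and PBKDF2 iteration count are constructed
assumptions for illustration.
"""
import hashlib
import hmac
import os
import time

# Constructed: what an unsalted MD5 credential store looks like once leaked.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed tiny wordlist; real cracking runs use hundreds of millions.
WORDLIST = [b"123456", b"password", b"password1", b"letmein", b"qwerty", b"yahoo2016"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for illustration


def crack_unsalted_md5(leaked, wordlist):
    """Hash each candidate once, then match against every account at once.

    With no salt, identical passwords produce identical hashes, so a single
    lookup table built from the wordlist serves the whole breach.
    """
    table = {hashlib.md5(word).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def pbkdf2_store(password):
    """Per-user random salt plus a slow KDF; returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def salted_hashes_differ(password):
    """Same password for two users yields different stored digests, so the
    attacker cannot reuse one guess's work across accounts."""
    _, d1 = pbkdf2_store(password)
    _, d2 = pbkdf2_store(password)
    return d1 != d2


def cost_ratio(samples=50):
    """Rough wall-clock ratio of one PBKDF2 guess to one MD5 guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(b"password1").digest()
    md5_time = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"password1", salt, PBKDF2_ITERATIONS)
    kdf_time = time.perf_counter() - t0
    return kdf_time / max(md5_time, 1e-9)


if __name__ == "__main__":
    print("cracked from unsalted MD5:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salt, digest = pbkdf2_store(b"password1")
    print("pbkdf2 verify correct password:", pbkdf2_verify(b"password1", salt, digest))
    print("pbkdf2 verify wrong password:", pbkdf2_verify(b"password2", salt, digest))
    print("approx. cost of one PBKDF2 guess in MD5 guesses:", int(cost_ratio()))
```

Two accounts with dictionary passwords are recovered instantly from the MD5 store; the passphrase holder is not, because the wordlist does not contain it. The cost ratio printed at the end varies by machine but is typically in the tens of thousands, which is the point of a slow KDF: it turns a cheap whole-database attack into an expensive per-account one.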
Patches and Updates
- Netgear asked users to stop using two of its routers after a critical command injection vulnerability was discovered in the R6400 and R7000. Netgear has since released a firmware update to resolve the issue. This comes only weeks after a vulnerability in a German ISP's routers was targeted by exploit attempts that knocked almost 1 million users offline. Vulnerabilities in routers and other internet-facing devices that are made public before a patch is available are routinely followed by a flood of exploit attempts across the internet, so exposed management interfaces should be disabled and firmware updated as soon as it is released.
http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/
http://kb.netgear.com/000036386/CVE-2016-582384