A roundup of the top news stories in information security this week, including the Locky ransomware making a comeback, Adobe releasing a rare out-of-band patch, and tech giants scrambling to patch a nasty WPA2 vulnerability.
RANSOMWARE
Experts Report Uptick in Locky Attacks Worldwide
Researchers at cybersecurity firm Check Point have noticed an uptick in Locky ransomware attacks in September. There has been an 11.5% increase in attacks on organizations globally, according to the company’s latest Global Threat Impact Index. The ransomware dropped out of the top ten “most wanted” malware ranking since November 2016, but seems to be making a resurgence, putting organizations on alert and proving that existing malware can be just as dangerous as new strains.
DDOS
Cloudflare Drops Surge Pricing in DDoS Protection Service
The potential attack damage tied to distributed denial-of-service (DDoS) attacks will not be limited after a notable protection service announced it would end its surge pricing. Cloudflare recently announced that it would no longer charge customers additional fees if they were under attack, meaning its customers could all now access unlimited DDoS billing. Although it’s not the only DDoS protection service to make a similar move, this could drastically limit the damage tied to the attacks.
PATCHES
Lenovo Quietly Addresses Flaw Found in All Android Tablets, Vibe and Zuk Phones
Earlier this month, Lenovo quietly patched a critical vulnerability impacting millions of its devices. The company addressed the flaw on October 5 with patches rolled out for all of its Android tablets, Vibe and Zuk phones, and the Moto M M (Xt1663) and Moto E3 (XT1706) model handsets. The flaws are tied to the Lenovo Service Framework, according to a full report by Threat Post.
SOFTWARE FLAWS
Adobe Releases Out-of-Band Patch for Flash
While Adobe didn’t address any vulnerabilities on Patch Tuesday this month, six days following the monthly cycle the company issued an out-of-band patch for Flash. The vulnerability addressed, CVE-2017-11292, could allow for remote code execution, and was given a “critical” severity rating. The flaw affects Flash on both browsers and desktop players found on Mac, Linux, Windows, and Chrome OS.
KRACK
Tech Companies Rush to Address Seriously WPA2 Vulnerability
The serious vulnerability found in the WPA2 encryption protocol and disclosed by a security researcher this week has tech giants dashing to address it. While Microsoft has already issued a security patch to address the infamous KRACK flaw in Windows 7, Windows 8, Windows 8.1 and Windows 8.2, other tech companies like Apple and Google are still working on it.
EMAIL SECURITY
Google Bolsters Gmail Security for Journalists and Government Officials
Google announced on Tuesday that stronger security protections would be rolled out for a small set of users that include journalists and government officials. The protections for the high-risk users were announced as part of its Advanced Protection Program which the company says are its strongest security features to date. Signing up for the program means continuous security updates and patches for vulnerabilities discovered in the tech giant’s email service.
MALWARE
Sockbot Malware Leverages Google Play Store to Propagate, Grow Botnet
A new strain of mobile malware has made its way into the Google Play Store with the aim of infecting mobile devices and adding them to botnets that launch distributed denial-of-service (DDoS) attacks. Researchers at Symantec discovered the malware, dubbed Sockbot, in malicious found in the store. The apps have been downloaded between 600,000 and 2.6 million times respectively.
BUG BOUNTY
Google’s New Bug Bounty Program Aims to Clean Up Mobile Apps
The Google Play store has seen its fair share of malicious applications, but the tech giant has introduced a new bug bounty program aimed at cleaning up the marketplace. Security experts that identify Android app flaws can earn at least $1,000 for each flaw discovered under the new initiative announced on Thursday. Google has partnered with HackerOne, the popular bug bounty program management website, to target a list of apps and flaws.
PRIVACY
FTC Urged to Investigate Smartwatches for Kids
Research conducted by the Norwegian Consumer Council and security firm Mnemonic reveals that several brands of smartwatches made for kids can be easily compromised. U.S. privacy groups are now urging the Federal Trade Commission (FTC) to look into the makers of the smartwatches. After testing the devices, Mnemonic said that the vulnerabilities found in them are “not technically difficult to exploit.”
