Tor Browser zero-day strikes again

Update (12/2): According to Forbes, this zero-day was sold by Exodus Intel earlier this year and somehow got leaked. Additional coverage here from Motherboard.

A newly found vulnerability (CVE-2016-9079) in the Firefox web browser was found to be leveraged in the wild. It is not the first time this has happened, as some of you may recall back in 2013, the FBI used a nearly identical one to expose some users running the Tor Browser.

The Tor Browser (based on Mozilla Firefox Extended Support Release) is used worldwide by all people who want greater anonymity online which includes political activists or dissidents wanting to bypass limitations or surveillance put in place by oppressive regimes.

According to Mozilla, “the exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code“.

Via this exploit, an attacker can collect the victim’s IP and MAC addresses, as well as their hostname which it sends to a remote server ( This server is now down, but we were able to reproduce the exploit and observe the TCP packets where the data would be sent.


It’s worth noting that not all exploits are meant to infect the target machine. In this case, for example, the goal is to leak user data with as minimal of a footprint as possible. There’s no malicious code downloaded to disk, only shell code is ran directly from memory.


It would be very easy for attackers to change the payload and instead of trying to identify a user via their IP address they could push anything they wish. Watch this proof of concept launching calc.exe.

This zero-day can be thwarted by adjusting the security slider to ‘High’ within Tor Browser’s Privacy and Security Settings, but that is not the default option. Alternatively, people running Malwarebytes Anti-Exploit were already protected against this 0day.

This latest attack continues to increase the concern over the Tor Brower’s efficacy against exploits and how other browsers such as Google Chrome or Edge work to handle memory corruption and sandboxing. One thing is for sure, browsers and their plugins remain the best attack vector to deliver malware or leak data via drive-by attacks.

Both Mozilla and Tor have released a patch to address this zero-day.

Read More »

What You Need to Know: Ransomware

And we’re back!

In this edition of the FixMeStick news round up, learn all about ransomware: what it is, why it’s on the rise, and how to protect yourself. Plus, info on cyber attacks on ATMs and heating systems.

FixMeStick ransomware blogRansomware guide

What is ransomware? How does it work? And why are attacks increasing?

Here’s what you need to know.



Left out in the coldfixmestick

Internet-enabled heating systems 

could be vulnerable to cyber attacks.




fixmestickRansomware in action

Wonder how a ransomware attack can occur?

Here’s a real-life play-by-play.




The future of ransomware?feature image slow computer

Ransomware is getting more sophisticated.

These viruses may soon be able to steal information as well as block access to it.




credit-cards-1411613Cashing in

Cyber attacks on ATMs which cause them to fraudulently dispense cash are spreading across the world.

Read More »

Mamba ransomware allows riders free entry to San Francisco Muni

This past weekend, November 26 and 27, people traveling on the San Francisco Municipal Railway were surprised to find out that they didn’t have to pay for their rides. Everyone rode free both days. A socialist dream come true? Nope. The SF Municipal Railway, aka the Muni, lost the ability to sell tickets because it was attacked by ransomware.

Mamba ransomware allows riders free entry to San Francisco Muni

Some media outlets claim that the problem manifested a few days earlier, just before Thanksgiving Day, when station ticket machines and schedule monitors started displaying a message saying “You Hacked” — as usual, ransomware announced itself with a lot of grammatical mistakes. It seems that the ransomware, called Mamba, which is a variant of HDDCryptor, knocked more than 2,000 computers belonging to the San Francisco Municipal Transport Agency (SFMTA) out of commission.

Mamba (and HDDLocker; let’s just consider them one and the same for the rest of this post) is a piece of ransomware that encrypts the whole hard drive and changes the master boot record (MBR) to prevent infected computers from loading their operating systems, displaying the malefactors’ message instead.

The creators of Mamba used open-source utilities as parts of the Trojan, and that, among other things, helped them create a strong algorithm. So there is no known way to get back files encrypted by Mamba without paying the criminals.

The Mamba perpetrators urged the SFMTA to contact them at, and using this e-mail address, a journalist from the San Francisco Examiner was able to talk to the criminals, who introduced themselves as “Andy Saolis.” As Saolis’ story went, the attack on Muni was not a targeted one; the system got infected simply because someone with admin privileges downloaded an infected torrent file.

Saolis also told the Examiner that the SFMTA had to pay them 100 bitcoins (about $73,000) to get its computers back in operation. But it seems the SFMTA was able to deal with the problem without paying ransom; later on Sunday, the ticket machines were functioning again.

Kaspersky Lab’s antimalware researchers are keeping close track of the threat actor responsible for the attack. It seems that Mamba is typically used to attack businesses and organizations: The Muni attack is not the first notch on Mamba’s belt — and actually, 100 bitcoins is a rather small sum by these criminals’ standards. Usually they demand much more.

So, Mamba seems like a really nasty threat. What can you do protect yourself and your organization from it?

1. The SFMTA was able to get Muni up and running relatively quickly because it had backups. It’s worth mentioning that these backups were not on network shares; otherwise, Mamba would’ve encrypted them as well.

The lesson here: Be like the SFMTA and back up your data regularly. Keep the backups either in the cloud or on external hard drives, not on your computer or network-attached devices.

2. Be even smarter than the SFMTA and avoid getting infected by Mamba, or any other ransomwware, at all. Instead, use a good security solution. Kaspersky Internet Security detects Mamba (and HDDCryptor, and others like them) as HEUR:Trojan.Win32.Generic and doesn’t give them a chance to encrypt anything.

Read More »

Cyber News Rundown: Edition 12/2/16


Between a handful of high profile network hacks and the steady stream of ransomware attacks, the last week of November didn’t pull any punches in the constant sparring match that is cybersecurity. In the wake of headlines about a US Navy breach, large scale network outages across Germany, and more, internet users across the globe must stay watchful and wary of their next click.


US Navy Sees Massive System Compromise

Officials in the US Navy have been notified of a security breach stemming from a Hewlett Packard Enterprise contractor whose laptop had been compromised. Currently, the Navy is contacting those who may be a part of the nearly 140,000 names and social security numbers that were affected, though it is still unclear on exactly how the breach occurred. With the steady rise in cyberattacks, the stress on IT departments of all sizes is mounting to defend against future attacks.

Tech Support Scammers Using Ransomware to Boost Income

Researchers have discovered an unsettling evolution to the traditional cold-calling tech support scams: executing ransomware on their victims’ computers to ensure payment for their “cleaning services”. While typical scammers will attempt nearly anything to get personal information, the use of ransomware takes the threat one step further by maliciously forcing payment regardless of any services rendered. Even worse for victims of VindowsLocker—as the ransomware is dubbed–the authors failed to properly setup the ransom transactions and thus, users may be unable to regain their files even if the ransom is paid.

UK National Lottery User Accounts Hacked

Major website hacks are occurring regularly due to reused login credentials, and it’s still a shock when a large site operator has to begin notifying tens of thousands of users about a possible data breach. Now we’re adding the UK National Lottery to the list. Only a small fraction of the National Lottery’s users were compromised, but Camelot, the operator for the lottery, has been forcing password resets for any potentially compromised individuals. While password re-use is the likely cause of the breach, it is still uncertain why the Lottery didn’t offer any additional authentication prior to the user accounts that were taken over.

San Francisco Train System Brought Down By Ransomware

In recent days, it has been discovered that the San Francisco Municipal Transit Agency was taken offline with only a poorly worded ransom message displaying for customers and employees alike. The attack led to the SFMTA providing free rides to customers while the issue was being resolved. In a surprising stance, the excessive ransom demanded–100 bitcoins totaling over $70,000 USD—was not paid to the attackers. For many public utilities and services, having the capability to promptly return to normal functions after such an attack is extremely important, and fortunately the SFMTA have announced that no customer information was compromised.

German Telecom Provider Hit with Mirai Variant

There is no doubt the world is now more attentive after the last Mirai botnet attack that took down several prominent sites. Yet, a similar variant has been deployed keeping DSL customers in Germany disconnected. Recently, nearly 900,000 telecom customers have been unable to access anything reliant on their DSL routers, which have been under attack for several days. By scanning for commonly open ports on routers, the attackers are able to remotely execute code resulting in a widespread DDoS attack.



The post Cyber News Rundown: Edition 12/2/16 appeared first on Webroot Threat Blog.

Read More »

What You Need to Know About the ImageGate Ransomware

Ransomware is a form of malware that encrypts a user’s data and prevents them from accessing their personal files until they pay the hacker for their files back. Sometimes users are requested to pay hundreds of dollars in order to receive a decryption key. Usually, ransomware is transmitted through infected email links, malicious websites or popup …

The post What You Need to Know About the ImageGate Ransomware appeared first on ZoneAlarm Security Blog.

Read More »