NSA code backported, crims cuffed, leaky AWS S3 buckets, and more

Roundup Here's a roundup of this week's security news, beyond what we've already covered, to kickstart your weekend.

You dirty RAT

Scumbags could, once upon a time, buy a remote access trojan called Luminosity Link for about $40, and get a piece of malware that, when installed on victims' PCs, would spy on their activities, disable security software, and install further malicious code. It's the sort of stuff miscreants purchase to snoop on their partners, spouses, employees, rivals, and so on. But now that's over, for Luminosity Link that is, because Brit cops have shutdown the software's distribution, and are hunting for those that bought it.

“The sale and deployment of this hacking tool were uncovered following a single arrest and the subsequent forensic examination of the computer," said Detective Inspector Ed Heath, head of the UK's South West Regional Cyber Crime Unit. “More than a year’s complex work with international policing partners led us to identify a large number of offenders.”

Infraud 'kingpin' nabbed

There was more good news in international cooperation this week with the takedown of the Infraud Organization, a group accused of selling and exploiting stolen data online. Thirteen people were cuffed and 36 indicted after an international police operation.

According to the cops, the alleged kingpin of the operation, who's motto was "In fraud we trust," was Sergey Medvedev, 31, a Russian national who was nabbed during a holiday in Thailand. Police seized a lot of electronic gear and shortly afterwards took control of the crime gang's forum.

We've seen cops and government agents use this tactic – snaring people on vacation – before against Russian operators. Basically, there aren't a lot of nice getaway destinations in Russia during winter, and if nationals head to a country that has the right extradition treaties, they're going to get cuffed.

Two steps forward, several steps back

OK, so the police had some luck, but there's still a lot of nasty stuff out there.

Chinese researchers have spotted an Android worm in circulation in Asia and now spreading fast around the world. The ADB.Miner, it is believed, is being spread by third-party app stores, thanks to code borrowed from the Mirai botnet.

It appears that the main purpose of the malware is to rev up the infected phone's processor core so that it can mine digital currency. As such, the worm will need to spread fast to be effective – most handsets don’t have the hardware grunt (or battery life) to be a serious coinage creators.

Eternal romance in time for Valentine's Day

We're likely going to be seeing more malware infections coming down the line using the NSA's leaked exploit code that attacks Windows network shares. Earlier this week, a security researcher showed it was possible to adapt the exploit code to attack older versions of Windows that were previously spared by the cyber-weapons.

Sean Dillon, a researcher at security shop RiskSense, found a way to port the EternalChampion, EternalRomance, and EternalSynergy exploits – developed by the NSA and then leaked online by the Shadow Brokers – to Microsoft operating systems going all the way back to Windows 2000.

If you have applied the MS17-010 patch from Microsoft, you should be safe from these SMB-based attacks.

It was an interesting piece of research, done to make it easier for other researchers to find new ways to block the code. But it's likely that the malware community is also taking note and so we'll see a lot more hacks using these exploits in the future.

The Shadow Brokers are thought to be a Russian front organization, and there was more news about what Putin and his pals have allegedly been up to this week. Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said that he Russians had actually got into voting rolls computers before the 2016 election.

"We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated," she said

That's good news in a way, but as we have seen it's astonishingly easy to hack America's pathetically insecure voting system. Much more work is going to be needed to fix these issues and there's another election round this year.

Buckets, buckets everywhere!

Chris Vickery and the Upguard team have had a busy week, exposing not one but two cases where companies are storing material online in Amazon S3 buckets without proper safeguards.

On Monday, he outed Octoly, a Paris-based brand marketing company that chucks freebie goodies at social media influencers in exchange for getting positive press coverage. Unfortunately, the agency left the contact details for 12,000 of these hipsters-for-hire online for all to see.

(For the record, it should be pointed out that we at El Reg never provide positive coverage in exchange for freebies. We'll happy let a PR buy us a drink or six, or a slap-up steak meal, or a trip to Hawaii, but that's not reflected in our copy.)

On Wednesday, Upguard was at it again, this time reporting on the Maryland Joint Insurance Association in the US. On this occasion, it wasn't an Amazon cloud account issue, just a misconfigured network-attached internet-facing storage device that provided easy access to anyone who found it online.

The device contained customer names, addresses, phone numbers, birth dates, and full Social Security numbers, as well as financial data such as check images, full bank account numbers, and insurance policy numbers. For added fun, the company's admin passwords were also on display.

Upguard has made finding unsecured storage archives and advising companies on how to be more secure into a nice little business. If you don't want to be shown to be a doofus then for goodness' sake lock down your archives – we're getting peeved at having to cover these kinds of cockups. ®