Skip to content ↓ | Skip to navigation ↓

This Week in Security: Adobe 0-Day Exploit, Dridex Disrupted, Vulnerable Androids

Previous Contributors

Our security roundup series covers the week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about recently.

Here’s what you don’t want to miss from the week of October 12, 2015:

  • Dow Jones & Co., the publisher of The Wall Street Journal, recently disclosed that hackers gained unauthorized access to its systems, potentially exposing the personal and financial information of some former and current subscribers. In a notice to customers, the company said the incident impacted fewer than 3,500 individuals, although it has yet to discover evidence that the information was in fact stolen. According to NBC News, intruders had access to the system from August 2012 up until July 2015 when the company was notified.
  • Security researchers warned of a new zero-day exploit in Adobe Flash Player that attackers behind the long-running Pawn Storm espionage campaign are leveraging to install malware on high-profile targets’ computers. Adobe released a security advisory for the critical vulnerability stating, “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” The researchers noted that in this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the world.
  • The UK’s National Crime Agency (NCA) alerted online users of the resurgence of a sophisticated strain of malware, known as Dridex, which enabled cyber criminals to drain more than £20 million from British bank accounts. The NCA said it estimates there could be thousands of computers infected in the UK­ – the majority being Windows users.

“In addition to its primary function of harvesting banking credentials, this particular strain of malware also exploits systems to send out phishing emails with infected attachments in an effort to compromise more systems,” explained Ken Westin, senior security analyst at Tripwire.

Law enforcement agencies in the US and UK have been working to disrupt the botnet, following the arrest of the alleged botnet administrator, Andrey Ghinkul, earlier this year.

  • About 85 percent of Android devices are exposed to at least one of 13 critical vulnerabilities, according to a new study from the University of Cambridge. A group of security researchers examined more than 20,000 Android devices from a variety of carriers and manufacturers, revealing that the lack of updates to consumer’s devices is likely to blame.

Unfortunately something has gone wrong with the provision of security updates in the Android market. Many smartphones are sold on 12–24 month contracts, and yet our data shows few Android devices receive many security updates, with an overall average of just 1.26 updates per year, leaving devices unpatched for long periods of time,” read the report.

  • Uber inadvertently leaked the personal information of nearly 700 drivers, including Social Security numbers, tax forms and copies of driver licenses, following the launch of the company’s new “Uber Partner” app. According to reports, a bug in the software was discovered by an Uber driver, who began alerting others on Reddit and other forums. The company has since resolved the issue.

Title image courtesy of Shutterstock.com