Premera cyberattack could have exposed information for 11 million customers

Health care provider Premera Blue Cross said on Tuesday that the identifying, financial, and medical information for millions of customers could have been revealed in a cyberattack.

In a statement on their website, Premera said that issues related to their network have been resolved and the company is working to strengthen security measures. The initial attack occurred on May 4, 2014, but the intrusion was not discovered until Jan. 29, according to Premera.

The attack potentially affects 11 million customers. About 6 million of those live in Washington state, where some customers are employees at companies like Amazon and Microsoft, Reuters reported.


HTTPS-crippling FREAK exploit hits thousands of Android and iOS apps

While almost all the attention paid to the HTTPS-crippling FREAK vulnerability has focused on browsers, consider this: thousands of Android and iOS apps, many with finance, shopping, and medical uses, are also vulnerable to the same exploit that decrypts passwords, credit card details, and other sensitive data sent between handsets and Internet servers.

Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.

"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei wrote in a blog post scheduled to be published Tuesday afternoon. "Other sensitive apps include medical apps, productivity apps and finance apps." The researchers provided the screenshots above and below, which reveal the plaintext data extracted from one of the vulnerable apps after it connected to its paired server.
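What the FireEye finding looks like from a defender's side can be shown on the wire. The following Python is an added illustration, not code from the article or from FireEye's research: it parses a TLS ClientHello/ServerHello pair and flags the two signs of a FREAK downgrade, namely that the server selected an RSA export suite (the 512-bit keys mentioned above) and that it selected a suite the client never offered, which a vulnerable client library accepts anyway. The handshake bytes, the builder helpers and the list of strong suites are constructed for the example; the cipher-suite numbers are the IANA-registered values.

```python
"""Added example (not from the original article): inspect a TLS ClientHello and
ServerHello pair and flag a FREAK-style export-cipher downgrade.  The handshake
bytes below are constructed for illustration, not captured from any real app."""
import struct

# IANA cipher-suite values for the RSA export suites FREAK abuses.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking types."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != expected_type:
        raise ValueError("unexpected handshake type %#x" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    return body[4:4 + hs_len]


def parse_client_hello(record: bytes) -> list:
    """Return the cipher suites the client offered, in the order it listed them."""
    body = _handshake_body(record, 0x01)
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]; pos += 1 + sid_len       # session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def parse_server_hello(record: bytes) -> int:
    """Return the single cipher suite the server selected."""
    body = _handshake_body(record, 0x02)
    pos = 2 + 32
    sid_len = body[pos]; pos += 1 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def freak_indicators(client_hello: bytes, server_hello: bytes) -> list:
    """Flag what a FREAK-vulnerable session shows on the wire: an RSA export suite
    was selected, and/or the server picked a suite the client never offered."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = []
    if chosen in RSA_EXPORT_SUITES:
        findings.append("export suite selected: " + RSA_EXPORT_SUITES[chosen])
    if chosen not in offered:
        findings.append("server chose suite %#06x the client never offered" % chosen)
    return findings


# --- builders for the constructed sample handshake (not real captures) ---
def _wrap(hs_type: int, payload: bytes) -> bytes:
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites: list) -> bytes:
    payload = b"\x03\x01" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
    payload += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    payload += b"\x01\x00"                                  # one compression method: null
    return _wrap(0x01, payload)


def build_server_hello(suite: int) -> bytes:
    payload = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(0x02, payload)


# A client offering only strong suites, answered by a server that downgrades to
# 512-bit export RSA: the FREAK pattern.  Then the same client answered honestly.
STRONG_OFFER = [0x002F, 0x0035, 0xC02F]   # RSA-AES128-SHA, RSA-AES256-SHA, ECDHE-RSA-AES128-GCM-SHA256
DOWNGRADED = freak_indicators(build_client_hello(STRONG_OFFER), build_server_hello(0x0003))
CLEAN = freak_indicators(build_client_hello(STRONG_OFFER), build_server_hello(0x002F))

if __name__ == "__main__":
    print("downgraded session:", DOWNGRADED)
    print("clean session:", CLEAN)
```

The second check is the more useful one in practice: a correctly behaving client rejects a ServerHello whose suite it did not offer, so seeing such a session complete is itself evidence that the client library is one of the affected ones, regardless of which export suite was used.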


Teslacrypt Joins Ransomware Field

Teslacrypt is a newly crafted ransomware that encrypts user files with AES and demands money to decrypt them. It infects systems from a compromised website that redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) Like many other ransomware families, it encrypts document files, including text and PDF files, to force victims to pay a ransom to have their files restored.


Upon execution, this malware copies itself to the AppData\Roaming folder, where the following files appear:

  • C:\Users\Administrator\AppData\Roaming\iylipul.exe
  • C:\Users\Administrator\AppData\Roaming\key.dat
  • C:\Users\Administrator\AppData\Roaming\log.html

Teslacrypt is compiled with C++. After executing, victims see the following window:



The malware asks victims to follow certain steps to obtain the private key from the server to decrypt the encrypted files.

Teslacrypt uses the following icons to confuse users into thinking that this threat is the same as CryptoLocker. Earlier the malware’s icon was called Teslacrypt, but now it is called CryptoLocker.

  • Windows XP


  • Windows 7



The malware’s parent file creates another process and also starts a thread that performs other malicious activities on the system after the thread is resumed. The name of the thread is the same as that of the parent file. This variant also uses debugging functions to check the context of the thread.


In the preceding screenshot “GetThreadContext” and “SetThreadContext” are the debugging functions that check the context of the thread.

After creating the thread, the malware terminates the following running processes:

  • ProcessExplorer
  • Cmd.exe
  • Regedit.exe
  • taskmgr
  • msconfig

The malware then tries to delete the system’s shadow copies through vssadmin.exe, so that the victim cannot roll back to earlier system restore points. It also targets the Zone.Identifier NTFS stream to erase the record of which files were downloaded to the system.
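The behaviours just described (running from AppData\Roaming, killing analysis tools, deleting shadow copies with vssadmin.exe) are exactly the kind of host telemetry a detection rule can key on. The following Python is an added example, not part of the McAfee write-up: a small triage rule set that scores Sysmon-style process events and groups the hits by acting process. The log lines are constructed for illustration, with the iylipul.exe path taken from the write-up; the tool image names (procexp.exe, taskmgr.exe and so on) are an assumption mapping the write-up's process list onto executable names, and the field names follow Sysmon EventID 1 (process create) and EventID 10 (process access) conventions.

```python
"""Added example, not part of the McAfee write-up: a small triage rule set that
scores Sysmon-style process events for the Teslacrypt behaviours described
above (execution from AppData\\Roaming, opening analysis tools with terminate
rights, shadow-copy deletion via vssadmin).  The log lines below are
constructed for illustration; field names follow Sysmon EventID 1 (process
create) and EventID 10 (process access) conventions."""
import re

# Image names assumed for the tools the write-up says the sample terminates.
KILLED_TOOLS = {"procexp.exe", "procexp64.exe", "cmd.exe", "regedit.exe",
                "taskmgr.exe", "msconfig.exe"}
PROCESS_TERMINATE = 0x0001  # Win32 access-right bit as it appears in GrantedAccess


def parse_event(line: str) -> dict:
    """Turn 'EventID=1|Image=...|CommandLine=...' (constructed format) into a dict."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    fields["EventID"] = int(fields.get("EventID", 0))
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the names of the rules a single event trips (empty list = clean)."""
    hits = []
    if ev["EventID"] == 1:
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        # Rule 1: an executable running out of the per-user roaming profile.
        if re.search(r"\\AppData\\Roaming\\[^\\]+\.exe$", image, re.I):
            hits.append("exe-in-appdata-roaming")
        # Rule 2: vssadmin asked to delete shadow copies, not merely list them.
        if _basename(image) == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd, re.I):
            hits.append("shadow-copy-deletion")
    elif ev["EventID"] == 10:
        # Rule 3: a handle to an analysis tool opened with PROCESS_TERMINATE rights.
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if _basename(ev.get("TargetImage", "")) in KILLED_TOOLS and granted & PROCESS_TERMINATE:
            hits.append("analysis-tool-terminate-handle")
    return hits


def triage(lines: list) -> dict:
    """Group rule hits by the acting process so the whole chain is visible per image."""
    report = {}
    for line in lines:
        ev = parse_event(line)
        actor = ev.get("SourceImage") or ev.get("Image", "")
        for rule in score_event(ev):
            report.setdefault(actor, []).append(rule)
    return report


# Constructed sample log; the iylipul.exe path is the one named in the write-up.
MALWARE = "C:\\Users\\Administrator\\AppData\\Roaming\\iylipul.exe"
SAMPLE_LOG = [
    "EventID=1|Image=" + MALWARE + "|CommandLine=iylipul.exe",
    "EventID=10|SourceImage=" + MALWARE + "|TargetImage=C:\\Windows\\System32\\taskmgr.exe|GrantedAccess=0x1",
    "EventID=10|SourceImage=" + MALWARE + "|TargetImage=C:\\Windows\\regedit.exe|GrantedAccess=0x1fffff",
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet"
    "|ParentImage=" + MALWARE,
    # Benign noise that must not fire: listing shadows, and a handle without terminate rights.
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows",
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\taskmgr.exe|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for actor, rules in triage(SAMPLE_LOG).items():
        print(actor, "->", ", ".join(rules))
```

Rule 1 on its own is noisy on real fleets (plenty of legitimate updaters live under Roaming), which is why the report is grouped per actor: one image tripping all three rules in sequence is a far stronger signal than any single hit, and the shadow-copy deletion in particular is worth an alert on its own because restoring from shadow copies is the victim's cheapest recovery path.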


We found the following strings in memory; these are the targeted file extensions that the malware will encrypt.



Some of the affected games and gaming software:

  • Bethesda Softworks settings file
  • F.E.A.R. 2 game
  • Steam NCF Valve Pak
  • Call of Duty
  • EA Sports
  • Unreal 3
  • Unity scene
  • Assassin’s Creed game
  • Skyrim animation
  • Bioshock 2
  • League of Legends
  • DAYZ profile file
  • RPG Maker VX RGSS
  • World of Tanks battle
  • Minecraft mod
  • Unreal Engine 3 game file
  • Starcraft saved game
  • S.T.A.L.K.E.R. game file
  • Dragon Age Origins game

The malware sends the victims’ information to its control server:


It also stores information about the encrypted files in HTML format for later use.


We have seen the following network activity for this ransomware:


The following table describes the commands sent to the control server:


The encryption of this ransomware has not yet been cracked. The only apparent way to recover the files is to pay the ransom. (However, not all ransomware attackers decrypt files, even after receiving payment.) The attackers also offer “free” decryption, which is a fake offer.



The attacker demands a payment of either BTC1.5, or US$1,000 if victims use PayPal. The attacker prefers Bitcoins because they are harder to trace; thus payment by Bitcoin is cheaper than by PayPal.

Intel Security advises users to keep their antimalware signatures up to date at all times. McAfee products detect this threat as Ransom-Tescrypt! and Ransom-FXX!

I would like to thank my colleague Lenart Brave, who helped research this malware.

The post Teslacrypt Joins Ransomware Field appeared first on McAfee.

Hertz puts cameras in some of its rental cars, but it never meant to be creepy

Last week, Fusion reported that Hertz had been updating the navigational devices in its rental cars to include cameras that have a full view of the interior of the vehicle. The update, which began in mid-2014, happened quietly and so far has only impacted about thirteen percent of Hertz' fleet. Still, that number troubled those who noticed the tiny unblinking eye staring back at them.

But Hertz has maintained that the cameras are nothing for customers to fear. Last week, a representative told Fusion that the cameras will eventually be used for customers to video chat with a customer service representative in the event that they get into an accident or have other issues. At that time, the camera would only be turned on by the push of a button from the car driver. But at the moment, that feature is not functional, the company said.

“We do not have adequate bandwidth capabilities to the car to support streaming video at this time,” Hertz said. Instead Hertz began installing cameras on its navigational devices, called NeverLost, to prepare for an indeterminate time in the future when activating such a feature makes economic sense.
