Fraud Alert Message Center

Tips for Safe Banking Over the Internet

As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.

The internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.

Current Online Threats

Please be aware of any email you receive claiming to come from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it or its attachments. The email could potentially contain a virus or malware.

For more information regarding email and phishing scams, please visit: http://onguardonline.gov/


Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers.  The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.

11/25/2014

Fraud service uses charity websites to validate stolen credit card data. Researchers with PhishLabs reported November 21 that they had found online fraudsters using a bot and an IRC channel to conduct transactions on the Web sites of charity or non-profit organizations in order to test the validity of stolen payment card information and related personal information.

Symantec uncovers stealthy nation-state cyber attack platform. Symantec researchers reported the discovery of a piece of sophisticated cyber espionage malware dubbed Regin that works as a backdoor to steal information from compromised systems and appears to have been created by a nation-state actor. The malware is modular in design and has predominantly targeted small businesses, individuals, and telecoms companies, as well as the hospitality, energy, and airline industries and research organizations.

Sony quietly POODLE-proofs PlayStations. Sony released a patch for its PlayStation 3 and PlayStation 4 gaming consoles that adds Transport Layer Security to the consoles' apps and browsers and removes the use of SSL 3.0 to protect against POODLE attacks.

Facebook bug remains unpatched, risk is partially mitigated. A researcher who reported a flaw in Facebook that could allow posting to a user’s timeline without permission in 2013 reported that the proof-of-concept for the attack still works in some cases where certain third-party Facebook apps do not implement the new content share model Facebook developed to address the issue.

11/21/2014

Attackers using compromised Web plug-ins in CryptoPHP blackhat SEO campaign. Researchers with Fox-IT identified a group of attackers using compromised WordPress themes and plugins to deliver a piece of malware dubbed CryptoPHP that engages in fraudulent search engine optimization (SEO) operations. The malware can also inject content into sites using the compromised plugins and themes, update itself, and perform other tasks.

Developers fix XSS vulnerability in jQuery Validation Plugin script. The developers of the jQuery Validation Plugin issued a fix for a vulnerability present in the plugin’s demo code that could have allowed an attacker to engage in session hijacking using a reflected cross-site scripting (XSS) attack. The code appeared to be first reported in 2007.

Angler exploit kit adds new Flash exploit for CVE-2014-8440. A security researcher reported that the Angler exploit kit has been equipped with an exploit for the CVE-2014-8440 vulnerability in Adobe Flash that can be used to take control of target systems. The vulnerability was patched by Adobe November 11 but unpatched systems remain vulnerable.

Drupal patches denial of service vulnerability; details disclosed. Researchers who identified a denial of service (DoS) vulnerability in the Drupal content management system published details of the vulnerability that could also expose user names following the release of a patch by Drupal November 19 to close the vulnerability.

Chrome 39 includes 42 security fixes, disables fallback to SSL 3.0. Google released version 39 of its Chrome browser, closing 42 security issues, 11 of which were rated as high-severity, adding features, and disabling fallback to SSL 3.0 which could be exploited in POODLE attacks.

FTC gets federal court to shut down $120M tech support scam. The Federal Trade Commission (FTC) announced November 19 that a federal court granted its request to temporarily shut down two telemarketing operations that allegedly defrauded consumers out of more than $120 million by convincing them to grant the marketers remote access and deceiving them into paying for services and products to solve nonexistent computer problems. The companies involved include PC Cleaner, Boost Software, and Inbound Call Experts, and the defendants are the targets of separate cases filed by the FTC and the State of Florida.

Privilege escalation risk fixed in Android Lollipop, lower versions vulnerable. A researcher who identified and reported a flaw in the Android operating system that could allow an attacker to execute arbitrary code released a proof-of-concept for the vulnerability following the November 3 release of a patch that closes the vulnerability in Android Lollipop (also known as Android 5.0). The vulnerability is still present on previous Android versions.

Citadel variant targets password managers. Researchers with IBM Trusteer notified the makers of the nexus Personal Security Client, KeePass, and Password Safe password managers that a new variant of the Citadel malware is targeting the three services in an attempt to steal users’ logins and passwords.

11/20/2014

Advanced variant of “NotCompatible” Android malware a threat to enterprises. Researchers with Lookout identified a new variant of the NotCompatible Trojan for Android dubbed NotCompatible.C which includes several changes to avoid detection by security software, including encrypted communications and geographically distributed command and control (C&C) servers. The malware is being spread by spam emails and compromised Web sites and acts as a proxy on infected systems.

Microsoft fixes critical Kerberos flaw under attack with out-of-band patch. Microsoft released an out-of-band patch November 18 to close a vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to domain administrator privileges. The vulnerability has been exploited in limited, targeted attacks and users were advised to apply the patch as soon as possible due to the critical nature of the vulnerability.

Apple releases OS X Yosemite and iOS updates. Apple released updates November 18 for its OS X Yosemite operating system and iOS 8 mobile operating system, adding improvements and closing an unlimited passcode attempt vulnerability in iOS 8.

Flashpack exploit kit uses ad networks to deliver Cryptowall, Dofoil malware. Trend Micro researchers identified a malicious advertisement campaign that uses free ads to attempt to redirect users to a page hosting the Flashpack exploit kit, which then attempts to serve a variant of the Dofoil Trojan or the Cryptowall ransomware.

Legit Windows Phone apps can be replaced by malicious ones through copy/paste. A researcher reported that rogue versions of legitimate apps can be installed onto Windows Phone mobile devices after the installation of the legitimate app by replacing the files with the rogue app files.

11/18/2014

BusyBox devices compromised through Shellshock attack. Researchers with Trend Micro identified a new version of the Bashlite malware that identifies devices on an infected system’s network that use the BusyBox software for Linux, including routers, and can then attempt to compromise them using the Shellshock vulnerability.

Steam password stealer is stored on Google Drive. A researcher with Panda Security analyzed and reported a piece of malware designed to steal passwords for the Steam gaming service that is being delivered from a Google Drive account. The account was still active when the researcher reported the malware November 16. The malware targets victims via a fraudulent link in Steam chat that downloads an executable file.

WinShock PoC clocked: But DON’T PANIC… It’s no Heartbleed. Researchers released a proof-of-concept (PoC) exploit for a SChannel crypto library flaw that was patched the week of November 10 in a Microsoft patch release. The flaw can still be exploited in unpatched Windows Server 2012, 2008 R2, and 2003 installations to run arbitrary code.

Attack reveals 81 percent of Tor users but admins call for calm. A paper released by researchers at the Indraprastha Institute of Information Technology outlined a traffic confirmation attack method that the researchers stated could be used to identify users of the Tor anonymity network in 81 percent of cases if an attacker has sufficient resources.

Alleged creators of WireLurker malware arrested in China. Authorities in China arrested three individuals for allegedly creating and distributing the WireLurker malware targeting Mac OS X, iOS, and Windows devices and shut down the Web site used to distribute the malware.

Majority of top 100 paid iOS, Android apps have hacked versions: Report. Arxan Technologies released their annual State of Mobile App Security report which found that there were cloned or repackaged versions of 97 percent of the top 100 paid Android apps and 87 percent for top 100 paid iOS apps, and that repackaged or cloned financial services apps existed for 95 percent of apps on Android and 70 percent in iOS, among other findings.

New variant of Dofoil trojan emerges with strong evasion features. Fortinet researchers identified a new variant of the Dofoil botnet malware that contains several changes aimed at preventing the malware from being detected and analyzed.

New encryption ransomware offers file decryption trial. Researchers at Webroot identified a new piece of encryption ransomware dubbed CoinVault that encrypts victims’ files using AES-256 encryption, demands a ransom, and offers a free trial of the decryption performed if a ransom is paid.

Google misses trojan SMS app in Play Store for more than a year. An SMS trojan named Thai Fun Content was identified by Malwarebytes researchers on the Google Play Store and was available for download for over 1 year. The app subscribes victims to a paid SMS service and charges victims $0.37 per day.

11/14/2014

Mobile Pwn2Own 2014: iPhone 5s, Galaxy S5, Nexus 5, Fire Phone hacked. Researchers participating in the Mobile Pwn2Own mobile device hacking competition in Tokyo November 12-13 were able to compromise several popular smartphones and mobile devices, achieving a full sandbox escape on an iPhone 5s, successful near field communications (NFC) attacks on the Galaxy S5, and several other successful compromises.

Coast Guard contractor pleads guilty to stealing personal information. A Pawcatuck man who ran a computer repair business and also worked as a contractor for the U.S. Coast Guard pleaded guilty November 12 to stealing personal information and data over 250 times from computers and other devices brought to him for repairs.

11/13/2014

18-year-old remotely exploitable vulnerability in Windows patched by Microsoft. Microsoft released a patch November 11 for a data manipulation vulnerability that has existed in Windows operating systems starting with Windows 95. Researchers with IBM’s X-Force discovered and reported the vulnerability in May, which could have been used by attackers to gain control of affected systems for the last 18 years.

Microsoft patches Windows, IE, Word, SharePoint and IIS. Microsoft released its monthly Patch Tuesday round of updates for its products, which includes 14 bulletins including one patching a zero-day vulnerability in the Windows OLE packager for Windows Vista and newer Windows operating systems.

18 critical vulnerabilities patched in Flash Player 15.0.0.223. Adobe released a new version of its Flash Player software, closing 18 critical security issues, 15 of which could allow an attacker to execute arbitrary code.

Google DoubleClick down, leaving sites ad-free. The Google DoubleClick for Publishers service experienced an outage November 12, preventing ads from being displayed on several Web sites. Google stated that the company was working to resolve the issue.

Air-gapped systems targeted by Sednit espionage group. Researchers with ESET stated that the Sednit espionage group (also known as APT28 or Sofacy) has employed a tool known as Win32/USBStealer since at least 2005 that can exfiltrate data from air-gapped systems. The tool is added to a compromised system connected to the Internet and then plants itself on any removable storage device; when that device is attached to an air-gapped system it collects information from it, and the data is transmitted back to the attackers whenever the storage device is next connected to an Internet-connected system.

Uroburos espionage group is still active, relies on new remote access trojan. G Data researchers found that the Uroburos espionage group (also known as Turla or Snake) remains active and is using two similar versions of a new remote access trojan (RAT) known as ComRAT that includes increased obfuscation and anti-analysis capabilities.

SQL injection vulnerability patched in IP.Board forum software. Invision Power Services released patches for its IP.Board forum software November 9, closing a SQL injection vulnerability several hours after its discovery on versions 3.3.x and 3.4.x.

iOS security issue allows attackers to swap good apps for bad ones: FireEye. Researchers with FireEye identified a new attack dubbed a Masque Attack that can allow attackers to replace a legitimate iOS app with a malicious one if both applications use the same bundle identifier. Victims targeted by the attack must be lured into installing the malicious app, which then replaces the legitimate app on both jailbroken and non-jailbroken iOS devices.

11/12/2014

Darkhotel attackers target business travelers via hotel networks. Kaspersky Lab researchers identified an advanced persistent threat (APT) group dubbed Darkhotel APT that has targeted travelers in the Asia-Pacific region in addition to the U.S. using malicious hotel WiFi networks, spear phishing, and malicious torrent files. The group’s hotel attacks involve prompting users with a software update notice that installs a backdoor, and the group has targeted guests associated with industries and sectors including government organizations, the defense industry, energy industry, pharmaceutical industry, electronics manufacturers, medical providers, and non-governmental organizations.

BrowserStack HACK ATTACK: Service still suspended after rogue email. Browser testing service BrowserStack stated that it was temporarily suspending service to recover after an attacker managed to gain access to a list of email addresses and the company’s official email account, using it to send out a fake message to developers.

Emoticons blast three security holes in Pidgin :-(. Researchers at Cisco reported that the instant messaging client Pidgin contained three security vulnerabilities that could have allowed attackers to overwrite files or cause a denial of service (DoS) situation. The vulnerabilities have since been patched.

11/10/2014

Belkin flings out patch after Metasploit module turns guests to admins. Belkin recently released a patch for its N750 dual-band router to close a vulnerability demonstrated in a Metasploit module that could allow attackers on guest networks to gain root access. Users were advised to update their firmware to close the vulnerability.

WireLurker: Apple blocks Trojanized apps, revokes certificate. Apple stated that it blocked apps identified as containing the WireLurker malware for OS X and iOS and revoked the certificate used to sign the malware.

Metasploit module released for new UXSS vulnerability in Android browser. An independent researcher in coordination with Rapid7 identified and reported a universal cross-site scripting (UXSS) vulnerability in the default Android browser that could allow an attacker to scrape page contents and cookie data. A Metasploit module for the vulnerability was released, and although Google fixed the issue September 30 many Android users may not receive the fix due to lack of Android version updates.

After Silk Road 2, global law enforcement seizes other dark markets. U.S. and European law enforcement agencies undertook joint action against several other underweb marketplaces following actions against the Silk Road 2.0 marketplace, resulting in 17 arrests and the takedown of over 410 hidden services. Authorities also seized around $1 million in cash, illegal drugs, and precious metals.

Cisco patches three out of four buggy small business RV series routers. Cisco posted an advisory November 5 stating that three vulnerabilities in four routers intended for small business use could allow attackers to execute arbitrary commands and upload files to the devices. The company issued patches for the RV120W Wireless-N VPN Firewall, RV180 VPN Router, and RV180W Wireless-N Multifunction VPN Router, while a patch for the RV220W Wireless Network Security Firewall is expected by the end of November.

11/6/2014

Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud. A researcher stated that he was able to replicate the MD5 hash collision method used in the Flame cyberespionage attacks using a GPU instance on Amazon Web Service to cause two images to have the same MD5 hash. The method was used in the Flame campaign to cause compromised Windows Update certificates to be recognized as valid on targeted systems, allowing malware to be downloaded undetected.

New technique makes phishing sites easier to create, more difficult to spot. Trend Micro researchers identified a new phishing site technique targeting an e-commerce site that uses a proxy to relay user traffic to a legitimate site and then redirects users to a phishing site once they make a purchase and enter payment information. The method was observed in an attack on an online store in Japan but could be used for other sites.

Compromised EDU domain used to send out ZeuS-laden emails. Researchers with PhishMe detected a spam email campaign distributing the Zeus (also known as Zbot) information-stealing Trojan through email addresses belonging to an undisclosed U.S. educational organization with around 25,000-30,000 enrolled students.

Spin.com redirects to Rig Exploit Kit, infects users with malware, Symantec observes. Symantec researchers stated November 4 that the music news Web site Spin.com was redirecting users to a page hosting the Rig Exploit Kit October 27 and that the issue has been closed. The researchers were unsure of how the compromise occurred but found that the attackers injected an iFrame into the site in order to redirect visitors.

11/5/2014

New version of Backoff PoS malware appears: Fortinet. Researchers with Fortinet recently reported finding a new version of the Backoff point-of-sale (PoS) malware with the version name ROM that includes changes designed to make the malware more difficult to detect and analyze.

BlackEnergy cyberespionage group targets Linux systems and Cisco routers. Researchers with Kaspersky Lab reported that the cyberespionage group that uses the BlackEnergy malware has developed several modules for the malware that can be downloaded to infected systems to add the ability to perform port scanning, disk wiping, digital certificate theft, and other actions. The malware has compromised routers, Linux systems, and Windows systems and the group behind it targets organizations in the energy, manufacturing, banking, and education sectors as well as government agencies.

227,747 new malware samples created daily. PandaLabs reported that around 20 million new strains of malware were created during the third quarter (Q3) of 2014, with Trojans the most common type of malware at 78.08 percent, among other findings.

11/4/2014

Upatre malware dropper sent to Bitstamp exchange users. Researchers with ThreatTrack identified an email campaign targeting users of the Bitstamp digital currency exchange that uses sophisticated social engineering to attempt to trick users into opening an attachment containing the Upatre malware dropper. The dropper then adds the Dyre (also known as Dyreza) banking malware to compromised systems.

VMware: Yep, ESXi bug plays ‘finder’s keepers’ with data backups. VMware confirmed an issue reported by users of its ESXi 4.x and ESXi 5 hypervisor where virtual machines with Changed Block Tracking (CBT) enabled and that have been increased in size by more than 128GB show an inaccurate list of allocated virtual machine disk sectors, which could cause backed-up data to be unrecoverable. VMware recommended that users disable and then re-enable CBT and stated that the company is working on a permanent solution.

Researchers notice uptick in 'Poweliks' Trojan infections. Symantec researchers observed an increase in reported Poweliks Trojan infections, with the malware delivered by spam emails, exploit kits, and a spam campaign that impersonates the U.S. Postal Service and Canada Post.

New RAT hijacks COM objects for persistence, stealthiness. Researchers at G DATA Software’s SecurityLabs identified a new remote access Trojan (RAT) dubbed COMpfun that hijacks legitimate Component Object Model (COM) objects to evade detection by security software. The RAT is capable of executing code, logging keystrokes, downloading or uploading files, and other tasks.

11/3/2014

Phishing attack leads to title firm breach. Fidelity National Financial notified an unspecified number of customers that personal and financial information including payment card, driver’s license, and Social Security numbers may have been compromised when attackers gained access to employees’ email accounts via a phishing attack. The company stated that an investigation showed that the attackers’ goal was to obtain information in order to redirect scheduled money transfers.

RIG Exploit Kit used in Drupal CMS exploit incidents. RiskIQ researchers observed the RIG Exploit Kit being used in attacks that exploit a critical SQL injection vulnerability in the Drupal content management system (CMS) to redirect users to the exploit kit. The researchers found that all instances of the exploit kit are hosted on a machine at a Selectel datacenter in Russia.

iOS app vulnerability exposed GroupMe accounts. A researcher identified and reported a vulnerability in the GroupMe app for iOS that could have allowed an attacker to hijack the account of another user because the sign-up process for new accounts lacked rate limiting or a lockout mechanism on its phone number verification step. The issue was reported August 28 and patched September 17, and the researcher stated that there was no evidence it was exploited before being fixed.

Android dialer hides, resists attempts to remove it. Researchers with Dr. Web identified a malicious dialer for Android dubbed Android.Dialer.7.origin that places calls to a paid service at regular intervals after infecting devices disguised as an app. The malware attempts to hide itself by deleting its shortcut, disabling the device earpiece during calls, and removing evidence of the calls from the call and system logs.

Danish court finds Pirate Bay cofounder guilty of hacking CSC servers. A court in Denmark found a cofounder of the Pirate Bay Web site guilty of working with an anonymous accomplice to compromise servers belonging to the U.S. company CSC that contained data for European governments between February and August 2012.


Advisory of “Shellshock” Vulnerability

On September 24, 2014, multiple security experts began reporting on a security vulnerability, Shellshock, which affects an application called Bash.

The vulnerability:

1. Bash, the GNU Bourne-Again Shell, is a command-line shell from the GNU project that is distributed with most versions of Linux and Unix-like systems, and is also invoked behind the scenes by many network-facing services (for example CGI scripts on web servers), so the flaw can be reached remotely;

2. Could enable attackers, without authentication, to obtain information, modify authentication parameters, and disrupt service; and

3. Is currently given the highest possible ratings (“10”) for Severity, Impact, and Exploitability based on the Common Vulnerability Scoring System (CVSS).

In response, it is recommended that business clients work with their IT professionals to:

1. Identify, filter and block internet protocol (IP) addresses that may be maliciously scanning systems.

2. Review all systems and services to identify any systems that may be vulnerable to this exploit.

3. Actively work to identify effective patching for this vulnerability, and patch any systems and services that are vulnerable.
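One way to carry out steps 1 and 2 above from the command line, as an added example that is not part of this advisory and not a vendor tool: the first function runs the widely published Shellshock test string (for the original bug, CVE-2014-6271) against a given shell binary and reports whether that shell executes the trailing command; the second picks Shellshock probes out of web server access log lines by the "() {" function prefix the probes carry in request headers and prints the distinct source addresses for filtering. The sample log lines are constructed for this example with documentation-range addresses; the shell path and log format are assumptions.

```shell
#!/bin/sh
# Added example (not part of the advisory): check a shell binary for the
# original Shellshock bug (CVE-2014-6271) and pick Shellshock probes out of
# web server access logs so the source addresses can be filtered.

# shellshock_check [shell_binary]
# Prints "vulnerable", "patched" or "missing". A vulnerable bash executes the
# commands that follow a function definition in an imported environment
# variable, so "echo vulnerable" runs before the harmless -c command does.
shellshock_check() {
    shell_bin="${1:-bash}"
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    out=$(env x='() { :;}; echo vulnerable' "$shell_bin" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# shellshock_scanners < access_log
# Prints the distinct client addresses (first field of a combined-format log
# line) whose requests carry the "() {" function prefix anywhere in the line
# (User-Agent, Referer, Cookie or the request line itself). Each address is
# printed once even if the same scanner sent many probes.
shellshock_scanners() {
    grep -F '() {' | awk '{ print $1 }' | sort -u
}

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""
198.51.100.3 - - [25/Sep/2014:10:15:04 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:15:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "() { :;}; /bin/ping -c 1 203.0.113.7" "-"'

echo "local bash: $(shellshock_check bash)"
echo "probe sources seen in sample log:"
printf '%s\n' "$SAMPLE_LOG" | shellshock_scanners
```

The check is only meaningful for bash itself (pass the path of every bash binary on the host, not just the one on PATH, since appliances and containers often carry their own copy). A "patched" result covers the original bug only: the first vendor patches were incomplete and were followed by further CVEs (CVE-2014-7169 among them), so a host that passes this test should still be confirmed against the vendor status page linked below before it is considered closed.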

Shellshock known vulnerabilities and vendor statuses: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4

10/30/2014

Vulnerability found in firmware update process of ASUS routers. A researcher identified and reported a vulnerability in ASUS RT-series routers that could have allowed attackers to use a man-in-the-middle (MitM) attack to trick users into downloading older, vulnerable firmware versions or potentially malicious code due to the firmware request being sent in HTTP instead of HTTPS. ASUS closed the vulnerability in its 3.0.0.4.367.1123 update.

10/28/2014

'Replay' attacks spoof chip card charges. Three undisclosed U.S. banks reported receiving fraudulent payment card charges emanating from Brazil that were disguised as transactions made with Europay, MasterCard, and Visa (EMV) chip-and-PIN cards, even though the banks had not yet issued EMV cards. The attackers disguised the charges as EMV transactions because some banks with misconfigured systems do not apply the full range of security checks (such as validating the card's transaction cryptogram) to transactions flagged as chip-based.

Tor exit node found maliciously modifying files. A researcher with Leviathan Security Group identified and reported an exit node on the Tor network that wraps binary files with malware as the files pass through the node. The Tor Project stated that it set a "BadExit" flag on the node to protect users after it was reported.

Backoff PoS malware boomed in Q3. Damballa released a report which found that detections of the Backoff point-of-sale (PoS) malware increased by 57 percent between August and September.

10/27/2014

iMessage SPAM floods US mobile networks. Cloudmark researchers reported that China-based designer goods counterfeiters are using the Apple iMessage platform to spam users with advertisements, the largest mobile spam campaign in the U.S. so far this year and accounting for over 80 percent of all reported mobile spam messages in the U.S.

Cisco fixes 3-year-old vulnerability affecting security appliances. Cisco released patches to close a vulnerability in its AsyncOS used in several of the company's security appliances that could allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The vulnerability affects all models of Cisco Email Security Appliances (ESA), Cisco Web Security Appliances (WSA) and Cisco Content Security Management Appliances (SMA) running affected versions of AsyncOS.

Adobe Digital Editions now encrypts data collected from users. Adobe stated that its Adobe Digital Editions ebook software would begin using encryption to send data on users to Adobe’s servers starting October 23. Researchers previously discovered the transmission of user data and found that it was not encrypted, posing a security risk.

Akamai sees record-setting spikes in size and volume of DDoS attacks. Akamai released their Q3 2014 State of the Internet report and found that distributed denial of service (DDoS) attacks increased in average bandwidth by 389 percent over the past year, among other findings.

10/24/2014

CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware that encrypts users’ files and demands a ransom to decrypt them.

1.2 million networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation - Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.

Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.

10/23/2014

Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology which could allow an attacker to perform remote code execution if a user opens a specially-crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003 and Microsoft advised users to apply a series of workarounds until a patch can be released.

Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link that directs users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices' screens with a fake law enforcement page and demands a ransom to be paid via MoneyPak voucher.

Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad hosted on the googlesyndication.com network and attempts to change the DNS settings on users’ home routers in order to lead them to potentially malicious Web sites.

Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any .PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.

Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.

10/22/2014

One week after patch, Flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underweb forums known as Fiesta that is bundled with an exploit for a recently-patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.

Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.

Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to gain user and domain names and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply best practice guidelines developed by the company.

10/21/2014

Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch.

Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users’ Dropbox and email credentials. The phishing page uses the secure sockets layer (SSL) protocol of its host in order to appear legitimate.

Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities.

Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems.

Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running the GE Intelligent Platforms CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack, exploiting it to install the BlackEnergy malware.

10/20/2014

SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition.

New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner.

XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers.

Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information.

All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to malware already planted (via USB drive or another method) on systems in an air-gapped network, by shining infrared or visible light at the scanner while its lid is open. The researchers successfully tested the method against a target printer inside a building at 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers.

10/17/2014

Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices.

Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack.

New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers.

FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access Trojan, and the Hikiti malware used to control compromised systems.

Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible.

10/16/2014

Microsoft patches two more 0-days actively used by attackers. Microsoft released its monthly Patch Tuesday round of patches for October, closing several critical vulnerabilities including the SandWorm vulnerability and others exploited by attackers.

Flash Player 15 update plugs remote code execution bugs. Adobe released patches for three critical vulnerabilities in its Flash Player consisting of two memory corruption issues and one integer overflow vulnerability.

Mozilla fixes critical bugs in Firefox 33. Mozilla released the latest version of its Firefox browser, closing 33 critical vulnerabilities and adding improved functionality.

SSL 3.0 falls in the face of POODLE attack, needs to be disabled. Researchers with Google designed an attack named POODLE that can exploit a flaw in the design of the Secure Sockets Layer 3.0 (SSL 3.0) protocol that can allow the extraction of data from secure connections using the protocol. SSL 3.0 has been superseded by several other protocols but is still used in some clients and servers and as a backup protocol by Web browsers if modern protocols are unavailable.

Malware-like browser pop-ups used by advertisers to push apps on Android. A researcher at Malwarebytes reported that some advertisers are using fake warning or update notifications directed at Android users in an attempt to get them to download legitimate but potentially unwanted programs in an affiliate marketing scheme.

BlackBerry 10 devices open to bug that allows malicious app installation. BlackBerry released a patch for a vulnerability in BlackBerry 10 devices that could allow an attacker with a man-in-the-middle position to replace legitimate apps downloaded through the BlackBerry World app store with malicious apps.

Malicious YouTube ads lead to exploits, ransomware. Trend Micro researchers identified and reported a malvertising campaign where attackers appeared to have bought traffic from legitimate ad providers in order to place malicious ads on popular YouTube videos to redirect users through several sites to a server hosting the Sweet Orange exploit kit. The exploit kit then attempts to infect users with the Kovter ransomware via an Internet Explorer vulnerability.

Massive Oracle security update lands on Microsoft Patch Tuesday. Oracle released over 150 patches for its products, closing critical vulnerabilities in several of them, including Oracle Database and Java SE.

10/15/2014

Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sectors. Microsoft is expected to release a patch for the zero-day, which affects supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs was publicized on Pastebin by a poster claiming that more would be published in exchange for Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had used identical usernames and passwords for Dropbox.

The snappening: Snapsaved admits to hack that leaked SnapChat photos. Snapchat’s third-party app Snapsaved was hacked, resulting in the release of 500MB of images containing between 90,000 and 200,000 photos and videos, due to a misconfiguration in its Apache server. Snapsaved subsequently deleted the entire Web site and database associated with the breach.

Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that Track-It! version 11.3.0.355, the IT helpdesk solution created by BMC Software, contains three vulnerabilities: improper permissions, privileges, and access control; missing authentication for a critical function; and a blind SQL injection. The company is working on addressing the issues.

New mobile Trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available on Android devices houses the Gomal Trojan, which allows hackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept app presented at Black Hat 2013 and that it exploited only a Samsung Exynos memory access vulnerability, which has since been patched.

HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent signature on a four-year-old Trojan that may have been included in the software.

10/14/2014

New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and the removal of a bootkit component.

Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting a number of Linux and UNIX systems infected from several IP addresses belonging to the Mayhem botnet. The botnet was found to be probing Internet-facing systems for the Shellshock vulnerability in order to drop a new remote installer written in Perl.

10/10/2014

Flaw in PayPal authentication process allows access to blocked accounts. A researcher with Vulnerability Laboratory identified and reported a flaw in the mobile authentication process for PayPal that can allow an attacker to attempt to input passwords an unlimited number of times without causing the account to be locked. The issue, reported in March 2013, affects the iOS mobile app for PayPal, and a fix is not currently available.

ATM programmer's reference manual leaked online. F-Secure researchers found a document online using the Baidu search engine that contains API documentation for ATM cashpoints manufactured by NCR Corporation during an investigation into ATM malware. The programming reference materials could be used by attackers to inform their development of ATM malware.

Aggressive Selfmite SMS worm variant goes global. Researchers with AdaptiveMobile identified a new variant of the Selfmite SMS worm for Android that spreads via malicious links in SMS messages that lead to a trojanized Google Plus app. The worm uses compromised devices to send the malicious SMS messages to every contact on the device several times and redirects users to unsolicited subscription Web sites.

Multiple vulnerabilities found in SAP enterprise software. Researchers at Onapsis published seven advisories for flaws in SAP HANA, SAP BusinessObjects, and SAP NetWeaver Business Warehouse enterprise software, including a remotely exploitable command injection vulnerability in HANA that could allow an unauthenticated attacker to completely compromise the SAP system and the information it handles and stores.

Several Siemens industrial products affected by ShellShock bug. Siemens released an advisory warning that variants of the Shellshock vulnerability can be leveraged by attackers against several of its products including some versions of Rugged Operating System on Linux (ROX) 1 and ROX 2 and APE Linux versions. The company is working on developing patches for the affected products.

There is anti-BadUSB protection, but it's a bit sticky. The researchers who revealed the details for infecting USB devices via the BadUSB vulnerability released a patch and instructions for preventing the reprogramming of USB devices by disabling the "boot mode" state of the device. The researchers stated that a patched device could be tampered with to reset it and remove the patch, and suggested physically securing the device with glue or similar substances to prevent undetected access.

10/9/2014

Tyupkin is new ATM malware that allows cash extraction without card. Researchers with Kaspersky Lab identified and analyzed a new piece of ATM malware known as Tyupkin that is installed on ATMs through a bootable CD and can allow attackers to withdraw currency without a card. The malware includes several security features to prevent access and analysis and was mostly found in Eastern Europe as well as some cases in the U.S., Asia, and Western Europe.

Google fixes 159 security bugs with release of Chrome 38. Google released the latest version of its Chrome browser for Windows, Linux, Mac, and iOS, closing 159 security vulnerabilities.

Adobe spies on reading habits over unencrypted web because your ‘privacy is important.’ Adobe confirmed October 8 that its Digital Editions software collects information on users’ ebooks and sends it to Adobe servers as part of digital rights management (DRM) practices after a researcher reported finding the traffic being sent from Digital Editions. The company also confirmed that the information was sent in an unencrypted format and would be corrected, and stated that it was investigating the researcher’s claims that the program collected additional information on ebooks files stored on users’ systems.

SSDP reflection attacks spike in Q3: Arbor Networks. Arbor Networks released its report on distributed denial of service (DDoS) attacks during the third quarter (Q3) of 2014 and found that Simple Service Discovery Protocol (SSDP) reflection attacks grew significantly during Q3, with almost 30,000 such attacks during the quarter, among other findings.

Siemens swats security bugs affecting PCS 7. Siemens released an update for its PCS 7 supervisory control and data acquisition (SCADA) product that addresses five issues with the WinCC product, including a hard coded encryption key and another issue that could lead to privilege escalation.

Belkin says router outages should be resolved. Belkin stated October 7 that it fixed an issue in some older wireless routers that caused the routers to experience problems around midnight October 7 when pinging a Belkin-hosted service in order to check network connectivity. Belkin advised users still experiencing issues to restart their routers.

10/8/2014

Monster banking trojan botnet claims 500,000 victims. Researchers with Proofpoint identified a new banking trojan botnet known as Qbot or Qakbot that has infected 500,000 systems and stolen data from users including 800,000 online banking transactions, with 59 percent of the stolen sessions taken from accounts in major U.S. banks. The researchers found that the malware for the botnet was launched from compromised WordPress sites using drive-by download attacks.

Bugzilla vulnerability exposes undisclosed bugs. The developers of the Bugzilla bug-tracking software released an update to address several security issues, including one reported by Check Point Software Technologies researchers that could allow an attacker to bypass the email validation process and potentially receive information on undisclosed security issues.

Yahoo! changes tune after saying servers were hacked by Shellshock. Yahoo reported October 6 that some servers that were recently compromised were not compromised using the Shellshock vulnerability but instead by a bug in a parsing script used on some servers.

Trojans-SMS are top threat on Android, INTERPOL and Kaspersky say. Kaspersky Lab and INTERPOL released the results of a study of mobile security threats over a one-year period and found that Android users were the most targeted by attackers, with SMS trojans accounting for 57.08 percent of all detections, among other findings.

Bash bug payload downloads KAITEN DDoS malware source code. Trend Micro researchers detected a payload being delivered via attacks exploiting the Shellshock vulnerability that downloads the source code for the KAITEN distributed denial of service (DDoS) malware.

10/6/2014

76M households hit by JPMorgan data breach. JPMorgan Chase & Co. stated October 2 that a large cyberattack against the company’s systems compromised the customer information of around 76 million households and 7 million small businesses. The attack was discovered in August and began as early as June and compromised customers’ names, addresses, email addresses, and phone numbers but the bank stated that there was no evidence that the breach included account information.

CryptoWall 2.0 available in the wild, has new obfuscator. A 2.0 version of the CryptoWall ransomware has been spotted in the wild by researchers and includes the use of the Tor network for communicating with command and control servers and a new obfuscator to prevent analysis and debugging.

Destructive Android trojan poses as newest Angry Birds game. Researchers with Doctor Web identified a piece of destructive Android malware detected as Android.Elite.1.origin that poses as an unreleased Angry Birds game app and once installed deletes a device’s data, blocks communications programs, and sends out a high volume of messages to all contacts on the device.

“BadUSB” code published. Two researchers presenting at the Derbycon 4.0 conference reverse-engineered USB firmware to launch various attacks and posted the attack code online. The flaw in USB firmware that enables the attack was first revealed at the Black Hat conference but the attack code was not released at that time.

Second same-origin policy bypass flaw haunts Android browser. A researcher identified and reported a same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that could allow an attacker to steal data from a user’s browser. Google issued a patch for the vulnerability for users of Android 4.1-4.3 in late September.

10/3/2014

Major security flaw in Xen hypervisor disclosed. The developers of the Xen hypervisor released a patch after a security vulnerability was disclosed October 1 that could allow an attacker to use a malicious hardware virtual machine to read data from other virtual machines or crash the host machine.

OS X botnet malware uses Reddit to get IPs of control servers. Researchers with Doctor Web found that a piece of botnet malware for OS X known as iWorm uses the search function on Reddit to access a list of command and control (C&C) servers used to receive instructions. Over 17,000 unique IP addresses are associated with systems infected by iWorm and the C&C server addresses are disguised on Reddit by purporting to be addresses for Minecraft servers.

VMware releases software updates to fix ShellShock bug. VMware released patches for several of its products in order to close the Shellshock vulnerability in GNU Bash.

Researchers bypass Redmond’s EMET, again. Researchers with Offensive Security reported that they were able to bypass the fifth version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security tool on several versions of the Windows operating system.

Bash bug flung against NAS boxes. FireEye researchers warned that attackers are attempting to exploit the Shellshock vulnerability in GNU Bash in order to compromise Network Attached Storage (NAS) systems before the systems can be patched. The researchers reported that NAS systems made by QNAP were especially targeted and that attackers were seeking to install backdoors.

Joomla re-issues security update after patches glitch. The developers of Joomla released a second version of a security update October 1 after an initial update designed to close critical vulnerabilities created technical issues for some users.

Data breach on Flinn Scientific server lasted for four months. Flinn Scientific officials notified customers October 2 that anyone who had made at least one purchase through its online store since May 2 may have had their financial information, including payment card number and card verification code, compromised after malware was planted on the company’s Web based payment system. The breach was discovered September 8 and the company removed the malicious software from its network.

10/2/2014

Four hackers accused of $100m US military software and gaming IP theft. Four individuals were indicted for allegedly stealing over $100 million worth of intellectual property from game developers and the U.S. Army including data from yet-to-be-released games and training software used to train helicopter pilots. Two of the accused pleaded guilty and reportedly used a SQL injection attack to steal the usernames and passwords of employees and software developers in order to gain access to the data.

Xsser mRAT, advanced spyware for iOS, discovered. Researchers with Lacoon Mobile Security identified a new remote access trojan (RAT) for iOS mobile devices dubbed Xsser that targets jailbroken iOS devices and can exfiltrate personal and device data. The researchers believe that Xsser is linked to the Chinese government and targets protesters in Hong Kong.

High risk vulnerability patched in Joomla. The developers of the Joomla content management system (CMS) released a patch for version 3.x closing two vulnerabilities including a remote file inclusion (RFI) issue that could allow an attacker to run remote files.

OpenVPN open to pre-auth Bash Shellshock bug - researcher. The chief technology officer of Mullvad stated that some configurations of OpenVPN are susceptible to the Shellshock vulnerability if Bash is allowed to run scripts. A proof-of-concept for the issue was identified online.

Asprox botnet malware sent through fake Viber email notification. An analysis from Tech Help List identified a new spam campaign utilizing fake Viber emails to attempt to add new bots to the Asprox botnet. The analysis noted that the attackers were using several techniques to hide their malicious activity and avoid analysis by researchers.

10/01/2014

Variant of Upatre malware dropper seen in bank emails. A security researcher reported finding a new variant of the Upatre malware dropper attached to emails purporting to be from financial institutions. The new variant is distributed as a download through a link in the malicious emails and has a low VirusTotal detection rate.

Apple patches Shellshock bug in OS X. Apple released a security update for its OS X operating system that closes two remotely exploitable vulnerabilities in the GNU Bash UNIX shell known as Shellshock.

‘Shellshock’ attacks could already top 1 billion: Report. Incapsula researchers reported that the company’s Web application firewall deflected over 217,000 attempted exploitations of the Shellshock vulnerability in GNU Bash during the 4 days after the vulnerability was disclosed and estimated that the total number of attacks attempting to exploit the flaw could reach 1 billion.

Seller of StealthGenie mobile spyware app indicted and arrested. The CEO of InvoCode was arrested September 27 in Los Angeles for allegedly selling and advertising the StealthGenie mobile spyware. The Pakistani national allegedly worked with others to develop and market the spyware that is compatible with major mobile operating systems such as Android, Blackberry, and iOS.

Signed CryptoWall delivered via malvertising campaign on top-ranked websites. Researchers with Barracuda Labs identified a variant of the CryptoWall ransomware signed with a valid digital certificate from DigiCert and spread through malicious ads on the Zedo ad network to several popular Web sites. As of September 29, the CryptoWall variant was detected by 12 of 55 security solutions on VirusTotal.

RadEditor web editor vulnerable to XSS attacks. A researcher identified and reported a cross-site scripting (XSS) vulnerability in the RadEditor text editor used in several Microsoft products that could allow attackers to inject malicious script and obtain private data. The vulnerability was closed by Telerik September 24.

All CloudFlare customers benefit from Universal SSL. CloudFlare announced September 29 that it was providing all customers with SSL certificates under its Universal SSL service to enhance security.

New data breaches hit Supervalu, Albertson's. Supervalu officials reported a second incident September 29 where hackers installed a different piece of malware on the company’s computer system that potentially captured customers’ payment card information from the payment processing systems of four Cub Foods stores in Minnesota and several Albertson’s grocery stores across the U.S. between August and September.

9/30/2014

Dyre banking trojan delivered via voice message email notification. Researchers discovered that the Dyre (Dyreza) banking trojan is being distributed via phishing emails claiming to be from financial institutions and bogus emails purporting to inform of a new voicemail message, which include a link to a malware dropper that has five Romanian Portable Executable (PE) resources and downloads a variant of the trojan. The malware relies on the man in the middle (MitM) technique to take over the connection between the client and the server.

U.S. Bank refunding $48 million to customers. The Consumer Financial Protection Bureau ordered U.S. Bank September 25 to refund $48 million to consumers and pay $9 million in penalties to resolve allegations that the bank charged about 420,000 customers for fraudulent credit card add-on products and services that were not provided between 2004 and 2012.

New remote code execution flaws found in Shellshock-patched Bash. Researchers found four additional vulnerabilities in the Bash command interpreter for Linux affected by Shellshock, two of which were unofficially patched after new changes to the code. The two remaining bugs could be exploited remotely, and more easily, because address space layout randomization (ASLR) is rarely used when compiling Bash.

Ello social network recovers after DDoS attack. Administrators with Ello, a social networking site, announced they blocked a bad IP address that was responsible for sending junk traffic after reporting the site was under an apparent distributed denial of service (DDoS) attack.

Cisco lists 31 products vulnerable to the Shellshock vulnerability. Cisco released a list of 31 products vulnerable to the Shellshock glitch which included connection routing, network management, and media content delivery and encoding, among others. Oracle also released a list of 32 products vulnerable to attack by the Bash bug after the company changed its initial list and appended new products.

iThemes users asked to change passwords following attack. The CEO of iThemes, a WordPress themes, plugins, and training provider, advised 60,000 past and current users to reset their passwords following an attack on its membership database that may have compromised usernames, email addresses, passwords, names, IP addresses, and purchase information.

9/29/2014

Dyre malware takes inventory of software on infected systems. Researchers from Proofpoint analyzed a new variant of the Dyre (also known as Dyreza) banking trojan and found that several new features were added to the malware, including the addition of its own SSL certificate and a feature that enables hackers to collect cookies, client-side certificates, and private keys from an infected computer’s Windows Certificate Store. The latest version of the Trojan can also extract a list of installed programs and services from an infected computer, to be used by hackers to determine which vectors can be exploited in the future.

Honeypot catches malware exploiting Shellshock Bash bug. AlienVault researchers used their honeypots to capture two pieces of malware exploiting the Shellshock Bash vulnerability: an Internet Relay Chat (IRC) bot and an Executable and Linkable Format (ELF) binary that gives malicious actors the ability to use the infected machine in distributed denial of service (DDoS) attacks. Patches are available for several software platforms, as attackers are rapidly working to exploit the CVE-2014-6271 vulnerability.

Phishers go after unprecedented breadth of targets. The Anti-Phishing Working Group (APWG) released its Global Phishing Survey co-authored with Internet Identity (IID) and found that in the first half of 2014 Apple was the most phished brand in the world, accounting for 17 percent of all reports sampled. PayPal came in second accounting for 14.4 percent or 17,811 targeted attacks the report stated, among other findings.

BlackEnergy malware linked to targeted attacks. ESET and F-Secure researchers found that the BlackEnergy malware has been active in targeted attacks in 2014, modified to be used as a tool for sending spam and for online bank fraud. The alteration was dubbed “BlackEnergyLite” by researchers due to the lack of a kernel-mode driver component and less support for plug-ins and a lighter overall footprint.

9/25/2014

New Tinba banking trojan variant is stealthier, uses public key signing. Researchers from Trusteer analyzed an updated variant of the Tiny Banker (also known as Tinba) financial malware and discovered that the authors added a domain generation algorithm (DGA) and fitted it with user-mode rootkit capabilities and a verification process to make sure that messages are sent from an authentic bot master.

Mozilla to part ways with SHA-1. Mozilla asked Certificate Authorities and Web sites to upgrade certificates to SHA-256, SHA-384, or SHA-512 after experts reported that collision attacks against SHA-1 will be practical by 2018. Mozilla will release warnings to update certificates in versions of Firefox in early 2015.

Fiberlink wipes one smartphone or tablet every three minutes. Researchers at Fiberlink examined 130,000 devices managed by MaaS360 and found that one mobile device is wiped every 3 minutes. The study also determined that in 2013 businesses, on average, cleared 10 percent to 20 percent of their entire device populations yearly.

Mitigations for Spike DDoS toolkit-powered attacks. Akamai Technologies released an advisory alerting enterprises to the Spike distributed denial of service (DDoS) toolkit, which runs on a Windows system and can launch infrastructure-based and application-based DDoS payloads including SYN flood, UDP flood, GET flood, and Domain Name System (DNS) query floods. The toolkit can be mitigated by implementing access control lists (ACLs).

Apple’s new iPhone 6 vulnerable to last year’s TouchID fingerprint hack. Lookout researchers found that a vulnerability that could allow access into Apple’s iPhone 6 and 6 Plus models through their TouchID fingerprint sensors remained unpatched. Scammers can unlock the devices by creating a fake fingerprint, the same flaw that was found in the iPhone 5S model in 2013.

9/24/2014

DDoS attackers turn fire on ISPs and gaming servers. NSFOCUS researchers determined that gaming hosts and Internet service providers (ISPs) have been the focus of distributed denial of service (DDoS) attacks in 2014, rising in the first half to 10 percent and nearly 15 percent of attacks respectively.

jQuery.com compromised to serve malware via drive-by download. RiskIQ researchers found and reported that jQuery.com, the official Web site of the cross-platform JavaScript library of the same name, was compromised and redirected its visitors to a site hosting the RIG exploit kit and delivered information-stealing malware. The attack was discovered September 18 and the site’s administrators removed the malicious script.

Kyle and Stan malvertising network nine times bigger than first reported. Researchers found nearly 6,500 malicious domains are involved in the Kyle and Stan malvertising network and over 31,000 connections were made to the domains, nine times larger than originally reported by Cisco. The campaign is unique in its ability to infect Windows and Mac OS X software differently and can drop ads on larger Web sites.

9/23/2014

Hackers target Destiny and Call of Duty servers with DDoS attack. Several servers for the online games Destiny and Call of Duty: Ghosts went down during the weekend of September 20 due to a distributed denial of service (DDoS) attack that affected PlayStation and Xbox users. Attackers claiming affiliation with the Lizard Squad group claimed responsibility for the attacks.

Exercise-tracking app not QUITE fit for purpose. A researcher identified and reported a direct object reference vulnerability in the MyFitnessPal app that allowed users’ personal information, including location and dates of birth, to be accessed by any user. The vulnerability was closed 2 days after being reported.

Yahoo fixes RCE flaw leading to root server access. A researcher identified and reported a series of vulnerabilities in a Yahoo domain which led to a remote code execution vulnerability that was leveraged to gain root access to a Yahoo server. The vulnerability was reported September 5 and closed September 7.

Payment card info of 880k Viator customers compromised. Viator representatives confirmed September 19 that the company was made aware September 2 that its network was breached and the encrypted personal and financial information of about 1.4 million customers may have been compromised. Customers were advised to update their Viator online account information, including passwords.

9/19/2014

Bank tellers helped steal identities, $850G, A.G. says. Five people, including three bank tellers at branches in New York and Florida, were indicted September 16 in White Plains, New York, for allegedly running an identity theft and bank fraud ring that stole over $850,000 in funds as well as customers’ personal information over at least 4 years. The tellers allegedly supplied information to their co-conspirators that enabled them to create fraudulent checks, driver’s licenses, and other documents used to withdraw the stolen funds from bank branches in Connecticut, Massachusetts, and New York.

Apple fixes “backdoors” with release of iOS 8. Apple released the newest version of its mobile operating system, iOS 8, September 17, which adds improvements and closes over 50 security vulnerabilities.

Series of vulnerabilities found in Schneider Electric SCADA products. An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned users of Schneider Electric StruxureWare SCADA Expert ClearSCADA products after researchers discovered unpatched, remotely exploitable vulnerabilities. The vulnerabilities include a cross-site scripting (XSS) issue that could allow industrial control systems (ICS) to be shut down, while an authentication bypass issue could give attackers access to sensitive information.

AppBuyer iOS malware targets jailbroken iPhones. Researchers with Palo Alto Networks analyzed a piece of iOS malware discovered by WeiPhone Technical Group in May and found that the malware dubbed AppBuyer is targeting jailbroken iPhones in order to steal Apple ID and password information and make unauthorized purchases from the App Store.

Analysts spot ‘Critolock,’ ransomware that claims to be CryptoLocker. Researchers at Trend Micro identified a new piece of ransomware known as Troj_Critolock.A or Critolock that infects devices, encrypts users’ data, and demands a ransom. The malware purports to be the CryptoLocker ransomware but contains several differences, including its use of the Rijndael symmetric-key algorithm.

Drupal patches XSS vulnerability in spam module. Drupal released a patch September 17 for the Mollom spam and content moderation module that closes a cross-site scripting (XSS) vulnerability that could allow an attacker to gain admin-level access to Web sites and enable them to steal data or hijack sessions.

9/18/2014

Breach at Goodwill vendor lasted 18 months. Payment vendor C&K Systems stated that its hosted managed services systems were found by investigators to be compromised between February 10, 2013 and August 14, 2014, allowing the installation of the infostealer.rawpos point of sale (PoS) malware that led to payment card breaches from over 330 Goodwill retail locations. The malware infection was not detected by the company’s systems until September 5 and affected Goodwill and two other customers.

Twitter fixes vulnerability potentially impacting company’s ad revenue. A security researcher identified and reported a vulnerability in a Twitter subdomain that could be used to delete the payment card information used by advertisers to pay for ads on the social media network. Twitter addressed the vulnerability and awarded a $2,800 bounty to the researcher.

Amazon fixes persistent XSS vulnerability affecting Kindle library. Amazon addressed a cross-site scripting (XSS) vulnerability on the Amazon Web page used to manage users’ Kindle libraries that could be used by an attacker to inject malicious code through eBook metadata.

Macro based malware is on the rise. Researchers with Sophos found that macro-based malware created in Visual Basic rose from around 6 percent of document malware to 28 percent in July, among other findings.

Adobe gets delayed Reader update out the door. Adobe released new versions of Adobe Reader and Acrobat September 16 that were delayed during Adobe’s scheduled patch release the week of September 8. The updates close eight vulnerabilities including two memory corruption issues and a cross-site scripting (XSS) vulnerability affecting Macintosh users.

Archie exploit kit targets Adobe, Silverlight vulnerabilities. Researchers at AlienVault Labs analyzed a new exploit kit first identified by EmergingThreats researchers and found that the Archie exploit kit attempts to exploit older versions of Adobe Flash, Reader, and Microsoft Silverlight and Internet Explorer.

9/17/2014

Malicious Kindle eBooks can give hackers access to your Amazon account. A security researcher identified a security issue in Amazon’s “Manage Your Kindle” page that can be exploited using a malicious eBook file to take over a user’s Amazon account. The same vulnerability was reported and fixed in November 2013 but was reintroduced in a new version of the page.

THREE QUARTERS of Android mobes open to web page spy bug. A Metasploit developer released a Metasploit module for a vulnerability in Android versions 4.2.1 and below that was discovered September 1; the module automates exploitation of the vulnerability, which allows attackers behind a malicious Web page to see users’ other open pages and hijack sessions.

LinkedIn feature exposes email addresses. Researchers with Rhino Security Labs demonstrated how an attacker could use a ‘find connections’ feature in LinkedIn and a large number of email contacts generated with likely email addresses to identify the email address of specific individuals for possible use in spear-phishing or other malicious activities. LinkedIn stated that it was planning at least two changes to the way the professional network handles user email addresses to counteract the issue.

SNMP DDoS scans spoof Google public DNS server. The SANS Internet Storm Center reported September 15 that large-scale scans of Simple Network Management Protocol (SNMP) spoofing Google’s public DNS server traffic were taking place, indicating a scan being used to identify routers and devices using default SNMP passwords. Vulnerable routers and devices could have their configuration variables changed, creating a denial of service (DoS) situation on the affected devices.

9/16/2014

Twitch chat malware spreads, wipes dry Steam accounts. Researchers at F-Secure identified a piece of malware known as Eskimo that is being spread through a fake raffle invitation in Twitch.tv’s chat feature. The page used for the fake raffle sign-up drops the Windows binary that can take screenshots as well as take control of the client for gaming service Steam to add friends, trade or sell items, and buy items if funds are available.

Freenode suffers breach, asks users to change their passwords. IRC network Freenode notified users that it experienced a security breach September 13 and advised all users to change their passwords as a precaution.

Vulnerabilities found in website of Google-owned Nest. A security researcher identified and reported several security vulnerabilities in the Web site of home automation company Nest, including a file upload vulnerability that could allow attackers to upload a shell and gain access to personal and financial details of Nest customers. Google stated that the issue was addressed by restricting access to the affected domain and redirecting visitors to a different domain.

Four vulnerabilities patched in IntegraXor SCADA. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory September 11 advising users of Ecava Sdn Bhd’s IntegraXor supervisory control and data acquisition (SCADA) server software to patch their systems after four remotely exploitable vulnerabilities were discovered. The software is primarily used for industrial automation in firms managing railways, sewage systems, telecommunications, and heavy engineering.

9/15/2014

Chinese attack groups operate in parallel in cyber espionage campaigns: FireEye. Researchers with FireEye discovered two cyberespionage campaigns originating in two regions of China that appear to share several commonalities including using the same custom backdoors and remote access trojans (RATs). One campaign dubbed Moafee targets various military, government, and defense industry entities while the second known as DragonOK targets high-tech and manufacturing companies in Taiwan and Japan.

Researchers find malicious extension in Chrome Web Store. Trend Micro researchers identified several malicious extensions inside the Chrome Web Store, including one spread via a Facebook scam campaign that allows attackers to post statuses, send messages, and take other actions using a victim’s Facebook account.

9/12/2014

Zemot malware dropper strain delivered via Asprox botnet and exploit kits. Microsoft researchers analyzed the Zemot malware dropper, a variant of Upatre, and observed that it has been distributed through the Asprox (also known as Kuluoz) spam botnet and via exploit kits including Magnitude and Nuclear Pack. Once it infects a system the dropper can then deliver click fraud malware and was recently observed to distribute information-stealing malware including Rovnix, Tesch, and Viknok.

TorrentLocker unpicked: Crypto coding shocker defeats extortionists. Researchers with Nixu found that the encryption used by the TorrentLocker ransomware to encrypt victims’ files can be defeated if a user still has an unencrypted original copy of any encrypted file over 2MB in size, by XORing the encrypted and unencrypted versions of that file together.
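The weakness in this item, modelled as an added example (not Nixu's analysis and not TorrentLocker's code): a constructed toy scheme that reuses one XOR keystream for the first part of every file, which is why XORing a known original with its encrypted copy recovers the keystream and decrypts the other files, and a per-file-nonce variant showing the fix. The KEYSTREAM_LEN constant (standing in for the 2MB prefix), the HMAC-based keystream derivation, and all sample files are assumptions.

```python
"""Toy model of a keystream-reuse flaw of the kind described for TorrentLocker.

Assumption (not from the page): per-file encryption behaves like XOR with one
fixed keystream applied to the first KEYSTREAM_LEN bytes of every file, with
any remainder left untouched. The page's 2MB figure is modelled as a much
smaller KEYSTREAM_LEN so the demo runs instantly. Every "file" below is
constructed sample data, not real victim data.
"""
import hashlib
import hmac
import os

KEYSTREAM_LEN = 64  # stands in for the 2MB prefix mentioned in the news item


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """The weak scheme: the same keystream is reused for every file."""
    head = xor_bytes(plaintext[:KEYSTREAM_LEN], keystream)
    return head + plaintext[KEYSTREAM_LEN:]


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """XOR of a known plaintext/ciphertext pair reveals the keystream bytes that
    file covers; a file shorter than KEYSTREAM_LEN yields only a partial keystream,
    which is why the page says the known file must exceed the encrypted prefix."""
    return xor_bytes(known_plain[:KEYSTREAM_LEN], known_cipher[:KEYSTREAM_LEN])


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Undo flawed_encrypt for as many bytes as the recovered keystream covers."""
    head = xor_bytes(ciphertext[:len(keystream)], keystream)
    return head + ciphertext[len(keystream):]


def derive_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand a key and nonce into a keystream with HMAC-SHA256 in counter mode
    (an assumed construction, used only to make the toy scheme deterministic)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def fixed_encrypt(plaintext: bytes, key: bytes):
    """The corrected scheme: a fresh random nonce per file, so a keystream
    recovered from one file is useless against any other. Returns (nonce, ciphertext)."""
    nonce = os.urandom(16)
    return nonce, flawed_encrypt(plaintext, derive_keystream(key, nonce, KEYSTREAM_LEN))


def demo() -> dict:
    """Run the recovery against the flawed scheme and show it fails against the fix."""
    key = os.urandom(32)
    # Flawed scheme: one keystream shared by every file.
    shared_ks = derive_keystream(key, b"same-nonce-every-file", KEYSTREAM_LEN)
    # Constructed victim files: one the victim still has a backup of, one they do not.
    backed_up = b"Quarterly report (backup copy available) " * 3  # 123 bytes > KEYSTREAM_LEN
    lost = b"Family photos index: IMG_0001.jpg, IMG_0002.jpg ..." * 2
    c_backed_up = flawed_encrypt(backed_up, shared_ks)
    c_lost = flawed_encrypt(lost, shared_ks)
    ks = recover_keystream(backed_up, c_backed_up)   # known pair -> full keystream
    recovered_lost = decrypt_with_keystream(c_lost, ks)
    # Edge case: a known file shorter than the prefix recovers only part of the keystream.
    short = b"short note"
    partial = recover_keystream(short, flawed_encrypt(short, shared_ks))
    # Fixed scheme: the keystream recovered from file 1 does not decrypt file 2.
    _, f1 = fixed_encrypt(backed_up, key)
    _, f2 = fixed_encrypt(lost, key)
    ks_fixed = recover_keystream(backed_up, f1)
    return {
        "full_keystream_recovered": ks == shared_ks,
        "lost_file_recovered": recovered_lost == lost,
        "partial_keystream_len": len(partial),
        "fixed_scheme_cross_decrypt": decrypt_with_keystream(f2, ks_fixed) == lost,
    }


if __name__ == "__main__":
    print(demo())
```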

Massive Gmail credential leak is not result of a breach. Google investigated a dump of Gmail credentials posted online and found that the credentials were not the result of a breach and that less than 2 percent of the credentials might have worked. Users were advised to change their passwords, use strong passwords, and enable two-factor authentication if possible as a precaution.

Details disclosed for critical vulnerability patched in Webmin. A researcher with the University of Texas published details on a critical vulnerability in Webmin that was patched in May, showing that the vulnerability could have been used by unauthenticated users to delete files stored on the server.

Apache warns of Tomcat remote code execution vulnerability. The Apache Software Foundation warned users of some older versions of Apache Tomcat that they are vulnerable under limited circumstances to a vulnerability that could allow an attacker to upload malicious JavaServer Pages (JSP) to a server, trigger the execution of the JSP, and then execute arbitrary commands on the server. The vulnerability affects versions 7.0.0 to 7.0.39 and users were advised to update their installations.

9/11/2014

Vendor fixes vulnerabilities in wireless traffic sensors. Sensys Networks, a company that manufactures sensor devices used in wireless traffic control systems, announced September 5 that it released software updates for its products to address security vulnerabilities and protect systems against attacks caused by lack of encryption or sufficient authentication methods. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory stating that the issues affect Sensys Networks VSN240-F and VSN240-T systems and advised operators to update their software installations.

Adobe fixes critical flaws in Flash Player, delays Reader and Acrobat updates. Adobe Systems released a critical security update for its Flash Player software, closing 12 security issues, 9 of which could lead to remote code execution. The company also delayed planned patches for Reader and Acrobat by 1 week due to issues identified during testing.

September Patch Tuesday: Microsoft closes door on IE zero day attacks. Microsoft released its monthly Patch Tuesday round of updates for September, with 4 bulletins closing 42 vulnerabilities in various Microsoft products. One bulletin for the Internet Explorer browser closes 37 vulnerabilities, 1 of which was a critical Internet Explorer zero-day vulnerability.

Use home networking kit? DDoS bot is BACK…and it has EVOLVED. A researcher identified a new variant of the Lightaidra router-to-router malware that targets consumer-grade cable and DSL modems using default passwords in order to use them in distributed denial of service (DDoS) attacks. The new variant is able to reconfigure victims’ firewalls and requires Linux to be running on targeted devices in order to infect them.

Apple beefs up security, sends iCloud access alert. Apple announced September 5 that within 2 weeks it would implement new security policies for its iCloud service following attacks that leaked personal photos belonging to celebrities. Some features have already been implemented, such as a notification when an iCloud account is accessed via a Web browser.

Phishing miscreants are THWARTING secure-sleuths with AES crypto. Researchers with Symantec identified what they believe was the first use of AES encryption to disguise fraudulent Web sites designed to steal users’ login credentials. The use of AES encryption allows attackers to make the analysis of phishing sites more difficult without affecting how the sites appear and function to users.

Yandy.com hacked, financial information exposed. Yandy.com notified its customers that a Web-based database hosting customers’ information, including payment card data, was accessed by an unknown party at least four times between May 28 and August 18. The online retailer detected the breach August 18 and has implemented additional measures to secure its systems.

9/10/2014

Malvertising on YouTube and Amazon delivers sophisticated malware. Researchers with Cisco’s Talos Security Research identified a malvertising campaign dubbed Kyle & Stan that began in May and is currently affecting Windows and Mac users on popular Web sites such as Amazon and YouTube. The campaign inserts malicious ads that serve various forms of spyware, adware, and browser hijacking malware and uses unique configuration files and encryption to attempt to avoid detection.

Dyre banking trojan targets Salesforce customers. Customer relationship management (CRM) provider Salesforce found that the Dyre banking malware (also known as Dyreza) has been used against some of its customers but found no evidence that any were impacted. The malware uses man-in-the-middle (MitM) attacks to steal credentials and Salesforce advised its users to ensure that their systems were protected against the malware.

Hackers going Nuclear following Blackhole takedown. A Zscaler ThreatLabz researcher identified a campaign utilizing the Nuclear Exploit Kit and compromised sites including SocialBlade.com, AskMen.com, and Facebook survey scam pages to attempt to infect users’ systems. The researcher reported that the Nuclear Exploit Kit has become increasingly popular in the last 3 months following the arrest of the alleged creator of the Blackhole Exploit Kit.

New timing attack could de-anonymize Google users. Mavenlink identified and reported an issue in Google accounts that could be used by an attacker in specific circumstances to identify when a particular user visits a site by sharing a Google document with the user’s address. Google acknowledged the issue but stated it would not address the issue because the risk presented was judged to be low and only usable in limited circumstances.

Home Depot confirms months-long hack. Home Depot representatives confirmed September 8 that the company’s payment systems were breached as early as April 2014 and the attack went unnoticed until September 2 when banking institutions reported unusual activity connected to debit and credit card data from the company’s stores in the U.S. and Canada. The company is working with the U.S. Secret Service to determine the scope of the breach and has implemented additional security measures at its stores.

9/9/2014

Dodgy Norton update borks UNDEAD XP systems. Symantec issued a fix for a recent update to its Norton security software after some users running Windows XP reported issues after applying the update.

Hackers target Apple Mac OS X with 25 malware variants. F-Secure released its Threat Report H1 2014, which found that 25 new malware variants targeting Apple OS X systems were observed in the first half of the year. Several variants were observed being used in targeted attacks against activists, the energy industry, and other industries.

Social engineering campaign leads to malicious Chrome extension. Trend Micro researchers identified a social engineering campaign that uses malicious shortened Twitter links to lead victims to a malicious Chrome browser extension used in a click fraud campaign. The malicious extension circumvents Google’s security policy against non-Chrome Web Store apps by creating a folder in the browser directory where it then drops its components.

9/8/2014

Bitcoin exchange CEO pleads guilty to enabling Silk Road drug deals. The former CEO of Bitcoin exchange BitInstant and a Bitcoin seller pleaded guilty September 4 in New York City to charges of operating an unlicensed money exchange that was used to facilitate illicit transactions for users of the Silk Road underweb marketplace.

Cyberespionage group starts using new Mac OS X backdoor program. FireEye researchers found that a cyberespionage group dubbed GREF has recently begun using a backdoor program known as XSLCmd that targets Mac OS X systems in order to steal files and install additional malware. The GREF group is known for attacks on several sectors including the U.S. defense industry as well as electronics manufacturers, engineering firms, and non-governmental organizations worldwide.

Coursera privacy issues exposed. A researcher identified and reported two issues in the Coursera online educational software that could disclose a list of students’ names, email addresses, and information on their courses, and could disable a stated protection feature. Coursera partially addressed one of the reported issues while the second remains unaddressed.

Researchers discover two SQL injection flaws in WordPress security plugin. Researchers with High-Tech Bridge identified and reported two SQL injection vulnerabilities in the All in One WordPress Security and Firewall plugin that affect version 3.8.2 and likely all prior versions.

Verizon failed to tell 2 million using their personal info for marketing. Now the FCC is making it pay. The U.S. Federal Communications Commission issued a $7.4 million fine against Verizon after the company failed to tell 2 million customers of their ability to opt out of having their personal information used for marketing purposes for 6 years. Verizon agreed to pay the fine and stated that the technical glitch has since been fixed.

9/5/2014

Updated Vawtrak banking malware strain expands target list. Researchers with PhishLabs identified a new variant of the Vawtrak financial malware (also known as Neverquest) that has added features in the last month enabling it to expand its targets to users in the U.S., Canada, and Europe. The malware targets financial institutions as well as social networks, online retailers, gaming portals, and analytics firms and can steal credentials and automate fraudulent transactions.

Old Slider Revolution vulnerability massively exploited. Researchers at Sucuri found that attackers began heavily exploiting an old vulnerability in unpatched versions of the Slider Revolution Premium plugin for WordPress during August, which could allow a Local File Inclusion (LFI) attack. The vulnerability was fixed in February and all users were advised to update to the latest version as soon as possible.

CERT warns of Android apps vulnerable to MitM attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) published a list of popular Android apps that expose users to man-in-the-middle (MitM) attacks because the apps do not properly validate SSL certificates. CERT/CC released its findings in a spreadsheet detailing its results and is attempting to contact the authors of every app that failed the organization’s tests.

Home router DNS settings changed via Web-based attack. Kaspersky Lab researchers identified a Web-based attack that uses Web pages with malicious scripts to attempt to change users’ home router Domain Name System (DNS) settings in order to redirect users to phishing pages of financial institutions. The attack was mostly observed in Brazil but also targeted some users in the U.S., Canada, Mexico, and other countries.

VirusTotal mess means YOU TOO can track Comment Crew! A researcher released findings on how he was able to use structured data and analysis to identify a subgroup of the Comment Crew group and an unnamed Iranian group using Google’s VirusTotal service to test new versions of malware against security software and check for detection rates.

Semalt botnet hijacked nearly 300k computers. Incapsula researchers reported that the Semalt botnet is spreading quickly and is currently made up of around 290,000 infected machines. The botnet is linked to a Ukrainian search engine optimization (SEO) service and spams millions of Web sites in a referrer spam campaign designed to fraudulently boost a site’s search engine ranking.

9/4/2014

Linux systems infiltrated and controlled in a DDoS botnet. Researchers at Akamai Technologies reported that Linux systems could be at risk of infection by the IptabLes and IptabLex malware, which compromises systems and uses them in distributed denial of service (DDoS) attacks. The researchers reported that the infections appeared to be caused by a large number of Linux-based Web servers being compromised via Apache Struts, Tomcat, and Elasticsearch vulnerabilities.

Firefox 32 moves to kill MITM attacks. The Mozilla Foundation released version 32 of its Firefox browser, which adds new features including public key pinning to help protect users against man-in-the-middle (MitM) attacks.

Apple fixes glitch in Find My iPhone app connected to celebrity photo leak. A security issue in Apple’s Find My iPhone app that researchers demonstrated could be exploited in brute force attacks was fixed by the company. Apple stated that a recent breach of celebrities’ personal photos stored in its iCloud service was not the result of the researchers’ findings, but instead involved targeted attacks on the individuals’ accounts.

Cybercriminals love PayPal, financial phishing on the rise. Kaspersky Lab researchers released statistics on spam and phishing emails for the month of July, which found that phishing emails targeting financial services increased 7.9 percent during the month, with PayPal being the most targeted company. The researchers also found that the overall share of spam in all email traffic increased 2.2 percent to a total of 67 percent during July, among other findings.