Fraud Alert Message Center
Tips for Safe Banking Over the Internet
As use of the Internet continues to expand, more banks are using the Web to offer products and services or otherwise enhance communications with customers.
The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices - decisions that will help you avoid costly surprises or even scams.
- Consumer Best Practices for Online Banking
- Business Best Practices for Online Banking
- Recommendations for Online Fraud Victims
- Recommendations for Mobile Phone Security
Current Online Threats
Please be aware of any email you receive claiming to come from the following organizations: FDIC, FFIEC, NACHA, EPCOR, the Federal Reserve, and the Better Business Bureau. None of these organizations should ever send you unsolicited emails regarding your bank or your bank accounts. If you receive an email purporting to be from any of the above organizations, or any other email you are unsure about, do not open it or its attachments. The email could potentially contain a virus or malware.
For more information regarding email and phishing scams, please visit: http://onguardonline.gov/
Online Shopping Tips for Consumers. Click Here for Information.
ATM and Gas pump skimming information. Click Here for Article.
Target Card Breach - A breach of credit and debit card data at discount retailer Target may have affected as many as 70 million shoppers. The Secret Service, which is charged with safeguarding the nation's financial infrastructure and payment systems, confirmed it was investigating the breach. Please be assured we are aware of the breach. As we receive additional information from Visa, we will notify any client whose card has potentially been compromised. Customers should monitor their account activity online if they have used their card at Target and report any fraudulent activity to the bank.
Advisory of “Shellshock” Vulnerability
On September 24, 2014, multiple security experts began reporting on a security vulnerability, Shellshock, which affects an application called Bash.
1. Bash, which stands for the GNU Bourne-Again Shell, is the command shell distributed with most versions of Linux and many other Unix-like systems (including OS X);
2. Could allow an unauthenticated remote attacker to run commands on an affected system, which in turn would let the attacker obtain information, modify authentication parameters, and disrupt service; and
3. Is currently rated 10, the highest possible score, for Severity, Impact, and Exploitability under the Common Vulnerability Scoring System (CVSS).
In response, it is recommended that business clients work with their IT professionals to:
1. Identify, filter, and block Internet Protocol (IP) addresses that may be scanning systems for the vulnerability.
2. Review all systems and services to identify any that may be vulnerable; any service that copies untrusted input into environment variables before invoking Bash (for example, CGI scripts on web servers) deserves first attention.
3. Obtain and apply vendor patches for every vulnerable system and service. The first Bash fix was incomplete and follow-up patches were issued, so confirm that the final patch level is installed rather than relying on the initial update.
Shellshock known vulnerabilities and vendor statuses: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
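The following is an added example, not part of the original advisory or any vendor's tooling, that covers steps 1 and 2 above: a local test of whether the installed Bash still imports trailing code from a function-style environment variable (the CVE-2014-6271 behaviour), and a filter that pulls the source IP addresses of Shellshock-style probe requests out of combined-format web server access logs. The log lines are constructed for the example and use documentation address ranges; the function names `shellshock_check` and `shellshock_scanner_ips` are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code). Requires only POSIX sh plus bash for the
# local check; run the log filter against your own access logs on stdin.

# Step 2: test one bash binary for the original Shellshock behaviour.
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # A vulnerable bash parses the exported value as a function definition
    # and then executes the trailing "echo VULNERABLE" while importing its
    # environment, before the -c command ever runs. A patched bash ignores it.
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Step 1: list unique client IPs whose requests carried the "() {" marker
# that CGI would have copied into an environment variable (typically via the
# User-Agent, Referer or Cookie header). Reads combined-format log lines on
# stdin; the client IP is the first field of each line.
shellshock_scanner_ips() {
    grep -F '() {' | awk '{print $1}' | sort -u
}

# Constructed sample log (documentation address space, not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; /bin/bash -c \"id\""
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; echo x"
EOF
}

# Usage when run directly:
#   shellshock_check /bin/bash
#   sample_access_log | shellshock_scanner_ips   (feed a real log instead)
```

The IP list is the input for a firewall block list; the local check only covers the first Shellshock bug, so a "patched" result should still be confirmed against the vendor's final patch level.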
CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware that encrypts users’ files and demands a ransom to decrypt them.
1.2 million Networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.
Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.
Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology which could allow an attacker to perform remote code execution if a user opens a specially-crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003 and Microsoft advised users to apply a series of workarounds until a patch can be released.
Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link directing users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices' screens with a fake law enforcement page and demands a ransom to be paid via MoneyPak voucher.
Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad hosted on the googlesyndication.com network and attempts to change the DNS settings on users’ home routers in order to lead them to potentially malicious Web sites.
Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any .PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.
Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.
One week after patch, flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underweb forums known as Fiesta that is bundled with an exploit for a recently-patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.
Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.
Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to obtain user names, domain names, and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply the best-practice configuration guidelines developed by the company.
Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch.
Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users' Dropbox and email credentials. Because the page is served from Dropbox's own domain over its secure sockets layer (SSL) connection, the browser shows a valid certificate and the page appears legitimate.
Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities.
Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems.
Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running the GE Intelligent Platform’s CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack and use the vulnerability to install the Black Energy malware.
SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition.
New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner.
XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers.
Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information.
All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner lid when open, issuing commands to malware already planted on the system via USB drive or other method. The researchers were able to successfully test the method at a target printer inside a building at 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers.
Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices.
Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack.
New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers.
FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access Trojan, and the Hikiti malware used to control compromised systems.
Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible.
Microsoft patches two more 0-days actively used by attackers. Microsoft released its monthly Patch Tuesday round of patches for October, closing several critical vulnerabilities including the SandWorm vulnerability and others exploited by attackers.
Flash Player 15 update plugs remote code execution bugs. Adobe released patches for three critical vulnerabilities in its Flash Player consisting of two memory corruption issues and one integer overflow vulnerability.
Mozilla fixes critical bugs in Firefox 33. Mozilla released the latest version of its Firefox browser, closing several critical vulnerabilities and adding improved functionality.
SSL 3.0 falls in the face of POODLE attack, needs to be disabled. Researchers with Google designed an attack named POODLE that can exploit a flaw in the design of the Secure Sockets Layer 3.0 (SSL 3.0) protocol that can allow the extraction of data from secure connections using the protocol. SSL 3.0 has been superseded by several other protocols but is still used in some clients and servers and as a backup protocol by Web browsers if modern protocols are unavailable.
Malware-like browser pop-ups used by advertisers to push apps on Android. A researcher at Malwarebytes reported that some advertisers are using fake warning or update notifications directed at Android users in an attempt to get them to download legitimate but potentially unwanted programs in an affiliate marketing scheme.
BlackBerry 10 devices open to bug that allows malicious app installation. BlackBerry released a patch for a vulnerability in BlackBerry 10 devices that could allow an attacker with a man-in-the-middle position to replace legitimate apps downloaded through the BlackBerry World app store with malicious apps.
Malicious YouTube ads lead to exploits, ransomware. Trend Micro researchers identified and reported a malvertising campaign where attackers appeared to have bought traffic from legitimate ad providers in order to place malicious ads on popular YouTube videos to redirect users through several sites to a server hosting the Sweet Orange exploit kit. The exploit kit then attempts to infect users with the Kovter ransomware via an Internet Explorer vulnerability.
Massive Oracle security update lands on Microsoft Patch Tuesday. Oracle released over 150 patches for several of its products, closing critical vulnerabilities in several products including Oracle Database and Java SE.
Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sectors. Microsoft is expected to release a patch for the zero-day which exploits supported versions of Microsoft Windows and Windows Server 2008 and 2012.
Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs were publicized on Pastebin with a poster claiming that more would be published with Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had identical usernames and passwords for Dropbox.
The snappening: Snapsaved admits to hack that leaked Snapchat photos. Snapsaved, a third-party Snapchat client, confirmed that it was hacked through a misconfiguration of its Apache server, leading to the release of about 500MB of images containing between 90,000 and 200,000 photos and videos. Snapsaved subsequently deleted the entire Web site and database associated with the breach.
Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that a version of Track-It!, the IT helpdesk solution created by BMC Software, contains three vulnerabilities: improper permissions, privileges, and access control; missing authentication for a critical function; and a blind SQL injection issue. The company is working on addressing the issues.
New mobile Trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available for Android devices houses the Gomal Trojan, which allows attackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept presented at Black Hat 2013 and that its root capability relied on a Samsung Exynos memory-access vulnerability that has since been patched.
HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent signature on a four-year-old Trojan that may have been included in the software.
New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and removes a bootkit component.
Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting a number of Linux and UNIX systems attacked from several IP addresses belonging to the Mayhem botnet. The botnet was found to be scanning Internet-facing systems for the Shellshock vulnerability in order to drop a new remote installer written in Perl.
Flaw in PayPal authentication process allows access to blocked accounts. A researcher with Vulnerability Laboratory identified and reported a flaw in the mobile authentication process for PayPal that can allow an attacker to attempt to input passwords an unlimited number of times without causing the account to be locked. The issue reported in March 2013 affects the iOS mobile app for PayPal and a fix is not currently available.
ATM programmer's reference manual leaked online. F-Secure researchers found a document online using the Baidu search engine that contains API documentation for ATM cashpoints manufactured by NCR Corporation during an investigation into ATM malware. The programming reference materials could be used by attackers to inform their development of ATM malware.
Aggressive Selfmite SMS worm variant goes global. Researchers with AdaptiveMobile identified a new variant of the Selfmite SMS worm for Android that spreads via malicious links in SMS messages that lead to a trojanized Google Plus app. The worm uses compromised devices to send the malicious SMS messages to every contact on the device several times and redirect users to unsolicited subscription Web sites.
Multiple vulnerabilities found in SAP enterprise software. Researchers at Onapsis published seven advisories for flaws in SAP HANA, SAP BusinessObjects, and SAP NetWeaver Business Warehouse enterprise software, including a remotely exploitable command injection vulnerability in HANA that could allow an unauthenticated attacker to completely compromise the SAP system and the information it handles and stores.
Several Siemens industrial products affected by ShellShock bug. Siemens released an advisory warning that variants of the Shellshock vulnerability can be leveraged by attackers against several of its products including some versions of Rugged Operating System on Linux (ROX) 1 and ROX 2 and APE Linux versions. The company is working on developing patches for the affected products.
There is anti-BadUSB protection, but it's a bit sticky. The researchers who revealed the details for infecting USB devices via the BadUSB vulnerability released a patch and instructions for preventing the reprogramming of USB devices by disabling the "boot mode" state of the device. The researchers stated that a patched device could be tampered with to reset it and remove the patch, and suggested physically securing the device with glue or similar substances to prevent undetected access.
Tyupkin is new ATM malware that allows cash extraction without card. Researchers with Kaspersky Lab identified and analyzed a new piece of ATM malware known as Tyupkin that is installed on ATMs through a bootable CD and can allow attackers to withdraw currency without a card. The malware includes several security features to prevent access and analysis and was mostly found in Eastern Europe as well as some cases in the U.S., Asia, and Western Europe.
Google fixes 159 security bugs with release of Chrome 38. Google released the latest version of its Chrome browser for Windows, Linux, Mac, and iOS, closing 159 security vulnerabilities.
Adobe spies on reading habits over unencrypted web because your ‘privacy is important.’ Adobe confirmed October 8 that its Digital Editions software collects information on users’ ebooks and sends it to Adobe servers as part of digital rights management (DRM) practices after a researcher reported finding the traffic being sent from Digital Editions. The company also confirmed that the information was sent in an unencrypted format and would be corrected, and stated that it was investigating the researcher’s claims that the program collected additional information on ebooks files stored on users’ systems.
SSDP reflection attacks spike in Q3: Arbor Networks. Arbor Networks released its report on distributed denial of service (DDoS) attacks during the third quarter (Q3) of 2014 and found that Simple Service Discovery Protocol (SSDP) reflection attacks grew significantly during Q3, with almost 30,000 such attacks during the quarter, among other findings.
Siemens swats security bugs affecting PCS 7. Siemens released an update for its PCS 7 supervisory control and data acquisition (SCADA) product that addresses five issues with the WinCC product, including a hard coded encryption key and another issue that could lead to privilege escalation.
Belkin says router outages should be resolved. Belkin stated October 7 that it fixed an issue in some older wireless routers that caused the routers to experience problems around midnight October 7 when pinging a Belkin-hosted service in order to check network connectivity. Belkin advised users still experiencing issues to restart their routers.
Monster banking trojan botnet claims 500,000 victims. Researchers with Proofpoint identified a new banking trojan botnet known as Qbot or Qakbot that has infected 500,000 systems and stolen data from users including 800,000 online banking transactions, with 59 percent of the stolen sessions taken from accounts in major U.S. banks. The researchers found that the malware for the botnet was launched from compromised WordPress sites using drive-by download attacks.
Bugzilla vulnerability exposes undisclosed bugs. The developers of the Bugzilla bug-tracking software released an update to address several security issues, including one reported by Check Point Software Technologies researchers that could allow an attacker to bypass the email validation process and potentially receive information on undisclosed security issues.
Yahoo! changes tune after saying servers were hacked by Shellshock. Yahoo reported October 6 that some servers that were recently compromised were not compromised using the Shellshock vulnerability but instead by a bug in a parsing script used on some servers.
Trojans-SMS are top threat on Android, INTERPOL and Kaspersky say. Kaspersky Labs and INTERPOL released the results of a study of mobile security threats over a 1 year period and found that Android users were the most targeted by attackers, with SMS trojans accounting for 57.08 percent of all detections, among other findings.
Bash bug payload downloads KAITEN DDoS malware source code. Trend Micro researchers detected a payload being delivered via attacks exploiting the Shellshock vulnerability that downloads the source code for the KAITEN distributed denial of service (DDoS) malware.
76M households hit by JPMorgan data breach. JPMorgan Chase & Co. stated October 2 that a large cyberattack against the company’s systems compromised the customer information of around 76 million households and 7 million small businesses. The attack was discovered in August and began as early as June and compromised customers’ names, addresses, email addresses, and phone numbers but the bank stated that there was no evidence that the breach included account information.
CryptoWall 2.0 available in the wild, has new obfuscator. A 2.0 version of the CryptoWall ransomware has been spotted in the wild by researchers and includes the use of the Tor network for communicating with command and control servers and a new obfuscator to prevent analysis and debugging.
Destructive Android trojan poses as newest Angry Birds game. Researchers with Doctor Web identified a piece of destructive Android malware detected as Android.Elite.1.origin that poses as an unreleased Angry Birds game app and once installed deletes a device’s data, blocks communications programs, and sends out a high volume of messages to all contacts on the device.
“BadUSB” code published. Two researchers presenting at the Derbycon 4.0 conference reverse-engineered USB firmware to launch various attacks and posted the attack code online. The flaw in USB firmware that enables the attack was first revealed at the Black Hat conference but the attack code was not released at that time.
Second same-origin policy bypass flaw haunts Android browser. A researcher identified and reported a same-origin policy bypass vulnerability in the Android browser in versions prior to 4.4 that could allow an attacker to steal data from a user’s browser. Google issued a patch for the vulnerability for users of Android 4.1-4.3 in late September.
Major security flaw in Xen hypervisor disclosed. The developers of the Xen hypervisor released a patch after a security vulnerability was disclosed October 1 that could allow an attacker to use a malicious hardware virtual machine to read data from other virtual machines or crash the host machine.
OS X botnet malware uses Reddit to get IPs of control servers. Researchers with Doctor Web found that a piece of botnet malware for OS X known as iWorm uses the search function on Reddit to access a list of command and control (C&C) servers used to receive instructions. Over 17,000 unique IP addresses are associated with systems infected by iWorm and the C&C server addresses are disguised on Reddit by purporting to be addresses for Minecraft servers.
VMware releases software updates to fix ShellShock bug. VMware released patches for several of its products in order to close the Shellshock vulnerability in GNU Bash.
Researchers bypass Redmond’s EMET, again. Researchers with Offensive Security reported that they were able to bypass the fifth version of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) security tool on several versions of the Windows operating system.
Bash bug flung against NAS boxes. FireEye researchers warned that attackers are attempting to exploit the Shellshock vulnerability in GNU Bash in order to compromise Network Attached Storage (NAS) systems before the systems can be patched. The researchers reported that NAS systems made by QNAP were especially targeted and that attackers were seeking to install backdoors.
Joomla re-issues security update after patches glitch. The developers of Joomla released a second version of a security update October 1 after an initial update designed to close critical vulnerabilities created some technical issues with users.
Data breach on Flinn Scientific server lasted for four months. Flinn Scientific officials notified customers on October 2 that anyone who made at least one purchase through its online store since May 2 may have had their financial information, including payment card number and card verification code, compromised after malware was planted on the company's Web-based payment system. The breach was discovered September 8 and the company removed the malicious software from its network.
Four hackers accused of $100m US military software and gaming IP theft. Four individuals were indicted for allegedly stealing over $100 million worth of intellectual property from game developers and the U.S. Army including data from yet-to-be-released games and training software used to train helicopter pilots. Two of the accused pleaded guilty and reportedly used a SQL injection attack to steal the usernames and passwords of employees and software developers in order to gain access to the data.
Xsser mRAT, advanced spyware for iOS, discovered. Researchers with Lacoon Mobile Security identified a new remote access trojan (RAT) for iOS mobile devices dubbed Xsser that targets jailbroken iOS devices and can exfiltrate personal and device data. The researchers believe that Xsser is linked to the Chinese government and targets protestors in Hong Kong.
High risk vulnerability patched in Joomla. The developers of the Joomla content management system (CMS) released a patch for version 3.x closing two vulnerabilities including a remote file inclusion (RFI) issue that could allow an attacker to run remote files.
OpenVPN open to pre-auth Bash Shellshock bug - researcher. The chief technology officer of Mullvad stated that some configurations of OpenVPN are susceptible to the Shellshock vulnerability if Bash is allowed to run scripts. A proof-of-concept for the issue was identified online.
Asprox botnet malware sent through fake Viber email notification. An analysis from Tech Help List identified a new spam campaign utilizing fake Viber emails to attempt to add new bots to the Asprox botnet. The analysis noted that the attackers were using several techniques to hide their malicious activity and avoid analysis by researchers.
Variant of Upatre malware dropper seen in bank emails. A security researcher reported finding a new variant of the Upatre malware dropper attached to emails purporting to be from financial institutions. The new variant is distributed as a download through a link in the malicious emails and has a low VirusTotal detection rate.
Apple patches Shellshock bug in OS X. Apple released a security update for its OS X operating system that closes two remotely exploitable vulnerabilities in the GNU Bash UNIX shell known as Shellshock.
‘Shellshock’ attacks could already top 1 billion: Report. Incapsula researchers reported that the company’s Web application firewall deflected over 217,000 attempted exploitations of the Shellshock vulnerability in GNU Bash during the 4 days after the vulnerability was disclosed and estimated that the total number of attacks attempting to exploit the flaw could reach 1 billion.
Seller of StealthGenie mobile spyware app indicted and arrested. The CEO of InvoCode was arrested September 27 in Los Angeles for allegedly selling and advertising the StealthGenie mobile spyware. The Pakistani national allegedly worked with others to develop and market the spyware that is compatible with major mobile operating systems such as Android, Blackberry, and iOS.
Signed CryptoWall delivered via malvertising campaign on top-ranked websites. Researchers with Barracuda Labs identified a variant of the CryptoWall ransomware signed with a valid digital certificate from DigiCert and spread through malicious ads on the Zedo ad network to several popular Web sites. As of September 29, the CryptoWall variant was detected by 12 of 55 security solutions on VirusTotal.
RadEditor web editor vulnerable to XSS attacks. A researcher identified and reported a cross-site scripting (XSS) vulnerability in the RadEditor text editor used in several Microsoft products that could allow attackers to inject malicious script and obtain private data. The vulnerability was closed by Telerik September 24.
All CloudFlare customers benefit from Universal SSL. CloudFlare announced September 29 that it was providing all customers with SSL certificates under its Universal SSL service to enhance security.
New data breaches hit Supervalu, Albertson's. Supervalu officials reported a second incident September 29 where hackers installed a different piece of malware on the company’s computer system that potentially captured customers’ payment card information from the payment processing systems of four Cub Foods stores in Minnesota and several Albertson’s grocery stores across the U.S. between August and September.
Dyre banking trojan delivered via voice message email notification. Researchers discovered that the Dyre (Dyreza) banking trojan is being distributed via phishing emails claiming to be from financial institutions and bogus emails purporting to notify recipients of a new voicemail message, which include a link to a malware dropper that has five Romanian Portable Executable (PE) resources and downloads a variant of the trojan. The malware relies on the man in the middle (MitM) technique to take over the connection between the client and the server.
U.S. Bank refunding $48 million to customers. The Consumer Financial Protection Bureau ordered U.S. Bank September 25 to refund $48 million to consumers and pay $9 million in penalties to resolve allegations that the bank charged about 420,000 customers for fraudulent credit card add-on products and services that were not provided between 2004 and 2012.
New remote code execution flaws found in Shellshock-patched Bash. Researchers found four additional vulnerabilities in the Bash command interpreter for Linux beyond the original Shellshock flaw, two of which were unofficially patched by subsequent changes to the code. The two remaining bugs could be exploited remotely, and more easily, because address space layout randomization (ASLR) is rarely used when compiling Bash.
Ello social network recovers after DDoS attack. Administrators with Ello, a social networking site, announced they blocked a bad IP address that was responsible for sending junk traffic after reporting the site was under an apparent distributed denial of service (DDoS) attack.
Cisco lists 31 products vulnerable to the Shellshock vulnerability. Cisco released a list of 31 products vulnerable to the Shellshock glitch which included connection routing, network management, and media content delivery and encoding, among others. Oracle also released a list of 32 products vulnerable to attack by the Bash bug after the company changed its initial list and appended new products.
iThemes users asked to change passwords following attack. The CEO of iThemes, a WordPress themes, plugins, and training provider, advised 60,000 past and current users to reset their passwords following an attack on its membership database that may have compromised usernames, email addresses, passwords, names, IP addresses, and purchase information.
Dyre malware takes inventory of software on infected systems. Researchers from Proofpoint analyzed a new variant of the Dyre (also known as Dyreza) banking trojan and found that several new features were added to the malware, including the addition of its own SSL certificate and a feature that enables hackers to collect cookies, client-side certificates, and private keys from an infected computer’s Windows Certificate Store. The latest version of the Trojan can also extract a list of installed programs and services from an infected computer to be used by hackers to determine which vectors can be exploited in the future.
Honeypot catches malware exploiting Shellshock Bash bug. AlienVault researchers found, through their honeypots, two pieces of malware exploiting the Shellshock Bash vulnerability: an Internet Relay Chat (IRC) bot and an Executable and Linkable Format (ELF) binary that gives malicious actors the ability to use the infected machine in distributed denial of service (DDoS) attacks. Patches are available for several software platforms as attackers rapidly work to exploit the CVE-2014-6271 vulnerability.
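Both the Incapsula WAF figures and the AlienVault honeypot catches above depend on recognising the Shellshock trigger in inbound requests. The following is an added illustration (not code from the page or from either vendor) of that detection logic run over constructed web-server log lines; the log format, IP addresses and probe strings are all constructed, and the trigger pattern is the Bash function-definition prefix that the CVE-2014-6271 patch stopped importing from environment variables.

```python
"""Flag Shellshock (CVE-2014-6271) probes in web-server access logs.

Added example, not from the page or from Incapsula/AlienVault. Assumptions:
combined-format log lines (client IP first, then request, referer and
user-agent in quotes), which is where CGI servers take the header values
that end up in environment variables. All sample data is constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Pre-patch Bash evaluated any environment variable whose value began with
# a function definition "() {". Whitespace between the tokens varies in the
# wild, so the pattern allows it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed log lines. Line 1 carries the trigger in the User-Agent,
# line 3 in the Referer, line 4 percent-encoded in the query string;
# line 2 is benign.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.8 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { x; }; echo probe" "curl/7.37"
198.51.100.10 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/a?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def normalise(line: str) -> str:
    """Undo one layer of percent-encoding so encoded probes are not missed."""
    return unquote(line)


def find_shellshock_probes(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, client_ip) for every line carrying the trigger.

    The check runs on the whole line on purpose: any header a CGI server
    copies into the environment is a possible carrier, not just User-Agent.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        if SHELLSHOCK_RE.search(normalise(line)):
            client_ip = line.split(" ", 1)[0]
            hits.append((lineno, client_ip))
    return hits


def probe_sources(log_text: str) -> List[str]:
    """Distinct client IPs that sent probes, in first-seen order (for blocking / reporting)."""
    seen: List[str] = []
    for _, ip in find_shellshock_probes(log_text):
        if ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    for lineno, ip in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {lineno}: Shellshock probe from {ip}")
```

A real deployment would also check request bodies and any custom headers the server exports to CGI, and would decode more than one encoding layer.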
Phishers go after unprecedented breadth of targets. The Anti-Phishing Working Group (APWG) released its Global Phishing Survey co-authored with Internet Identity (IID) and found that in the first half of 2014 Apple was the most phished brand in the world, accounting for 17 percent of all reports sampled. PayPal came in second accounting for 14.4 percent or 17,811 targeted attacks the report stated, among other findings.
BlackEnergy malware linked to targeted attacks. ESET and F-Secure researchers found that the BlackEnergy malware has been active in targeted attacks in 2014, modified to be used as a tool for sending spam and for online bank fraud. The alteration was dubbed “BlackEnergyLite” by researchers due to its lack of a kernel-mode driver component, reduced plug-in support, and a lighter overall footprint.
New Tinba banking trojan variant is stealthier, uses public key signing. Researchers from Trusteer analyzed an updated variant of the Tiny Banker (also known as Tinba) financial malware and discovered that the authors added a domain generation algorithm (DGA) and fitted it with user-mode rootkit capabilities and a verification process to make sure that messages are sent from an authentic bot master.
Mozilla to part ways with SHA-1. Mozilla asked Certificate Authorities and Web sites to upgrade certificates to SHA-256, SHA-384, or SHA-512 after experts reported that collision attacks against SHA-1 will be practical by 2018. Mozilla will release warnings to update certificates on versions of Firefox in early 2015.
Fiberlink wipes one smartphone or tablet every three minutes. Researchers at Fiberlink examined 130,000 devices managed by MaaS360 and found that one mobile device is wiped every 3 minutes. The study also determined that in 2013 businesses, on average, cleared 10 percent to 20 percent of their entire device populations yearly.
Mitigations for Spike DDoS toolkit-powered attacks. Akamai Technologies released an advisory alerting enterprises of the Spike distributed denial of service (DDoS) toolkit that runs on a Windows system and can launch infrastructure-based and application-based DDoS payloads including SYN flood, UDP flood, GET flood, and Domain Name System (DNS) query floods. The toolkit can be mitigated by implementing access control lists (ACLs).
Apple’s new iPhone 6 vulnerable to last year’s TouchID fingerprint hack. Lookout researchers found that a vulnerability that could allow access into Apple’s iPhone 6 and 6 Plus models through their TouchID fingerprint sensors remained unpatched. Scammers can unlock the devices by creating a fake fingerprint, the same flaw that was found in the iPhone 5S model in 2013.
DDoS attackers turn fire on ISPs and gaming servers. NSFOCUS researchers determined gaming hosts and Internet service providers (ISPs) have been the focus for distributed denial of service (DDoS) attacks in 2014, rising in the first half to 10 percent and nearly 15 percent of attacks respectively.
Kyle and Stan malvertising network nine times bigger than first reported. Researchers found nearly 6,500 malicious domains are involved in the Kyle and Stan malvertising network and over 31,000 connections were made to the domains, nine times larger than originally reported by Cisco. The campaign is unique in its ability to infect Windows and Mac OS X software differently and can drop ads on larger Web sites.
Hackers target Destiny and Call of Duty servers with DDoS attack. Several servers for online games Destiny and Call of Duty: Ghosts went down during the weekend of September 20 due to a distributed denial of service (DDoS) attack that affected PlayStation and Xbox users. Attackers claiming affiliation with the Lizard Squad group claimed responsibility for the attacks.
Exercise-tracking app not QUITE fit for purpose. A researcher identified and reported a direct object reference vulnerability in the MyFitnessPal app that allowed users’ personal information, including location and dates of birth, to be accessed by any user. The vulnerability was closed 2 days after being reported.
Yahoo fixes RCE flaw leading to root server access. A researcher identified and reported a series of vulnerabilities in a Yahoo domain which led to a remote code execution vulnerability that was leveraged to gain root access to a Yahoo server. The vulnerability was reported September 5 and closed September 7.
Payment card info of 880k Viator customers compromised. Viator representatives confirmed September 19 that the company was made aware September 2 that its network was breached and the encrypted personal and financial information of about 1.4 million customers may have been compromised. Customers were advised to update their Viator online account information, including passwords.
Bank tellers helped steal identities, $850G, A.G. says. Five people, including three bank tellers at branches in New York and Florida, were indicted September 16 in White Plains, New York, for allegedly running an identity theft and bank fraud ring that stole over $850,000 in funds as well as customers’ personal information over at least 4 years. The tellers allegedly supplied information to their co-conspirators that enabled them to create fraudulent checks, driver’s licenses, and other documents used to withdraw the stolen funds from bank branches in Connecticut, Massachusetts, and New York.
Apple fixes “backdoors” with release of iOS 8. Apple released the newest version of its mobile operating system, iOS 8, September 17, which adds improvements and closes over 50 security vulnerabilities.
Series of vulnerabilities found in Schneider Electric SCADA products. An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned users of Schneider Electric StruxureWare SCADA Expert ClearSCADA products after researchers discovered unpatched, remotely-exploitable vulnerabilities. Included in the vulnerabilities is a cross-site scripting (XSS) issue that could allow industrial control systems (ICS) to be shut down, while an authentication bypass issue could give attackers access to sensitive information.
AppBuyer iOS malware targets jailbroken iPhones. Researchers with Palo Alto Networks analyzed a piece of iOS malware discovered by WeiPhone Technical Group in May and found that the malware dubbed AppBuyer is targeting jailbroken iPhones in order to steal Apple ID and password information and make unauthorized purchases from the App Store.
Analysts spot ‘Critolock,’ ransomware claims to be CryptoLocker. Researchers at Trend Micro identified a new piece of ransomware known as Troj_Critolock.A or Critolock that infects devices and encrypts users’ data and demands a ransom. The malware purports to be the CryptoLocker ransomware but contains several differences including its use of the Rijndael symmetric-key algorithm.
Drupal patches XSS vulnerability in spam module. Drupal released a patch September 17 for the Mollom spam and content moderation module that closes a cross-site scripting (XSS) vulnerability that could allow an attacker to gain admin-level access to Web sites and enable them to steal data or hijack sessions.
Breach at Goodwill vendor lasted 18 months. Payment vendor C&K Systems stated that its hosted managed services systems were found by investigators to be compromised between February 10, 2013 and August 14, 2014, allowing the installation of the infostealer.rawpos point of sale (PoS) malware that led to payment card breaches from over 330 Goodwill retail locations. The malware infection was not detected by the company’s systems until September 5 and affected Goodwill and two other customers.
Twitter fixes vulnerability potentially impacting company’s ad revenue. A security researcher identified and reported a vulnerability in a Twitter subdomain that could be used to delete the payment card information used by advertisers to pay for ads on the social media network. Twitter addressed the vulnerability and awarded a $2,800 bounty to the researcher.
Amazon fixes persistent XSS vulnerability affecting Kindle library. Amazon addressed a cross-site scripting (XSS) vulnerability on the Amazon Web page used to manage users’ Kindle libraries that could be used by an attacker to inject malicious code through eBook metadata.
Macro based malware is on the rise. Researchers with Sophos found that macro-based malware created in Visual Basic rose from around 6 percent of document malware to 28 percent in July, among other findings.
Adobe gets delayed Reader update out the door. Adobe released new versions of Adobe Reader and Acrobat September 16 that were delayed during Adobe’s scheduled patch release the week of September 8. The updates close eight vulnerabilities including two memory corruption issues and a cross-site scripting (XSS) vulnerability affecting Macintosh users.
Archie exploit kit targets Adobe, Silverlight vulnerabilities. Researchers at AlienVault Labs analyzed a new exploit kit first identified by EmergingThreats researchers and found that the Archie exploit kit attempts to exploit older versions of Adobe Flash, Reader, and Microsoft Silverlight and Internet Explorer.
Malicious Kindle eBooks can give hackers access to your Amazon account. A security researcher identified a security issue in Amazon’s “Manage your Kindle page” that can be exploited using a malicious eBook file to take over a user’s Amazon account. The same vulnerability was reported and fixed in November 2013 but was reintroduced in a new version of the page.
THREE QUARTERS of Android mobes open to web page spy bug. A Metasploit developer released a Metasploit module for a vulnerability in Android versions 4.2.1 and below that was discovered September 1, which could automate an exploitation of the vulnerability and allow attackers behind a malicious Web page to see users’ other open pages and hijack sessions.
LinkedIn feature exposes email addresses. Researchers with Rhino Security Labs demonstrated how an attacker could use a ‘find connections’ feature in LinkedIn and a large number of email contacts generated with likely email addresses to identify the email address of specific individuals for possible use in spear-phishing or other malicious activities. LinkedIn stated that it was planning at least two changes to the way the professional network handles user email addresses to counteract the issue.
SNMP DDoS scans spoof Google public DNS server. The SANS Internet Storm Center reported September 15 that large-scale scans of Simple Network Management Protocol (SNMP) spoofing Google’s public DNS server traffic were taking place, indicating a scan being used to identify routers and devices using default SNMP passwords. Vulnerable routers and devices could have their configuration variables changed, creating a denial of service (DoS) situation on the affected devices.
Twitch chat malware spreads, wipes dry Steam accounts. Researchers at F-Secure identified a piece of malware known as Eskimo that is being spread through a fake raffle invitation in Twitch.tv’s chat feature. The page used for the fake raffle sign-up drops the Windows binary that can take screenshots as well as take control of the client for gaming service Steam to add friends, trade or sell items, and buy items if funds are available.
Freenode suffers breach, asks users to change their passwords. IRC network Freenode notified users that it experienced a security breach September 13 and advised all users to change their passwords as a precaution.
Vulnerabilities found in website of Google-owned Nest. A security researcher identified and reported several security vulnerabilities in the Web site of home automation company Nest, including a file upload vulnerability that could allow attackers to upload a shell and gain access to personal and financial details of Nest customers. Google stated that the issue was addressed by restricting access to the affected domain and redirecting visitors to a different domain.
Four vulnerabilities patched in IntegraXor SCADA. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory September 11 advising users of Ecava Sdn Bhd’s IntegraXor supervisory control and data acquisition (SCADA) server software to patch their systems after four remotely exploitable vulnerabilities were discovered. The software is primarily used for industrial automation in firms managing railways, sewage systems, telecommunications, and heavy engineering.
Chinese attack groups operate in parallel in cyber espionage campaigns: FireEye. Researchers with FireEye discovered two cyberespionage campaigns originating in two regions of China that appear to share several commonalities including using the same custom backdoors and remote access trojans (RATs). One campaign dubbed Moafee targets various military, government, and defense industry entities while the second known as DragonOK targets high-tech and manufacturing companies in Taiwan and Japan.
Researchers find malicious extension in Chrome Web Store. Trend Micro researchers identified several malicious extensions inside the Chrome Web Store, including one spread via a Facebook scam campaign that allows attackers to post statuses, send messages, and take other actions using a victim’s Facebook account.
Zemot malware dropper strain delivered via Asprox botnet and exploit kits. Microsoft researchers analyzed the Zemot malware dropper, a variant of Upatre, and observed that it has been distributed through the Asprox (also known as Kuluoz) spam botnet and via exploit kits including Magnitude and Nuclear Pack. Once it infects a system the dropper can then deliver click fraud malware and was recently observed to distribute information-stealing malware including Rovnix, Tesch, and Viknok.
TorrentLocker unpicked: Crypto coding shocker defeats extortionists. Researchers with Nixu found that the encryption used by the TorrentLocker ransomware to encrypt victims’ files can be defeated if a user has an original (unencrypted) copy of one encrypted file over 2MB in size, by applying XOR between the encrypted and unencrypted versions of that file.
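The recovery described above works because XORing every file with the same keystream means plaintext XOR ciphertext yields that keystream. The block below is an added illustration of the recovery procedure, not TorrentLocker's code or Nixu's tool; it assumes a model in which the malware XORs only the first PREFIX_LEN bytes of each file with one fixed keystream (the report's 2MB is shortened to 64 bytes so the example runs instantly), and all keys and file contents are constructed.

```python
"""Recover files encrypted with a reused XOR keystream, as reported for TorrentLocker.

Added example, not TorrentLocker's code or Nixu's tool. Assumed (constructed)
model of the flaw: every file is XORed with the same keystream, covering only
the first PREFIX_LEN bytes; the rest of the file is left untouched. Because
XOR is its own inverse, one known plaintext/ciphertext pair reveals the
keystream, which then decrypts every other file. The keystream recovered is
only as long as the known file, which is why the known file has to be at
least as long as the encrypted prefix (over 2MB in the real case).
"""
import random

PREFIX_LEN = 64  # stands in for the real ~2 MB encrypted prefix


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_like_torrentlocker(plain: bytes, keystream: bytes) -> bytes:
    """Constructed model of the flawed scheme: XOR the prefix, keep the tail."""
    n = min(len(plain), PREFIX_LEN, len(keystream))
    return xor_bytes(plain[:n], keystream[:n]) + plain[n:]


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known plaintext + its ciphertext -> keystream (as long as the shorter of prefix/file)."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("plaintext and ciphertext must be copies of the same file")
    n = min(len(known_plain), PREFIX_LEN)
    return xor_bytes(known_plain[:n], known_cipher[:n])


def decrypt_with_keystream(cipher: bytes, keystream: bytes) -> bytes:
    """Decrypt another victim file; raises if the keystream is too short to cover its prefix."""
    needed = min(len(cipher), PREFIX_LEN)
    if len(keystream) < needed:
        raise ValueError(
            f"keystream covers {len(keystream)} bytes but file prefix is {needed}; "
            "a longer known file is required for full recovery"
        )
    return xor_bytes(cipher[:needed], keystream[:needed]) + cipher[needed:]


def make_demo_keystream(seed: int = 2014) -> bytes:
    """Constructed, deterministic keystream standing in for the malware's key material."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(PREFIX_LEN))


SECRET_PLAIN = b"Quarterly ledger: constructed sample data, 2014-09. " * 3


def demo() -> bytes:
    """Walk through the recovery: one known file unlocks a second, unknown one."""
    keystream = make_demo_keystream()
    # The victim still has a pristine copy of one large file (e.g. from a backup).
    known_plain = b"%PDF-1.4 constructed known document " * 8  # 288 bytes > PREFIX_LEN
    known_cipher = encrypt_like_torrentlocker(known_plain, keystream)
    # A second file the victim has no copy of.
    secret_cipher = encrypt_like_torrentlocker(SECRET_PLAIN, keystream)
    recovered = recover_keystream(known_plain, known_cipher)
    return decrypt_with_keystream(secret_cipher, recovered)


if __name__ == "__main__":
    print(demo().decode())
```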
Massive Gmail credential leak is not result of a breach. Google investigated a dump of Gmail credentials posted online and found that the credentials were not the result of a breach and that less than 2 percent of the credentials might have worked. Users were advised to change their passwords, use strong passwords, and enable two-factor authentication if possible as a precaution.
Details disclosed for critical vulnerability patched in Webmin. A researcher with the University of Texas published details on a critical vulnerability in Webmin that was patched in May, showing that the vulnerability could have been used by unauthenticated users to delete files stored on the server.
Apache warns of Tomcat remote code execution vulnerability. The Apache Software Foundation warned users of some older versions of Apache Tomcat that they are vulnerable under limited circumstances to a vulnerability that could allow an attacker to upload malicious JavaServer Pages (JSP) to a server, trigger the execution of the JSP, and then execute arbitrary commands on the server. The vulnerability affects versions 7.0.0 to 7.0.39 and users were advised to update their installations.
Vendor fixes vulnerabilities in wireless traffic sensors. Sensys Networks, a company that manufactures sensor devices used in wireless traffic control systems, announced September 5 that it released software updates for its products to address security vulnerabilities and protect systems against attacks caused by lack of encryption or sufficient authentication methods. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory stating that the issues affect Sensys Networks VSN240-F and VSN240-T systems and advised operators to update their software installations.
Adobe fixes critical flaws in Flash Player, delays Reader and Acrobat updates. Adobe Systems released a critical security update for its Flash Player software, closing 12 security issues, 9 of which could lead to remote code execution. The company also delayed planned patches for Reader and Acrobat by 1 week due to issues identified during testing.
September Patch Tuesday: Microsoft closes door on IE zero day attacks. Microsoft released its monthly Patch Tuesday round of updates for September, with 4 bulletins closing 42 vulnerabilities in various Microsoft products. One bulletin for the Internet Explorer browser closes 37 vulnerabilities, 1 of which was a critical Internet Explorer zero-day vulnerability.
Use home networking kit? DDoS bot is BACK…and it has EVOLVED. A researcher identified a new variant of the Lightaidra router-to-router malware that targets consumer-grade cable and DSL modems using default passwords in order to use them in distributed denial of service (DDoS) attacks. The new variant is able to reconfigure victims’ firewalls and requires Linux to be running on targeted devices in order to infect them.
Apple beefs up security, sends iCloud access alert. Apple announced September 5 that within 2 weeks it would implement new security policies for its iCloud service following attacks that leaked personal photos belonging to celebrities. Some features have already been implemented, such as a notification when an iCloud account is accessed via a Web browser.
Phishing miscreants are THWARTING secure-sleuths with AES crypto. Researchers with Symantec identified what they believe was the first use of AES encryption to disguise fraudulent Web sites designed to steal users’ login credentials. The use of AES encryption allows attackers to make the analysis of phishing sites more difficult without affecting how the sites appear and function to users.
Yandy.com hacked, financial information exposed. Yandy.com notified its customers that a Web-based database hosting customers’ information, including payment card data, was accessed by an unknown party at least four times between May 28 and August 18. The online retailer detected the breach August 18 and has implemented additional measures to secure its systems.
Malvertising on YouTube and Amazon delivers sophisticated malware. Researchers with Cisco’s Talos Security Research identified a malvertising campaign dubbed Kyle & Stan that began in May and is currently affecting Windows and Mac users on popular Web sites such as Amazon and YouTube. The campaign inserts malicious ads that serve various forms of spyware, adware, and browser hijacking malware and uses unique configuration files and encryption to attempt to avoid detection.
Dyre banking trojan targets Salesforce customers. Customer relationship management (CRM) provider Salesforce found that the Dyre banking malware (also known as Dyreza) has been used against some of its customers but found no evidence that any were impacted. The malware uses man-in-the-middle (MitM) attacks to steal credentials and Salesforce advised its users to ensure that their systems were protected against the malware.
Hackers going Nuclear following Blackhole takedown. A Zscaler ThreatLabz researcher identified a campaign utilizing the Nuclear Exploit Kit and compromised sites including SocialBlade.com, AskMen.com, and Facebook survey scam pages to attempt to infect users’ systems. The researcher reported that the Nuclear Exploit Kit has become increasingly popular in the last 3 months following the arrest of the alleged creator of the Blackhole Exploit Kit.
New timing attack could de-anonymize Google users. Mavenlink identified and reported an issue in Google accounts that could be used by an attacker in specific circumstances to identify when a particular user visits a site by sharing a Google document with the user’s address. Google acknowledged the issue but stated it would not address the issue because the risk presented was judged to be low and only usable in limited circumstances.
Home Depot confirms months-long hack. Home Depot representatives confirmed September 8 that the company’s payment systems were breached as early as April 2014 and the attack went unnoticed until September 2 when banking institutions reported unusual activity connected to debit and credit card data from the company’s stores in the U.S. and Canada. The company is working with the U.S. Secret Service to determine the scope of the breach and has implemented additional security measures at its stores.
Dodgy Norton update borks UNDEAD XP systems. Symantec issued a fix for a recent update to its Norton security software after some users running Windows XP reported issues after applying the update.
Hackers target Apple Mac OS X with 25 malware variants. F-Secure released its Threat Report H1 2014 which found that 25 new malware variants targeting Apple OS X systems were observed in the first half of the year. Several variants were observed being used in targeted attacks against activists, the energy industry, and other industries.
Social engineering campaign leads to malicious Chrome extension. TrendMicro researchers identified a social engineering campaign that uses malicious shortened Twitter links to lead victims to a malicious Chrome browser extension used in a click fraud campaign. The malicious extension circumvents Google’s security policy against non-Chrome Web Store apps by creating a folder in the browser directory where it then drops its components.
Bitcoin exchange CEO pleads guilty to enabling Silk Road drug deals. The former CEO of Bitcoin exchange BitInstant and a Bitcoin seller pleaded guilty September 4 in New York City to charges of operating an unlicensed money exchange that was used to facilitate illicit transactions for users of the Silk Road underweb marketplace.
Cyberespionage group starts using new Mac OS X backdoor program. FireEye researchers found that a cyberespionage group dubbed GREF has recently begun using a backdoor program known as XSLCmd that targets Mac OS X systems in order to steal files and install additional malware. The GREF group is known for attacks on several sectors including the U.S. defense industry as well as electronics manufacturers, engineering firms, and non-governmental organizations worldwide.
Coursera privacy issues exposed. A researcher identified and reported two issues in the Coursera online educational software that could disclose a list of students’ names, email addresses, information on their courses, and disable a stated protection feature. Coursera partially addressed one of the reported issues while the second remains unaddressed.
Researchers discover two SQL injection flaws in WordPress security plugin. Researchers with High-Tech Bridge identified and reported two SQL injection vulnerabilities in the All in One WordPress Security and Firewall plugin that affects version 3.8.2 and likely all prior versions.
Verizon failed to tell 2 million using their personal info for marketing. Now the FCC is making it pay. The U.S. Federal Communications Commission issued a $7.4 million fine against Verizon after the company failed to tell 2 million customers of their ability to opt out of having their personal information used for marketing purposes for 6 years. Verizon agreed to pay the fine and stated that the technical glitch has since been fixed.
Updated Vawtrak banking malware strain expands target list. Researchers with PhishLabs identified a new variant of the Vawtrak financial malware (also known as Neverquest) that has added features in the last month enabling it to expand its targets to users in the U.S., Canada, and Europe. The malware targets financial institutions as well as social networks, online retailers, gaming portals, and analytics firms and can steal credentials and automate fraudulent transactions.
Old Slider Revolution vulnerability massively exploited. Researchers at Sucuri found that attackers began heavily exploiting an old vulnerability in unpatched versions of the Slider Revolution Premium plugin for WordPress during August, which could allow a Local File Inclusion (LFI) attack. The vulnerability was fixed in February and all users were advised to update to the latest version as soon as possible.
CERT warns of Android apps vulnerable to MitM attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) published a list of popular Android apps that expose users to man-in-the-middle (MitM) attacks due to the apps not properly validating SSL certificates. CERT/CC released its findings in a spreadsheet detailing their results and is attempting to contact the authors of every app that failed the organization’s tests.
Home router DNS settings changed via Web-based attack. Kaspersky Lab researchers identified a Web-based attack that uses Web pages with malicious scripts to attempt to change users’ home router Domain Name System (DNS) settings in order to redirect users to phishing pages of financial institutions. The attack was mostly observed in Brazil but also targeted some users in the U.S., Canada, Mexico, and other countries.
VirusTotal mess means YOU TOO can track Comment Crew! A researcher released findings on how he was able to use structured data and analysis to identify a subgroup of the Comment Crew group and an unnamed Iranian group using Google’s VirusTotal service to test new versions of malware against security software and check for detection rates.
Semalt botnet hijacked nearly 300k computers. Incapsula researchers reported that the Semalt botnet is spreading quickly and is currently made up of around 290,000 infected machines. The botnet is linked to a Ukrainian search engine optimization (SEO) service and spams millions of Web sites in a referrer spam campaign designed to fraudulently boost a site’s search engine ranking.
Linux systems infiltrated and controlled in a DDoS botnet. Researchers at Akamai Technologies reported that Linux systems could be at risk of infections using IptabLes and IptabLex to compromise systems and use them in distributed denial of service (DDoS) attacks. The researchers reported that the infections appeared to be caused by a large number of Linux-based Web servers being compromised via Apache Struts, Tomcat, and Elasticsearch vulnerabilities.
Firefox 32 moves to kill MITM attacks. The Mozilla Foundation released version 32 of its Firefox browser, which adds new features including public key pinning to help protect users against man-in-the-middle (MitM) attacks.
Apple fixes glitch in Find My iPhone app connected to celebrity photo leak. A security issue in Apple’s Find My iPhone app that researchers demonstrated could be exploited in brute force attacks was fixed by the company. Apple stated that a recent breach of celebrities’ personal photos stored in its iCloud service was not the result of the researchers’ findings, but instead involved targeted attacks on the individuals’ accounts.
Cybercriminals love PayPal, financial phishing on the rise. Kaspersky Lab researchers released statistics on spam and phishing emails for the month of July, which found that phishing emails targeting financial services increased 7.9 percent during the month, with PayPal being the most targeted company. The researchers also found that the overall share of spam in all email traffic increased 2.2 percent to a total of 67 percent during July, among other findings.
New BlackPoS strain disguises as antivirus service. Researchers with Trend Micro identified a new variant of the BlackPoS point-of-sale (PoS) malware that disguises itself as an antivirus product and contains other changes to improve efficiency and avoid detection. The malware can reach PoS systems by the infection of company servers, breaching network communication, or infecting the PoS device before deployment.
Hackers steal customer payment data from ClamCase. Keyboard and iPad case manufacturer ClamCase stated that attackers compromised the company’s systems and obtained an undisclosed number of customers’ personal information including names, addresses, and payment card data. The company stated that the attack occurred between April 15 and August 6 and is offering identity theft prevention services to affected customers.
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION. Dell SecureWorks researchers published an analysis of the CryptoWall ransomware and found that it continues to be the largest ransomware threat, extorting at least $1 million from victims. The researchers detected around 625,000 systems infected with the ransomware between mid-March and late August, encrypting over 5.25 billion files, among other findings.
Phishers targeting crypto currency and retail sites. The Anti-Phishing Working Group (APWG) released its report for the second quarter of 2014 (Q2) and found that the number of phishing attacks was the second-highest number since recording began in 2008, with online payment services and cryptocurrency sites being frequent targets, among other findings.
FBI, Secret Service studying ‘scope’ of reported bank cyberattacks. A spokesperson for the FBI stated August 27 that the FBI and U.S. Secret Service are investigating to determine the scope of recently reported cyberattacks against several major U.S. financial services institutions.
Malvertising hits high-profile websites, Java, deviantART, TMZ, Photobucket. Researchers at Fox-IT identified a malvertising campaign that used ads on popular Web sites such as those belonging to Java, deviantART, Photobucket, TMZ, and others to expose users with outdated Java, Flash Player, and Silverlight versions to compromise using the Angler exploit kit. The ads ran between August 19 and August 23 and did not require users to click on them in order to attempt to drop the Rerdom trojan.
Mozilla reports user data leak from Bugzilla project. Mozilla disclosed August 27 that the email addresses and encrypted passwords of around 97,000 users who tested early versions of the Bugzilla bug tracking tool were exposed for 3 months after a server migration. The breach was caused by database dump files being left in an unprotected server location starting May 4.
Microsoft purges 1,500 copycat, fraudulent Windows 8.1 apps. Microsoft stated August 27 that it removed over 1,500 fake Windows 8 and 8.1 apps from its Windows Store marketplace due to the apps attempting to charge users for free software.
Scratched PC-dispatch patch patched, hatched in batch rematch. Microsoft released an updated version of a security patch following reports that some users experienced ‘blue screen of death’ crashes after applying the original patch.
Crypto-malware steals email addresses and passwords, spreads itself. Avast researchers analyzed a new piece of ransomware that uses several freely available tools to infect users, encrypt files, and demand a ransom. The ransomware also steals email credentials to attempt to propagate itself and is currently targeting users in Russian-speaking countries.
Updated NetTraveler backdoor has encrypted configuration file. Researchers at Kaspersky Lab identified an updated variant of the NetTraveler (also known as Travnet or Netfile) malware being used in a spearphishing campaign that contains an encrypted configuration file. The NetTraveler malware has been used for as long as 10 years and is frequently used in attacks targeting diplomatic, government, military, and activist groups.
470 million sites exist for 24 hours, 22% are malicious. Blue Coat researchers reported the results of an analysis of over 660 million unique hostnames requested by users and found that 71 percent of hostnames were sites that appeared for only 1 day, with around 22 percent found to be malicious sites used in short-lived attacks or botnet management. The largest number of 1-day sites were legitimate sites used by major online organizations.
Ouch…right in the VIDEO GAME: Lizard Squad attacks Xbox, Twitch. Attackers calling themselves Lizard Squad launched distributed denial of service (DDoS) attacks against video game-streaming service Twitch and the Microsoft Xbox Live service August 26, disrupting service on Twitch for a time but failing to impact Xbox Live service.
HP recalls 6M laptop power cords that can pose fire hazards. Hewlett-Packard announced a recall of over 6 million LS-15 AC power cords used with HP and Compaq branded laptops due to the potential for the power cords to overheat, melt, and pose a fire or burn hazard. The recall covers around 5.6 million units in the U.S. and 446,000 in Canada.
Hardcoded password in Netis, Netcore routers offers backdoor to devices. Trend Micro researchers found that some routers sold under the Netis brand in the U.S. and other countries, and under the Netcore brand in China, contain a backdoor that can be accessed if the routers provide external access. The researchers also found a hardcoded password in the devices that can allow anyone with the password to access the router.
50 security flaws fixed in Google Chrome. Google released an update for its Chrome browser, addressing 50 security issues, including a series of critical vulnerabilities that could be exploited to execute arbitrary code outside of the Chrome sandbox.
Researchers exploit flaw to tie Secret users to their secrets. Researchers from Rhino Security Labs demonstrated a proof-of-concept attack against the Secret app that could allow a user to deduce the identity behind a posting on the anonymous social network. The attack method was previously reported to Secret and closed before the researchers’ demonstration.
263.35 Gbps of traffic aimed at one Sony server during DDoS attack. Users of Sony’s PlayStation Network and Sony Online Entertainment services experienced issues and were unable to sign in August 24 after the services were hit by a distributed denial of service (DDoS) attack that was claimed by the attacker to peak at 263.35 Gbps. A separate group attempted to take credit for the attack and tweeted a bomb scare regarding a Dallas-to-San Diego flight that was carrying a Sony executive.
FlashPack exploit kit shared through social media buttons add-on. Researchers with Trend Micro observed the FlashPack exploit kit being distributed to users through social media sharing buttons on Web sites. The exploit kit attempts to exploit vulnerabilities in Adobe Flash and is mostly targeting users in Japan at present.
MeetMe social network systems breached. Social network MeetMe reported that it was compromised by attackers between August 5 and August 7 who were able to obtain an unspecified number of users’ encrypted user names, passwords, and email addresses. The company advised users to change their passwords as a precaution.
Credentials can be stolen in UI state inference attack. Researchers presenting at the USENIX Security Symposium published a paper outlining a new form of attack called a user interface (UI) inference attack that can steal Android users’ credentials by conducting a side-channel attack relying on a common shared-memory mechanism used by window managers. The attack uses a malicious app that does not require permissions and the researchers believe that the same vulnerability likely exists in other operating systems such as iOS, Windows, and OSX.
Vulnerability found in Google Wallet, Alipay payment SDKs. Researchers with Trend Micro identified and reported a security vulnerability in the in-app payment SDKs for Google Wallet and Alibaba Alipay in Android that can be exploited by attackers using intent-filters to display phishing messages and obtain user credentials. Alibaba and Google both released updates to their apps after being informed by the researchers May 27.
Vulnerability in Akeeba Backup for Joomla went undetected for years. Sucuri researchers found a vulnerability in the Akeeba Backup extension for Joomla that has existed for years and could allow a skilled attacker to access backup files created with Akeeba and download them. The researchers stated that the security risk presented by the vulnerability was low due to the difficulty in exploiting it, and the newest version of Akeeba is no longer vulnerable.
38-day long DDoS siege amounts to over 50 petabits in bad traffic. Incapsula reported that a video game company client experienced a distributed denial of service (DDoS) attack that lasted 38 days between June 21 and July 28, used several attack vectors, and peaked at over 110 Gbps. The attack vectors were used separately or in combination, and the attack was mitigated by Incapsula using a scrubbing server.
Most popular Android apps open users to MITM attacks. FireEye researchers conducted an analysis of the 1,000 most popular free Android apps in the Google Play store and found that many contain one or more vulnerabilities that could leave users vulnerable to man-in-the-middle (MitM) attacks.
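The CERT/CC and FireEye findings above both come down to the same client-side defect: a TLS client that does not check the server certificate chain, the hostname, or both, so any on-path attacker can present its own certificate. The following Python example is added here for illustration and is not code from either report or from any of the apps they tested; it uses the standard `ssl` module to show the weak client configuration next to the hardened one, together with a small audit function that flags the settings a reviewer should look for in any TLS client code (the function names are assumptions of this example).

```python
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind the CERT/CC and FireEye findings: a client that
    accepts any certificate for any name. Shown only so the audit below has
    something to flag; never ship this in a production client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What a correctly validating client looks like: trusted CA store loaded,
    chain validation required, hostname checked against the certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the MitM-relevant weaknesses of a client context (empty list = none found).
    This is the review checklist a defender applies to TLS client code."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        issues.append("check_hostname is False: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("minimum_version below TLS 1.2: downgrade to legacy protocol versions allowed")
    return issues


def fetch_peer_certificate(host: str, port: int = 443,
                           ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect with a validating context and return the server's certificate.
    With hardened_context(), a certificate that does not chain to a trusted CA
    or does not match `host` raises ssl.SSLCertVerificationError instead of
    silently succeeding. (Network call; not exercised by the offline checks.)"""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no issues"])
```

Running the audit against the two contexts prints three findings for the insecure one and none for the hardened one; the same three checks (chain validation required, hostname verified, no legacy protocol versions) are what to look for when reviewing an app's TLS client code, whatever the language or platform.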
Graphic library flaw exposes apps created with Delphi, C++ Builder. Researchers with Core Security reported identifying a security vulnerability that can affect software built with a specific version of Embarcadero C++ Builder XE6, Embarcadero Delphi XE6, and possibly other versions. Embarcadero products are used by organizations in healthcare, financial services, and other industries to develop in-house applications.
UPS now the third company in a week to disclose data breach. The United Parcel Service (UPS) announced August 20 that a security breach at 51 of its UPS Stores in 24 States may have exposed the personal information, including addresses and payment card information, of customers who completed transactions between January 20 and August 11. An investigation found previously unknown malware
Cryptolocker flogged on YouTube. Two researchers reported that cybercriminals have been observed to use purchased ad space on YouTube in order to redirect users to malicious sites serving the Cryptolocker ransomware. The researchers are scheduled to present at the Virus Bulletin 2014 conference detailing how legitimate ad networks could be used to spread malware.
Vulnerability in WordPress Mobile Pack exposes password-protected posts. Researchers with dxw Security identified and reported a vulnerability in the Mobile Pack plugin for WordPress that could allow access to password-protected posts. The vulnerability was reported July 24 and closed August 19 with the release of Mobile Pack version 2.0.2.
‘Reveton’ ransomware upgraded with powerful password stealer. Avast researchers analyzed a new variant of the Reveton ransomware that now includes the Pony password and virtual currency stealer and a Papras family password stealer that can also disable security programs. The new variant was also programmed to check if an infected user had visited the Web sites of 17 German banks.
Bug in iOS Instagram app fixed, impacts Facebook accounts. IOActive researchers reported that an issue in the Instagram app for iOS could leave users open to having their Facebook access token intercepted over public Wi-Fi due to the app sending the token in plain text. The issue was fixed in Instagram version 6.0.4 and users were advised to update to the latest version.
New attack binds malware in parallel to software downloads. Researchers at Ruhr University developed a proof-of-concept attack that can inject malicious code into a legitimate download that runs parallel to the original and does not modify the code, taking advantage of security deficiencies present in some free and open source software. An attacker using the attack would need to control an intermediate network node between the client and the download server, such as compromising a router, using a network redirection attack, or compromising an insider through social engineering.
Four-year-old flaw exploited by Stuxnet still targeted. Kaspersky Lab researchers found that vulnerability CVE-2010-2568, leveraged in the Stuxnet attacks, was still present on many systems 4 years after it was patched, with tens of millions of exploits targeting the vulnerability observed between November 2013 and June 2014. The researchers also found that other older vulnerabilities are still frequently targeted, and that around 53 percent of 15.06 million detected exploits targeted Java vulnerabilities.
Grocery stores in multiple states hit by data breach. Supervalu Inc. reported that payment card data from customers at 180 of its grocery stores in several States between June 22 and July 17 may have been compromised after the company experienced a breach of its systems. Supervalu operates or provides IT services to several grocery store brands including Hornbacher’s, Shop ‘n Save, Farm Fresh, Albertsons, ACME, Jewel-Osco, Cub Foods, and other brands.
Windows security update causing system crash. Microsoft removed the download links to a Windows security update and is investigating after several users reported their systems crashing upon startup after applying the update. The “blue screen of death” (BSoD) issue was found to be incorrect handling of the Windows font cache file in specific circumstances, according to a Sophos researcher.
New TorrentLocker ransomware uses CryptoLocker and CryptoWall components. Researchers with iSIGHT Partners identified a new piece of ransomware known as TorrentLocker that uses elements of the CryptoLocker and CryptoWall ransomware to encrypt victims’ files and demand a ransom. The ransomware is spread by spam emails and uses the Rijndael encryption algorithm.
Gyroscopes on Android devices can be used to eavesdrop on users’ conversations. Researchers published a paper showing how the gyroscope sensors in Android devices can be combined with a speech recognition algorithm to eavesdrop on conversations, because Android gyroscopes use a sampling rate that overlaps the frequency range of the human voice. The researchers stated that the initial results did not present a significant eavesdropping threat currently, but that it could become a vulnerability with further refinements in the speech recognition algorithm.
Average peak size of DDoS attacks spiked in Q2: Verisign. Verisign released its second quarter (Q2) 2014 distributed denial of service (DDoS) attack report, which found that the size of DDoS attacks increased by 216 percent compared to the first quarter of the year and that 65 percent of attacks exceeded 1 Gbps, among other findings. The report stated that the entertainment and media industry was the most attacked during Q2, followed by IT services.
Don’t think you’re SAFE from Windows zombies just ‘cos you have an iPhone - research. Researchers at the Georgia Institute of Technology reported finding that Apple iOS devices can be compromised with iOS malware after being connected to a Windows computer by exploiting weaknesses in the iTunes syncing process, allowing attackers to steal data, install malicious apps, and replace existing apps. The researchers plan to demonstrate their findings August 20 at the Usenix Security Symposium.
50% of corporate passwords crackable within a few minutes. Trustwave released the results of research that analyzed 620,000 passwords compiled over 2 years and found that around 50 percent of U.S. corporate passwords could be cracked using a brute force method within a few minutes, while 92 percent could be cracked within 31 days. The research found that a longer password containing only letters took much longer to brute force compared to a shorter password that also includes numbers and special characters.
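The Trustwave finding above, that a longer letters-only password resists brute force better than a shorter one with digits and symbols, follows directly from how the search space grows: the alphabet size is the base, but the length is the exponent. The small Python example below is added here to make that arithmetic concrete and is not part of the Trustwave research; the guess rate used is a constructed, labelled assumption, not a figure from the report, so only the ratio between the two policies should be taken from it.

```python
import math
from typing import Dict

# Character-class sizes for a printable-ASCII policy.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# Constructed assumption for illustration only: guesses per second an attacker
# can try offline. The absolute times below depend on it; the ratio does not.
ASSUMED_GUESSES_PER_SECOND = 1e10


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    an alphabet of `alphabet_size` symbols (exhaustive search size)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


def compare_policies() -> Dict[str, float]:
    """The two shapes the Trustwave summary contrasts: 8 characters from the
    full printable set versus 12 characters of letters only. Returns the
    letters-only search space divided by the mixed-class one."""
    mixed = keyspace(8, LOWER + UPPER + DIGITS + SYMBOLS)   # 95^8
    letters_only = keyspace(12, LOWER + UPPER)               # 52^12
    return {
        "mixed_8_bits": entropy_bits(8, 95),
        "letters_12_bits": entropy_bits(12, 52),
        "ratio_letters_to_mixed": letters_only / mixed,
    }


if __name__ == "__main__":
    r = compare_policies()
    print(f"8 chars, 95-symbol alphabet: {r['mixed_8_bits']:.1f} bits, "
          f"{seconds_to_exhaust(8, 95) / 86400:.2f} days at the assumed rate")
    print(f"12 chars, letters only:      {r['letters_12_bits']:.1f} bits, "
          f"{seconds_to_exhaust(12, 52) / 86400:.0f} days at the assumed rate")
    print(f"letters-only space is {r['ratio_letters_to_mixed']:.0f}x larger")
```

Adding four letters multiplies the search space by 52 four times over, which outweighs the roughly 1.8x per-character gain from widening the alphabet from 52 to 95 symbols; this is why length requirements do more for brute-force resistance than complexity rules, a point the blurb states without showing.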
Microsoft’s Visual Studio Online outage hits users worldwide. Microsoft’s Visual Studio Online service experienced a service interruption across multiple regions for around 9 hours August 14.
New Bugat malware uses HTML injections taken from Gameover Zeus. A researcher from IBM Security reported August 14 that a new variant of the Bugat financial malware (also known as Cridex or Geodo) was spotted infecting computers in the U.K. and the Middle East region. The new variant uses HTML injections and scripts and an attack structure similar to that used by the Gameover Zeus malware and attempts to redirect victims to fake financial institution Web sites in order to steal login information.
New Gameover Zeus botnet forming, the US sees most infections. Arbor Networks researchers observed two new variants of the Gameover Zeus financial malware using 8,494 IP addresses to attempt to connect to command and control (C&C) servers in July in order to build a new botnet after a law enforcement and industry takedown of the original botnet. The new variants no longer use the peer-to-peer (P2P) command and control architecture of the original and instead utilize a domain generation algorithm (DGA) to contact C&C servers.
Vitamin seller website attacked, payment cards and other info compromised. Vitamin seller TheNaturalOnline.com reported August 12 that an undisclosed number of their customers may have had their payment and personal information compromised during a breach of the company’s systems that was identified July 15. The information included names, addresses, email addresses, account passwords, phone numbers, and payment card numbers, expiration dates, and CVV codes.
Vulnerabilities found in Disqus plugin for WordPress. A researcher identified and reported three vulnerabilities in the Disqus plugin for WordPress, including a cross-site request forgery (CSRF) issue that could allow an attacker to inject an exploit. The vulnerabilities were addressed June 29 in Disqus version 2.7.6, and a new version containing additional fixes was also released as version 2.7.7.
Internet routers hitting 512K limit, some become unreliable. LastPass, Liquid Web, eBay, and other services reported outages or isolated disruptions August 12 that were believed to be related to the growth of routable networks lists, also known as border gateway protocol (BGP) tables, beyond 512K, overwhelming some older routers and switches.
New Google Chrome 36 Stable fixes 12 vulnerabilities. Google released an update for its Chrome browser, closing 12 vulnerabilities. The new version also includes the latest version of Adobe Flash Player.
iOS malware hijacks revenue from 22 million ads. A researcher published a paper detailing the operation of the AdThief (also known as Spad) malware that infected around 75,000 jailbroken iOS devices and stole ad revenue from around 22 million ads. The researcher found that the revenue was diverted to the attackers using a Cydia Substrate extension to modify the ads developer ID to one used by the attackers.
Kovter ransomware thrives in Q2 2014, reaches 43,713 infections in a single day. Damballa released its State of Infections report for the second quarter (Q2) of 2014 and found that the daily infection rate of the Kovter ransomware increased by around 153 percent between April and May, infecting 43,713 systems in one day.
Adobe Reader and Acrobat zero-day vulnerability patched in 11.0.08. Adobe released an out-of-band patch for Adobe Acrobat and Adobe Reader to close a vulnerability in Windows versions of the software that could allow attackers to bypass sandbox protections. Attackers were observed exploiting the vulnerability in targeted attacks and all users were advised to update their installations as soon as possible.
Microsoft’s Patch Tuesday updates focus on Internet Explorer. Microsoft released its August round of Patch Tuesday updates August 12, which addressed 37 vulnerabilities in Microsoft products including 26 patches for Internet Explorer and a critical vulnerability in OneNote.
Seven critical Flash Player vulnerabilities fixed in new version. Adobe released an update for its Adobe Flash Player product that closes seven critical security vulnerabilities.
15 new vulnerabilities reported during router hacking contest. A security contest held at the DefCon 22 conference resulted in researchers identifying and reporting 15 new vulnerabilities in 5 popular models of wireless routers.
Security holes exposed in Trend Micro, Websense, open source DLP. Two researchers from Duo Security and Tumblr presenting at the Black Hat conference reported identifying several cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in four commercial data loss prevention (DLP) products and one open-source DLP product that could allow attackers to access or manipulate data. The majority of the flaws were in the products’ Web-based interfaces.
New Android malware Krysanec infects legitimate apps. Researchers at ESET identified a new remote access trojan (RAT) for Android devices known as Krysanec that is integrated into legitimate apps and can allow attackers to remotely control various device functions and steal information. The malware is being spread through several methods, including social networks and pirated content Web sites.
Millions of computers have backdoor enabled by default. Researchers from Kaspersky and Cubica Labs presenting at the Black Hat conference demonstrated how the legitimate Computrace anti-theft solution can be used by attackers performing a man-in-the-middle (MitM) attack to remotely execute arbitrary code on the target device due to the lack of encryption in Computrace traffic. Most computers come with Computrace already present, leaving millions of devices vulnerable to malicious use of the solution.
Authentication bypass bug fixed in BlackBerry Z10. Modzero researchers identified and reported two methods for remotely exploiting an authentication bypass vulnerability in BlackBerry Z10 phones that could allow attackers to install malware or steal personal data. BlackBerry released an update that closes the vulnerability and pushed it out to phone carriers.
Yahoo ad network used to spread CryptoWall ransomware. A researcher at Blue Coat Systems identified a malicious advertising campaign that uses the Yahoo advertisement network to distribute malicious ads that direct users to pages that attempt to serve a variant of the CryptoWall ransomware. The researcher also reported that the adsmail.us service was used in the campaign.
Critical 0-days found in CPE WAN Management Protocol. Check Point researchers reported finding several zero-day vulnerabilities in CPE WAN Management Protocol (CWMP/TR-069) deployments used by major Internet service providers (ISPs) to control home and business Internet equipment which could allow large-scale malware infections able to compromise privacy, steal information, or cause service disruptions. Check Point reported the vulnerabilities to ISPs and assisted in closing them before reporting their findings publicly.
Smart Nest thermostat easily turned into spying device. An independent researcher and two researchers from the University of Central Florida presenting at the 2014 Black Hat conference demonstrated how Nest smart thermostats can be compromised quickly using a USB flash drive, potentially allowing attackers to obtain information on a victim’s habits as well as network information such as WiFi credentials. Compromised thermostats could also be used to connect to the Internet and be used in a variety of malicious tasks.
10,000 impacted by resurging Facebook color changing app scam. Researchers at Cheetah Mobile reported that a resurgence of a scam that purports to change the color scheme of Facebook has affected 10,000 users recently. The campaign steals users’ Access Tokens and then attempts to install a malicious fake antivirus program or video player.
Oracle Database 12c’s data redaction security smashed live on stage. A researcher with Datacomm TSS presenting at the Defcon 22 conference demonstrated how a remote attacker could inject SQL queries to access redacted information in Oracle Database 12c due to several coding flaws.
Some mobile POS devices still affected by critical flaws months after patch. A researcher with MWR InfoSecurity and a colleague presenting at the Black Hat 2014 conference detailed flaws in mobile point of sale (mPOS) devices from several manufacturers that may allow the devices to be taken over by attackers using customized smart cards in order to steal the payment card information read by the devices. The researchers reported the flaws previously and a patch for the EMV library was released in April, but some vendors have yet to push out the update to their devices, leaving the devices vulnerable.
Network access storage devices are highly exploitable. A researcher from Independent Security Evaluators presenting at the Black Hat 2014 conference reported finding a wide variety of vulnerabilities in network-attached storage (NAS) devices from several manufacturers, including directory traversal, command injection, memory corruption, authentication bypass, and backdoor vulnerabilities.
Critical bug in WordPress plugin allows site hijacking. Sucuri researchers identified and reported a vulnerability in the Custom Contact Forms plugin for WordPress that could allow attackers to take control of sites using the plugin. The developers of Custom Contact Forms published an update for the plugin after the issue was published by the WordPress Security team.
Two Gameover Zeus variants targeting Europe and beyond. Researchers at Bitdefender identified two Gameover Zeus variants in the wild, one botnet primarily targeting the U.S. while the second targets Belarus and Ukraine. The first botnet is generating around 1,000 domains per day while the second generates 10,000 per day but appears to currently be inactive.
Cybercriminals steal cryptocurrency via BGP hijacking. Researchers with Dell SecureWorks reported finding cybercriminals using fake Border Gateway Protocol (BGP) broadcasts to redirect traffic from cryptocurrency mining pools to servers they control, diverting tens of thousands of dollars in cryptocurrency. The attackers compromised 51 mining pools hosted on 19 hosting companies.
Attackers used multiple zero-days to hit spy agencies in cyber-espionage campaign. Kaspersky Lab researchers identified the infection methods used in the Epic Turla cyber-espionage campaign (also known as Snake or Uroburos) that targeted intelligence agencies, military organizations, government agencies, education institutions, pharmaceutical companies, and research groups in over 45 countries. The attackers behind the campaign used several malware platforms and zero-day exploits in Windows XP and Server 2003 and Adobe Reader to infect systems and then could upgrade the malware with additional capabilities once in place.
Attack harbors malware in images. A researcher with Dell SecureWorks reported finding the Lurk malware being distributed within a fake digital image as part of a click fraud campaign that infected around 350,000 systems. The malware was spread through iFrames on Web sites containing an Adobe Flash exploit; victims running a vulnerable version of Adobe Flash were served the fake image file, which contains an encrypted URL from which a second malicious payload is downloaded.
Flaws in email and Web filtering solutions expose organizations to attacks: Researcher. A researcher at NCC Group presenting at the Black Hat 2014 conference published two whitepapers outlining how email and Web filtering solutions can be used by attackers in the reconnaissance phase of attacks to obtain information on a potential target network if the attackers can determine which products or services are being used on the target network.
Symantec issues update fixing Endpoint Protection zero-day. Symantec issued a patch for its Symantec Endpoint Protection (SEP) security solution to address a zero-day vulnerability identified by Offensive Security researchers that could allow an attacker with access to the target computer to escalate to admin privileges or cause a denial of service (DoS) condition. The vulnerability cannot be exploited remotely, but the exploit code is publicly available.
OpenSSL receives nine security fixes. A new version of the OpenSSL library was released, closing nine security vulnerabilities identified by researchers from various organizations. The vulnerabilities could lead to information leaking, downgrading to lower versions of the security protocol, or denial of service (DoS) attacks.
US Plextor website hacked by CoMoDo Islamic hackers. Attackers identifying themselves as the CoMoDo group defaced the Web site of computer hardware manufacturer Plextor Americas. The company stated that they are investigating the incident.
WordPress and Drupal fix common PHP XML parser vulnerability. WordPress and Drupal released new versions of their respective products in a joint effort to close an XML processing vulnerability that existed in both services and could be used by attackers to perform denial of service (DoS) attacks. The vulnerability was reported by a researcher at Salesforce.com and affected over 250 million Web sites according to Incapsula researchers.
APT group hijacks popular domains to mask C&C communications: FireEye. Researchers with FireEye reported identifying an advanced persistent threat campaign dubbed “Poisoned Hurricane” that used a variant of the PlugX (Kaba) malware configured to resolve DNS lookups through the nameservers of Hurricane Electric, which then spoofed legitimate domains and IP addresses to disguise the malware’s communication with command and control (C&C) servers.
Twitter URL shortening service abused by spammers. Cloudmark researchers reported that the t.co URL shortening service used by Twitter was used in 54 percent of shortened links blacklisted by the company for use in spam campaigns, and that one entity appeared to be behind two observed campaigns abusing the service, among other findings.
PayPal confirms new two-factor authentication bypass issue. Researchers with Escalate Internet identified a way to bypass PayPal’s two-factor authentication (2FA) mechanism with companies that use Adaptive Payments, as the method Adaptive Payments uses to connect PayPal accounts to the application only requires a login and password with no 2FA. PayPal stated that they are aware of the issue and working on a fix.
1.2 billion unique credentials, 500 million email addresses stolen by Russian cyber gang. Researchers with Hold Security found that a Russian cybercrime group dubbed “CyberVor” was able to collect 1.2 billion unique credentials from the Web sites of a wide variety of large and small businesses, as well as over 500 million email address credentials. The researchers reported that the cybercriminals used SQL injection attacks and later botnets that scanned sites on a large scale looking for SQL vulnerabilities to obtain the information.
Synology NAS devices hit in ransomware attack, firm advises upgrade. Synology stated that it confirmed user reports of infections by the SynoLocker ransomware on the company’s Diskstation devices and found that Synology network-attached storage (NAS) servers running DSM 4.3-3810 and earlier were compromised by exploiting a vulnerability that was patched in December 2013. Users were advised to upgrade their DSM installations to close the vulnerability.
Magnitude Exploit Kit is a well-oiled crimeware. Trustwave researchers analyzed the Magnitude Exploit Kit used to infect several high-profile Web sites and found that the malware relied on one Internet Explorer exploit and two Java exploits, and had a 20 percent infection success rate within 1 month, among other findings.
Over 90% of enterprises exposed to man-in-the-browser attacks: Cisco. Cisco released its Midyear Security Report August 5, which found that around 94 percent of its customers have issued domain name system (DNS) requests to hostnames with IP addresses associated with the distribution of malware that contains man-in-the-browser (MitB) capabilities. The report also found that aviation, chemical, pharmaceutical, and media and publishing industries had the highest rates of malware encounters, among other findings.
Security flaw in Spotify for Android may enable phishing. Trend Micro researchers identified a vulnerability in the Spotify app for Android that could allow attackers to take control of what is displayed in the app’s interface, which could potentially be used for phishing or redirection to malicious pages. Spotify stated that they released an update that closes the vulnerability after being notified and advised all users to update to the latest version.
Oracle issues fix for Java update that crippled some Web apps. Oracle issued an update for Java 7, Java 7 Update 67, which contains a fix for an issue in the recent Java 7 Update 65 that caused some Web applications to be unable to launch.
Multi function p0wnage just getting worse, researcher finds. A researcher with Rapid7 reported that multi-function printers from several companies contain vulnerabilities that can allow an attacker to retrieve the usernames, email addresses, and passwords of the corporate Active Directory accounts the devices are configured with. The researcher and his team reported gaining access to corporate networks this way in 40-50 percent of attempts.
DDoS attack volumes plummet as NTP servers got patched. Black Lotus released its Q2 2014 Threat Report which found that patching weaknesses in systems decreased distributed reflection denial of service (DrDoS) attacks by 86 percent in the second quarter of 2014 while multi-vector attacks such as TCP SYN and HTTP GET attacks increased 140 percent during the quarter, among other findings.
Mobile users targeted with SandroRat posing as security software. Researchers with McAfee identified a campaign targeting Android users in Europe that disguises the SandroRat malware as a Kaspersky mobile security app to trick users into installing it. The malware is spread via text messages and emails that purport to come from a bank and present the app as a way of enhancing mobile security.
Flaw enabled access to internal Yahoo administration panel. A researcher with RMSEC identified and reported an issue with Yahoo that allowed him to guess a correct URL and then be logged into an internal content management system (CMS) with full administrator rights. Yahoo closed the issue after being informed by the researcher.
Apache Cordova vulnerabilities expose Android apps. IBM Security Systems researchers identified three vulnerabilities in the Apache Cordova developer APIs that could allow attackers to steal sensitive information from applications created using Apache Cordova. The Apache Cordova development team was notified by the researchers prior to public disclosure and an update was released August 4 that closes the flaws.
RAT malware communicating via Yahoo Mail. A researcher with G Data published an analysis of a remote access trojan (RAT) known as IcoScript that has mostly gone undetected since 2012 and uses Yahoo Mail to communicate with its controllers, avoiding the creation of suspicious traffic. The RAT could also be modified to use Gmail or other webmail providers.
PF Chang’s names 33 restaurants in data breach. Restaurant chain P.F. Chang’s provided the locations of 33 restaurants that were compromised in a data breach uncovered in June, which included restaurants in Baltimore; Pittsburgh; St. Louis; Austin, Texas; and Charlotte, North Carolina. An investigation into the breach is continuing.
Citadel malware variant allows attackers remote access, even after removal. Researchers at IBM identified a new variant of the Citadel banking malware that uses Windows shell commands to create a new local user account with a non-expiring password, so that the attackers keep remote control of the affected system even after the malware itself has been removed.
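A detection for the persistence trick described above, added here as an example; it is not IBM's rule or any vendor's production logic. The page says only that the variant runs Windows shell commands, so the exact commands matched (net user ... /add, net localgroup administrators ... /add, and wmic useraccount ... set PasswordExpires=false) are the usual ways of doing this from a shell and are an assumption, as are the sample process-creation records, which are constructed to resemble Windows event 4688 or Sysmon event 1 data.

```python
import re
from collections import defaultdict

# Constructed process-creation records (shape of Windows 4688 / Sysmon 1); not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2014-08-01T10:02:11", "host": "WS-17", "parent": "explorer.exe",
     "cmd": "cmd.exe /c net user svc_backup P@ssw0rd123 /add"},
    {"time": "2014-08-01T10:02:12", "host": "WS-17", "parent": "explorer.exe",
     "cmd": "cmd.exe /c net localgroup administrators svc_backup /add"},
    {"time": "2014-08-01T10:02:13", "host": "WS-17", "parent": "explorer.exe",
     "cmd": "cmd.exe /c wmic useraccount where name='svc_backup' set PasswordExpires=false"},
    {"time": "2014-08-01T11:15:40", "host": "WS-22", "parent": "mmc.exe",
     "cmd": "net user"},                       # benign enumeration
    {"time": "2014-08-01T12:00:00", "host": "WS-22", "parent": "powershell.exe",
     "cmd": "net user tempuser /delete"},      # benign cleanup
]

# Assumed command shapes: account creation, privilege grant, non-expiring password.
ADD_USER = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.I)
ADD_ADMIN = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<name>\S+)\s+/add\b", re.I)
NO_EXPIRE = re.compile(
    r"wmic\s+useraccount\s+where\s+name=['\"](?P<name>[^'\"]+)['\"]"
    r"\s+set\s+passwordexpires\s*=\s*false", re.I)

STAGES = (("created", ADD_USER), ("admin", ADD_ADMIN), ("never_expires", NO_EXPIRE))


def scan(events):
    """Map (host, account) -> {stage: first time seen} over the command lines."""
    findings = defaultdict(dict)
    for ev in events:
        for stage, rx in STAGES:
            m = rx.search(ev["cmd"])
            if m:
                key = (ev["host"], m.group("name").lower())
                findings[key].setdefault(stage, ev["time"])
    return findings


def backdoor_accounts(events, min_stages=2):
    """Accounts for which at least min_stages of the three steps occurred on one host.

    A lone 'net user X /add' is common admin activity; creation combined with an
    admin grant or a never-expires flag, from the same host in quick succession,
    is the pattern the Citadel variant leaves behind.
    """
    return {key: stages for key, stages in scan(events).items()
            if len(stages) >= min_stages}
```

In practice the same logic is also worth running over account-management events (a 4720 account creation followed by a 4738 change that sets "Password Never Expires"), because the shell commands can be renamed or obfuscated while the resulting security events cannot.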
Registry-residing malware creates no file for antivirus to scan. A researcher with G Data published details of a new type of malware dubbed Poweliks that avoids detection by antivirus programs by never creating a file on disk: it stores its code in the Windows registry, runs entirely in memory, and makes the registry key it uses unreadable in the Registry Editor.
Remote code execution flaw patched in Samba 4. The developers of the open source software suite Samba released a patch August 1 that closes a vulnerability present in all versions of Samba 4 released to date that could allow a remote attacker to execute code as the root superuser.
Thousands of Mozilla developers’ emails, passwords exposed. Mozilla stated August 1 that around 76,000 Mozilla Developer Network email addresses and around 4,000 hashed and salted passwords were left publicly accessible for about 30 days due to a failed data sanitation process. Developers were advised to change their passwords as a precaution.
Cisco patches OSPF bug that sends traffic into black holes. Cisco released a patch for a flaw in its Open Shortest Path First (OSPF) routing implementation that could allow an attacker to take control of the OSPF Autonomous System domain routing table, intercept traffic, or blackhole traffic. The issue affects all unpatched versions of Cisco IOS Software, IOS XE Software, ASA Software, PIX Software, and FWSM Software.
Synology NAS users hit with Cryptolocker variant. Users of Synology’s network-attached storage (NAS) devices reported that, beginning over the weekend of August 2, their devices were infected with a variant of the Cryptolocker ransomware that encrypts files and demands a ransom to decrypt them. The method by which the malware infects NAS devices was unknown at the time, and users were advised to back up their files and unplug the devices until the infection vector was identified.
New point-of-sale malware “Backoff” scrapes RAM for card data. The U.S. Computer Emergency Readiness Team (US-CERT) published an advisory warning of a new family of malware known as “Backoff” that compromises point-of-sale (PoS) systems by gaining access through remote desktop applications and then scraping memory to obtain payment card track data. The malware currently has very low detection rates in most antivirus engines and has other capabilities, including keystroke logging and injecting a malicious stub into explorer.exe for persistence.
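Memory scrapers of the kind described above work by searching process memory for the fixed layout of magnetic-stripe track data. The Python below is an added example, not Backoff's code or anything from the US-CERT advisory: it applies the Track 1 and Track 2 patterns to a byte buffer and keeps only hits whose account number passes the Luhn check, which is how a scraper, or a defender sweeping a memory dump, database export or log archive for card data, separates real PANs from random digit runs. The buffer is constructed; the card numbers are the standard 4111... and 5500... test values plus one with a deliberately broken check digit.

```python
import re

# Track 1:  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:  ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2 = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")

# Constructed stand-in for a slice of a POS process's memory.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_BUFFER\x00"
    b"%B4111111111111111^DOE/JOHN^1512101000000000?"     # valid track 1
    b"\x00\x00;5500000000000004=15121010000000000?"      # valid track 2
    b"\x00junk;4111111111111112=1512101?"                 # track 2, bad check digit
    b"\x00"
)


def luhn_ok(digits):
    """Luhn (mod 10) check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN and last four, which is all a report should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return Luhn-valid track hits in offset order, with the PAN masked."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue          # digit run that merely looks like a PAN
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "pan_masked": mask(pan),
                "expiry": m.group("exp").decode("ascii"),
                "service_code": m.group("svc").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])
```

Backoff runs this search over the memory of the POS application, where track data is in the clear between the card reader and the payment processor. The same scan is the right tool for the defensive question of where card data sits unprotected on your own systems: point it at memory dumps, database exports and log archives, and treat every Luhn-valid hit as a finding.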
Sandwich chain Jimmy John’s investigating breach claims. Sandwich restaurant chain Jimmy John’s reported that it is working with authorities to investigate a possible breach of customer payment data.
USB device firmware can be reprogrammed to hide sophisticated malware. Researchers from SRLabs reported developing a new piece of malware that can reprogram USB controller chips to spoof other devices, allowing an attacker to take control of a computer, steal data, and perform other actions. The researchers plan to demonstrate the “BadUSB” malware at the upcoming Black Hat security conference.
Hackers steal video game source code. Dell SecureWorks’ Counter Threat Unit identified a group of attackers labeled Threat Group-3279 that has been observed targeting video game and entertainment companies to steal source code and create cracks or cheat codes for games. The group is believed to be associated with the China Cracking Group and leverages a variety of tools and pieces of malware, including ones created by the group.
“Pitty Tiger” threat actors possibly active since 2008: FireEye. Researchers at FireEye analyzed the “Pitty Tiger” advanced persistent threat group first identified by Airbus Defense & Space and found that the group may have been active since 2008. The Pitty Tiger campaign targeted a variety of sectors including the defense and telecoms industries, and is believed to be operating from China.
New ransomware uses GnuPG to encrypt files. Researchers at Symantec and Trend Micro analyzed a new piece of ransomware dubbed Trojan.Ransomcrypt.L or BAT_CRYPTOR.A that uses GNU Privacy Guard to encrypt files for ransom and can be easily updated by its controllers. Trend Micro also identified another new piece of ransomware dubbed Cryptoblocker which does not use RSA keys and appears to have been written by inexperienced writers.
Fiesta Exploit Kit delivers double payload. A Malwarebytes researcher reported that attackers have modified the way the Fiesta Exploit Kit delivers its malicious payload by delivering two malicious files at once to attempt to avoid antivirus detection for at least one file.
Innominate patches vulnerability in mGuard industrial security routers. Innominate Security Technologies fixed a vulnerability in its mGuard series of industrial security routers that could have allowed an unauthenticated attacker to obtain configuration information. The routers are frequently used in the manufacturing, healthcare, and communications industries, and users were advised to update their firmware to close the vulnerability.
POW! Apple smites Macbook Air EFI firmware update borkage. Apple released a firmware update for 2011 and later MacBook Air systems that addresses an issue encountered by users in an EFI firmware update released the week of July 21 that caused MacBooks to become unresponsive.
Pushdo botnet continues to stay strong. Researchers with Bitdefender reported that they have recorded a steady increase in the number of infected systems attempting to contact the command and control servers for the Pushdo malware botnet, with around 200,000 unique IP addresses observed.
Malicious Android apps can impersonate trusted ones. Researchers at Bluebox Security reported that a vulnerability present in Android versions below 4.4 (KitKat) can allow malicious apps to inherit the access permissions of legitimate apps, because Android does not verify the certificate chain behind an app’s signature and so a malicious app can claim to be signed by a trusted publisher.
Tor warns of attack attempting to deanonymize users. The Tor Project reported that an attack that could have broken users’ anonymity on the Tor network was detected July 4 and may have been part of a research project. The attack used a combination of a Sybil attack and a traffic confirmation attack, and the vulnerabilities exploited were closed in a patch issued July 30.
Zero-day flaws found in Symantec’s Endpoint Protection. Offensive Security researchers reported finding three zero-day vulnerabilities in Symantec’s Endpoint Protection product that could allow a logged-in user to escalate to SYSTEM privileges and then perform attacks such as extracting cached domain administrator credentials or dumping password hashes.
Trio of flaws fixed in Facebook Android app. Facebook issued an update for its Android app that closes a vulnerability where an HTTP server used for video playback would accept requests from any client, leading to the potential for attacks to cause a denial of service (DoS) condition or transfer large amounts of data to run up charges on a victim’s mobile bill.
Many antivirus engines plagued by vulnerabilities: Researcher. A researcher with Coseinc presenting at the SyScan 360 conference reported that 14 of 17 antivirus products tested contained at least one vulnerability due to a variety of factors. Some vulnerabilities have since been patched, while the researcher reported that others remain exploitable.
70 percent of IoT devices vulnerable to cyberattacks: HP. HP released a report on Internet of Things (IoT) devices and found that 70 percent of devices tested contained serious vulnerabilities, while 80 percent raised privacy concerns, among other findings.
Instagram account hijack code published. A developer released a proof-of-concept that exploits the lack of HTTPS encryption in certain functions of the Instagram app for iOS that could allow an attacker on the same network to intercept session cookies and use them to take over Instagram accounts. Instagram parent company Facebook stated that they are aware of the issue and are working to find a solution.
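The Instagram proof of concept works because a cookie sent over plain HTTP is readable by anyone on the same network segment. The following Python is an added example and is not the published proof of concept or any Instagram code: it extracts session cookies from a constructed plaintext request capture, which is exactly what an on-path attacker obtains, and, for the server side of the fix, checks whether a Set-Cookie header carries the Secure and HttpOnly attributes that stop a client from ever sending the cookie over HTTP. The cookie names, host and request are assumptions.

```python
from http.cookies import SimpleCookie

# Assumed names of cookies that carry or protect a session.
SESSION_NAMES = {"sessionid", "csrftoken", "phpsessid", "sid"}

# Constructed capture of one plaintext HTTP request seen on a shared Wi-Fi segment.
PLAINTEXT_REQUEST = (
    b"GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    b"Host: app.example.invalid\r\n"
    b"Cookie: sessionid=1234567890abcdef; csrftoken=zyx987; ds_user_id=42\r\n"
    b"User-Agent: ExampleApp/6.0\r\n"
    b"\r\n"
)


def sniff_session_cookies(raw):
    """Pull session cookies out of a captured plaintext HTTP request.

    Everything returned here is enough to replay requests as the victim;
    no password, and no further interaction with the victim, is needed.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    stolen = {}
    for line in lines[1:]:                       # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for part in value.split(";"):
            k, _, v = part.strip().partition("=")
            if k.lower() in SESSION_NAMES:
                stolen[k] = v
    return stolen


def audit_set_cookie(header_value):
    """Return, per session cookie, the attributes it lacks (Secure, HttpOnly).

    Secure keeps the browser from sending the cookie over HTTP at all, which
    closes the interception path; HttpOnly keeps script from reading it.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    problems = {}
    for name, morsel in jar.items():
        if name.lower() not in SESSION_NAMES:
            continue
        missing = [attr for attr in ("secure", "httponly") if not morsel[attr]]
        if missing:
            problems[name] = missing
    return problems
```

For a native app the equivalent of the Secure attribute is simply never building an http:// URL for an authenticated endpoint; the audit function is the check to run on the server's responses once the app has been fixed, so that a regression is caught in testing rather than on a coffee-shop network.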
Only ‘3% of web servers in tops corps’ fully fixed after Heartbleed snafu. A study by Venafi Labs found that only 3 percent of machines have been fully remediated against the Heartbleed OpenSSL vulnerability, which requires patching the server, generating new private keys, issuing new SSL certificates, and revoking the old ones.
Cybercriminals abuse Amazon cloud to host Linux DDoS Trojans. Kaspersky Lab reported that Amazon cloud services and other companies are being abused by cybercriminals to host distributed denial of service (DDoS) bots, including a sophisticated Linux trojan capable of conducting domain name system (DNS) amplification DDoS attacks. The attackers are able to access the servers by exploiting vulnerabilities in versions 1.1.x of Elasticsearch.
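The NTP reflection attacks behind the Black Lotus figures earlier in this list and the DNS amplification attacks launched from compromised Elasticsearch hosts share one signature on the wire: small UDP requests carrying a spoofed source address, answered by much larger responses sent to that address. This Python is an added example, not Kaspersky or Black Lotus code, showing how to spot the pattern in NetFlow-style records from a network whose servers are being used as the reflectors. The flow records, addresses, byte counts and thresholds are constructed; the per-packet sizes are illustrative, not measured.

```python
from collections import defaultdict

# UDP services this page names as reflectors; SSDP, SNMP, chargen etc. work the same way.
REFLECTIVE_UDP = {53: "DNS", 123: "NTP"}

# Constructed flow records as exported at the reflector's network edge.
# Fields: src_ip, src_port, dst_ip, dst_port, proto, packets, bytes
SAMPLE_FLOWS = [
    # spoofed "client" 198.51.100.20 (the real victim) -> our NTP server: tiny requests
    ("198.51.100.20", 40000, "192.0.2.10", 123, "udp", 2000, 2000 * 60),
    # our NTP server answering the spoofed address with large monlist-style replies
    ("192.0.2.10", 123, "198.51.100.20", 40000, "udp", 200000, 200000 * 468),
    # spoofed client -> open DNS resolver: ANY queries, multi-kilobyte answers back
    ("198.51.100.20", 5353, "192.0.2.53", 53, "udp", 1500, 1500 * 64),
    ("192.0.2.53", 53, "198.51.100.20", 5353, "udp", 1500, 1500 * 3000),
    # legitimate NTP client: request and response are the same size
    ("203.0.113.7", 50123, "192.0.2.10", 123, "udp", 10, 10 * 76),
    ("192.0.2.10", 123, "203.0.113.7", 50123, "udp", 10, 10 * 76),
    # TCP web traffic, not relevant to reflection
    ("203.0.113.8", 51000, "192.0.2.80", 443, "tcp", 50, 50000),
]


def amplification_by_client(flows, min_ratio=10.0, min_response_bytes=1_000_000):
    """Pair request and response bytes per (server, service, client) and flag
    clients that receive far more than they send: the reflection victims.

    The client address in a finding is the spoofed (victim) address, not the
    attacker; the server is the host on our network acting as the reflector.
    """
    request_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTIVE_UDP:                  # client -> service
            request_bytes[(dst, dport, src)] += nbytes
        elif sport in REFLECTIVE_UDP:                # service -> client
            response_bytes[(src, sport, dst)] += nbytes

    findings = []
    for key, out_bytes in response_bytes.items():
        in_bytes = request_bytes.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio and out_bytes >= min_response_bytes:
            server, port, client = key
            findings.append({
                "server": server,
                "service": REFLECTIVE_UDP[port],
                "client": client,
                "amplification": round(ratio, 1),
                "response_bytes": out_bytes,
            })
    return sorted(findings, key=lambda f: -f["response_bytes"])
```

A finding names a server on your network that is acting as an amplifier; the fix is on that server (disable monlist or upgrade ntpd, stop the resolver answering recursive queries from the Internet, apply response rate limiting), which is exactly the patching that the Black Lotus report credits for the drop in reflection attack volume.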
Kaspersky analyzes distribution network for Koler mobile ransomware. Kaspersky Lab published findings on the Koler ransomware, which targets Android and Internet Explorer users. Dozens of automatically generated sites redirect visitors to a central hub running a traffic distribution system, which redirects them again according to their device and location. The distribution infrastructure relies on a network of at least 48 malicious adult Web sites linked to the Keitaro traffic redirection system.
I2P networking tool patched against de-anonymization. The developers of the I2P network released version 0.9.14, which fixes cross-site scripting (XSS) and remote code execution vulnerabilities in the I2P router console that, on the Tails operating system, could be used to de-anonymize a user. The release also contains several bug fixes in i2ptunnel, i2psnark, and other components.
XSS flaw fixed in Barracuda Spam and Virus Firewall. Vulnerability Laboratory researchers discovered a non-persistent (reflected) cross-site scripting (XSS) vulnerability in the Barracuda Spam and Virus Firewall Web application, affecting versions 5.1.3 and earlier, that allowed an attacker to run script in a victim’s browser and hijack session information. The vulnerability was patched July 15 after the researchers notified the vendor.
Remotely exploitable flaws fixed in Siemens SCADA system. Siemens patched 5 vulnerabilities discovered in its SIMATIC industrial automation system, four of them presenting remote exploitation risk, after an advisory by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) which explained that the flaws resided in the SIMATIC WinCC product which is a supervisory control and data acquisition (SCADA) system.
XML-RPC abused in brute-force attacks against WordPress sites. Sucuri researchers found that brute-force attacks against WordPress Web sites that use the XML-RPC interface’s wp.getUsersBlogs method (which takes a username and password and so serves as a credential-testing oracle) have increased since July 4, with 2 million attempts observed from 17,000 different IP addresses.
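Both the XML parser denial of service fixed by WordPress and Drupal (earlier in this list) and the wp.getUsersBlogs brute forcing described here arrive through the same endpoint, xmlrpc.php, so a single front-end check can address both. The following Python is an added example and not WordPress, Drupal or Sucuri code. It assumes the parser flaw is the classic XML entity-expansion ("billion laughs") attack, which the page does not state; the guard rejects any body carrying a DTD or entity declaration, which XML-RPC never needs, before handing it to a parser, and then counts wp.getUsersBlogs calls per source address to flag credential guessing. The request bodies, IP addresses, size limit and threshold are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

MAX_BODY = 64 * 1024          # assumed cap for an XML-RPC body; tune to your site
DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.I)


class RejectedRequest(Exception):
    pass


def parse_method_call(body):
    """Return (methodName, [string params]) or raise RejectedRequest.

    The checks run on the raw bytes before any XML parser sees them, so an
    entity bomb is refused without ever being expanded.
    """
    if len(body) > MAX_BODY:
        raise RejectedRequest("body too large")
    if DTD_MARKER.search(body):
        raise RejectedRequest("DTD/entity declaration in XML-RPC body")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise RejectedRequest("malformed XML: %s" % exc)
    if root.tag != "methodCall":
        raise RejectedRequest("not a methodCall")
    name = root.findtext("methodName", default="").strip()
    params = [p.text or "" for p in root.iter("string")]
    return name, params


def is_rejected(body):
    try:
        parse_method_call(body)
        return False
    except RejectedRequest:
        return True


# Constructed request bodies: a credential guess and an entity-expansion payload.
GUESS = (b'<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
         b'<params><param><value><string>admin</string></value></param>'
         b'<param><value><string>guess1</string></value></param></params></methodCall>')

BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
        b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
        b'<methodCall><methodName>&c;</methodName></methodCall>')

# Constructed traffic: one address guessing 25 times, one legitimate call, one bomb.
SAMPLE_REQUESTS = ([("203.0.113.5", GUESS)] * 25
                   + [("203.0.113.9", GUESS), ("198.51.100.7", BOMB)])


def brute_force_sources(requests, threshold=20):
    """Return ({ip: guess count} over threshold, {ip: rejected body count})."""
    guesses = Counter()
    rejected = Counter()
    for ip, body in requests:
        try:
            name, _params = parse_method_call(body)
        except RejectedRequest:
            rejected[ip] += 1
            continue
        if name == "wp.getUsersBlogs":
            guesses[ip] += 1
    flagged = {ip: n for ip, n in guesses.items() if n >= threshold}
    return flagged, dict(rejected)
```

Rejecting DTDs outright is simpler and safer than trying to bound entity expansion inside the parser, and a per-source count on wp.getUsersBlogs catches the attack this item describes without disabling XML-RPC for the mobile apps and pingback clients that legitimately use it.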
TAILS team recommends workarounds for flaw in I2P. The developers of the Tails operating system stated that a vulnerability in the I2P anonymity network software bundled with Tails 1.1 and earlier can be mitigated with a couple of workarounds, though the vulnerability itself had yet to be patched.
Cloud botnets used for mining crypto-currency. Researchers from Bishop Fox built a botnet, using only the free tiers of multiple cloud-computing services, that was capable of mining several hundred dollars’ worth of Litecoin crypto-currency per day. The researchers noted that the same machines could equally be used for distributed denial of service (DDoS) attacks.
Sony to shell out $15M in PSN breach settlement. Sony released a statement July 24 stating that it had reached a preliminary agreement to pay $15 million to settle claims arising from the April 2011 hacking of its PlayStation Network, its on-demand service Qriocity, and its gaming portal Sony Online Entertainment, which exposed the personal data of roughly 77 million users.
More details of Onion/Critroni crypto ransomware emerge. Kaspersky Lab and other researchers found that the Critroni ransomware, also known as CTB-Locker or Onion, has a number of features that set it apart from other ransomware, including that it is distributed through the Andromeda botnet and that it uses a variant of the asymmetric Elliptic Curve Diffie-Hellman (ECDH) algorithm to protect the keys used to encrypt victims’ files.
Popular wireless home alarms can be hacked from afar. Two security researchers found that popular wireless home alarm systems are vulnerable to remote hijacking, allowing entry into the protected premises without tripping the alarm, because the radio signals between sensors and control panel are neither encrypted nor authenticated. The tools needed are available for purchase, and an intruder could completely disable the alarm from about 10 feet away.
Six men charged in StubHub cyber-theft case. Six individuals were charged in the U.S. in connection with an alleged cybercrime ring that took over accounts on the online ticket marketplace StubHub, used the victims’ credit cards to purchase tickets to entertainment events in New York City, sold the tickets, and then laundered the proceeds through PayPal accounts and bank accounts in the U.S., U.K., Canada, Germany, and Russia. The alleged fraud totaled around $1 million and affected over 1,000 user accounts.
50,000 sites backdoored through shoddy WordPress plugin. A researcher with Sucuri reported that around 50,000 Web sites were exposed to malware injection, defacement, and spam through a vulnerability in the MailPoet plugin for WordPress. Sites that do not use MailPoet themselves can still be affected if a vulnerable copy of the plugin is present in another site on the same server.
Fake Googlebots used for layer 7 DDoS attacks. Incapsula issued a report that shows how malicious Web crawlers that mimic Googlebots to bypass security are being used for various malicious purposes. The majority of the fake crawlers were used for collecting marketing information while 23.5 percent were used for application layer distributed denial of service (DDoS) attacks.
DDoS attackers turn attention to SaaS and PaaS systems, Akamai reports. Akamai released its Q2 2014 Global DDoS Attack Report, which found a 22 percent increase in distributed denial of service (DDoS) attack activity in the second quarter of 2014. The report also found that around half of DDoS attacks targeted IT infrastructure, with vendors of cloud services such as Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) being common targets.
Metro News website compromised to serve malware. Researchers at Websense reported July 22 that the Web site of newspaper Metro.us was compromised and used to redirect visitors to a malicious Web site hosting the RIG exploit kit. The RIG exploit kit then attempts to exploit any present vulnerability in users’ software to install a piece of malware identified as Win32/Simda.
Android ransomware demands 12x more cash, targets English-speakers. Researchers at ESET identified a new version of the Simplocker ransomware for Android that displays a fake law enforcement ransom note in English and demands a higher ransom than previous versions that were written in Russian and demanded payment in Ukrainian hryvnias. The new version of the ransomware contains additional features such as the encryption of more types of files on victims’ devices and actions that make it more difficult to remove.
Mozilla fixes 11 vulnerabilities with release of Firefox 31. Mozilla released new versions of its Firefox Web browser and Thunderbird email client July 22, closing 11 vulnerabilities, including 3 rated as critical.
40% of orgs running VMware still susceptible to Heartbleed. Data collected and analyzed by CloudPhysics found that 57 percent of deployed VMware vCenter servers and 58 percent of ESXi hypervisor hosts remain vulnerable to the Heartbleed vulnerability in OpenSSL, affecting 40 percent of organizations in the CloudPhysics data set.
Internet Explorer vulnerabilities increase 100%. An analysis by Bromium Labs of vulnerabilities in popular Web browsers and common software found that vulnerabilities in Internet Explorer increased by more than 100 percent in the first half of 2014. Other findings included that ActionScript sprays were leveraged in zero-day attacks and that zero-day vulnerabilities in Java declined greatly in the first half of 2014 compared to 2013.
Attackers bypass 2FA systems used by banks in ‘Operation Emmental’. Researchers with Trend Micro released a report July 22 detailing a cybercrime campaign targeting banks in Europe and Japan dubbed “Operation Emmental” that uses computer and Android mobile device malware to steal users’ banking credentials and two-factor authentication (2FA) tokens. The malware used in the campaign can install fake Secure Sockets Layer (SSL) certificates, delete itself after use, and perform other actions to trick users.
Banks: Card breach at Goodwill Industries. Goodwill Industries stated that it is working with the U.S. Secret Service to investigate a possible breach of payment card data from some of its U.S. stores. The company stated that it became aware of a possible breach July 18 after they were contacted by a payment card industry fraud investigation unit and federal authorities.
Significant deficiencies found in Treasury’s computer security. Two reports by the Government Accountability Office released the week of July 14 found new computer security vulnerabilities at the U.S. Department of the Treasury’s Bureau of Fiscal Service and existing security issues at the Federal Deposit Insurance Corporation that remain unaddressed from 2012 which could compromise reporting efficiency or the security of data.
iOS backdoors expose personal data: Researcher. A security researcher presenting at a security conference reported that Apple’s iOS mobile operating system contains several undocumented services which could be used in some circumstances to access email, location data, media, and other personal data. Apple stated that the services are used for diagnostic purposes and can only be used to access data with user approval.
Fresh threat to critical infrastructure found in Havex malware. Researchers at FireEye analyzed a variant of the Havex malware (also known as Fertger or Peacepipe) and found that it contained an OLE for Process Control (OPC) scanner that could be used to enumerate and target supervisory control and data acquisition (SCADA) systems used by several industries, including power plants and water utilities.
Secondhand Point-o-Sale terminal was horrific security midden. A researcher with HP found that a second-hand Aloha point-of-sale (PoS) terminal purchased from eBay still held a database of employee names, Social Security numbers, and addresses, as well as the vendor’s default passwords, which an attacker could use against any deployment whose owners never changed them.
Unpatched OpenSSL holes found on Siemens ICSs. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated July 17 that six Siemens industrial control products contained vulnerabilities in their OpenSSL implementation that could lead to man-in-the-middle (MitM) attacks or the crashing of Web servers. Four of the vulnerabilities remain unpatched and are present in industrial control products used by the manufacturing, chemical, energy, agriculture, and water industries and utilities.
Kelihos Trojan delivered through Askmen.com. Researchers with Malwarebytes reported that the online publication Askmen.com was compromised by attackers and used to redirect users to a malicious page serving the Nuclear Pack exploit kit for the purpose of infecting users with the Kelihos malware. The compromise was achieved by injecting malicious code into the Askmen.com server, and the site’s administrators were notified.
Fake Flash Player steals credit card information. Dr. Web researchers reported finding a new piece of Android malware dubbed BankBot that is disguised as Adobe Flash Player and persistently asks users for administrator privileges in order to display a fake credit card information form and steal any entered information. The malware is currently targeting users in Russia but can be repurposed to attack other targets.
Researchers analyze multipurpose malware targeting Linux/Unix Web servers. Virus Bulletin published an analysis of a recently discovered piece of malware that infects Linux and Unix Web servers known as Mayhem, which has infected around 1,400 servers. The malware relies on several plugins for various capabilities, including information stealing and brute-force attacks.
Neverquest banking Trojan expands list of targets. Researchers with Symantec found that the attackers operating the Neverquest banking Trojan, also known as Snifula, have focused their efforts on banks in the U.S. and Japan since December 2013. The Trojan is able to obtain banking login information from victims and can also steal digital certificates, among other capabilities.
New Android ransomware locks device completely. Researchers at Lookout identified a new piece of Android ransomware dubbed ScarePakage that infects devices by posing as a legitimate app on third-party Android markets and then locks the device and demands a ransom. The ransomware uses a Java TimerTask to kill other processes and a wake lock to prevent the phone from entering sleep mode.
DDoS attacks decrease in Q2 2014, compared to Q1. Arbor Networks reported that distributed denial of service (DDoS) attacks during the second quarter of 2014 decreased in both size and frequency compared to the previous quarter, with an average attack size of 759.83 Mb/s, among other findings.
63% of businesses don’t encrypt credit cards. SecurityMetrics found in a study that 63.86 percent of businesses surveyed store unencrypted 16-digit payment card numbers on their systems, and 7 percent store magnetic stripe track data, which card brand rules prohibit storing at all, making them easy targets for fraud, among other findings.
Pushdo trojan outbreak: 11 THOUSAND systems infected in just 24 hours. Bitdefender researchers reported that a new campaign to spread the Pushdo botnet malware compromised over 11,000 systems within a 24-hour period, with the majority of infected users in Asia and some in the U.S., U.K., and France. The Pushdo botnet has previously been used in spam campaigns and to distribute malware such as Zeus and SpyEye.
Cisco patches critical issue in wireless residential gateway products. Cisco released patches for several Cisco Wireless Residential Gateway products, closing a vulnerability that could allow attackers to use malicious HTTP requests to crash the Web server and inject commands or execute code with elevated privileges.
SQL injection risk in vBulletin receives prompt patch. vBulletin released a patch for its forum software which closes a SQL injection vulnerability that was identified and disclosed by Romanian Security Team.
Critical vulnerabilities fixed in Drupal 7.29 and 6.32. The Drupal Security Team advised all users to update to version 7.29 or 6.32 in order to close vulnerabilities that could allow attackers to perform denial of service (DoS) and cross-site scripting (XSS) attacks.
Five vulnerabilities fixed in Apache Web Server. The Apache Software Foundation released version 2.4.10-dev of its Apache Web Server, closing five vulnerabilities, including a buffer overflow vulnerability and several denial of service (DoS) vulnerabilities.
Oracle patches 113 vulnerabilities, including 20 in Java. Oracle released its Critical Patch Update for July, which includes patches for 113 security vulnerabilities in various Oracle products, including 20 vulnerabilities in Java SE. All 20 Java vulnerabilities can be exploited remotely without authentication, and users were advised to apply the updates as soon as possible.
vBulletin exploitable through SQL injection. Members of the Romanian Security Team group identified and reported an SQL injection vulnerability in vBulletin which could be used by attackers to gain access to a forum's administration panel and databases. The group reported the vulnerability to the developers of vBulletin and stated that they would disclose the full details of the issue once a fix is released.
OpenBSD downplays PRNG vulnerability in LibreSSL. A researcher with Opsmate reported finding a flaw in the pseudorandom number generator (PRNG) in LibreSSL for Linux. Representatives of the OpenBSD Project confirmed that the issue exists but stated that the now-fixed problem was unlikely to be exploitable in real world conditions.
Critical design flaw in Microsoft’s Active Directory could allow password change. Researchers with Aorato identified a flaw within Microsoft’s Active Directory which could allow attackers to change a victim’s password and use the new password to access a company’s network and enterprise functions. The vulnerability relies on the older NTLM authentication protocol to perform a “pass-the-hash” attack to gain access.
Amazon-based malware triples in 6 months. Solutionary released an analysis of Internet service providers (ISPs) and hosting providers found hosting malware and determined that Amazon was the top malware-hosting provider, with a 250 percent increase during the second quarter of 2014, among other findings.
Google’s Dropcam monitoring device open for video hijacking. Researchers with Synack found that the Google Dropcam home monitoring cameras contain vulnerabilities which could allow the camera’s video and sound content to be intercepted by attackers. The vulnerabilities stem from an old version of OpenSSL that is vulnerable to the Heartbleed flaw and other issues, and from an old version of BusyBox that contains exploitable flaws.
CNET attacked by Russian hackers, user database stolen. CBS Interactive confirmed that media Web site CNET was compromised after attackers claiming affiliation with the Russian hacker group W0rm stated that they were able to obtain databases containing usernames, emails, and encrypted passwords for over 1 million users. The attackers stated that they used a flaw in the site’s implementation of the Symfony PHP framework and claimed that the attack was performed for security demonstration purposes and the information would not be sold.
Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD. Sophos researchers reported that a new variant of the GameOver Zeus trojan is being used to re-establish a botnet 6 weeks after an international law enforcement effort disrupted the original botnet used for banking credential theft and the distribution of the CryptoLocker ransomware.
Citi to pay $7 billion in Justice settlement. Citigroup announced July 14 that it would pay $7 billion to settle U.S. Department of Justice charges that the financial institution knowingly sold risky mortgage-based securities prior to the 2008 financial crisis.
Kronos: New financial malware sold on Russian underground forum. Researchers with Trusteer reported July 11 that a new piece of banking malware known as Kronos has recently been advertised on a Russian underground forum in a pre-release sale. The malware contains HTML injection and form-grabbing capabilities, allegedly works with both modern and older Web browsers, and is compatible with Zeus trojan configuration files.
International hacker pleads guilty to 2011 global cyberattack. A member of an international cybercrime organization pleaded guilty July 11 for working with co-conspirators to hack into the payment card processor for the American Red Cross in 2011 and stealing payment card data that was then used to make $14 million in fraudulent ATM withdrawals around the world.
Critical vulnerabilities in web-based password managers found. Researchers at the University of California identified and reported various vulnerabilities in five Web-based password managers that could allow attackers to obtain a user’s credentials. LastPass, My1Login, RoboForm, and PasswordBox reported that they closed the vulnerabilities after they were reported, while the researchers did not receive word on the issues from NeedMyPassword.
Cisco patches four-year-old Apache Struts 2 issue. Cisco patched a vulnerability in Apache Struts 2 that was reported in 2010 which could allow an attacker to use a malicious Object-Graph Navigation Language (OGNL) expression to compromise vulnerable systems.
Attackers use keyloggers, email to steal data in “NightHunter” attacks. Cyphort researchers reported identifying a cybercriminal operation known as “NightHunter” that has been active since 2009 and uses various pieces of malware and keyloggers to target organizations in the energy, education, health, insurance, and charity industries. The campaign distributes the malware through phishing emails that are usually sent to finance, human resources, and sales departments.
Source code for tiny ‘Tinba’ banking malware leaked. Researchers with CSIS Security Group reported that the source code for the Tinba banking malware, also known as Zusy, was posted openly on underweb forums, potentially allowing a greater number of attackers to utilize the malware. The malware is capable of interfering in online banking sessions to steal user credentials and has an unusually small code base.
Shylock malware infrastructure targeted by international authorities. Law enforcement agencies in the U.S., E.U. and Turkey along with several security firms conducted a coordinated operation July 8-9 to seize domains and command and control servers used by the Shylock banking malware. The malware, also known as Caphaw, has infected at least 30,000 computers and been in use since 2011.
Kaspersky Lab details ‘versatile’ DDoS trojan for Linux systems. Researchers with Kaspersky Lab reported identifying a Linux distributed denial of service (DDoS) trojan with several modules that add various capabilities. Components of the trojan were identified as Backdoor.Linux.Ganiw.a and Backdoor.Linux.Mayday.f.
Gmail for iOS poses man-in-the-middle attack risk. Lacoon researchers found the Gmail app for iOS can leave users vulnerable to man-in-the-middle (MitM) attacks due to the app lacking the certificate pinning feature. This could allow attackers to use a rogue certificate to impersonate the Gmail server and route traffic through their systems.
Kaspersky quickly addresses XSS flaw impacting company website. Kaspersky Lab closed a cross-site scripting (XSS) vulnerability on one of its Web sites after being notified of the issue by a security researcher, the company reported July 10. There was no indication that the flaw was exploited by attackers.
CryptoLocker infrastructure used for other threats: Bitdefender. Researchers with Bitdefender found that the infrastructure for the CryptoLocker ransomware remains active even though a takedown operation in June disrupted the ransomware operation. The infrastructure is currently being used for various fraudulent and malicious purposes including fake antivirus scams and the distribution of the Citadel banking trojan.
Exploit kit dropped through Akamai content delivery network. Malwarebytes researchers found and reported that attackers are abusing the Akamai Technologies Akamaihd.net content delivery network (CDN) to trick users with fake software update notifications that bundle pay-per-install programs, and to use a malicious iframe to redirect users to an exploit kit. The exploit kit used appears to be the Nuclear Pack exploit kit, which targets vulnerabilities in Java, Flash, Internet Explorer, and Adobe Reader.
Crusty API opened Facebook accounts to hijacking. A security researcher revealed that a legacy API in Facebook allowed attackers to make REST API calls on behalf of Facebook users if their user ID was known, allowing attackers to update statuses, like content, and upload or delete photos. The flaw was reported to Facebook in April and fixed by Facebook, earning the researcher $20,000 through Facebook’s bug bounty program.
Nearly 70% of critical infrastructure providers suffered a breach. Unisys released the results of a survey of 599 security executives in the manufacturing, utility, and energy sectors and found that almost 70 percent of respondents reported at least one security breach that led to a disruption in operations or disclosure of confidential information within the last 12 months. The report also found that data breaches were most often attributed to negligent insiders, among other findings.
Buffer overflow vulnerabilities in Yokogawa ICS gear patched. Yokogawa Electric Corporation released patches for its CENTUM and Exaopac industrial control system (ICS) software the week of July 7, closing vulnerabilities that could allow an attacker to remotely execute code.
Feds charge carding kingpin in retail hacks. The U.S. Department of Justice announced July 7 that the U.S. Secret Service arrested a Russian national for allegedly working with others to steal and sell payment card details from stores and restaurants throughout the U.S. between 2009 and 2011. The man and his accomplices allegedly planted malware on merchants’ point-of-sale (POS) devices in order to obtain the payment card information and then sold it through underweb forums.
Rosetta Flash attack mitigated by the new Adobe Flash Player 126.96.36.199. Adobe released an update for its Flash Player that closes a vulnerability identified by a Google researcher that could allow an attacker to abuse JSONP endpoints and cause victims to run arbitrary requests and leak sensitive data.
Vulnerability in AVG security toolbar puts IE users at risk. Researchers with the CERT Coordination Center (CERT/CC) found that the AVG Secure Search browser toolbar could allow attackers to execute malicious code due to an ActiveX control that exposes sensitive functionality to Web sites. The vulnerability affects AVG Secure Search versions 18.1.6 and earlier.
NETGEAR switches exposed to attacks from hardcoded credentials. An advisory from the CERT Coordination Center (CERT/CC) warned users of Netgear GS108PE ProSafe Plus Switches that attackers can log into the switches and execute arbitrary code by using a hardcoded login and password.
Massachusetts man charged in Twitter hack. A Massachusetts man was charged July 2 for allegedly hacking into helpdesk services company Zendesk, disabling a security feature that restricted access to customer information, and exporting Twitter support tickets. The information was then allegedly used to compromise and deface Twitter’s and Zendesk’s Twitter feeds.
App permissions? Pah! Rogue Android soft can ‘place phone calls at will’. Researchers with Curesec identified vulnerabilities in the Android mobile operating system that could allow malicious apps to place phone calls and send Unstructured Supplementary Service Data (USSD) codes. One vulnerability affects Android versions 4.1.1 and up, while the second affects older Android 2.3.3 and 2.3.6 versions.
Researchers find vulnerability in internal PayPal portal. Vulnerability Lab researchers disclosed and published a proof-of-concept for a vulnerability in an “Ethernet portal” used by PayPal employees that could have been used by attackers to gain access to personal and financial information of customers or to hijack accounts. The vulnerability was reported in February 2013, fixed around December 2013, and cleared for publication July 4.
Attack on Dailymotion redirected visitors to exploits. Symantec researchers reported that beginning June 28 attackers injected malicious code into video-sharing Web site Dailymotion.com which redirected visitors to a malicious Web site hosting the Sweet Orange Exploit Kit. Computers compromised by the exploit kit were then infected with the Trojan.Adclicker artificial traffic generator malware.
4th of July malware campaign targets travel websites. Researchers with Proofpoint identified several travel Web sites being compromised and altered to serve an unknown exploit kit to visitors. The attacks were timed to take advantage of the 4th of July holiday and feature an exploit kit that was detected by only four antivirus engines on VirusTotal.
Security vulnerabilities fixed with release of Python 2.7.8. The Python Software Foundation released Python 2.7.8 July 1, closing three security vulnerabilities.
‘CosmicDuke’ malware emerges as update to MiniDuke espionage trojan. Researchers with F-Secure and Kaspersky Lab identified a new version of the MiniDuke information-stealing malware dubbed CosmicDuke that shares code with the Cosmu malware. The researchers stated that the group behind the CosmicDuke malware appears to be the same group that used the MiniDuke malware to steal information from European governments in 2013.
Your Android phone is a SNITCH: Wi-Fi bug makes you easy to track. Researchers with the Electronic Frontier Foundation found that Android devices running Android 3.1 and later may disclose the 15 most recent WiFi networks a user connected to, potentially compromising privacy by allowing attackers to discern a user’s movements or identity. The issue is present on some Android devices but not others, and is also present on all OS X laptops and some Windows 7 laptops.
You CAN’T bust into our login app’s password vault, insists Roboform. RoboForm announced that it adjusted security for the mobile version of its password manager after a security researcher reported that the security of the RoboForm mobile app for Android and iOS can be bypassed by deleting a line in the app’s preferences file. The researcher also claimed that the way the private key is shared with parent company Siber Systems’ servers could also compromise security.
Bitcoin phishing ads present in Bing search engine. Netcraft researchers found two links to phishing sites targeting Bitcoin users in Bing search result ads. One malicious ad linked to a phishing page, while the other was non-functional due to the attackers using an incorrect top-level domain in the address.
New Android malware targets banking apps, phone information: FireEye. FireEye researchers identified a piece of Android malware known as HijackRAT that disguises itself as a ‘Google Service Framework’ and is capable of disabling antivirus applications, stealing banking credentials and personal information, and remotely accessing infected devices. The malware is currently targeting banks in Korea but can be easily modified to target others.
Enhanced KIVARS malware now attacks 64-bit systems. Researchers with Trend Micro analyzed a new version of the KIVARS malware that is capable of targeting systems running 64-bit operating systems. The malware is distributed using the TROJ_FAKEWORD.A dropper and is capable of several data-stealing and remote actions.
Oh SNAP! Old-school ’80s Unix hack to smack OSX, iOS, Red Hat? Researchers with DefenseCode released a white paper outlining how Unix-based systems could be vulnerable to hijacking via a class of vulnerabilities involving ‘wildcard’ characters in filenames. The vulnerability could allow attackers to inject arbitrary arguments to shell commands run by other users.
Ruby on Rails receives security fixes. Updates for the Ruby on Rails Web application framework were released that include fixes for two vulnerabilities that affected PostgreSQL.
Running Cisco’s VoIP manager? Four words you don’t want to hear: ‘Backdoor SSH root key’. Cisco warned users of its Unified Communications installations that a vulnerability exists in its Unified Communications Domain Manager (Unified CDM) software that can allow an unauthenticated attacker to gain root access by exploiting a default SSH key designed for use by Cisco support representatives. The vulnerability is present in all versions of Cisco Unified CDM prior to version 4.4.2 and users were advised to update the software, or to filter SSH access as a stopgap measure.
HSBC settles U.S. fraud charges over foreclosure fees. HSBC agreed July 1 to pay $10 million to settle charges that the bank overcharged the Federal Housing Administration and Fannie Mae for foreclosure-related fees on federally-backed home loans between 2009 and 2010.
Critical flaw in WordPress newsletter plug-in endangers many blogs. Researchers with Sucuri identified a vulnerability in the MailPoet (formerly wysija-newsletters) plugin for WordPress that could allow attackers to take control of sites using the plugin. The vulnerability was patched July 1 in an update for MailPoet and all users were advised to upgrade as soon as possible.
MONSTER COOKIES can nom nom nom ALL THE BLOGS. A security researcher identified and reported a method that could be used to prevent users from accessing Web sites by setting cookies with header values so large that they trigger Web server errors. The researcher demonstrated the attack against the Google Blog Spot network and showed that users given the altered cookies were not able to see any blogs on the service.
MS No-IP takedown hits 25% of APT attackers. Kaspersky stated that the takedown by Microsoft of several domains belonging to the No-IP Internet service also disrupted in some form the operations of around 25 percent of the advanced persistent threat (APT) groups the company is tracking. Microsoft also stated that service was restored to legitimate customers July 1; however, No-IP stated that domains were still experiencing outages July 2.
Redmond’s EMET defense tool disabled by exploit torpedo. Researchers with Offensive Security demonstrated how exploit code can be delivered that disables and bypasses version 4.1 of Microsoft’s Enhanced Mitigation Toolkit (EMET) security tool.
Number and diversity of phishing targets continues to increase. The Anti-Phishing Working Group (APWG) released a report on phishing during the first quarter of 2014 and found that the number of phishing sites increased by 10.7 percent over the previous quarter, among other findings.
Geodo infostealer gets help from worm. A security researcher identified a new version of the Cridex information-stealing malware known as Geodo that works in conjunction with a worm to spread. The researcher found that the malware is completely new code but uses the same botnet, command and control infrastructure, and distribution mechanisms as the previous Feodo version of Cridex.
Microsoft boosts anti-snooping protection in Outlook.com, OneDrive. Microsoft announced that it added encryption protection to its Outlook.com webmail service and OneDrive cloud storage service in order to better protect users’ privacy.
Facebook SDK flaw allows unauthorized access to Facebook accounts. MetaIntell researchers identified a vulnerability in the Facebook SDK for Android and iOS that could allow an attacker to compromise users’ Facebook accounts due to insecure storage of the Facebook Access Token. The vulnerability is present in 31 of the top 100 Android apps and 71 of the top 100 iOS apps.
Microsoft disrupts malware networks and APT operations. Microsoft’s Digital Crimes Unit seized 22 free domain names operated by No-IP.com due to the domain names allegedly being used by the NJrat and NJw0rm families of malware. No-IP stated that the Microsoft takeover and rerouting of traffic through sinkholes has also disrupted legitimate customers’ service.
Apple patches iOS, OSX and Safari on mega Monday. Apple released updates June 30 for its iOS mobile operating system, OSX operating system, and Safari Web browser, closing 44 vulnerabilities in iOS, 19 in OSX, and 12 in Safari.
A lighter ZeuS is discovered. Researchers with Fortinet identified a new variant of the Zeus trojan named Zeus Lite that has fewer functions than previous versions but contains improved encryption and the ability to control infected systems.
“Emotet” banking malware steals data via network sniffing. Researchers at Trend Micro identified a new piece of banking malware dubbed Emotet that attempts to steal banking credentials by logging outgoing traffic and comparing it against a list of targeted financial institutions. The malware is distributed via spam emails containing a link to a malicious Web site, and currently is primarily targeting financial institutions in Germany.
London teen charged over Spamhaus mega-DDoS attacks. Authorities in the U.K. charged a teenager for his alleged involvement in several major distributed denial of service (DDoS) attacks against anti-spam service Spamhaus during 2013. The attacks also led to worldwide disruptions in Internet exchanges and services.
PHP fixes OpenSSL flaws in new releases. The PHP Group released new versions of PHP, closing two vulnerabilities in OpenSSL that are related to timestamps.
Google Drive update fixes data-leaking flaw. Google closed a security issue in its Google Drive service that previously allowed some files shared with a direct link to be accessed by unauthorized third parties. Some files could still be seen by unauthorized parties, and Google advised users with files that met certain criteria to remove them.