Gotham Security Daily Threat Alerts

July 1, Securityweek – (International) Attackers abuse RIPv1 protocol for DDoS reflection: Akamai. Security researchers from Akamai discovered that malicious actors have been leveraging routers running Routing Information Protocol version 1 (RIPv1) to reflect distributed denial-of-service (DDoS) attacks by sending malicious route requests with the source Internet protocol (IP) address spoofed to match that of the targeted system.

July 1, Softpedia – (International) iOS 8.4 fixes 33 security vulnerabilities. Apple released iOS version 8.4 addressing 33 security vulnerabilities, including a fix for the Logjam flaw that allows a man-in-the-middle (MitM) attacker to downgrade cryptographic security, and fixes for other flaws that could lead to arbitrary code execution.

July 1, Softpedia – (International) Researchers expose attack on iOS that can break system apps. Security researchers from FireEye reported two Apple iOS flaws, dubbed Manifest Masque and Extension Masque, in which an attacker could break or replace system apps and extensions on an affected device by taking advantage of apps created in Xcode and distributed outside of Apple’s App Store. The vulnerabilities behind Manifest Masque attacks were partially addressed in the release of iOS 8.4.

June 30, Securityweek – (International) ESET analyzes complex espionage platform used by “Animal Farm” APT. ESET released research on the Dino cyber-espionage platform used by the “Animal Farm” advanced persistent threat (APT) group, revealing that Dino is capable of retrieving system information, executing Microsoft Windows batch commands, searching for files, and transferring files back and forth between the infected host and a command and control (C&C) server. Researchers have not determined the tool’s initial infection vector.

June 30, Softpedia – (International) Dridex is the most prevalent banking malware in the corporate sector. SecurityScorecard released findings from a report revealing that the Dridex banking trojan was the most prevalent malware found in corporate environments from January to May, primarily targeting the manufacturing and retail sectors, followed by the Beloh and Tinba trojans, which targeted telecommunications and technology companies.

June 30, Securityweek – (International) Yahoo patches SSRF vulnerability in image processing system: researcher. A security researcher reported that Yahoo patched a server-side request forgery (SSRF) vulnerability affecting all of its services that required images to be processed, which an attacker could have used to bypass controls and access data on the affected system.

June 29, Securityweek – (International) Many organizations using Oracle PeopleSoft vulnerable to attacks: report. ERPScan released findings from a report revealing that Oracle’s PeopleSoft contained several vulnerabilities, including information disclosure, XML external entity (XXE), cross-site scripting (XSS), and authentication bypass flaws, as well as configuration-related issues that could allow an attacker to breach PeopleSoft systems connected to the Internet.

June 30, – (International) Pentagon, OPM shut down background check systems. The U.S. Department of Defense Joint Personnel Adjudication System (JPAS) was taken offline following the Office of Personnel Management’s (OPM) June 29 announcement that the e-QIP system would be offline for 4 to 6 weeks for security improvements. A vulnerability in the OPM tool that links to JPAS was discovered during a probe of the recent OPM breach.

Gotham Security Daily Threat Alerts June 29-30, 2015

June 29, Securityweek – (International) Security firm discloses details of Amazon Fire Phone vulnerabilities. MWR InfoSecurity released details on three recently patched Amazon Fire Phone vulnerabilities, including flaws in the CertInstaller package that can allow third-party applications to install digital certificates and intercept encrypted traffic via man-in-the-middle attacks, and an issue with the Android Debug Bridge (ADB) in which an attacker could bypass the lock screen, steal information, add and remove applications, and access a high-privilege shell on the phone.

June 29, Help Net Security – (International) Hackers are exploiting Magento flaw to steal payment card info. A security researcher from Sucuri Security discovered that attackers are actively exploiting a flaw in eBay’s Magento platform to steal users’ billing and payment card information by injecting malicious code into one of Magento’s core files. Researchers are investigating the attack vectors to identify the underlying vulnerability.

June 29, Softpedia – (International) LG’s Update Center app fails to check server’s SSL certificate, MitM risk. Security researchers from Search-Lab discovered a vulnerability in LG’s Update Center application on Android phones: because the app does not validate the secure sockets layer/transport layer security (SSL/TLS) certificate of the update server, an attacker could execute a man-in-the-middle (MitM) attack and install arbitrary applications on the device.

June 29, Securityweek – (International) Flash Player flaw used by APT3 group added to Magnitude exploit kit. A French security researcher discovered that an exploit for a recently patched Adobe Flash Player heap buffer overflow vulnerability, leveraged by the APT3 threat group, has been added to the Magnitude exploit kit (EK).

June 26, IDG News Service – (International) Samsung will stop blocking Microsoft software updates ‘within a few days’. Samsung reported that users will receive a patch through the Samsung Software Update notification process to restore the default Microsoft Windows Update settings, after a security researcher discovered that the company had disabled Windows Update to avoid conflicts with its SW Update service.

June 26, Softpedia – (International) Click-fraud attack morphs into ransomware risk in a couple of hours. Security researchers at Damballa discovered that a threat actor dubbed RuthlessTreeMafia is distributing exploit kits along with the Rerdom malware in a click-fraud campaign, and sells other threat actors access to the infected users’ systems. Researchers observed one such infection result in the delivery of the CryptoWall ransomware.

June 26, Securityweek – (International) Default SSH keys expose Cisco’s virtual security appliances. Cisco reported that customers using its Web Security, Email Security, and Security Management Virtual Appliances were vulnerable due to the products’ use of default secure shell (SSH) keys, which could allow an unauthenticated, remote attacker to connect to a system with root user privileges. The company released a patch addressing the issue.

June 26, Softpedia – (International) 94% of Android devices vulnerable to bug exposing memory content. Security researchers from Trend Micro discovered a security flaw in the Android operating system’s (OS) debugging component in which an attacker could craft a special Executable and Linkable Format (ELF) file to crash the debugger and view memory dumps and log files, or to create a denial-of-service (DoS) condition. The issue affects all Android versions after 4.0 (Ice Cream Sandwich).

June 25, Threatpost – (International) Stored XSS flaw patched in Thycotic Secret Server. Thycotic patched a stored cross-site scripting (XSS) vulnerability in its Secret Server product in which an attacker could execute JavaScript in a valid user’s browser to toggle the password mask and steal the victim’s stored passwords.

June 25, Securityweek – (National) U.S. healthcare companies hardest hit by ‘Stegoloader’ malware. Security researchers from Trend Micro reported that North American healthcare organizations are the primary victims of the Stegoloader Trojan, a malware identified as TROJ_GATAK, which embeds malicious code in image files to avoid detection and has anti-virtual machine and anti-emulation capabilities to hinder analysis.

June 25, Help Net Security – (International) Samsung disables Windows Update, undermines the security of your devices. A security researcher discovered that the Samsung SW Update software for Microsoft Windows personal computers (PCs) runs an executable at start-up that disables Windows Update to prevent driver and update conflicts, posing a security risk to users. Microsoft has reportedly contacted Samsung to address the issue.

June 25, Help Net Security – (International) The downfall of a major cybercrime ring exploiting banking trojans. European authorities from six countries, along with Europol and Eurojust, arrested five suspects in Ukraine believed to be part of a major cybercriminal ring that developed, exploited, and distributed the Zeus and SpyEye malware, actively traded stolen credentials, laundered profits, and infected tens of thousands of users’ computers worldwide with banking Trojans.

June 25, Help Net Security – (International) Why a Dyre infection leads to more than just stolen banking credentials. Symantec reported that in addition to targeting banks, financial institutions, customers of electronic payment services, and users of digital currencies, cybercriminals are employing the Dyre Trojan to collect credentials for career and human resource Web sites, as well as Web hosting companies. The group using Dyre has reportedly targeted customers of over 1,000 organizations worldwide.

June 25, SC Magazine – (International) Study: 61 percent of critical infrastructure execs confident systems could detect attack in less than a day. Tripwire released survey results from 400 executives in the energy, oil, gas, and utility industries in its “Critical Infrastructure Study”, revealing that executives had high levels of confidence in their organizations’ ability to quickly detect cyber-attacks on their systems, while acknowledging that attacks could seriously damage their infrastructure, among other findings.

June 25, – (International) Android malware dominates mobile threat landscape. Pulse Secure released findings from its Mobile Threat Report revealing that 97 percent of mobile malware targets Android devices, and that in 2014 almost 1 million individual malicious apps were released. The report also highlighted the dangers to both jailbroken and non-jailbroken iOS devices, among other findings.

June 24, SC Magazine – (International) Cyber-crime economy triggers rise in malicious macros. Proofpoint released The Cybercrime Economics of Malicious Macros report, revealing that malicious macro campaigns have grown in size, frequency, sophistication, and effectiveness while increasingly relying on inexpensive vectors and techniques that exploit the human factor, among other findings.

June 24, SC Magazine – (International) MacKeeper flaw enables attacker to run code with admin rights. Security researchers discovered a serious vulnerability in ZeoBit’s MacKeeper utility in which an attacker could use a phishing email containing a malicious link that prompts the user for a password, effectively executing the attacker’s code with administrator rights. ZeoBit reportedly acknowledged and patched the vulnerability.

June 24, SC Magazine – (International) COA Network breached, all customer data treated as potentially compromised. New Jersey-based COA Network Inc. reported that it had detected a pattern of irregular activity in its systems on June 5, and is treating all customer contact and payment information as possibly compromised. The company took actions to increase security and protect customer information, and has notified all customers.

June 24, Softpedia – (International) ESET patches scan engine against remote root exploit. ESET pushed an update for its scan engine addressing a vulnerability in the code emulator component of its antivirus products that could be leveraged by a remote root exploit to take complete control of a system. The engine is used by NOD32 Antivirus on Microsoft Windows, Apple OS X, and Linux, as well as by numerous other consumer and business antivirus products.

June 24, Help Net Security – (International) Deadly Windows, Reader font bugs can lead to full system compromise. A security engineer with Google Project Zero shared the discovery of 15 flaws in the font engines used by Microsoft Windows, Adobe Reader, and other popular software that could allow an attacker to compromise systems in a variety of ways, including chaining the flaws into a full-system compromise. All of the reported vulnerabilities have been patched in recent updates.

June 24, Securityweek – (International) Visibility challenges industrial control system security: survey. Findings from a SANS Institute survey of more than 314 respondents across several industries that operate industrial control systems (ICS) revealed the perceived threats posed by internal and external attackers and the challenges of ICS protection. Challenges cited include protections that are poorly optimized for ICS rather than information technology (IT) environments, the difficulty of detecting threats that spread without affecting operations, and the integration of IT into previously isolated ICS platforms, among other findings.

June 25, Securityweek – (International) Leaked government credentials abundant on public Web. Recorded Future released a report June 24 revealing that login credentials belonging to 47 U.S. Government agencies have been discovered on the public Web since November 2014, with the most affected agencies being the U.S. Department of Energy and the Department of Commerce. The company shared its findings with the affected agencies and is unsure whether attackers attempted to leverage any of the stolen information.

June 24, Softpedia – (International) Dyre banking malware uses 285 command and control servers. Security researchers from Symantec released a report revealing that multiple groups operating the Dyre banking Trojan are running at least 285 command and control (C&C) servers, as well as 44 machines used to deliver payloads and execute man-in-the-browser (MitB) attacks. The servers are located worldwide but concentrated in Ukraine and Russia, and primarily target financial organizations in the U.S. and United Kingdom.

June 24, The Register – (International) Feds count CryptoWall cost: $18 million says FBI. The FBI reported that the U.S. Internet Crime Complaints Commission (IC3) received 992 complaints associated with the CryptoWall ransomware, with U.S. user and business losses of over $18 million between April 2014 and June 2015.

June 23, Softpedia – (International) Flash Player zero-day used by Chinese cyber-espionage group. Security researchers from FireEye discovered that the APT3 advanced threat group is currently exploiting a zero-day Adobe Flash Player heap buffer overflow vulnerability that Adobe patched June 23. The group’s latest campaign was dubbed Operation Clandestine Wolf; the group generally targets organizations in the aerospace and defense, construction and engineering, technology, telecommunications, and transportation industries.

June 23, Softpedia – (International) Cheap radio device can steal decryption keys from nearby laptop. Researchers from Israel created a palm-sized radio device that can capture decryption keys from laptops just a few feet away by intercepting bit patterns in the electromagnetic emanations of the targeted machine’s central processing unit (CPU). The device can be built for about $300 from readily available components and was able to extract decryption keys within seconds.

June 23, SC Magazine – (International) Targeted attacks rise, cyber attackers spreading through networks, report says. Vectra Networks released findings from its Post-Intrusion Report covering 40 customer and prospect networks, revealing that detections of lateral movement grew non-linearly, up 580 percent compared with 2014, that reconnaissance detections were up 270 percent, and that overall detections increased 97 percent. Vectra attributed the large uptick in detections partly to the increased accessibility of hacker tools.

June 23, Dark Reading – (International) Government, healthcare particularly lackluster in application security. Veracode released findings from its State of Software Security Report revealing that government agencies and healthcare organizations performed the worst on industry-specific software security metrics, due to issues such as slow remediation of identified flaws and cryptographic vulnerabilities from weak algorithms, while all industries struggled with software supply chain issues, among other findings.

June 23, Threatpost – (International) TCP vulnerability haunts Wind River VxWorks embedded OS. Security researchers at Georgia Tech discovered a transmission control protocol (TCP) sequence prediction vulnerability in Wind River’s VxWorks embedded operating system (OS), which is used in a large number of industrial control system (ICS) products, in which an attacker can leverage predictable TCP initial sequence numbers to spoof or disrupt connections to and from target devices.

June 23, Softpedia – (International) Adobe fixes Flash Player zero-day exploited in the wild. Adobe released an emergency update for its Flash Player software addressing a heap buffer overflow vulnerability that is being exploited in the wild, in which an attacker could execute arbitrary code and take control of an affected system, possibly delivering malware via drive-by download attacks.

June 23, Dark Reading – (International) Banks targeted by hackers three times more than other sectors. Raytheon and Websense released findings from a study of their customers revealing that financial services organizations, many of which are U.S. firms, are targeted by cybercriminals three times more often than any other industry, and that these attacks primarily utilize the Rerdom, Vawtrak, and Geodo malware families, among other findings.

June 23, Bloomberg – (International) Most-wanted cybercriminal extradited to U.S. from Germany. German authorities extradited a Turkish suspect, considered to be one of the world’s most wanted cybercriminals, to the U.S. June 23 on charges that he allegedly organized a complex bank heist of $40 million in cash from ATMs in New York and 23 other countries in February 2013. The suspect also reportedly stole $19 million through 25,700 ATM transactions in 20 countries in 2011 and 2012.

June 23, Help Net Security – (International) Critical RubyGems vulns can lead to installation of malicious apps. Security researchers at Trustwave discovered a vulnerability in the RubyGems package manager in which an attacker could redirect a RubyGems client using hypertext transfer protocol secure (HTTPS) to an attacker-controlled gem server, bypassing HTTPS verification and allowing the attacker to install malicious or trojaned gems.

June 23, Softpedia – (International) Minor Chrome release fixes high-severity issues. Google released an update for its Chrome browser addressing issues including a scheme validation error in WebUI and a cross-origin bypass bug in the browser’s layout engine, among other fixes.

June 22, Threatpost – (International) HP releases details, exploit code for unpatched IE flaws. Security researchers at Hewlett-Packard Company’s Zero Day Initiative released details on unpatched Microsoft Internet Explorer vulnerabilities that could allow attackers to fully bypass the address space layout randomization (ASLR) mitigation in the browser.

June 22, ABC News – (National) Feds feared tens of millions impacted by OPM hack, internal memo says. An internal assessment by the U.S. Office of Personnel Management warned that the cyber-assault on its computer systems may have affected as many as 18 million Americans, up from the estimated 4.2 million potential victims announced June 4.

June 22, Softpedia – (International) Hackers disrupt Polish airline LOT, ground 10 flights. Officials from LOT Polish Airlines reported that their ground operation systems at Warsaw’s Frederic Chopin Airport suffered a 5-hour cyber-attack on June 21 that grounded 10 national and international flights and affected about 1,400 passengers. An investigation into the attack is ongoing.

June 22, Help Net Security – (International) New password recovery scam hitting Gmail, Outlook and Yahoo Mail users. Security researchers from Symantec discovered a new password recovery scam in which attackers use targets’ email addresses and mobile phone numbers, together with the password recovery feature of Microsoft Outlook, Gmail, and Yahoo Mail, to trick victims into compromising their own accounts; the scammers then add alternate email addresses that receive forwarded copies of all messages on the affected accounts.