Skip to content

Gotham Security Daily Threat Alerts

May 19, Securityweek – (International) Attackers use trojanized version of PuTTY to steal SSH credentials. Security researchers at Symantec discovered that actors are using a malicious version of the PuTTY open-source secure shell (SSH) software to access systems remotely and steal data by copying secure server connection info and login details to be sent to an attacker-controlled server. The software bypasses common firewalls and security products due to its whitelisted status and used by system and database administrators and web developers. Source

May 19, Securityweek – (International) Address bar spoofing bugs found in Safari, Chrome for Android. Security researchers identified address bar vulnerabilities in the Safari and Chrome for Android Web browsers in which attackers could leverage Web page reloads via the setInterval() function in Safari and a problem in how Chrome handles 204 ‘No Content’ responses to render spoofed Web pages. Source

May 18, Krebs on Security – (National) St. Louis Federal Reserve suffers DNS breach. The St. Louis Federal Reserve reported that hackers hijacked its domain name servers (DNS) April 24 and redirected a portion of the bank’s online traffic to rogue sites resembling portions of its research.stlouisfed.org Web site. The bank recommended that potentially affected users change login information that could have been compromised in the attack. Source

How to Prepare Your Microsoft PKI Infrastructure for the Deprecation of the SHA1 Hash Algorithm

Background

If your organization has deployed a Microsoft Certificate Authority (CA) for its PKI solution, your users probably started inquiring recently what the yellow triangle in the address bar of Google Chrome is all about (if they haven’t, either you are ahead of the curve or your users are… Well, I won’t go down that slippery slope).

image1

When clicking on the padlock, additional information shows that the website is encrypted with obsolete cryptography. Additionally, there is a reference that SHA1 is used for message authentication.

image2

So, what is this all about, and why do Internet Explorer and Firefox not show a warning?

Read more…

Gotham Security Daily Threat Alerts

May 15, Softpedia – (International) Apache fixes vulnerability affecting security manager protections. The security team responsible for Apache Tomcat discovered a vulnerability in multiple versions of the software’s open-source web server and servlet container that could allow an attacker to bypass protections for the Security Manager component and run malicious web applications. Source

May 14, CNN – (International) Washington Post mobile site temporarily shut down in apparent hack. The Washington Post confirmed that it was the victim of an apparent hack May 14 after the paper’s mobile website was blocked and redirected users to a site claiming to be run by the Syrian Electronic Army. No customer information was impacted. Source

 

Citrix Synergy 2015 Recap

Last week I had the privilege to attend Citrix Synergy 2015 down in Orlando, FL. In this blog I wanted to review some the key announcements Citrix made during the keynote.

XenApp 6.5 Lifecycle

Citrix loves XenApp, so much so that they extended the lifecycle for XenApp 6.5 to December 31, 2017. However, there is a catch; the extended date is only for customers that remain current in the Software Maintenance or Subscription Advantage and Technical Support programs. Otherwise the end of maintenance (EOM) date is February 26, 2016.

XenApp 6.5 FP3

This was a surprise, as was extending the lifecycle for XenApp 6.5. The feature pack will provide the following features, announced in the keynote:

  • Storage performance
  • Enhanced profile management
  • Director “Help Desk” & troubleshooting
  • Enhanced Lync support
  • Receiver.next
  • StoreFront 3 – will support XenApp 5, 6, 6.5 and 7.6

Read more…

Gotham Security Daily Threat Alerts

May 14, Softpedia – (International) Cisco TelePresence vulnerable to unauthorized root access, denial of service. Cisco reported two vulnerabilities in versions of its TelePresence TC and TE video conference products in which an attacker could exploit improper authentication protocols for internal services to bypass authentication and obtain root access on the system, and a flaw in the network drivers in which an attacker could use specially crafted internet protocol (IP) packets sent at a high rate to cause a denial-of-service (DoS) condition. Source

May 14, V3.co.uk – (International) APT17 DeputyDog hackers are pushing Blackcoffee malware using TechNet. Research by FireEye revealed that the APT17 threat group used posts and profiles on the TechNet blog as a way to conceal their use of the Blackcoffee backdoor by embedding strings that the malware would decode to find and communicate with the malware’s true command-and-control (C&C) server. The TechNet blog was not compromised and the operation was shut down, but FireEye warned that other groups may mimic the tactic. Source

May 13, Threatpost – (International) XSS, CSRF vulnerabilities identified in WSO2 Identity Server. Researchers at SEC Consult discovered three cross-site scripting (XSS), cross-site request forgery (CSRF), and extensible markup language (XML) external injection vulnerabilities in version 5.0.0 of WSO2 Identity Server that could allow an attacker to take over a victim’s session, add arbitrary users to the server, or inject arbitrary XML entities. Source

May 13, Securityweek – (International) Flaw found in OSIsoft product deployed in critical infrastructure sectors. OSIsoft advised customers to mitigate an incorrect default permissions vulnerability in its PI Asset Framework (PI AF) in which an unauthorized remote attacker could leverage “Trusted Users” group status in some product installations to execute arbitrary structured query language (SQL) statements on the affected system, potentially leading to information disclosure, data tampering, privilege escalation, and/or denial-of-service (DoS) conditions. Source

May 13, Dark Reading – (International) Oil & gas firms hit by cyber attacks that forgo malware. Panda Lab researchers discovered a unique targeted attack campaign dubbed Phantom Menace that has infiltrated and stolen credentials from 10 international oil and gas maritime transportation companies since August 2013, via a spear-phishing email containing a fake Adobe PDF file utilizing a file transfer protocol (FTP) server. The attackers contact oil brokers and request a fee in exchange for fake barrels of oil sold at a discounted rate, which are never delivered. Source

Gotham Security Daily Threat Alerts

May 13, Softpedia – (International) Flash Player 17.0.0.188 addresses security holes. Adobe released updates for Flash Player that fixed 18 vulnerabilities, including 10 memory corruption, heap overflow, integer overflow, type confusion, and use-after-free bugs that could allow an attacker to run arbitrary code on an affected system. Source

May 13, Softpedia – (International) Mozilla Firefox 38 fixes 13 vulnerabilities, 5 are critical. Mozilla released fixes for 13 vulnerabilities in Firefox version 38, including 5 critical flaws that could be leveraged to execute arbitrary code or read parts of the memory containing sensitive data. The update also added support for Digital Rights Management (DRM), among other improvements. Source

May 13, Softpedia – (International) Adobe rolls out critical update for Reader and Acrobat. Adobe released new versions for Acrobat and Reader PDF software patching 34 vulnerabilities, 17 of which include use-after-free, heap-based buffer overflow, and buffer overflow to memory corruption bugs that could have allowed an attacker to execute arbitrary code and take control of an affected system. Source

May 13, IDG News Service – (International) Microsoft fixes 46 flaws in Windows, IE, Office, other products. Microsoft released patches addressing 46 vulnerabilities across various products, including 3 critical security bulletins that covered remote code execution flaws in Windows, Internet Explorer, Office, Microsoft .NET Framework, Lync, and Silverlight. Source

May 13, Threatpost(International) “VENOM” flaw in virtualization software could lead to VM escapes, data theft. Security researchers from CrowdStrike discovered a vulnerability in virtualization platforms in which an attacker could exploit a flaw in the virtual floppy disk controller component of the QEMU open-source visualization package to escape from a guest virtual machine (VM) to gain code execution on the host in addition to any other VMs running on the affected system. The bug has been dubbed VENOM and affects a variety of virtualization software running on all major operating systems (OS). Source

May 12, Softpedia – (International) DDoS botnet relies on thousands of insecure routers in 109 countries. An investigation by the Web site security company Incapsula revealed that cybercriminals are using tens of thousands of Internet service providers (ISP) distributed home routers with default security configurations to create large botnets for distributed denial of service (DDoS) attacks. Findings revealed that 60 command and control (C&C) servers were being used for the botnets by a variety of groups employing various forms of malware worldwide. Source

May 11, Securityweek – (International) MacKeeper patches serious remote code execution flaw. The developers of the MacKeeper utility software suite for Apple OS X patched a critical input validation vulnerability which an attacker could exploit to remotely execute code on affected systems by tricking victims to visit a specially crafted Web site that runs code with root privileges once visited. Source

May 11, Securityweek – (International) Angler EK makes it difficult to track down malvertising sources. A security expert discovered that the Angler Exploit Kit (EK) is leveraging Web browser bugs to break the referrer chain, making it more difficult for security researchers and advertising networks to determine the kit’s source in the campaign. Source

May 8, Threatpost – (International) WordPress sites backdoored, leaking credentials. Security researchers at Zscaler discovered backdoor code compromising content management systems (CMS) on a number of WordPress Web sites that activates when users input their login credentials. Once activated, the backdoor injects JavaScript (JS) code hosted on a command and control (C&C) server. Source

May 8, Securityweek – (National) Rockwell Automation fixes flaw in factory communication solution. Rockwell Automation released software updates to address a buffer overflow vulnerability in its RSLinx Classic comprehensive factory communication server solution in which an attacker could crash the application or inject malicious code with elevated privileges by loading a specially crafted concurrent versions system (CVS) file to trigger a stack-based buffer overflow in the application. Source

Gotham Security Daily Threat Alerts

May 7, Threatpost – (International) Apple fixes webkit vulnerabilities in Safari browser. Apple released an update for its Safari Web browser fixing multiple vulnerabilities in Webkit, including memory corruption and anchor element issues that could be exploited by an attacker to send users to malicious Web sites, leading to arbitrary code execution or unexpected application termination, as well as a state management problem in which unprivileged origins could access file system contents via a specially crafted Web page. Source

%d bloggers like this: