
Gotham Security Daily Threat Alerts

October 29, Securityweek – (International) Vulnerability found in firmware update process of ASUS routers. A researcher identified and reported a vulnerability in ASUS RT-series routers that could have allowed attackers to use a man-in-the-middle (MitM) attack to trick users into downloading older, vulnerable firmware versions or potentially malicious code, because the firmware request was sent over HTTP instead of HTTPS. ASUS closed the vulnerability in its update.

October 28, The Register – (International) EvilToss and Sourface hacker crew ‘likely’ backed by Kremlin – FireEye. FireEye released a report on an advanced persistent threat (APT) actor dubbed APT28, stating that the group used the Sourface downloader and the Chopstick and EvilToss malware to attack NATO, Eastern European governments, European defense industry events, the World Bank, and other national and international organizations. The researchers stated that APT28 has been active since 2007 and is likely backed by the Russian government.

October 28, Securityweek – (International) Attackers exploit ShellShock via SMTP to distribute malware. Binary Defense Systems researchers reported that attackers are leveraging the ShellShock vulnerability in GNU Bash to target mail servers by placing the ShellShock payload in the Subject, From, and To fields of email messages, abusing the Simple Mail Transfer Protocol (SMTP). If a system is compromised, a Perl-based IRC bot is downloaded and the SMTP gateway is added to a botnet designed for distributed denial of service (DDoS) attacks.
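A mail gateway can refuse or quarantine messages carrying the pattern described above before any header value reaches a shell. The following detector is an added example written for this digest, not code from Binary Defense Systems; the sample message is constructed, and it looks for a Bash function-definition prefix at the start of any header value in the header block.

```python
import re

# The ShellShock trigger is a Bash exported-function definition at the start
# of an environment value: "() {" followed by a body and a trailing ";".
# Whatever follows that ";" is what a vulnerable Bash would execute.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;")

def find_shellshock_headers(raw_message: str):
    """Return [(header_name, value)] for every header whose value starts with a
    ShellShock-style function definition. Only the header block (everything
    before the first blank line) is examined; the body is never evaluated."""
    hits = []
    for line in raw_message.splitlines():
        if line.strip() == "":
            break                      # end of headers
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.match(value):
            hits.append((name.strip(), value.strip()))
    return hits

# Constructed sample message (not taken from the report): From, To and Subject
# carry the function-definition prefix, with a harmless command after it.
SAMPLE_MESSAGE = (
    "Received: from mx.example.invalid\r\n"
    "From: () { :; }; /bin/true\r\n"
    "To: () { :;}; /bin/true\r\n"
    "Subject: () { x; }; /bin/true\r\n"
    "Date: Tue, 28 Oct 2014 10:00:00 +0000\r\n"
    "\r\n"
    "Subject: () { :; }; this line is in the body and is ignored\r\n"
)

if __name__ == "__main__":
    for name, value in find_shellshock_headers(SAMPLE_MESSAGE):
        print(f"ShellShock pattern in {name} header: {value!r}")
```

Run at the MTA or in a milter, a non-empty result is grounds to reject the message and log the sending host; the regex deliberately matches any function body, not only the `:;` no-op seen in the wild.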

October 28, IDG News Service – (International) ‘ScanBox’ keylogger targets Uyghurs, US think tank, hospitality industry. Researchers at PricewaterhouseCoopers found that the ScanBox keylogging framework may be in use by several attacker groups after it was found performing keylogging attacks on a variety of Web sites, including that of a U.S. think tank. ScanBox was first discovered in August and uses JavaScript rather than installed malware to collect keystrokes and other information.

October 28, Softpedia – (International) Sophisticated Chinese espionage group after Western advanced technology. A group of security and information technology companies coordinated by Novetta released a report on an advanced persistent threat (APT) group dubbed Axiom Group that has used the Hikit malware family and other tools to target government agencies, law enforcement, aerospace, manufacturing, media, communications, pharmaceutical, energy, educational, and other institutions in the U.S. and several other countries since 2008. The researchers stated that the group originates in China and appears to choose targets in line with Chinese government policies.

October 27, Securityweek – (International) Targeted attacks against businesses jump: Kaspersky Lab. Kaspersky Lab and B2B International released the results of a survey covering 3,900 respondents in 27 countries and found that 94 percent of businesses surveyed reported at least one cybersecurity incident in the past 12 months, with 12 percent of the countries surveyed reporting one or more targeted attacks, among other findings.

October 27, Securityweek – (International) Tor exit node found maliciously modifying files. A researcher with Leviathan Security Group identified and reported an exit node on the Tor network that wrapped binary files in malware as they passed through the node. The Tor Project stated that it set a “BadExit” flag on the node to protect users after it was reported.
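Both this item and the ASUS firmware item above come down to the same missing client-side checks: an update or binary fetched over plaintext can be swapped for an older version or rewritten in transit. The acceptance check below is an added example written for this digest, not ASUS's or the Tor Project's code; the version format, URL host and firmware bytes are constructed, and the expected digest is assumed to arrive through an authenticated channel (a signed manifest or an out-of-band source), not the same download.

```python
import hashlib
import hmac
from urllib.parse import urlparse

def parse_version(v: str):
    """Map a dotted-numeric version string such as '3.0.0.4_1071' to a tuple of
    ints so that versions compare numerically (constructed format, not a vendor's)."""
    return tuple(int(p) for p in v.replace("_", ".").split(".") if p.isdigit())

def accept_update(current_version, offered_version, download_url, payload, expected_sha256):
    """Decide whether a fetched update or binary may be installed.
    Returns (accepted, reason). Rejects plaintext transport (the ASUS issue),
    downgrades (what a MitM on that channel could push), and any payload whose
    SHA-256 differs from the expected value (a binary rewritten in transit, as
    at the malicious Tor exit node)."""
    if urlparse(download_url).scheme != "https":
        return False, "update must be fetched over HTTPS, not HTTP"
    if parse_version(offered_version) <= parse_version(current_version):
        return False, "offered version is not newer than the installed one (downgrade)"
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; expected_sha256 must come from a trusted
    # source (assumption), otherwise the attacker can rewrite it as well.
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        return False, "payload digest does not match the expected value"
    return True, "ok"

# Constructed sample image and its digest; the host is a placeholder.
SAMPLE_IMAGE = b"constructed firmware image bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
UPDATE_URL = "https://updates.example.invalid/fw/3.0.0.5.bin"

if __name__ == "__main__":
    print(accept_update("3.0.0.4", "3.0.0.5", UPDATE_URL, SAMPLE_IMAGE, SAMPLE_DIGEST))
    print(accept_update("3.0.0.4", "3.0.0.5", UPDATE_URL.replace("https", "http"),
                        SAMPLE_IMAGE, SAMPLE_DIGEST))
```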

October 24, Dark Reading – (International) Backoff PoS malware boomed in Q3. Damballa released a report which found that detections of the Backoff point-of-sale (PoS) malware increased by 57 percent between August and September.

October 24, The Register – (International) iMessage SPAM floods US mobile networks. Cloudmark researchers reported that China-based designer goods counterfeiters are using the Apple iMessage platform to spam users with advertisements, in the largest mobile spam campaign in the U.S. so far this year, accounting for over 80 percent of all reported mobile messages in the U.S.

October 24, Securityweek – (International) Cisco fixes 3-year-old vulnerability affecting security appliances. Cisco released patches to close a vulnerability in the AsyncOS used in several of the company’s security appliances that could allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. The vulnerability affects all models of Cisco Email Security Appliances (ESA), Cisco Web Security Appliances (WSA) and Cisco Content Security Management Appliances (SMA) running affected versions of AsyncOS.

October 24, Softpedia – (International) Adobe Digital Editions now encrypts data collected from users. Adobe stated that its Adobe Digital Editions ebook software would begin using encryption to send data on users to Adobe’s servers starting October 23. Researchers had previously discovered the transmission of user data and found that it was not encrypted, posing a security risk.

October 23, IDG News Service – (International) Akamai sees record-setting spikes in size and volume of DDoS attacks. Akamai released its Q3 2014 State of the Internet report and found that distributed denial of service (DDoS) attacks increased in average bandwidth by 389 percent over the past year, among other findings.

October 23, Softpedia – (International) CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware, which encrypts users’ files and demands a ransom to decrypt them.

October 23, Securityweek – (International) 1.2 million networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.

October 22, Softpedia – (International) Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.

October 22, Securityweek – (International) ‘Operation Pawn Storm’ cyber-espionage campaign hits organizations. Trend Micro researchers identified a cyberespionage operation dubbed “Operation Pawn Storm” that uses targeted emails and compromised Web sites to infect users in government, military, and media organizations with the SEDNIT (also known as Sofacy) malware.

October 22, Securityweek – (International) Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology that could allow an attacker to achieve remote code execution if a user opens a specially crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003, and Microsoft advised users to apply a series of workarounds until a patch is released.

October 22, Help Net Security – (International) Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link directing users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices’ screens with a fake law enforcement page and demands a ransom to be paid via MoneyPak voucher.

October 22, Help Net Security – (International) Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad served through an advertising network and attempts to change the DNS settings on users’ home routers in order to redirect them to potentially malicious Web sites.

October 22, Help Net Security – (International) Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.

October 21, Securityweek – (International) Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.

October 21, IDG News Service – (International) One week after patch, Flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underground forums, known as Fiesta, that is bundled with an exploit for a recently patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.

October 21, Securityweek – (International) Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.

October 21, The Register – (International) Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to obtain user names, domain names, and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply the best-practice guidelines developed by the company.
