Gotham Security Daily Threat Alerts

July 25, Threatpost – (International) TAILS team recommends workarounds for flaw in I2P. Tails operating system developers said a vulnerability in the I2P anonymity network software, which affects Tails 1.1 and earlier, can be mitigated with two workarounds; the vulnerability itself has yet to be patched. Source:

July 25, Softpedia – (International) Cloud botnets used for mining crypto-currency. Researchers from Bishop Fox built a botnet capable of mining several hundred dollars' worth of Litecoin per day using only the free tiers of multiple cloud-computing providers. Conducting distributed denial of service (DDoS) attacks was identified as another possible use of the machines. Source:

July 24, SC Magazine – (International) Sony to shell out $15M in PSN breach settlement. Sony released a statement July 24 claiming it reached an agreement to pay $15 million in a preliminary settlement associated with the April 2011 hacking of its PlayStation Network system, its on-demand service Qriocity, and gaming portal Sony Online Entertainment, exposing the personal data of roughly 77 million users. Source:

July 24, Threatpost – (International) More details of Onion/Critroni crypto ransomware emerge. Kaspersky Lab and other researchers found that the Critroni ransomware, also known as CTB-Locker and dubbed Onion by Kaspersky, has a number of features that set it apart from other malware, including distribution through the Andromeda botnet and file encryption based on the asymmetric Elliptic Curve Diffie-Hellman (ECDH) key agreement. Source:

July 24, Softpedia – (International) Popular wireless home alarms can be hacked from afar. Two security researchers found that wireless home alarm systems are vulnerable to remote hijacking, which would allow access to the protected premises without tripping the alarm, because the radio signals lack encryption and authentication. The tools used to attack the systems are commercially available and could allow an intruder to disable the alarm completely from about 10 feet away. Source:


July 24, The Register – (International) 50,000 sites backdoored through shoddy WordPress plugin. A researcher with Sucuri reported that around 50,000 Web sites were vulnerable to malware injection, defacement, and spam due to a vulnerability in the MailPoet plugin for WordPress. The vulnerability can affect Web sites that do not run MailPoet if the vulnerable plugin is present elsewhere on the same server. Source

July 24, Softpedia – (International) Fake Googlebots used for layer 7 DDoS attacks. Incapsula issued a report that shows how malicious Web crawlers that mimic Googlebots to bypass security are being used for various malicious purposes. The majority of the fake crawlers were used for collecting marketing information while 23.5 percent were used for application layer distributed denial of service (DDoS) attacks. Source
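A practitioner's check for the behaviour described above, added here as an example (it is not code from Incapsula's report or from the original page): a client that claims to be Googlebot in its User-Agent can be verified with a forward-confirmed reverse DNS lookup, i.e. the client IP must reverse-resolve to a hostname under googlebot.com or google.com, and that hostname must forward-resolve back to the same IP. Anything else is a fake crawler. The access log lines and the DNS answers below are constructed for the example so that it runs offline; the default `ptr_lookup`/`a_lookup` functions perform real lookups via `socket` in a deployment.

```python
import re
import socket
from typing import Callable, List, Optional, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostname suffixes Google uses for its crawlers' PTR records.
GOOGLE_PTR_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed sample log (IPs from RFC 5737 test ranges; 66.249.66.1 stands in for a real crawler).
SAMPLE_LOG = """\
66.249.66.1 - - [24/Jul/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [24/Jul/2014:10:12:02 +0000] "GET /search?q=a HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [24/Jul/2014:10:12:03 +0000] "GET /search?q=b HTTP/1.1" 200 8192 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [24/Jul/2014:10:12:04 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
"""

# Constructed DNS view so the example runs offline.
# 203.0.113.7 has a PTR that *claims* googlebot.com, but the forward lookup does not
# point back to it (a spoofed PTR); 198.51.100.9 has no PTR record at all.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",
}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}


def ptr_lookup(ip: str) -> Optional[str]:
    """Real reverse DNS lookup; None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def a_lookup(host: str) -> Optional[str]:
    """Real forward lookup (first IPv4 answer); None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def verify_googlebot(ip: str,
                     ptr: Callable[[str], Optional[str]],
                     fwd: Callable[[str], Optional[str]]) -> str:
    """Forward-confirmed reverse DNS: PTR must be in Google's domains AND resolve back to ip."""
    host = ptr(ip)
    if not host or not host.lower().endswith(GOOGLE_PTR_SUFFIXES):
        return "spoofed"
    if fwd(host) != ip:
        return "spoofed"  # PTR points into Google's namespace but the A record disagrees
    return "verified"


def classify_log(log_text: str,
                 ptr: Callable[[str], Optional[str]] = ptr_lookup,
                 fwd: Callable[[str], Optional[str]] = a_lookup) -> List[Tuple[str, str]]:
    """Return (ip, verdict) per parsed line: 'verified', 'spoofed' or 'not_claimed'."""
    results: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ua = m["ip"], m["ua"]
        if "googlebot" not in ua.lower():
            results.append((ip, "not_claimed"))
        else:
            results.append((ip, verify_googlebot(ip, ptr, fwd)))
    return results


if __name__ == "__main__":
    # Offline run against the constructed log and DNS data.
    for ip, verdict in classify_log(SAMPLE_LOG, FAKE_PTR.get, FAKE_A.get):
        print(f"{ip:15} {verdict}")
```

Only clients marked `verified` should receive whatever exemptions (rate limits, WAF rules) a site grants to search engine crawlers; a `spoofed` verdict with a Googlebot User-Agent is exactly the traffic the report describes, and in production the lookups should be cached because the reverse/forward pair costs two DNS round trips per new IP.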

July 23, – (International) DDoS attackers turn attention to SaaS and PaaS systems, Akamai reports. Akamai released its Q2 2014 Global DDoS Attack Report, which found a 22 percent increase in distributed denial of service (DDoS) attack activity in the second quarter of 2014. The report also found that around half of DDoS attacks targeted IT infrastructure, with vendors of cloud services such as Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) being common targets. Source

July 23, The Register – (International) Apple fanbois SCREAM as update BRICKS their Macbook Airs. Users of Apple’s 2011 Macbook Air reported experiencing nonresponsive systems after applying a version 2.9 EFI firmware update to their systems, while others reported difficulties installing the update. Source

July 23, Securityweek – (International) Metro News website compromised to serve malware. Researchers at Websense reported July 22 that the Web site of the Metro News newspaper was compromised and used to redirect visitors to a malicious Web site hosting the RIG exploit kit. The RIG exploit kit then attempts to exploit any vulnerabilities present in users' software to install a piece of malware identified as Win32/Simda. Source


July 23, The Register – (International) Android ransomware demands 12x more cash, targets English-speakers. Researchers at ESET identified a new version of the Simplocker ransomware for Android that displays a fake law enforcement ransom note in English and demands a higher ransom than previous versions that were written in Russian and demanded payment in Ukrainian hryvnias. The new version of the ransomware contains additional features such as the encryption of more types of files on victims’ devices and actions that make it more difficult to remove. Source:

July 23, Securityweek – (International) Mozilla fixes 11 vulnerabilities with release of Firefox 31. Mozilla released new versions of its Firefox Web browser and Thunderbird email client July 22, closing 11 vulnerabilities, including 3 rated as critical. Source:

July 23, Help Net Security – (International) 40% of orgs running VMware still susceptible to Heartbleed. Data collected and analyzed by CloudPhysics found that 57 percent of deployed VMware vCenter servers and 58 percent of ESXi hypervisor hosts remain vulnerable to the Heartbleed vulnerability in OpenSSL, affecting 40 percent of organizations in the CloudPhysics data set. Source:

July 23, Help Net Security – (International) Internet Explorer vulnerabilities increase 100%. An analysis by Bromium Labs surveyed vulnerabilities in popular Web browsers and common software and found that vulnerabilities in Internet Explorer increased by more than 100 percent in the first half of 2014. Other findings included that ActionScript sprays (heap sprays built with Adobe Flash ActionScript) were leveraged in zero-day attacks and that zero-day vulnerabilities in Java declined sharply in the first half of 2014 compared to 2013. Source:


July 22, Securityweek – (International) iOS backdoors expose personal data: Researcher. A security researcher presenting at a security conference reported that Apple’s iOS mobile operating system contains several undocumented services which could be used in some circumstances to access email, location data, media, and other personal data. Apple stated that the services are used for diagnostic purposes and can only be used to access data with user approval. Source:

July 21, – (International) Fresh threat to critical infrastructure found in Havex malware. Researchers at FireEye analyzed a variant of the Havex malware (also known as Fertger or Peacepipe) and found that it contained an Open Platform Communications (OPC) scanner that could be used to target supervisory control and data acquisition (SCADA) systems used by several industries, including power plants and water utilities. Source:

July 21, Help Net Security – (International) Unpatched OpenSSL holes found on Siemens ICSs. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) stated July 17 that six Siemens industrial control products contained vulnerabilities in their OpenSSL implementation that could lead to man-in-the-middle (MitM) attacks or the crashing of Web servers. Four of the vulnerabilities remain unpatched and are present in industrial control products used by the manufacturing, chemical, energy, agriculture, and water industries and utilities. Source:

July 19, Softpedia – (International) Kelihos trojan delivered through compromised online publication. Researchers with Malwarebytes reported that the online publication's Web site was compromised by attackers and used to redirect users to a malicious page serving the Nuclear Pack exploit kit in order to infect them with the Kelihos malware. The compromise was achieved by injecting malicious code into the site's server, and the site's administrators were notified. Source:

July 18, Help Net Security – (International) Fake Flash Player steals credit card information. Dr. Web researchers reported finding a new piece of Android malware dubbed BankBot that is disguised as Adobe Flash Player and persistently asks users for administrator privileges in order to display a fake credit card information form and steal any entered information. The malware is currently targeting users in Russia but can be repurposed to attack other targets. Source:

July 18, Securityweek – (International) Researchers analyze multipurpose malware targeting Linux/Unix Web servers. Virus Bulletin published an analysis of a recently discovered piece of malware that infects Linux and Unix Web servers known as Mayhem, which has infected around 1,400 servers. The malware relies on several plugins for various capabilities, including information stealing and brute-force attacks. Source:

July 18, Network World – (International) Cisco counterfeiter gets 37 months in prison, forfeits $700,000. A company CEO was sentenced to 37 months in prison and ordered to forfeit $700,000 for his role in conspiring with a Chinese company to produce counterfeit Cisco Systems network products and sell them as genuine. Four people and two companies were charged in the case; two others were found guilty, and a Chinese co-conspirator remains at large. Source:

July 18, Threatpost – (International) Critroni crypto ransomware seen using TOR for command and control. Security researchers found that a new piece of ransomware known as Critroni is being distributed by various attackers through the Angler exploit kit, alongside other malware. The ransomware encrypts victims' files, demands a ransom, and uses the Tor network to reach its command and control servers. Source:

July 18, Softpedia – (International) New Android ransomware locks device completely. Researchers at Lookout identified a new piece of Android ransomware dubbed ScarePakage that infects devices by posing as a legitimate app on third-party Android markets and then locks the device and demands a ransom. The ransomware uses a Java TimerTask to kill other processes and a wake lock to prevent the phone from entering sleep mode. Source:

July 17, Dark Reading – (International) Government-grade stealth malware in hands of criminals. Sentinel Labs researchers reported that a piece of malware likely originating from a state-sponsored espionage campaign known as Gyges is being repurposed by cybercriminals to conceal and protect various pieces of malware and ransomware. Gyges contains several sophisticated features to avoid detection and prevent reverse-engineering and appears to have originated in Russia. Source:

July 17, The Register – (International) Microsoft’s Black Thursday: Xbox Live goes down as Xbox Studio canned. Microsoft reported that its Xbox Live gaming and entertainment service went offline for several hours July 17, leaving users unable to access the service during the outage. Source:

July 17, Softpedia – (International) DDoS attacks decrease in Q2 2014, compared to Q1. Arbor Networks reported that distributed denial of service (DDoS) attacks during the second quarter of 2014 decreased in both size and frequency compared to the previous quarter, with an average attack size of 759.83 Mb/s, among other findings. Source:

July 17, Softpedia – (International) Neverquest banking trojan expands list of targets. Researchers with Symantec found that the attackers operating the Neverquest banking trojan, also known as Snifula, have focused their efforts on banks in the U.S. and Japan since December 2013. The trojan is able to obtain banking login information from victims and can also steal digital certificates, among other capabilities. Source:

July 17, The Register – (International) Pushdo trojan outbreak: 11 THOUSAND systems infected in just 24 hours. Bitdefender researchers reported that a new campaign to spread the Pushdo botnet malware compromised over 11,000 systems within a 24-hour period, with the majority of infected users in Asia and some in the U.S., U.K., and France. The Pushdo botnet has previously been used in spam campaigns and to distribute malware such as Zeus and SpyEye. Source:

July 17, Softpedia – (International) Cisco patches critical issue in wireless residential gateway products. Cisco released patches for several Cisco Wireless Residential Gateway products, closing a vulnerability that could allow attackers to use malicious HTTP requests to crash the Web server and inject commands or execute code with elevated privileges. Source:

July 17, Softpedia – (International) SQL injection risk in vBulletin receives prompt patch. vBulletin released a patch for its forum software which closes a SQL injection vulnerability that was identified and disclosed by Romanian Security Team. Source:

July 17, Softpedia – (International) Critical vulnerabilities fixed in Drupal 7.29 and 6.32. The Drupal Security Team advised all users to update to version 7.29 or 6.32 in order to close vulnerabilities that could allow attackers to perform denial of service (DoS) and cross-site scripting (XSS) attacks. Source:

July 17, Threatpost – (International) Five vulnerabilities fixed in Apache Web Server. The Apache Software Foundation released version 2.4.10-dev of its Apache Web Server, closing five vulnerabilities, including a buffer overflow vulnerability and several denial of service (DoS) vulnerabilities. Source:
