Gotham Security Daily Threat Alerts

August 18, Securityweek – (International) Windows security update causing system crash. Microsoft removed the download links to a Windows security update and is investigating after several users reported their systems crashing upon startup after applying the update. The “blue screen of death” (BSoD) issue was found to be caused by incorrect handling of the Windows font cache file in specific circumstances, according to a Sophos researcher. Source:

August 18, Softpedia – (International) New TorrentLocker ransomware uses CryptoLocker and CryptoWall components. Researchers with iSIGHT Partners identified a new piece of ransomware known as TorrentLocker that uses elements of the CryptoLocker and CryptoWall ransomware to encrypt victims’ files and demand a ransom. The ransomware is spread by spam emails and uses the Rijndael encryption algorithm. Source:

August 18, Help Net Security – (International) Gyroscopes on Android devices can be used to eavesdrop on users’ conversations. Researchers published a paper showing how the gyroscope sensors in Android devices can be combined with a speech recognition algorithm to eavesdrop on conversations, because Android gyroscopes use a sampling rate that falls within the range of human voice frequencies. The researchers stated that the initial results did not present a significant eavesdropping threat currently, but that it could become a vulnerability with further refinements in the speech recognition algorithm. Source:

August 17, Securityweek – (International) Average peak size of DDoS attacks spiked in Q2: Verisign. Verisign released its second quarter (Q2) 2014 distributed denial of service (DDoS) attack report, which found that the size of DDoS attacks increased by 216 percent compared to the first quarter of the year and that 65 percent of attacks exceeded 1 Gbps, among other findings. The report stated that the entertainment and media industry was the most attacked during Q2, followed by IT services. Source:



August 15, The Register – (International) Don’t think you’re SAFE from Windows zombies just ‘cos you have an iPhone – research. Researchers at the Georgia Institute of Technology reported finding that Apple iOS devices can be compromised with iOS malware after being connected to a Windows computer by exploiting weaknesses in the iTunes syncing process, allowing attackers to steal data, install malicious apps, and replace existing apps. The researchers plan to demonstrate their findings August 20 at the Usenix Security Symposium. Source:

August 15, SC Magazine – (International) 50% of corporate passwords crackable within a few minutes. Trustwave released the results of research that analyzed 620,000 passwords compiled over 2 years and found that around 50 percent of U.S. corporate passwords could be cracked using a brute force method within a few minutes, while 92 percent could be cracked within 31 days. The research found that a longer password containing only letters took much longer to brute force compared to a shorter password that also includes numbers and special characters. Source:

August 14, ZDnet – (International) Microsoft’s Visual Studio Online outage hits users worldwide. Microsoft’s Visual Studio Online service experienced a service interruption across multiple regions for around 9 hours August 14. Source:

August 15, Securityweek – (International) New Bugat malware uses HTML injections taken from Gameover Zeus. A researcher from IBM Security reported August 14 that a new variant of the Bugat financial malware (also known as Cridex or Geodo) was spotted infecting computers in the U.K. and the Middle East region. The new variant uses HTML injections and scripts and an attack structure similar to that used by the Gameover Zeus malware and attempts to redirect victims to fake financial institution Web sites in order to steal login information. Source:

August 14, Softpedia – (International) New Gameover Zeus botnet forming, the US sees most infections. Arbor Networks researchers observed two new variants of the Gameover Zeus financial malware using 8,494 IP addresses to attempt to connect to command and control (C&C) servers in July in order to build a new botnet after a law enforcement and industry takedown of the original botnet. The new variants no longer use the peer-to-peer (P2P) command and control architecture of the original and instead utilize a domain generation algorithm (DGA) to contact C&C servers. Source:


August 14, Securityweek – (International) Vulnerabilities found in Disqus plugin for WordPress. A researcher identified and reported three vulnerabilities in the Disqus plugin for WordPress, including a cross-site request forgery (CSRF) issue that could allow an attacker to inject an exploit. The vulnerabilities were addressed June 29 in Disqus version 2.7.6, and a new version containing additional fixes was also released as version 2.7.7. Source

August 13, Ars Technica – (International) Internet routers hitting 512K limit, some become unreliable. LastPass, Liquid Web, eBay, and other services reported outages or isolated disruptions August 12 that were believed to be related to the growth of routable networks lists, also known as border gateway protocol (BGP) tables, beyond 512K, overwhelming some older routers and switches. Source

August 13, Softpedia – (International) iOS malware hijacks revenue from 22 million ads. A researcher published a paper detailing the operation of the AdThief (also known as Spad) malware that infected around 75,000 jailbroken iOS devices and stole ad revenue from around 22 million ads. The researcher found that the revenue was diverted to the attackers using a Cydia Substrate extension to change the ads’ developer ID to one used by the attackers. Source

August 13, Softpedia – (International) Kovter ransomware thrives in Q2 2014, reaches 43,713 infections in a single day. Damballa released its State of Infections report for the second quarter (Q2) of 2014 and found that the daily infection rate of the Kovter ransomware increased by around 153 percent between April and May, infecting 43,713 systems in one day. Source

August 12, Softpedia – (International) Adobe Reader and Acrobat zero-day vulnerability patched in 11.0.08. Adobe released an out-of-band patch for Adobe Acrobat and Adobe Reader to close a vulnerability in Windows versions of the software that could allow attackers to bypass sandbox protections. Attackers were observed exploiting the vulnerability in targeted attacks and all users were advised to update their installations as soon as possible. Source

August 12, IDG News Service – (International) Microsoft’s Patch Tuesday updates focus on Internet Explorer. Microsoft released its August round of Patch Tuesday updates August 12, which addressed 37 vulnerabilities in Microsoft products including 26 patches for Internet Explorer and a critical vulnerability in OneNote. Source

August 12, Softpedia – (International) Seven critical Flash Player vulnerabilities fixed in new version. Adobe released an update for its Adobe Flash Player product that closes seven critical security vulnerabilities. Source

August 12, IDG News Service – (International) 15 new vulnerabilities reported during router hacking contest. A security contest held at the DefCon 22 conference resulted in researchers identifying and reporting 15 new vulnerabilities in 5 popular models of wireless routers. Source

August 12, Dark Reading – (International) Security holes exposed in Trend Micro, Websense, open source DLP. Two researchers from Duo Security and Tumblr presenting at the Black Hat conference reported identifying several cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in four commercial data loss prevention (DLP) products and one open-source DLP product that could allow attackers to access or manipulate data. The majority of the flaws were in the products’ Web-based interfaces. Source

August 12, Softpedia – (International) New Android malware Krysanec infects legitimate apps. Researchers at ESET identified a new remote access trojan (RAT) for Android devices known as Krysanec that is integrated into legitimate apps and can allow attackers to remotely control various device functions and steal information. The malware is being spread through several methods, including social networks and pirated content Web sites. Source




August 12, Softpedia – (International) Millions of computers have backdoor enabled by default. Researchers from Kaspersky and Cubica Labs presenting at the Black Hat conference demonstrated how the legitimate Computrace anti-theft solution can be used by attackers performing a man-in-the-middle (MitM) attack to remotely execute arbitrary code on the target device due to the lack of encryption in Computrace traffic. Most computers come with Computrace already present, leaving millions of devices vulnerable to malicious use of the solution. Source:

August 12, Threatpost – (International) Authentication bypass bug fixed in BlackBerry Z10. Modzero researchers identified and reported two methods for remotely exploiting an authentication bypass vulnerability in BlackBerry Z10 phones that could allow attackers to install malware or steal personal data. BlackBerry released an update that closes the vulnerability and pushed it out to phone carriers. Source:

August 11, Softpedia – (International) Yahoo ad network used to spread CryptoWall ransomware. A researcher at Blue Coat Systems identified a malicious advertising campaign that uses the Yahoo advertisement network to distribute malicious ads that direct users to malicious pages that attempt to serve a variant of the Cryptowall ransomware. The researcher also reported that the service was also used in the campaign. Source:


August 11, Help Net Security – (International) Critical 0-days found in CPE WAN Management Protocol. Check Point researchers reported finding several zero-day vulnerabilities in CPE WAN Management Protocol (CWMP/TR-069) deployments used by major Internet service providers (ISPs) to control home and business Internet equipment which could allow large-scale malware infections able to compromise privacy, steal information, or cause service disruptions. Check Point reported the vulnerabilities to ISPs and assisted in closing them before reporting their findings publicly. Source

August 11, Help Net Security – (International) Smart Nest thermostat easily turned into spying device. An independent researcher and two researchers from the University of Central Florida presenting at the 2014 Black Hat conference demonstrated how Nest smart thermostats can be compromised quickly using a USB flash drive, potentially allowing attackers to obtain information on a victim’s habits as well as network information such as WiFi credentials. Compromised thermostats could also be used to connect to the Internet and be used in a variety of malicious tasks. Source

August 9, Softpedia – (International) 10,000 impacted by resurging Facebook color changing app scam. Researchers at Cheetah Mobile reported that a resurgence of a scam that purports to change the color scheme of Facebook has affected 10,000 users recently. The campaign steals users’ Access Tokens and then attempts to install a malicious fake antivirus program or video player. Source

August 8, The Register – (International) Oracle Database 12c’s data redaction security smashed live on stage. A researcher with Datacomm TSS presenting at the Defcon 22 conference demonstrated how a remote attacker could inject SQL queries to access redacted information in Oracle Database 12c due to several coding flaws. Source


August 8, Softpedia – (International) Network access storage devices are highly exploitable. A researcher from Independent Security Evaluators presenting at the Black Hat 2014 conference reported finding a wide variety of vulnerabilities in network-attached storage (NAS) devices from several manufacturers, including directory traversal, command injection, memory corruption, authentication bypass, and backdoor vulnerabilities. Source

August 8, Help Net Security – (International) Critical bug in WordPress plugin allows site hijacking. Sucuri researchers identified and reported a vulnerability in the Custom Contact Forms plugin for WordPress that could allow attackers to take control of sites using the plugin. The developers of Custom Contact Forms published an update for the plugin after the issue was published by the WordPress Security team. Source

August 8, Help Net Security – (International) Two Gameover Zeus variants targeting Europe and beyond. Researchers at Bitdefender identified two Gameover Zeus variants in the wild, one botnet primarily targeting the U.S. while the second targets Belarus and Ukraine. The first botnet is generating around 1,000 domains per day while the second generates 10,000 per day but appears to currently be inactive. Source

August 8, Securityweek – (International) Cybercriminals steal cryptocurrency via BGP hijacking. Researchers with Dell SecureWorks reported finding cybercriminals using fake Border Gateway Protocol (BGP) broadcasts to redirect traffic from cryptocurrency mining pools to servers they control, diverting tens of thousands of dollars in cryptocurrency. The attackers compromised 51 mining pools hosted on 19 hosting companies. Source

August 7, Securityweek – (International) Attackers used multiple zero-days to hit spy agencies in cyber-espionage campaign. Kaspersky Lab researchers identified the infection methods used in the Epic Turla cyber-espionage campaign (also known as Snake or Uroburos) that targeted intelligence agencies, military organizations, government agencies, education institutions, pharmaceutical companies, and research groups in over 45 countries. The attackers behind the campaign used several malware platforms and zero-day exploits in Windows XP and Server 2003 and Adobe Reader to infect systems and then could upgrade the malware with additional capabilities once in place. Source

August 7, Dark Reading – (International) Attack harbors malware in images. A researcher with Dell SecureWorks reported finding the Lurk malware being distributed within a fake digital image as part of a click fraud campaign that infected around 350,000 systems. The malware in the campaign was spread through iFrames on Web sites containing an Adobe Flash exploit, and required victims to have a vulnerable version of Adobe Flash that is used to download the fake image file, which contains an encrypted URL that downloads a second malicious payload. Source

August 7, Securityweek – (International) Flaws in email and Web filtering solutions expose organizations to attacks: Researcher. A researcher at NCC Group presenting at the Black Hat 2014 conference published two whitepapers outlining how email and Web filtering solutions can be used by attackers in the reconnaissance phase of attacks to obtain information on a potential target network if the attackers can determine which products or services are being used on the target network. Source

August 8, The Register – (International) ‘Up to two BEEELLION’ mobes easily hacked by evil base station. Researchers from the security firm Accuvant announced at the Black Hat 2014 conference August 7 that up to 2 billion smartphone handsets are at risk for over the air hijacking and abuse which can be exploited through the Open Mobile Alliance Device Management (OMA-DM) protocol, used by approximately 100 mobile phone manufacturers. To access the handsets remotely the hacker only needs to know the handset’s unique International Mobile Station Equipment Identity (IMEI) number and a secret token. Source


August 7, Help Net Security – (International) Symantec issues update fixing Endpoint Protection zero-day. Symantec issued a patch for its Symantec Endpoint Protection (SEP) security solution to address a zero-day vulnerability identified by Offensive Security researchers that could allow an attacker with access to the target computer to escalate to admin privileges or cause a denial of service (DoS) situation. The vulnerability cannot be exploited remotely, but the exploit code is publicly available. Source:

August 7, Softpedia – (International) OpenSSL receives nine security fixes. A new version of the OpenSSL library was released, closing nine security vulnerabilities identified by researchers from various organizations. The vulnerabilities could lead to information leaking, downgrading to lower versions of the security protocol, or denial of service (DoS) attacks. Source:

August 7, Softpedia – (International) US Plextor website hacked by CoMoDo Islamic hackers. Attackers identifying themselves as the CoMoDo group defaced the Web site of computer hardware manufacturer Plextor Americas. The company stated that they are investigating the incident. Source:

August 7, Softpedia – (International) WordPress and Drupal fix common PHP XML parser vulnerability. WordPress and Drupal released new versions of their respective products in a joint effort to close an XML processing vulnerability that existed in both services and could be used by attackers to perform denial of service (DoS) attacks. The vulnerability was reported by a researcher at and affected over 250 million Web sites according to Incapsula researchers. Source:

August 6, Securityweek – (International) APT group hijacks popular domains to mask C&C communications: FireEye. Researchers with FireEye reported identifying an advanced persistent threat campaign dubbed “Poisoned Hurricane” that used a variant of the PlugX (Kaba) malware configured to resolve DNS lookups through the nameservers of Hurricane Electric, which then spoofed legitimate domains and IP addresses to disguise the malware’s communication with command and control (C&C) servers. Source:

August 6, Softpedia – (International) Twitter URL shortening service abused by spammers. Cloudmark researchers reported that the URL shortening service used by Twitter was used in 54 percent of shortened links blacklisted by the company for use in spam campaigns, and that one entity appeared to be behind two observed campaigns abusing the service, among other findings. Source:
