
Gotham Security Daily Threat Alerts

October 8, Securityweek – (International) New collision attack lowers cost of breaking SHA1. A team from Centrum Wiskunde & Informatica in the Netherlands, Inria in France, and Singapore’s Nanyang Technological University demonstrated a “freestart collision” against the full secure hash algorithm 1 (SHA1) compression function, and estimated from it that an attacker could produce a SHA1 collision within about 10 days for $75,000 – $120,000 using graphics cards rented from Amazon’s EC2 cloud. A freestart collision lets the attacker choose the initial chaining value, so it is a precursor to, not itself, a collision between two complete messages. Previous research had estimated the cost of a collision at approximately $700,000 in 2015, falling to $173,000 by 2018. Source

October 8, Softpedia – (International) Operation Cleaver hackers return, now use LinkedIn to target victims. Security researchers from Dell SecureWorks’ Counter Threat Unit discovered a group using fake LinkedIn profiles to approach employees of chemical, energy, government, education, and telecommunications organizations worldwide, and assess that it is the same group as, or affiliated with, the one that carried out Operation Cleaver in 2014, a campaign that targeted critical infrastructure operators worldwide. Source

October 8, IDG News Service – (International) Journalist convicted of helping Anonymous hack the LA Times. A California journalist who previously worked for Reuters was convicted October 7 of conspiring to make unauthorized changes to a computer and to transmit malicious code to the Los Angeles Times’ Web site, after he passed login credentials for the paper’s content management system to a member of the Anonymous hacking group in December 2010. Source

October 7, Securityweek – (International) Developers of mysterious Wifatch malware come forward. The group behind the “benevolent” Linux.Wifatch malware that was observed infecting tens of thousands of routers, Internet Protocol (IP) cameras, and other devices with the apparent purpose of protecting them, published the Wifatch source code and revealed themselves as “The White Team,” claiming it was an altruistic project. Source

October 8, CNET – (International) Samsung says customer payment data not affected by hack attack. Samsung released a statement October 8 reassuring customers that no payment data was at risk following a March hacking incident at LoopPay, a company Samsung acquired to build Samsung Pay. The attack reportedly targeted only LoopPay’s office network, which handles email, file sharing, and printing, and was possibly intended to steal the magnetic stripe technology the company developed. Source


October 7, Securityweek – (International) Malicious Android adware infects devices in 20 countries. Security researchers from FireEye are monitoring a new malicious adware campaign dubbed Kemoge that has affected Android devices in 20 countries, in which the malware serves ads on the infected device, unpacks root exploits to take over the phone, and employs multiple persistence mechanisms. The malware is repackaged into popular Android apps uploaded to third-party app stores. Source

October 7, Softpedia – (International) Zero-day exploit found in Avast antivirus. Security researchers from Google’s Project Zero discovered a vulnerability in Avast antivirus software in which a flaw in the parsing of X.509 certificates, used when Avast inspects secure connections, could let an attacker execute code on the affected system. Avast has since patched the vulnerability. Source

October 7, Softpedia – (International) Major ransomware campaign disrupted, attackers lose potential revenues of $34M. Researchers from Cisco disrupted a ransomware campaign that accounted for roughly 50 percent of all ransomware deployments via the Angler exploit kit (EK) and that would have let its operators collect over $34 million. The criminals used a network of 147 proxy servers, bought from Limestone Networks with stolen credit cards, to run what researchers called the largest ransomware delivery platform yet observed in the wild. Source

October 7, Help Net Security – (International) Previously unknown Moker RAT is the latest APT threat. Security researchers from enSilo discovered a new Remote Access Trojan (RAT) dubbed Moker that takes over a targeted system by creating a new user account and then opening a Remote Desktop Protocol (RDP) channel for remote control, and that tampers with sensitive system and security files and settings. The malware ships with a complete feature set, achieves system privileges, and can also be controlled locally. Source
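The create-an-account-then-log-in-over-RDP sequence described above is the kind of pattern a SIEM correlation rule can catch. The following is an added example, not enSilo’s code, that runs that correlation over Windows Security events exported as Python dicts; the field names follow the Windows event schema (TargetUserName, LogonType, MemberName), while the sample events, the account names, the addresses and the 24-hour window are constructed for the demonstration.

```python
"""Flag newly created accounts that are used for an RDP logon shortly after
creation. Added example for the Moker write-up; not enSilo's code.
Input: Windows Security events as dicts (EventID, TimeCreated, and the
event-specific fields named as in the Windows event XML). The sample
events at the bottom are constructed."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720     # A user account was created
GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
LOGON_SUCCESS = 4624       # An account was successfully logged on
RDP_LOGON_TYPE = 10        # RemoteInteractive: RDP / Terminal Services


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_new_account_rdp_logons(events, window=timedelta(hours=24)):
    """Return one alert per account that was created (4720) and then logged
    on over RDP (4624, logon type 10) within `window`, plus any local groups
    it was added to in between (4732)."""
    created = {}   # account -> (creation time, creating principal)
    groups = {}    # account -> set of groups it was added to
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["TimeCreated"])):
        eid = ev["EventID"]
        if eid == ACCOUNT_CREATED:
            created[ev["TargetUserName"]] = (_ts(ev["TimeCreated"]), ev["SubjectUserName"])
            groups[ev["TargetUserName"]] = set()
        elif eid == GROUP_MEMBER_ADDED and ev["MemberName"] in created:
            # In 4732 TargetUserName is the group and MemberName the account
            # (assumed already normalised to a bare user name by the exporter).
            groups[ev["MemberName"]].add(ev["TargetUserName"])
        elif eid == LOGON_SUCCESS and ev.get("LogonType") == RDP_LOGON_TYPE:
            account = ev["TargetUserName"]
            if account not in created:
                continue
            t_created, creator = created[account]
            age = _ts(ev["TimeCreated"]) - t_created
            if timedelta(0) <= age <= window:
                alerts.append({
                    "account": account,
                    "created_by": creator,
                    "minutes_after_creation": round(age.total_seconds() / 60, 1),
                    "groups": sorted(groups[account]),
                    "rdp_source": ev.get("IpAddress", "?"),
                })
    return alerts


# Constructed sample: a helpdesk-created user who logs on at the console
# (benign), then a SYSTEM-created account that is added to Administrators
# and used over RDP from an external address seven minutes later.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2015-10-01 09:00:00",
     "SubjectUserName": "alice.admin", "TargetUserName": "bob.new"},
    {"EventID": 4624, "TimeCreated": "2015-10-01 10:00:00",
     "TargetUserName": "bob.new", "LogonType": 2, "IpAddress": "127.0.0.1"},
    {"EventID": 4720, "TimeCreated": "2015-10-07 02:13:05",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_update"},
    {"EventID": 4732, "TimeCreated": "2015-10-07 02:13:06",
     "MemberName": "svc_update", "TargetUserName": "Administrators"},
    {"EventID": 4624, "TimeCreated": "2015-10-07 02:20:41",
     "TargetUserName": "svc_update", "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4624, "TimeCreated": "2015-10-07 09:00:00",
     "TargetUserName": "alice.admin", "LogonType": 10, "IpAddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in find_new_account_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

The benign pair (an administrator creating a user who then logs on at the console) produces nothing, and an RDP logon by a long-standing account is ignored; only the account created by SYSTEM and used over RDP minutes later is reported, with the group it was added to in between. In production the window and the “created by SYSTEM or a service account” condition are the two knobs to tune against the local account-provisioning process.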

October 7, The Register – (International) Remote code exec hijack hole found in Huawei 4G USB modems. Security researchers from Positive Technologies discovered cross-site scripting (XSS) and stack overflow vulnerabilities in the Huawei E3272 USB 4G modem that could allow an attacker to achieve remote code execution, cause a denial of service (DoS), or hijack the connected computer. Huawei released patches addressing the vulnerabilities. Source

October 6, Securityweek – (International) Winnti spies use bootkit for persistence, distributing backdoors. Security researchers from Kaspersky Lab discovered that the advanced persistent threat (APT) group Winnti has been using an attack platform dubbed “HDRoot” as a bootkit disguised to look like Microsoft’s Net.exe utility while protected by VMProtect software, delivering two backdoors. The group previously targeted gaming companies in the U.S. and worldwide. Source


October 6, Securityweek – (International) Google patches Stagefright 2.0 flaws on Nexus devices. Google released a security update for Nexus devices resolving 20 recently discovered critical security vulnerabilities, including the flaws in libstagefright, the Android media playback engine, and libutils that are collectively dubbed Stagefright 2.0, in which an attacker could deliver a specially crafted media file to cause memory corruption and remote code execution. Source

October 6, Softpedia – (International) Hackers breach Microsoft OWA server, steal 11,000 user passwords. Security researchers from Cybereason discovered that attackers had planted a malicious dynamic link library (DLL) on an unnamed company’s Microsoft Outlook Web App (OWA) server, allowing them to steal the usernames and passwords of 11,000 employees. The attackers replaced OWAAUTH.dll, the module that handles OWA logins, with a version containing a backdoor; because that module sees each credential before it is checked against Active Directory, the backdoor recorded every login name and password in clear text. Source
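A replaced authentication module is exactly what a file-integrity baseline of the OWA directory catches. The following is an added example, not Cybereason’s code: it records the SHA-256 of every file under a directory on a known-clean server and reports modified, added and missing files on a later run. The Exchange path is an assumption about a default install, and the directory contents in the demo are constructed (short byte strings standing in for the real binaries).

```python
"""Integrity check for the Exchange OWA authentication directory. Added
example for the backdoored OWAAUTH.dll case; not Cybereason's code. Assumes
a known-good manifest was recorded from a clean server (e.g. right after
patching); the directory layout and file contents in demo() are constructed."""
import hashlib
import os
import tempfile

# Assumed default location of the OWA auth module on Exchange 2013.
OWA_AUTH_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\Auth"


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return files whose hash changed (a swapped DLL), files absent from the
    baseline (dropped web shells, credential logs) and baseline files that
    have disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a clean directory, then swap OWAAUTH.dll
    for a different binary and drop a credential log, as in the incident."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        write("OWAAUTH.dll", b"MZ-legit-owaauth-v15")   # stands in for the real DLL
        write("web.config", b"<configuration/>")
        baseline = hash_tree(root)                        # recorded on the clean server
        write("OWAAUTH.dll", b"MZ-backdoor-logs-creds")  # attacker's replacement
        write("bin/log.txt", b"user:pass")                # harvested credentials
        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

On a live server run `hash_tree(OWA_AUTH_DIR)` once after a clean patch, store the manifest off-host, and diff against it on a schedule. A hash baseline will also flash on every legitimate cumulative update, so the stronger check on Windows is the Authenticode signature of the DLL itself (a backdoored build will not carry a valid Microsoft signature); the hash diff is what tells you which files to look at.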


October 5, SC Magazine – (International) Zero day vulnerability found in VMware product. Researchers from 7 Elements discovered a VMware vCenter zero day vulnerability involving the JMX/RMI service exposed by the management interface, in which a remote attacker could gain unauthorized access to the hosting server and from there compromise the whole enterprise environment. VMware reported that it is working on a patch to address the vulnerability. Source

October 3, Softpedia – (International) Fareit malware uses different file hash for each attack to avoid AV detection. Security researchers from Cisco’s Talos team discovered a new version of the information-stealing Fareit trojan that changes its file hash with each infection, defeating signature matching on the binary. Of 2,455 recorded samples, researchers found only 23 shared hashes, while all samples communicated with just 2 command and control (C&C) servers, making the network indicators far more durable than the file hashes. Source


October 2, Help Net Security – (International) Unexpectedly benevolent malware improves security of routers, IoT devices. Security researchers from Symantec discovered an apparently benevolent botnet scheme targeting Internet of things (IoT)-connected devices utilizing code dubbed Wifatch that aims to protect devices from attacks via threat updates and removal of known malware families, among other features. Source

October 2, Softpedia – (International) Latest Upatre trojan version targets Windows XP users. Researchers from AppRiver reported a new spam-scareware campaign targeting Microsoft Windows XP users with ZIP archives containing the Upatre trojan, which primarily acts as an entry point for other infections including Dyreza, Rovnix, Crilock, and Zeus, and shuts down when executed on a non-Windows XP platform. Source

October 2, Softpedia – (International) Stored XSS in Jetpack plugin allows attackers to run code in the WordPress backend. Security researchers from Sucuri discovered a persistent cross-site scripting (XSS) vulnerability in Automattic’s Jetpack WordPress plugin, versions 3.7 and lower, in which an attacker could plant malicious script by submitting a contact form with a crafted email address; the string is stored in the WordPress database and executes whenever an administrator opens the Feedback section of the admin panel. The development team released version 3.7.1 patching the XSS bug. Source

October 1, Softpedia – (International) HTTP denial of service vulnerability found in Node.js 4.x and io.js 3.x. The Node.js project reported a hypertext transfer protocol (HTTP) denial-of-service (DoS) vulnerability affecting Node.js 4.x and io.js 3.x and advised users to roll back to an unaffected release until a fix is published. Source


October 1, Threatpost – (International) Apple patches 100+ vulnerabilities in OS X, Safari, iOS. Apple released OS X version 10.11 El Capitan addressing over 100 security vulnerabilities, including 20 flaws in the bundled hypertext preprocessor (PHP) interpreter, the XARA password-stealing vulnerabilities that could allow a malicious application to read a user’s keychain, and 45 issues in the Safari 9 Web browser, among others. Source

October 1, IDG News Service – (International) New Android vulnerabilities put over a billion devices at risk of remote hacking. Security researchers from Zimperium discovered a series of Android media processing vulnerabilities, dubbed Stagefright 2.0, affecting over 1 billion devices, in which an attacker could lure a user to a maliciously crafted Web site serving a malformed media file and achieve remote code execution; one of the flaws affects almost all devices since version 1.0 of the operating system (OS). Source

September 30, Computerworld – (International) Critical flaw puts 500 million WinRAR users at risk of being pwned by unzipping a file. Security researchers disclosed a zero day WinRAR remote code execution vulnerability affecting up to 500 million users, in which an attacker could embed malicious code in an archive that executes automatically when the archive is opened. The researchers claimed the vulnerability can be exploited without elevated privileges and with no user interaction beyond opening the archive. Source


September 30, Help Net Security – (International) Scammers use Google AdWords, fake Windows BSOD to steal money from users. Security researchers from Malwarebytes discovered that cybercriminals are using Google’s AdWords to place malicious links at the top of Google’s search page for common searches, which would lead to a fake “Blue Screen of Death” (BSOD) page prompting users to call a toll-free “helpline” with scammers that would solicit payments for support services and personal and bank account information. Source

September 30, Softpedia – (International) Microsoft Exchange Server fixed against information disclosure bug. Microsoft released an update for Exchange Server 2013 addressing a vulnerability in Outlook Web Access (OWA) that could allow an attacker to take over an active Webmail session by forcing Exchange Server to dump debug data via a maliciously crafted Uniform Resource Locator (URL), exposing session cookies that were previously inaccessible. Source

September 30, Threatpost – (International) Apple Gatekeeper bypass opens door for malicious code. Security researchers from Synack discovered that Apple’s Gatekeeper could be bypassed by tricking a user into downloading, from a third-party site, a legitimately signed application that loads a malicious library placed alongside it, or by swapping in the malicious library during an insecure Hypertext Transfer Protocol (HTTP) download from a man-in-the-middle (MitM) position, in either case gaining code execution on the system. Source

September 29, Threatpost – (International) Dyreza trojan targeting IT supply chain credentials. Security researchers from Proofpoint published research revealing that the Dyreza trojan has been used to phish information technology (IT) supply chain credentials for up to 20 organizations, including software companies supporting fulfillment and warehousing, and computer distributors. Researchers believe that hackers intend to infect all points of the supply chain to possibly divert physical shipments, issue payments and invoices to artificial companies, or enact large-scale gift-card issuances. Source

September 29, Threatpost – (International) SAP patches 12 SQL injection, XSS vulnerabilities in HANA. SAP released updates addressing 12 vulnerabilities in its HANA in-memory database platform, including structured query language (SQL) injection, cross-site scripting (XSS), and memory corruption bugs, that could allow an attacker to abuse management interfaces and compromise stored information, or lock users out of the platform, among other outcomes. Source

September 29, Securityweek – (International) Linux XOR DDoS botnet flexes muscles with 150+ Gbps attacks. Security researchers from Akamai Technologies released details of a botnet, primarily targeting corporations in Asia, that is capable of launching 150+ gigabit-per-second (Gbps) distributed denial-of-service (DDoS) attacks from Linux systems compromised by the XOR DDoS trojan, which can also download and execute arbitrary code and update itself. Source

September 30, Softpedia – (New Jersey) Despite new equipment, Rutgers University goes down after DDoS attack. Rutgers University announced September 28 that the university experienced network issues due to a distributed-denial-of-service (DDoS) attack, which limited access to the Internet for several hours. The attack was allegedly orchestrated by a hacker known as Exfocus, and followed four previous attacks against the university between March and May. Source
