Gotham Security Daily Threat Alerts

August 3, Help Net Security – (International) Fake “Windows 10 Free Upgrade” emails deliver ransomware. Security researchers from Cisco’s Talos Group discovered a ransomware campaign in which attackers purporting to be from Microsoft send victims emails with a fake Windows 10 installer attached that is actually a variant of the CTB-Locker crypto-malware. Source

August 3, Softpedia – (International) Chrome extensions can be disabled without user interaction. Security experts from Detectify Labs discovered that an attacker could disable a list of Google Chrome security extensions upon visiting a site using the “ping” attribute inside a regular link, effectively removing safeguards without the user’s knowledge. Google Chrome was notified of the vulnerability and released a patch addressing the issue. Source

August 3, IDG News Service – (International) DNS server attacks begin using BIND software flaw. Security researchers from Sucuri reported that attackers have begun exploiting a denial-of-service (DoS) flaw in all versions of BIND 9 open-source Domain Name System (DNS) software that was patched the week of July 27. The company confirmed that two clients in different sectors had experienced attacks. Source

August 3, Help Net Security – (International) The leading cause of insider threats? Employee negligence. The Ponemon Institute released findings from a survey on insider information technology (IT) threats in U.S. and German firms, revealing that in addition to malicious intent, employee negligence is a significant cause of security incidents that lead to decreases in IT productivity, which can cause a company as much as $1.5 million in losses per year. The report cited long hours and multitasking as common elements leading to negligence, among other findings. Source

July 31, Securityweek – (International) Flaw in fingerprint access devices could make it easy to open doors. Security researchers at CERT Coordination Center (CERT/CC) discovered two flaws in several models of fingerprint access controllers developed by Taiwan-based Chiyu Technology in which an unauthenticated attacker with network access could view and modify the device’s configuration by accessing known paths. Source

August 3, Softpedia – (National) Data of 4 million patients lost in MIE hacking. The Indiana Attorney General announced that an estimated 1.5 million State residents and 3.9 million individuals from 11 healthcare providers and 44 radiology clinics nationwide may have been impacted by a May breach of Medical Informatics Engineering and its subsidiary NoMoreClipboard’s networks. Officials continue to investigate the attack, which allowed hackers to gain access to patients’ personal and medical information. Source

August 3, Securityweek – (National) FDA issues alert over vulnerable Hospira drug pumps. Healthcare organizations were alerted by the U.S. Food and Drug Administration July 31 regarding cyber security risks associated with the use of Hospira Symbiq infusion systems following flaws discovered in 2014, which included security holes that can be remotely exploited by hackers in order to gain access to the devices and possibly change the dosage they deliver. Hospira has been developing a software update and is working to remove all of the infusion systems from the market until a permanent replacement is available. Source

August 1, Sioux City Journal – (South Dakota) Siouxland Pain Clinic says patient information likely exposed by hacker. The Siouxland Pain Clinic in Dakota Dunes reported July 31 that patients’ health and other personal information was likely exposed during an attack on the clinic’s server between March 26 and April 2, and that there was no evidence that the information was misused. The clinic continues to evaluate the attack after being notified of the breach June 26. Source

Gotham Security Daily Threat Alerts

July 31, Help Net Security – (International) Cybercriminals are preying on existing vulnerabilities to plan future attacks. An analysis of cyber threats by Solutionary identified several campaigns consisting of over 600,000 events worldwide that targeted the bash vulnerability in the second quarter of 2015, and found that the U.S. was a leading source of command and control traffic and malware threats, among other findings. Source

July 30, Securityweek – (International) Stack ranking the SSL vulnerabilities for the enterprise. Security researchers discovered an OpenSSL vulnerability dubbed “OprahSSL” in which an attacker with a legitimate end-leaf certificate could circumvent OpenSSL code validating the certificate’s purpose, and sign other certificates in order to perpetrate man-in-the-middle (MitM) attacks on Secure Sockets Layer (SSL) sessions, and ranked the severity of the flaw in relation to other SSL vulnerabilities, including Heartbleed, Early CCS, and LOGJAM. Source

July 30, Softpedia – (International) Google fixes Chrome issue that leaked the user’s real IP from behind a VPN. Google released a Chrome Web browser extension called “WebRTC Network Limiter” to address an issue with the WebRTC protocol in which certain circumstances could reveal the real public and local Internet Protocol (IP) address of a user connected via a virtual private network (VPN). Source

July 30, CNET – (National) GM quickly issues fix for OnStar hack, but service still vulnerable. The General Motors Company confirmed July 30 that OnStar-equipped vehicles are vulnerable to a flaw that could allow an attacker to remotely locate the vehicle and issue commands through OnStar’s RemoteLink app, such as locking doors or starting the engine. A hacker demonstrated the vulnerability using a device called “OwnStar,” which he claimed allowed him to intercept communications between the app and the vehicle. Source

July 31, MarketWatch – (National) How vulnerable are the U.S. stock markets to hackers? An analysis of information security and cyber risk trends in the financial sector cited findings from a 2015 U.S. Securities and Exchange Commission Risk Alert revealing that about 88 percent of brokerages and 74 percent of financial advisers in the U.S. have suffered cyber-attacks, and that according to Congressional testimony, a major U.S. bank is attacked every 34 seconds, among other disclosures. Source

Gotham Technology Daily Threat Alerts

July 30, The Register – (International) Cisco IOS-XE update time: squash that DoS bug. Cisco released a patch for a vulnerability in its IOS-XE operating system (OS) in which an attacker could cause a denial-of-service (DoS) condition by sending a series of Internet Protocol version 4 (IPv4) or IPv6 fragments designed to trigger an error message. Source

July 30, Help Net Security – (International) More than a third of employees would sell company data. Loudhouse released results from a survey on enterprise security practices polling over 500 information technology (IT) decision-makers and 4,000 employees across the U.S., Europe, and Australia, revealing that 25 percent of employees polled would sell company data for less than $8,000, citing the ready access most employees have to valuable data, among other findings. Source

July 30, Help Net Security – (International) Most malvertising attacks are hosted on news and entertainment Web sites. Bromium Labs released an analysis of malware evasion technology revealing that over 50 percent of malware is hosted on news and entertainment Web sites, and reported an 80 percent increase in new ransomware families since 2014, among other findings. Source

July 29, Securityweek – (International) Shellshock flaw still actively exploited: Solutionary. Solutionary’s Security Engineering Research Team released findings from a report revealing that the Shellshock bug discovered in 2014 has been actively exploited by threat actors, identifying about 600,000 Shellshock-related events from over 25,000 Internet Protocol (IP) addresses, mostly in the U.S. Researchers noted that education organizations were the most targeted, among other findings. Source

July 29, IDG News Service – (International) Maliciously crafted MKV video files can be used to crash Android phones. Security researchers from Trend Micro discovered a vulnerability in the Android operating system’s (OS) mediaserver component in which an attacker could use a malformed Matroska video container (MKV) file to crash and render a device unusable. Source

Gotham Security Daily Threat Alerts

July 29, Securityweek – (International) Russian hacker tool uses legitimate Web services to hide attacks: FireEye. Security researchers from FireEye discovered that the APT29 threat group is employing a malicious backdoor dubbed “HAMMERTOSS” that utilizes a multi-stage process involving social media, steganography, and PowerShell to hide malicious activity within legitimate network traffic. Researchers believe that the backdoor is only being deployed against critical targets, possibly as a backup in case other tools fail or are disrupted. Source

July 29, Securityweek – (International) BIND update patches critical DoS vulnerability. The Internet Systems Consortium released updates for the popular BIND Domain Name System (DNS) software addressing a critical remotely exploitable vulnerability in the handling of TKEY record queries in which an attacker could use a specially crafted DNS packet to trigger a denial-of-service (DoS) condition. Source

July 29, Softpedia – (International) Row Hammer DRAM bug now exploitable via JavaScript, most DDR3 memory chips vulnerable. Security researchers from universities in Austria and France released findings revealing that the Row Hammer bug can be triggered and exploited remotely via JavaScript, making it the first documented “remote software-induced hardware-fault attack.” Source

July 29, Securityweek – (International) Black Vine espionage group attacked aerospace, energy, healthcare industries. Security researchers from Symantec reported that the Black Vine espionage group responsible for the 2014 Anthem system breach has been active since 2012, used custom-built malware, zero-day exploits, and watering hole attacks to target organizations across the aerospace, healthcare, energy, military, defense, finance, agriculture, and technology industries, primarily in the U.S. Source

July 29, The Register – (International) Microsoft admits critical .NET Framework 4.6 bug, issues workaround. Microsoft released a workaround addressing a critical codegen bug for those running 64-bit processes on .NET Framework 4.6, in which incorrect parameters could be passed, leading to unpredictable results. Source

July 29, Homeland Security News Wire – (International) Cellphones can steal data from isolated “air-gapped” computers. Researchers at the Ben-Gurion University of the Negev Cyber Security Research Center discovered a way to use central processing unit (CPU) firmware-modification software to turn an air-gapped system into a cellular transmitting antenna, making it possible for any mobile phone infected with malicious code to use GSM phone frequencies to steal data from infected air-gapped systems. Researchers recommended mitigation measures including defined “zones” where mobile phones and other devices are not allowed near at-risk air-gapped computers. Source

July 29, Bloomberg – (International) China-tied hackers that hit U.S. said to breach United Airlines. Investigators involved in a probe of a previously unreported May or June breach of United Airlines’ computer systems reported links between the hackers and the Chinese threat group that perpetrated the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from Anthem Inc., as well as at least seven other travel and health insurance organizations. Officials believe that the breach may have compromised movement data of millions of Americans and opened the airline’s systems to future disruptions and attacks. Source

July 28, IDG News Service – (International) Xen patches new virtual-machine escape vulnerability. The Xen Project released updates for its virtualization software addressing a vulnerability in the CD-ROM drive emulation feature of the QEMU open-source hardware emulator that could allow an attacker to bypass the security barrier between virtual machines and their host operating systems (OS). Source

Gotham Security Daily Threat Alerts July 28-29, 2015

July 28, Softpedia – (International) One in 600 Web sites lists its .git folder, exposing sensitive data. A web developer discovered that out of 1.5 million web sites scanned, 2,402 had an inadvertently exposed .git folder, possibly exposing sensitive information. Source

July 28, Securityweek – (International) Cybercriminals use Angler exploit kit to target PoS systems. Trend Micro researchers reported that cybercriminals have been utilizing the Angler exploit kit (EK) to deliver a reconnaissance trojan that detects mitigation tools before downloading one of three point-of-sale (PoS) malware payloads. Source

July 28, IDG News Service – (International) Over 10 million Web surfers possibly exposed to malvertising. Cyphort released tracking data from malicious advertisement campaigns revealing that since July 18, over 10 million people may have visited Web sites containing malicious ads which redirect visitors to directories hosting the Angler exploit kit (EK). Source

July 28, Softpedia – (International) Darkode forum returns with enhanced security measures. MalwareTech researchers reported that the Darkode hacker forum was back online with enhanced security and authentication processes to prevent future infiltrations, after July raids by the FBI and international partners led to the shutdown of the Web site and the detainment of multiple individuals associated with it. Source

July 28, SC Magazine – (International) Apple App Store and iTunes buyers hit by zero-day. Security researchers from Vulnerability Lab published a zero-day filter bypass flaw in Apple’s online invoicing system used in its App Store and iTunes that could allow an attacker to hijack a user’s purchasing session to buy and download any app or content they want, before charging it to the original user. Source

July 28, Network World – (International) Software vulnerabilities hit a record high in 2014, report says. Secunia released analysis from its Vulnerability Review 2015 revealing that the number of recorded software vulnerabilities hit a record high of 15,435 in 2014, an increase of 18 percent from the previous year, and that many organizations are too slow to release security fixes, among other findings. Source

July 27, Dark Reading – (International) Phishing attacks drive spike in DNS threat. Infoblox and Internet Identity published data revealing that the Domain Name System (DNS) Threat Index jumped nearly 60 percent in the second quarter of 2015, reportedly due to a corresponding 74 percent increase in phishing and phishing domains over the same period. Source

July 27, Threatpost – (International) Android Stagefright flaws put 950 million devices at risk. Security researchers at Zimperium zLabs reported that about 950 million Android devices are vulnerable to flaws in the operating system’s (OS) Stagefright media engine, in which excessive permissions could allow an attacker to send a Multimedia Messaging Service (MMS) or Google Hangouts message to trigger the vulnerability, granting system access on the affected device. Source

July 27, Securityweek – (International) Many high-profile firms using vulnerable PHP File Manager: researcher. A security researcher identified several vulnerabilities in Revived Wire Media’s PHP File Manager application, including the existence of a default user account with backdoor access to systems running the software, lack of protection for the user database, and arbitrary file upload vulnerabilities, among other flaws. Many firms reportedly still use the application even though it has not been updated since its release in 2010 – 2011. Source

July 27, Help Net Security – (International) Over 5,000 mobile apps found performing in-app ad fraud. Security researchers from Forensiq discovered at least 5,000 mobile applications being used for mobile hijacking ad fraud worldwide that were observed affecting 12 million unique devices over a 10-day period. Source

July 27, Threatpost – (International) Pair of bugs open Honeywell home controllers up to easy hacks. Researchers discovered vulnerabilities in Honeywell’s Tuxedo touch devices used for controlling home systems, including an authentication bypass bug that could grant access to restricted systems, and a cross-site request forgery bug that an attacker could use during an active authenticated session to execute the same commands as the user. Source

July 25, Military Times – (National) GAO: defense installation utilities at risk of cyber attack. A recent report released by the U.S. Government Accountability Office warned against vulnerabilities in the military’s industrial control systems (ICS) network controlling essential services to military installations worldwide. A 2018 deadline set by the Pentagon to address limited cyber defenses for the ICS will be difficult to meet due to delays and unreliable data, according to the report. Source

Gotham Security Daily Threat Alerts

July 24, Securityweek – (International) Red Hat patches “libuser” library vulnerabilities. Red Hat patched two vulnerabilities in its “libuser” library, including a race condition flaw that could lead to a denial-of-service (DoS) condition and a bug in the chfn function of the userhelper utility that an attacker could leverage to create a DoS condition and achieve privilege escalation on the system. Source

July 24, SC Magazine – (International) Sophos moves to patch Web Security Appliance flaws. A security researcher from Info-Assure Ltd discovered two vulnerabilities in Sophos’s Web Security Appliance prior to version 4.0.4 that could allow unauthenticated users to read files from the device and inject arbitrary JavaScript via its management interface. Source

July 23, FierceGovernmentIT – (National) Census Bureau confirms ‘unauthorized access’ to system; Anonymous members claim responsibility. The online activist group Anonymous claimed responsibility July 22 for a cyber-attack on the U.S. Census Bureau, which leaked non-confidential information including email addresses, phone numbers, and job titles of the organization’s 4,200 employees. The organization’s internal systems were not affected, and the compromised servers have been locked down. Source

July 24, Autoblog – (National) FCA issuing software update for 1.4M vehicles to prevent hacking. Fiat Chrysler Automobiles U.S. issued a voluntary recall and software update for 1.4 million model year 2013 – 2015 Chrysler 200 and 300, Dodge Charger, Challenger, Viper, Ram, Durango, and Jeep Cherokee and Grand Cherokee vehicles with 8.4-inch touchscreen Uconnect systems to protect vehicles from remote manipulation, following reports that a security expert remotely hacked a vehicle via a cellular connection. Source

July 24, Computerworld – (International) Firewalls can’t protect today’s connected cars. Security and automotive experts reported on the risks associated with Internet-enabled vehicles, including a lack of operational security and multiple wireless access points to vehicles’ controller area networks (CAN). The researchers recommended alternate approaches to vehicle security such as encrypted CAN messaging or detection software. Source