Skip to content

Gotham Security Daily Threat Alerts

August 27, The Register – (International) FireEye intern VXer pleads guilty for Darkode droid RAT ruse. A former FireEye intern from Pittsburgh pleaded guilty to creating and selling the Dendroid remote access trojan (RAT) for Android phones on the Darkode hacker forums. Denroid was capable of infecting about 1,500 phones for each buyer, while it is unknown how many copies the suspect sold. Source

August 27, Threatpost – (International) Endress+Hauser patches buffer overflow in dozens of ICS products. Endress+Hauser and CodeWrights released updates addressing a remotely exploitable vulnerability found in the Device Type Manager (DTM) library of dozens of Endress+Hauser’s products used for industrial process automation, in which an attacker could use a specially crafted packet to create a buffer overflow in the DTM, causing the affected product to hang indefinitely. Source

August 27, Securityweek – (International) Small percentage of employees responsible for most cloud security risk: Report. Report findings from a CloudLock analysis of 10 million users across 1,800 organizations revealed that the top 1 percent of users in organizations are responsible for 57 percent file ownership, 81 percent of file shares, 73 percent of exposed files, and 62 percent of application industries, suggesting that cyber risks could be mitigated by reaching out to an organization’s top users, among other findings. Source

August 27, Softpedia – (International) PayPal fixes XSS flaw that allowed access to unencrypted credit card details. PayPal addressed a cross-site scripting (XSS) flaw on the Web site’s SecurePayments page in which an attacker could inject customized payment forms into the page HyperText Markup Language (HTML) in order to intercept user financial and PayPal login information in clear text. Source

Gotham Security Daily Threat Alerts

August 26, SC Magazine – (International) Zero-day, Angler kit exploits help drive up malvertising by 325%. Security researchers from Cyphort reported study findings revealing that malvertising attacks have increased by 325 percent in 2015, likely due to a combination of frequent zero-day exploits and new technology making the tactic more effective. Source

August 26, Securityweek – (International) New Zeus variant “Sphinx” offered for sales. Malware developers released a new Zeus banking trojan variant called Sphinx that operates fully through The Onion Router (Tor) anonymity network and is designed to work on Microsoft Windows Vista and Windows 7 with User Account Control (UAC) enabled, as well as on low-privilege and “Guest” accounts. The malware has a full feature suite, including Backconnect Virtual Network Computing (VNC) capability, allowing users to transfer funds directly from the infected system. Source

August 26, Threatpost – (International) CERT warns of hard-coded credentials in DSL SOHO routers. The Computer Emergency Readiness Team (CERT) published an advisory warning that certain Digital Subscriber Line (DSL) routers manufactured by ASUS Tek, DIGICOM, Observa Telecom, Philippine Long Distance Telephone, and ZTE contain hard-coded credentials that could allow a hacker to remotely control or access the devices via telnet services. Source

August 26, Securityweek – (International) Sundown EK first to integrate exploit for recently patched IE flaw. Security researchers from Symantec discovered that the Sundown exploit kit (EK) integrated a recently patched Microsoft Internet Explorer memory corruption vulnerability, and reported observing watering hole attacks leveraging the EK to deliver the Trojan.Nancrat backdoor. Source

August 26, Threatpost – (International) Researchers uncover new Italian RAT uWarrior. Security researchers from Palo Alto Networks discovered a new fully-featured remote access trojan (RAT) called uWarrior embedded in a rigged Rich Text Format (.RTF) file. After the file infects the system, it downloads a payload and is copied to another directory, where it communicates with a command and control server through an encrypted protocol. Source

August 26, – (International) Apple iOS Ins0mnia flaw that hides malicious apps revealed by FireEye. Security researchers from FireEye discovered that devices running versions of iOS prior to 8.4.1 are vulnerable to a flaw dubbed Ins0mnia, in which any application could bypass Apple background restrictions, and could allow an attacker to run in the background and steal sensitive user information indefinitely without the user’s consent or knowledge. Source

August 25, IDG News Service – (International) Flaw in Android remote-support tool exploited by screen recording app. Security researchers from Check Point discovered that the Recordable Activator Android app on Google Play was utilizing a recently discovered flaw in the TeamViewer remote support tool dubbed Certifi-gate, in which an attacker could use a rogue app to masquerade as an official tool and take control of an affected device. The app was pulled after having over 500,000 installations Source

August 25, Threatpost – (International) AutoIt used in targeted attacks to move RATs. Security researchers at Cisco discovered that hackers are using the AutoIt task automation freeware to stealthily drop remote access trojans (RATs) that install via malicious macros in Microsoft Word documents. AutoIt is considered a legitimate information technology (IT) administration tool, and is often whitelisted in enterprises. Source

August 25, Associated Press – (California) Audit: California agencies vulnerable to IT security breach. A report released August 25 by the State auditor found that several California agencies were not in compliance with the State’s information technology standards, leaving them vulnerable to potential attacks and security breaches, among other findings. The California Department of Technology responded that it is committed to improving the State’s overall security posture and oversight. Source

Gotham Security Daily Threat Alerts

August 25, Securityweek – (International) Tor increasingly used by malicious actors: IBM. IBM Security released findings from its third quarter X-Force Threat Intelligence report revealing that The Onion Router (Tor) network has been used increasingly by cybercriminals for malicious purposes, with about 180,000 malicious events originating from Tor U.S. exit nodes since May. Researchers found that most Tor-based attacks have been Structured Query Language (SQL) injections and primarily targeted the information and communications industries, among other findings. Source

August 24, Securityweek – (International) Dyre trojan uses semi- random file names to evade detection. Security researchers at IBM discovered that the developers of the Dyre banking trojan modified the malware’s persistence mechanism by making its execution a Microsoft Windows scheduled task, and assigned semi-random filenames to the trojan’s configuration files to evade detection. Source

August 24, Threatpost – (International) AlienSpy RAT resurfaces as Jsocket. Security researchers discovered that the AlienSpy remote access trojan (RAT) malware was renamed and repackaged as Jsocket, and has been involved in phishing campaigns against targets in utilities, government, telecommunications, and other industries. Source

Gotham Security Daily Threat Alerts

August 24, Securityweek – (International) Zero-day flaws found in Dolphin, Mercury browsers for Android. A security researcher discovered a vulnerability in the Dolphin web browser for Android in which a man-in-the-middle (MitM) attacker could inject a specially crafted file to arbitrarily write files or execute remotely, as well as unpatched insecure Intent URI scheme implementation and path transversal vulnerabilities in the Mercury web browser that could allow a remote attacker to read and write arbitrary files within the application’s data directory. Source

August 24, Softpedia – (International) Google patches Android vulnerability that allowed arbitrary code execution. Google issued an update addressing a heap overflow vulnerability in the Android mediserver’s Audio Policy Service that an attacker could trigger to cause a continuous crash loop in the affected device. Source

August 24, Securityweek – (International) Apple patches nine vulnerabilities in QuickTime for Windows. Apple patched nine vulnerabilities in QuickTime 7.7.8 for Microsoft Windows, including denial-of-service (DoS) flaws that can be exploited via specially crafted .MOV files, leading to a memory corruption condition that can cause QuickTime to terminate unexpectedly. Source

August 24, The Register – (International) Samsung smart fridge leaves Gmail logins open to attack. Security researchers from Pen Test Partners discovered a Secure Sockets Layer (SSL) vulnerability in Samsung’s RF28HMELBSR smart fridge in which a man-in-the-middle (MitM) attacker could use a fake Wi-Fi access point and deauthentication to steal Google login credentials via the refrigerator’s calendar client. Source

August 24, Help Net Security – (International) Risky mobile behaviors are prevalent in the government. Lookout released findings from a report revealing that 14,622 Lookout-enabled devices across 20 Federal agencies encountered 1,781 app-based threats, that employees use personal mobile devices in various ways that can compromise agency network security, and that 18 percent of Federal employees with personal and government-issued smartphones reported encountering malicious software, among other findings. Source

Gotham Security Daily Threat Alerts

August 21, Securityweek – (International) Thousands of hacked WordPress sites abused in Neutrino EK attacks. Security researchers from Zscaler discovered a malware campaign in which cybercriminals have compromised over 2,600 WordPress 4.2 and prior web sites in August by planting malicious iframes with redirects to Neutrino exploit kit (EK) landing pages. The Neutrino landing page exploits Adobe Flash Player vulnerabilities to inject CryptoWall 3.0 ransomware on victims’ computers. Source

August 20, Agence France-Presse – (International) New data leaked from ‘cheater’ site Ashley Madison. Vice Media reported that Impact Team hackers released 20 gigabytes (GB) worth of data August 20 related to a July Ashley Madison discrete dating web site breach. The release, containing internal corporate data and emails, follows an August 18 data dump of 32 million emails and user account information from the web site. Source

Gotham Security Daily Threat Alerts

August 20, Securityweek – (International) iOS sandbox flaw exposes companies using MDM solutions. Security experts from Appthority reported that organizations using mobile device management (MDM) solutions and enterprise mobility management (EMM) solutions are vulnerable to third-party app sandbox issue dubbed “Quicksand” in Apple’s iOS, in which an attacker could develop a malicious application that reads the configuration settings of managed applications. Source

August 20, Securityweek – (International) Drupal security updates patch five vulnerabilities. The developers of the Drupal open source content management system (CMS) released security updates addressing five cross-site scripting (XSS), Structured Query Language (SQL) injection, cross-site request forgery (CSRF), and information disclosure vulnerabilities. Source

August 20, The Register – (International) Holes found in Pocket Firefox add-on. Mozilla released a fix August 17 for server-side vulnerabilities in the Pocket Firefox web browser add-on in which an attacker could compromise the Pocket application to gain access to user data, and could use the add-on to populate links to malicious redirects. Source

Gotham Security Daily Threat Alerts

August 19, Securityweek – (International) Hackers leak Ashley Madison user data. Security experts reported that hackers released a 10 gigabyte (GB) file containing the personal information and payment records of over 30 million Ashley Madison discrete dating web sites users following a July breach and threats that information would be released if Avid Life Media Inc., continued its practices regarding user profile retention and confidentiality. Source

August 19, Securityweek – (International) Adobe patches vulnerability in LiveCycle data services. Adobe released a security hotfix for its LiveCycle Data Services (DS) framework addressing an XML Eternal Entity (XXE) vulnerability that could result in information disclosure. Source

August 19, IDG News Service – (International) Internet company hit by credit card breach. The Group reported that a security breach discovered August 13 compromised the name, address, and credit card information of around 93,000 customers. The company reported that no verification codes or other customer information was exposed. Source

August 18, Threatpost – (International) Emergency IE patch fixes vulnerability under attack. Microsoft released an emergency patch August 18 for all supported versions if its Internet Explorer Web browser addressing a zero-day memory corruption vulnerability that an attacker could leverage to remotely execute arbitrary code in the context of the current user. Source

%d bloggers like this: