
Gotham Security Daily Threat Alerts

October 21, IDG News Service – (International) One week after patch, Flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit sold on underweb forums, known as Fiesta, that is bundled with an exploit for a recently patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14. Source

October 21, Securityweek – (International) Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products. Source

October 21, The Register – (International) Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to obtain user names, domain names, and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply the best-practice guidelines developed by the company. Source

Gotham Security Daily Threat Alerts

October 20, The Register – (International) Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch. Source

October 18, Softpedia – (International) Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users’ Dropbox and email credentials. The phishing page uses the secure sockets layer (SSL) protocol of its host in order to appear legitimate. Source

October 17, The Register – (International) Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities. Source

October 17, Softpedia – (International) Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems. Source

October 17, SC Magazine – (International) Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running the GE Intelligent Platforms CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack, exploiting it to install the BlackEnergy malware. Source

Migrating a Citrix XenDesktop Environment to a New VMware vCenter Instance


Recently we ran into a situation where a customer had requested an upgrade of their existing VMware vCenter from version 5.1 to 5.5. Upon reviewing the existing vCenter server, we noticed that both VMware SSO and SRM were running on the same server. Based on VMware best practices, we recommended separating vCenter, SSO, and SRM onto three distinct servers. The migration of the services to the three new servers worked without any issue. However, the existing Citrix XenDesktop environment was still pointing to the old vCenter instance, and unfortunately Citrix doesn’t make it easy to simply point it at the new one.


The Citrix XenDesktop 5.6 environment was using Machine Creation Services (MCS) along with the Personal vDisk (PVD) feature. Both integrate heavily with the virtual infrastructure, in this case VMware vCenter. To resolve the issue, Gotham created new virtual desktops on the new vCenter instance and then backed up each user’s PVD and restored it to the user’s new virtual desktop. The PVD migration could only take place while the user was logged off, because the PVD is locked during a session. Following the backup and restore of the PVD, we simply disabled access to the old virtual desktop and enabled access to the new one.
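As an added example of the per-user cutover described above (this is not Gotham’s own script and is not part of the original post), the following PowerShell uses the Citrix Broker snap-in on a XenDesktop 5.6 Delivery Controller to pair each old desktop with its replacement by assigned user, check that the old desktop has no session (the PVD is locked while one exists), and, only with -Apply, fence the old desktop and open the new one around the PVD copy. The hosting connection names, the use of maintenance mode as the “disable/enable access” mechanism, and the PVD backup/restore tooling (left to whatever you use) are assumptions.

```powershell
# Added example (not Gotham's script). Assumes the Citrix Broker snap-in and
# that the old and new vCenter instances are two separate hosting connections.
param(
    [string]$OldConnection = 'vCenter-OLD',   # placeholder hosting connection names
    [string]$NewConnection = 'vCenter-NEW',
    [switch]$Apply                            # without -Apply the script only reports
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$oldDesktops = Get-BrokerMachine -HypervisorConnectionName $OldConnection -MaxRecordCount 10000
$newDesktops = Get-BrokerMachine -HypervisorConnectionName $NewConnection -MaxRecordCount 10000

# Index the replacement desktops by assigned user so each old desktop can find its partner.
$newByUser = @{}
foreach ($m in $newDesktops) {
    foreach ($u in @($m.AssociatedUserNames)) { $newByUser[$u.ToLower()] = $m }
}

$worklist = foreach ($m in $oldDesktops) {
    $user = @($m.AssociatedUserNames) | Select-Object -First 1
    if (-not $user) { continue }               # unassigned desktop: no PVD to migrate

    $target = $newByUser[$user.ToLower()]
    $targetName = $null
    if ($target) { $targetName = $target.MachineName }

    # The PVD stays locked while any session exists, so a logged-on user blocks the copy.
    $sessions = @(Get-BrokerSession -MachineName $m.MachineName -ErrorAction SilentlyContinue)
    $loggedOff = ($sessions.Count -eq 0)

    New-Object PSObject -Property @{
        User       = $user
        OldDesktop = $m.MachineName
        NewDesktop = $targetName
        LoggedOff  = $loggedOff
        Ready      = ($loggedOff -and ($null -ne $target))
    }
}

$worklist | Format-Table User, OldDesktop, NewDesktop, LoggedOff, Ready -AutoSize

if ($Apply) {
    foreach ($w in ($worklist | Where-Object { $_.Ready })) {
        $old = $oldDesktops | Where-Object { $_.MachineName -eq $w.OldDesktop }
        $new = $newByUser[$w.User.ToLower()]

        # Step 1: fence the old desktop so the user cannot log back on mid-copy.
        Set-BrokerMachineMaintenanceMode -InputObject $old -MaintenanceMode $true

        # Step 2: back up the PVD from the old desktop and restore it to the new one
        # with your PVD tooling; the page names no tool, so only the hand-off is logged here.
        Write-Host "PVD backup/restore for $($w.User): $($w.OldDesktop) -> $($w.NewDesktop)"

        # Step 3: open the new desktop for brokering once the restore has completed.
        Set-BrokerMachineMaintenanceMode -InputObject $new -MaintenanceMode $false
    }
}
```

Run it once without -Apply to review the worklist; any row with LoggedOff false is a user who must be asked to log off before their PVD can be copied, and any row with an empty NewDesktop is a user for whom no replacement desktop was created on the new vCenter.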


Overall, this was a tedious process even for a small XenDesktop implementation; for a much larger deployment of XenDesktop with PVD it would have been a major issue.

Gotham Security Daily Threat Alerts

October 17, Threatpost – (International) SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition. Source

October 17, IDG News Service – (International) New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner. Source

October 16, Softpedia – (International) XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers. Source

October 16, The Register – (International) Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information. Source

October 16, IDG News Service – (International) All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner lid while it is open, thereby relaying commands to malware already planted on the system via a USB drive or other method. The researchers successfully tested the method against a target printer inside a building from 200, 900, and 1,200 meters away and stated that a more powerful laser could produce reliable results from up to 5 kilometers. Source


Gotham Security Daily Threat Alerts

October 16, Securityweek – (International) Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that attackers have increasingly used the Simple Service Discovery Protocol (SSDP) that comes enabled on Universal Plug and Play (UPnP) devices to launch reflection and amplification distributed denial of service (DDoS) attacks starting in July. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack. Source

October 16, Help Net Security – (International) New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers. Source

October 15, The Register – (International) FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign targeting policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools including Moudoor, a derivative of the Gh0st RAT remote access trojan, and the Hikiti malware used to control compromised systems. Source

October 15, Threatpost – (International) Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution and all users were advised to update their installations as soon as possible. Source

October 16, Softpedia – (International) Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stocks of Canada-based Confederation Minerals Ltd., which has resulted in the transaction volume of the company increasing to 1,620,000 shares from 10,000 shares within 3 days. The spam campaign is the largest recorded in 2014 and the attackers behind it stand to profit by selling stocks after inflating the prices. Source

October 15, Softpedia – (International) Cyberswim announces data breach lasting for more than three months. Cyberswim Inc. notified customers who made purchases on its Web site between May 12 and August 28 that their personal information, including payment card data, may have been compromised after officials confirmed that malicious software was installed on the company’s network, granting attackers access to the data. Cyberswim updated its Web site code and issued a password reset to block the intruders’ access to the network. Source

Gotham Security Daily Threat Alerts

October 14, Help Net Security – (International) Russian espionage group used Windows 0-day to target NATO, EU. iSIGHT Partners discovered a zero-day vulnerability used in a cyber-espionage campaign dubbed SandWorm targeting the North Atlantic Treaty Organization, the European Union, Ukrainian and Polish government organizations, and several European telecommunications and energy sector organizations. Microsoft is expected to release a patch for the zero-day, which affects supported versions of Microsoft Windows and Windows Server 2008 and 2012. Source

October 14, Softpedia – (International) Dropbox denies being hacked, points to third-party services. Dropbox announced that its servers were not breached after a list of 420 username and password pairs was publicized on Pastebin by a poster claiming that more would be published in exchange for Bitcoin donations. The company reported that the information was stolen from other Web services used by the victims, who had reused the same usernames and passwords for Dropbox. Source

October 13, Network World – (International) The snappening: Snapsaved admits to hack that leaked SnapChat photos. Snapsaved, a third-party Snapchat app, was hacked, resulting in the release of 500 MB of images containing between 90,000 and 200,000 photos and videos, due to a misconfiguration in its Apache server. Snapsaved subsequently deleted the entire Web site and database associated with the breach. Source

October 10, Securityweek – (International) Multiple vulnerabilities found in BMC Track-It! help desk software. Researchers with the Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) and Agile Information Security found that Track-It! version, the IT helpdesk solution created by BMC Software, contains three vulnerabilities: one related to permissions, privileges, and access control; missing authentication for a critical function; and a blind SQL injection. The company is working on addressing the issues. Source

October 10, SC Magazine – (International) New mobile trojan masquerading as Tic-tac-toe game targets Android devices. Kaspersky Lab researchers found that a Tic-tac-toe game available for Android devices houses the Gomal trojan, which allows attackers to record audio from the microphone, steal incoming SMS messages, steal data from the device log, and obtain root privileges, among other things. Good for Enterprise researchers determined that the app was a proof-of-concept presented at Black Hat 2013 and relied only on a Samsung Exynos memory access vulnerability, which has since been patched. Source

October 10, SC Magazine – (International) HP to remove digital signature that code-signed malware. Symantec discovered that an HP digital certificate was used to cryptographically sign (code-sign) malware shipped through HP products in May 2010. HP will revoke the digital certificate October 21 after researchers found an apparent HP signature on a four-year-old trojan that may have been included in the software. Source

Gotham Security Daily Threat Alerts

October 10, Securityweek – (International) New Rovnix variant targets users in EU countries. Researchers with CSIS Security Group identified a new variant of the Rovnix malware currently targeting users in European Union countries that includes a new domain generation algorithm (DGA), changes to avoid detection, and the removal of a bootkit component. Source

October 9, Threatpost – (International) Shellshock exploits spreading Mayhem botnet malware. Researchers at Malware Must Die reported detecting attacks against a number of Linux and UNIX systems from several IP addresses belonging to the Mayhem botnet. The botnet was found to be probing Internet-facing systems for the Shellshock vulnerability in order to drop a new remote installer written in Perl. Source

October 14, Information Week Dark Reading – (International) Russian Cyberspies Hit Ukrainian, US Targets With Windows Zero-Day Attack. Researchers at iSIGHT Partners, who have been tracking the so-called Sandworm cyber espionage team out of Russia and four other such teams there for some time, discovered the group using a previously unknown security weakness in Windows. Today, as part of its monthly patch cycle, Microsoft will issue a patch for the CVE-2014-4114 bug, which is found in Windows Vista; Windows versions 7, 8, and 8.1; and Windows Server 2008 and 2012. The Sandworm gang is using the zero-day for the initial attack, which then drops a variant of the notorious BlackEnergy Trojan traditionally used by the pervasive Russian cybercrime underground. Source
