Skip to content

Gotham Security Daily Threat Alerts

May 26, Softpedia – (International) Apache HBase fixes denial-of-service, info disclosure flaw. Apache released a fix for a vulnerability in its HBase software in which a remote attacker with network access could create a denial-of-service (DoS) condition and read sensitive information by exploiting insecure Access Control Lists (ACLs) on the ZooKeeper quorum. Source

May 26, Securityweek – (International) Synology fixes XSS, command injection vulnerabilities in NAS software. Taiwan-based Synology released software updates addressing security vulnerabilities in DiskStation Manager (DSM) network attached storage (NAS) software that runs on the company’s DiskStation and RackStation devices, including a cross-site scripting (XSS) bug that could allow attackers to steal victims session tokens and login credentials or perform arbitrary actions, and a command injection flaw that exposes devices to cross-site request forgery (CSRF) attacks. Source

May 26, Help Net Security – (International) Massive campaign uses router exploit kit to change routers’ DNS servers. A security researcher discovered an active campaign in which attackers are targeting Google Chrome browser users with cross-site request forgery (CSRF) code attacks via compromised Web sites with the intent of compromising routers and changing their domain name system (DNS) settings to point to a hacker-controlled server. Researchers believe that millions of devices across 55 router models made by several manufacturers have been affected in the campaign. Source

May 25, Securityweek – (International) New PoS malware hits victims via spam campaign: FireEye. Security researchers at FireEye discovered a new type of point-of-sale (PoS) malware dubbed NitlovePoS that can capture and exfiltrate both track one and two data from payment cards by running process on compromised machines, and is distributed via emails containing Word documents with embedded malicious macros. Source

May 22, Securityweek – (International) Emerson patches SQL injection vulnerability in ICS product. Emerson’s Process Management group released a software addressing a structured query language (SQL) injection vulnerability in its AMS Device Manager in which an attacker could escalate privileges and gain access to administrative functions by supplying a malformed input to the software. The AMS Device Manager is part of the AMS Suite and is used in many industrial control systems (ICS) worldwide, especially in the oil, gas, and chemical industries. Source

Gotham Security Daily Threat Alerts

May 22, Softpedia – (International) Apache Hive infrastructures vulnerable to authentication flaw in HiveServer2. Apache reported that a vulnerability in all versions of its HiveServer2 interface for Apache Hive enterprise data warehouse infrastructure in which users without proper credentials could gain access by exploiting a flaw in the Lightweight Directory Access Protocol (LDAP) authentication mode. The company recommended that users update to the newest version or disable unauthenticated binds in the LDAP service. Source

May 22, Securityweek – (International) Flawed Android factory reset allows recovery of sensitive data: researchers. Security researchers at the University of Cambridge discovered that up to 500 million Android devices may not properly sanitize data partitions containing credentials and other personal data when users utilize the “factory reset” feature. Source

May 22, Help Net Security – (International) mSpy finally admits they’ve been hacked. Officials from mSpy announced that their servers had been breached, and that data from 80,000 customers could have been stolen and leaked on the Dark Web. The software is intended for legal monitoring of individuals’ online and phone activity. Source

May 21, Securityweek – (International) Hundreds of cloud services potentially vulnerable to Logjam attacks: Skyhigh. Skyhigh’s Service Intelligence Team found that 575 cloud services were potentially vulnerable to attacks following the discovery of the transport layer security (TLS) vulnerability dubbed Logjam which affects a number of cloud services. The vulnerability is caused as a result of the way the Diffie-Hellman (DHE) key exchange is deployed, and can be exploited by a man-in-the-middle (MitM) attacker to down grade TLS connections in order to gain access to the data. Source

May 20, Softpedia – (International) Amount of new malware strains more than doubled in second half of 2014. G Data researchers found that in the second half of 2014, hackers increased their malware threats as the amount of new strains grew to 125 percent, with the most prevalent being adware variants, which accounted for 31.4 percent of all threats. Researchers also determined that Vawtrak was the predominant banking trojan and focused on targets in the U.S., U.K., and Canada, in addition to new targets in France and Russia. Source

May 20, SC Magazine – (International) DDoS attacks increase and methods changed in Q1 2015, report says. Akamai released its Q1 2015 State of the Internet Report, which found that hackers are using lower bandwidth distributed denial of service (DDoS) attacks that occur more frequently and last longer, and that Simple Service Discovery Protocol (SSDP) attacks accounted for 20 percent of attack vectors. The report also found that the gaming industry was the most targeted industry, accounting for 35 percent of all attacks, and that more than 50 percent of all DDoS attacks targeted China, Germany, and the U.S. Source

May 20, Securityweek – (International) Apples fixes security bugs with first update for Watch OS. Apple released update 1.0.1 patching 13 vulnerabilities for its Watch operating system (OS), the iOS-based operating system that runs on the Apple Watch, addressing certain components including, the Secure Transport, kernel, Foundation framework, FontParser, IOHIDFamily, and IOAcceleratorFamily. The update also addresses the factoring RSA export key (FREAK) vulnerability, which allows a man-in-the-middle (MitM) attacker to access encrypted data. Source

Gotham Security Daily Threat Alerts

May 20, Softpedia – (International) TLS protocol flawed, HTTPS connections susceptible to FREAK-like attack. Cryptography and security researchers discovered that approximately 8.4 percent of the top one million domains containing mail and web servers are vulnerable to an attack dubbed Logjam, in which an attacker could compromise a secure communication between a client and server by downgrading the transport layer security (TLS) connection to 512-bit export-grade cryptography due to left over variants of the Diffie-Hellman cryptographic key exchange mechanism from the 1990s. The attack method is similar to the one used in the Factoring RSA Export Keys (FREAK) attacks from early 2015. Source

May 20, Securityweek – (International) Millions of routers vulnerable to attacks due to NetUSB bug. Security researchers at SEC Consult discovered a kernel stack buffer overflow vulnerability in NetUSB drivers developed by Taiwan-based KCodes, in which an unauthenticated attacker can execute arbitrary code or cause a denial-of-service (DoS) condition by specifying a computer name longer than 64 characters whenthe client connects to the server. The driver is found in millions of routers from vendors including Netgear, TP-Link, ZyXEL, and TRENDnet. Source

May 19, Threatpost – (International) Google fixes sandbox escape in Chrome. Google patched 37 bugs in Chrome version 43, including 6 high-risk sandbox-escape, cross-origin bypass, and use-after-free vulnerabilities discovered by various security researchers. Source

May 19, Threatpost – (International) Malvertising leads to Magnitude exploit kit, ransomware infection. Security researchers at Zscaler discovered that attackers are using malicious ads and 302 cushioning attacks to direct users to sites hosting the Magnitude exploit kit (EK), which in turn infects users with CryptoWall ransomware. The researchers reported that most of the threat infrastructure for these attacks is housed in Germany. Source

Gotham Security Daily Threat Alerts

May 19, Securityweek – (International) Attackers use trojanized version of PuTTY to steal SSH credentials. Security researchers at Symantec discovered that actors are using a malicious version of the PuTTY open-source secure shell (SSH) software to access systems remotely and steal data by copying secure server connection info and login details to be sent to an attacker-controlled server. The software bypasses common firewalls and security products due to its whitelisted status and used by system and database administrators and web developers. Source

May 19, Securityweek – (International) Address bar spoofing bugs found in Safari, Chrome for Android. Security researchers identified address bar vulnerabilities in the Safari and Chrome for Android Web browsers in which attackers could leverage Web page reloads via the setInterval() function in Safari and a problem in how Chrome handles 204 ‘No Content’ responses to render spoofed Web pages. Source

May 18, Krebs on Security – (National) St. Louis Federal Reserve suffers DNS breach. The St. Louis Federal Reserve reported that hackers hijacked its domain name servers (DNS) April 24 and redirected a portion of the bank’s online traffic to rogue sites resembling portions of its research.stlouisfed.org Web site. The bank recommended that potentially affected users change login information that could have been compromised in the attack. Source

How to Prepare Your Microsoft PKI Infrastructure for the Deprecation of the SHA1 Hash Algorithm

Background

If your organization has deployed a Microsoft Certificate Authority (CA) for its PKI solution, your users probably started inquiring recently what the yellow triangle in the address bar of Google Chrome is all about (if they haven’t, either you are ahead of the curve or your users are… Well, I won’t go down that slippery slope).

image1

When clicking on the padlock, additional information shows that the website is encrypted with obsolete cryptography. Additionally, there is a reference that SHA1 is used for message authentication.

image2

So, what is this all about, and why do Internet Explorer and Firefox not show a warning?

Read more…

Gotham Security Daily Threat Alerts

May 15, Softpedia – (International) Apache fixes vulnerability affecting security manager protections. The security team responsible for Apache Tomcat discovered a vulnerability in multiple versions of the software’s open-source web server and servlet container that could allow an attacker to bypass protections for the Security Manager component and run malicious web applications. Source

May 14, CNN – (International) Washington Post mobile site temporarily shut down in apparent hack. The Washington Post confirmed that it was the victim of an apparent hack May 14 after the paper’s mobile website was blocked and redirected users to a site claiming to be run by the Syrian Electronic Army. No customer information was impacted. Source

 

Citrix Synergy 2015 Recap

Last week I had the privilege to attend Citrix Synergy 2015 down in Orlando, FL. In this blog I wanted to review some the key announcements Citrix made during the keynote.

XenApp 6.5 Lifecycle

Citrix loves XenApp, so much so that they extended the lifecycle for XenApp 6.5 to December 31, 2017. However, there is a catch; the extended date is only for customers that remain current in the Software Maintenance or Subscription Advantage and Technical Support programs. Otherwise the end of maintenance (EOM) date is February 26, 2016.

XenApp 6.5 FP3

This was a surprise, as was extending the lifecycle for XenApp 6.5. The feature pack will provide the following features, announced in the keynote:

  • Storage performance
  • Enhanced profile management
  • Director “Help Desk” & troubleshooting
  • Enhanced Lync support
  • Receiver.next
  • StoreFront 3 – will support XenApp 5, 6, 6.5 and 7.6

Read more…

%d bloggers like this: