Skip to content

Gotham Security Daily Threat Alerts

February 27, Softpedia – (International) Apps bypass Google Play verification and spew tempest of ads. Bitdefender security researchers discovered 10 apps hosted in Google Play that use social engineering to trick users into installing ad-spewing software and relied on deceptive tactics to ensure persistence on users’ devices. None of the apps linked to Web sites hosting malware, allowing the apps to bypass Google Play quality controls. Source

February 27, Securityweek – (International) Critical vulnerability found in Jetty web server. Security researchers from Gotham Digital Science discovered a critical vulnerability dubbed JetLeak in the Eclipse Foundation’s Jetty Web server that allows remote, unauthenticated attackers to read arbitrary data from requests previously submitted by users to the server, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords. The flaw was addressed February 24 with the release of Jetty version 9.2.9 while the Jetty development team reported an anticipated fix for the vulnerability in version 9.3.0. which is in beta. Source

February 26, Nextgov – (International) It’s official – FCC enacts expansive net-neutrality rules. The Federal Communications Commission (FCC) approved sweeping net-neutrality regulations February 26 that gives the government expanded power over Internet access, and allows the FCC to bar Internet providers from blocking Web sites, selectively slowing down any content, or offering bandwidth increases for specific content with payment. The rules also classify the Internet as a telecommunications service under Title II of the Communications Act. Source

 

Gotham Security Daily Threat Alerts

February 26, Securityweek – (International) Lizard Squad hijacks Lenovo website, emails. Lizard Squad hackers hijacked the Lenovo Web site and email servers by using CloudFlare IP addresses to modify DNS records in Lenovo domain registrar accounts and redirect users to defacement pages, and changed mail server records to allow the group to intercept emails sent to Lenovo email addresses. The hijacking mirrored a similar attack that targeted Google Vietnam during the week of February 23. Source

February 26, Associated Press – (Arizona) Arizona authorities probe vandalism that cut off Internet, phones for hours. Officials announced February 26 that vandalism caused an Internet, cellphone, and landline outage in northern Arizona for more than 6 hours February 25 after CenturyLink employees and Phoenix police found a cut fiber-optic cable. Crews restored services that impacted a 100-mile area stretching between Phoenix to Flagstaff. Source

February 26, Yavapai County Daily Courier; Chino Valley Review – (Arizona) Prescott-area police, fire, 911 service hit hard by outage. Emergency 9-1-1 calls to the Prescott Regional Communications Center in Arizona were rerouted February 25 to the backup dispatching center at the Yavapai County Sheriff’s Office after a CenturyLink fiber cable near New River was damaged causing an Internet and telephone outage. The Chino Valley Police Department was also impacted by the outage, along with the sheriff’s office in Yavapai County which suffered landline and Internet outages. Source

 

Gotham Security Daily Threat Alerts

February 25, Securityweek – (International) Mozilla fixes 17 vulnerabilities in Firefox 36. Mozilla released version 36 of its Firefox browser closing 17 vulnerabilities and flaws, including 4 rated as critical. Source

February 25, Help Net Security – (International) New DDoS attack and tools use Google Maps plugin as proxy. PLXsert security researchers discovered that attackers are exploiting a known vulnerability in Joomla’s Google Maps plugin by spoofing the sources of requests, causing results to be sent from proxies to their denial of service (DDoS) targets. Researchers identified more than 150,000 potential Joomla reflectors on the internet, many of which remain vulnerable to be used for this type of attack. Source

February 25, Threatpost – (International) Ramnit botnet shut down. Europol Cybercrime Centre (EC3) investigators, Microsoft, AnubisNetworks, and Symantec carried out an operation to shut down the Ramnit botnet’s 7 command and control (C&C) servers and redirected traffic from 300 domains used by the botnet. EC3 estimated that more than 3.2 million Windows computers have been infected with the botnet via spam campaigns, phishing scams, and drive-by downloads that installed malicious code to grant attackers access to banking credentials and other log-in information. Source

February 24, Securityweek – (International) McAfee: Popular mobile apps remain vulnerable to MitM flaws found last year. Intel Security’s McAfee Labs reported that almost 75 percent of the most popular mobile apps found vulnerable to man-in-the-middle (MitM) attacks remain exposed to attacks since they were first identified in a September 2014 analysis by the Computer Emergency Response Team (CERT) at Carnegie Mellon University. Source

 

Gotham Security Daily Threat Alerts

February 23, SC Magazine – (International) Older vulnerabilities a top enabler of breaches, according to report. Hewlett Packard security researchers reported that 44 percent of known breaches happened as a result of server misconfigurations and vulnerabilities discovered years ago. The report cites 33 percent of identified exploit samples from Microsoft Windows, 11 percent from Adobe Reader and Acrobat, 6 bugs in Oracle Java, and 2 flaws in Microsoft Office flaws. Source

February 23, Securityweek – (International) Norton update caused Internet Explorer to crash. Symantec released a new version of the Intrusion Prevention System (IPS) definition package after a corrupt file in the previous release caused the 32-bit version of Microsoft’s Internet Explorer web browser to crash on computers running Norton Security, Norton Security with Backup, Norton 360, and Norton Internet Security. Source

February 23, Softpedia – (International) Comodo’s PrivDog breaks HTTPS security possibly worse than Superfish. A security researcher discovered that Comodo’s PrivDog browsing privacy protection tool compromised browsing security by acting as a man-in-the-middle (MitM), intercepting and replacing all certificates with its own, causing browsers to accept every HTTPS certificate regardless of authority. The issue could affect nearly 64,000 users worldwide, and PrivDog released an update with a fix for the issue. Source

February 23, Softpedia – (International) CSIS security group warns of fake emails using its name. CSIS security experts discovered an email campaign that spoofed the company’s email address and used an employee’s name to distribute a malicious attachment and deploy malware on the recipients’ machines. The Danish-based company provides security services for some of the largest global banks and acts as a consultant to governments, media, and businesses. Source

Got Normal?

I was out to dinner with my parents the other night and my mother started getting on my case. You know, the way mothers do.

“Kenneth.”

Yes, I’m a grown man and my mother still calls me Kenneth when she’s angry with me.

“I’ve been reading the paper and there are all these security problems all the time. Aren’t you supposed to be fixing this? There must be something you can do to stop it. It seems like quite a problem.”

Mothers. How is it that they can bundle up a wonderful compliment (I’m capable of fixing it) with a sort of backhanded insult (I’m too lazy to bother fixing it) and throw some guilt on top (security breaches are apparently my fault)?

Which leads me to explaining to my mother (who’s 70), why it’s not fixed yet.

“Look, Mom, if I had some kind of box I could sell people that would make this all go away, I surely would. And I would be rich like Elvis and buy you a big white Cadillac. But, sorry, no such box exists.”

“Here’s the problem. We used know what attacks looked like, and we would look for them and stop them. Now the hackers are smarter. They know what we’re looking for so they make sure their attacks look different.”

“Given this, there’s only one way to look for bad things. We have to know what good things look like and find the things that aren’t good. We have to know what normal looks like. Then we can find the hackers.”

“Some of this can be pretty easy. If your firewall is communicating on a regular basis with North Korea and you don’t have any customers there, that’s not normal. But most of it is pretty hard. Most companies are so large and complicated they really have no understanding of what normal looks like.”

“They do business in dozens of countries and have thousands of applications. It’s very difficult to normalize.”

“So, that’s the problem. Does that make sense?”

Unfortunately, this didn’t really help. My mother must have been a Fortune 500 CEO in her last life.

She simply said, “Sounds like a load of excuses to me. Blah, Blah, Normal. Please just fix it so I can use my credit card on the Internet again.”

 

Gotham Security Daily Threat Alerts

February 23, The Register – (International) Cisco IPv6 processing bug can cause DoS attacks. Cisco announced that its NCS 6000 and Carrier Routing System (CRS-X) contain an IPv6 software bug that attackers could repeatedly exploit by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card to cause an extended denial of service (DoS) condition. Source

February 23, Securityweek – (International) Superfish SSL interception library found in several applications: Researchers. Security researchers discovered that the Komodia Redirector and SSL Digestor, originally used by the Superfish software preinstalled on Lenovo laptops, can be found in several products, and at least 12 Facebook applications using the SSL interception library. The researchers stated that Komodia’s proxy software does not properly implement SSL or validate certificates, enabling attackers to potentially hijack affected users’ connections. Source

 

Gotham Security Daily Threat Alerts

February 20, Softpedia – (International) Commercial spyware found in enterprise environment. Security researchers at Lacoon Mobile Security and Check Point discovered 18 different commercial remote access trojan (mRAT) spying tools that connect to the company’s Wi Fi and communicate with the command and control (C&C) server on 1,000 of 900,000 corporate mobile devices tested. The spyware, generally marketed for monitoring children, allows employers to track the location of users, log activity on the device, access emails, texts, and contacts, and possibly activate the device’s microphone for recording. Source

February 20, The Register – (International) Hackers now popping Cisco VPN portals. An Australian hacker reported a flaw that allows attackers to crack customized Cisco virtual private networks (VPNs) to steal credentials, inject malware, modify Clientless Secure Sockets Layer (SSL) and VPN portal content, and launch cross-site scripting (XSS). Cisco stated that the flaw was due to improper implementation of authentication checks in the customization framework of Clientless SSL VPN portal versions earlier than October 8, 2014 and recommended customers follow their incident response process. Source

February 19, Softpedia – (International) Android malware takes over device’s shutdown process. AVG security researchers discovered a new mobile malware strain affecting Android devices that hijacks the shutdown process and obtains root permission to run nefarious activities, such as initiating calls or taking pictures while the phone appears to be off. Source

February 20, Softpedia – (National) Tax related spear-phishing aims at CTOs in tech companies. Security researchers at Talos discovered a new phishing campaign targeting chief technology officers (CTOs) with malicious attachments disguised as Microsoft Word documents laced with macros that funnel in the Vawtrak banking trojan, which can capture user credentials for more than 100 online services. The emails purport to be related to large sum payment details and federal taxes, with some appearing to originate from fake government addresses. Source

 

%d bloggers like this: