Gotham Security Daily Threat Alerts

October 23, Softpedia – (International) CryptoWall 2.0 delivered through malvertising on Yahoo and other large sites. Proofpoint researchers observed a recent campaign using malicious advertisements on Yahoo, 9gag, and other popular Web sites to deliver the CryptoWall 2.0 ransomware via the FlashPack Exploit Kit. The exploit kit exploits vulnerabilities in Adobe Flash Player to deliver the ransomware, which encrypts users’ files and demands a ransom to decrypt them.

October 23, Securityweek – (International) 1.2 million networking devices vulnerable due to NAT-PMP issues. A security researcher with Rapid7 reported October 21 that the company identified around 1.2 million Internet-connected devices that are vulnerable to various attacks due to poor implementation or configuration of the Network Address Translation – Port Mapping Protocol (NAT-PMP). The vulnerabilities could allow attackers to perform denial of service (DoS) attacks, intercept traffic, or perform other malicious actions.

October 22, Softpedia – (International) Apple warns users of attack targeting iCloud site. Apple confirmed reports of man-in-the-middle (MitM) attacks against its iCloud service that employed an insecure certificate and advised users not to dismiss browser warnings regarding the security of content. The attacks trigger warnings in the Chrome and Firefox browsers but not in Qihoo, the most popular Web browser in China.

October 22, Securityweek – (International) ‘Operation Pawn Storm’ cyber-espionage campaign hits organizations. Trend Micro researchers identified a cyberespionage operation dubbed “Operation Pawn Storm” that uses targeted emails and compromised Web sites to infect users in government, military, and media organizations with the SEDNIT (also known as Sofacy) malware.

Gotham Security Daily Threat Alerts

October 22, Securityweek – (International) Windows zero-day exploited in targeted attacks through PowerPoint. Microsoft reported that it has observed limited targeted attacks exploiting a zero-day vulnerability in the company’s Object Linking and Embedding (OLE) technology that could allow an attacker to perform remote code execution if a user opens a specially crafted Microsoft Office file. The vulnerability affects all current Microsoft Windows releases except Windows Server 2003, and Microsoft advised users to apply a series of workarounds until a patch can be released.

October 22, Help Net Security – (International) Koler worm spreads via SMS, holds phones for ransom. Researchers at AdaptiveMobile identified a new variant of the Koler worm for Android that spreads via a bitly link that directs users to a Dropbox page where the malware is disguised as an app. The malware then blocks infected devices’ screens with a fake law enforcement page and demands a ransom to be paid via MoneyPak voucher.

October 22, Help Net Security – (International) Attackers change home routers’ DNS settings via malicious code injected in ads. Sucuri Security researchers identified a malvertising campaign that embeds malicious code into an ad hosted on the network and attempts to change the DNS settings on users’ home routers in order to lead them to potentially malicious Web sites.

October 22, Help Net Security – (International) Malware directs stolen documents to Google Drive. Researchers with Trend Micro identified a new piece of information-stealing malware dubbed Drigo that uploads any .PDF, text, and Microsoft Word, Excel, and PowerPoint files to a Google Drive account. The researchers reported that the malware appears to be targeting government agencies and reported the Google Drive account associated with the malware to Google.

October 21, Securityweek – (International) Apple fixes security flaws with release of iOS 8.1. Apple released an update to its iOS 8 mobile operating system, closing several vulnerabilities and adding new features.

Gotham Security Daily Threat Alerts

October 21, IDG News Service – (International) One week after patch, Flash vulnerability already exploited in large-scale attacks. Researchers identified an exploit kit known as Fiesta, sold on underground forums, that is bundled with an exploit for a recently patched Flash Player vulnerability. Users were advised to apply the patch that was issued October 14.

October 21, Securityweek – (International) Cisco products vulnerable to POODLE attacks. Cisco is analyzing its products to determine which may be affected by the POODLE vulnerability in Secure Sockets Layer (SSL) and released a list of confirmed vulnerable products, which includes Cisco Webex Social, Cisco ACE, Cisco Wireless LAN Controller, and several other products.

October 21, The Register – (International) Palo Alto Networks boxes spray firewall creds across the net. A researcher found that misconfigured Palo Alto Networks firewalls could allow attackers to obtain user names, domain names, and passwords, potentially exposing customer services such as VPNs and webmail. Palo Alto Networks advised users to apply the best practice guidelines developed by the company.

Gotham Security Daily Threat Alerts

October 20, The Register – (International) Microsoft pulls another dodgy patch. Microsoft stated that it is investigating a patch for Windows 7 and Windows Server 2008 R2 after some users reported experiencing issues with their systems after installation. Microsoft advised users experiencing problems to uninstall the patch.

October 18, Softpedia – (International) Dropbox users are served a phishing page delivered over SSL. A researcher with Symantec stated that attackers are using a phishing campaign with a page hosted on Dropbox to attempt to steal users’ Dropbox and email credentials. The phishing page is served over its host’s secure sockets layer (SSL) connection in order to appear legitimate.

October 17, The Register – (International) Apple releases MEGA security patch round for OS X, Server and iTunes. Apple released a round of patches for several of its products, including OS X, OS X Server, and iTunes, addressing 150 issues including patches to close the POODLE and Shellshock vulnerabilities.

October 17, Softpedia – (International) Modular malware for OS X relies on open-source keylogger code. Kaspersky Lab researchers identified a piece of modular malware for Apple OS X known as Ventir that uses the legitimate LogKext keylogging software in order to steal information from infected systems.

October 17, SC Magazine – (International) Sandworm vulnerability seen targeting SCADA-based systems. An advisory issued by Trend Micro stated that researchers have identified attackers using the Sandworm vulnerability to target systems running GE Intelligent Platforms’ CIMPLICITY human-machine interface (HMI) solution used in supervisory control and data acquisition (SCADA) systems. The attackers appear to be using the vulnerability in the first stage of an advanced persistent threat (APT) targeted attack, where it serves to install the BlackEnergy malware.

Migrating a Citrix XenDesktop Environment to a New VMware vCenter Instance

Recently we ran into a situation where a customer had requested an upgrade of their existing VMware vCenter from version 5.1 to 5.5. Upon reviewing the existing vCenter server, we noticed that both VMware SSO and SRM were running on the same server. Based on VMware best practices, we recommended separating vCenter, SSO, and SRM onto three distinct servers. The migration of the services to the three new servers worked without any issue. However, the existing Citrix XenDesktop environment was still pointing to the old vCenter instance, and Citrix does not make it easy to simply repoint it to the new one.

The Citrix XenDesktop 5.6 environment was using Machine Creation Services (MCS) along with the Personal vDisk (PVD) feature. Both integrate heavily with the virtual infrastructure, in this case VMware vCenter. To resolve this, Gotham created new virtual desktops based on the new vCenter instance and then backed up and restored each PVD to the corresponding new virtual desktop. The PVD migration could only take place while the user was logged off, because the PVD is locked during an active session. Following the backup and restore of the PVD, we simply disabled access to the old virtual desktop and enabled access to the new one.

Overall this was a tedious process even for a small XenDesktop implementation. If this had been a much larger deployment of XenDesktop with PVD, it would have been a major issue.

Gotham Security Daily Threat Alerts

October 17, Threatpost – (International) SAP patches DoS flaw in Netweaver. SAP released a patch for its Netweaver platform that closes a remotely exploitable denial of service (DoS) vulnerability reported by Core Security researchers in June. The vulnerability could allow an unauthenticated attacker to use a specially crafted SAP Enqueue Server packet to create the DoS condition.

October 17, IDG News Service – (International) New technique allows attackers to hide stealthy Android malware in images. Two researchers presenting at the Black Hat Europe conference October 16 revealed a technique dubbed AngeCryption that could allow an attacker to hide malicious Android applications inside image files in order to avoid detection by antivirus programs and potentially the Google Play store’s malware scanner.

October 16, Softpedia – (International) XSS risk found in links to New York Times articles prior to 2013. A student reported and published a proof of concept for a vulnerability in articles on the New York Times Web site published before 2013 that could allow attackers to hijack browser sessions, direct users to phishing sites, or steal cookies by exploiting a cross-site scripting (XSS) flaw. The vulnerability exists on pages containing certain buttons and does not affect the most recent versions of popular Web browsers.

October 16, The Register – (International) Bad news, fandroids: He who controls the IPC tool, controls the DROID. Researchers with Check Point presenting at the Black Hat Europe conference October 16 detailed a flaw in the Android inter-process communication (IPC) tool Binder that could allow attackers to override in-app security features to tamper with apps and steal passwords and other information.

October 16, IDG News Service – (International) All-in-one printers can be used to control infected air-gapped systems from far away. A cryptographer and two researchers from Ben-Gurion University presenting at the Black Hat Europe conference October 16 demonstrated how an all-in-one printer could be used to issue commands to infected systems on an air-gapped network by shining infrared or visible light at the scanner while its lid is open, relaying commands to malware already planted on the system via a USB drive or other method. The researchers successfully tested the method against a target printer inside a building from 200, 900, and 1,200 meters and stated that a more powerful laser could produce reliable results from up to 5 kilometers.

Gotham Security Daily Threat Alerts

October 16, Securityweek – (International) Attackers abuse UPnP devices in DDoS attacks, Akamai warns. Researchers at Akamai Technologies reported that, starting in July, attackers have increasingly used the Simple Service Discovery Protocol (SSDP), which comes enabled on Universal Plug and Play (UPnP) devices, to launch reflection and amplification distributed denial of service (DDoS) attacks. The researchers found that 4.1 million Internet-facing devices could be used in this type of DDoS attack.

October 16, Help Net Security – (International) New OpenSSL updates fix POODLE, DoS bugs. The OpenSSL Project released updates to OpenSSL that close four serious vulnerabilities, including the POODLE issue and two memory leak issues that could be used to launch denial of service (DoS) attacks against servers.

October 15, The Register – (International) FireEye, Microsoft, Cisco team up to take down RAT-flinging crew. A group of security and IT firms led by Novetta began a coordinated campaign to detect and remediate malware installations belonging to a cyberespionage campaign that has targeted policy groups, governments, financial services institutions, the education sector, and think tanks since 2010. The cyberespionage group uses several tools, including Moudoor, a derivative of the Gh0st RAT remote access trojan, and the Hikiti malware used to control compromised systems.

October 15, Threatpost – (International) Drupal fixes highly critical SQL injection flaw. Drupal issued a patch for its popular content management system (CMS) that closes a critical SQL injection vulnerability affecting version 7.x. The vulnerability could allow an unauthenticated user to perform arbitrary SQL execution, and all users were advised to update their installations as soon as possible.

October 16, Softpedia – (International) Botnets used in “Wolf of Wall Street” spam campaign. Researchers with Bitdefender identified a spam campaign dubbed “Wolf of Wall Street” that uses botnets to send out promotional emails encouraging penny stock investors to purchase stock of Canada-based Confederation Minerals Ltd., which has resulted in the company’s transaction volume increasing from 10,000 shares to 1,620,000 shares within 3 days. The spam campaign is the largest recorded in 2014, and the attackers behind it stand to profit by selling stock after inflating the price.

October 15, Softpedia – (International) Cyberswim announces data breach lasting for more than three months. Cyberswim Inc. notified customers who made purchases on its Web site between May 12 and August 28 that their personal information, including payment card data, may have been compromised after officials confirmed that malicious software was installed on the company’s network, granting attackers access to the data. Cyberswim updated its Web site code and issued a password reset to block the intruders’ access to the network.