
Gotham Security Daily Threat Alerts

July 18, Softpedia – (International) New Android ransomware locks device completely. Researchers at Lookout identified a new piece of Android ransomware dubbed ScarePakage that infects devices by posing as a legitimate app on third-party Android markets and then locks the device and demands a ransom. The ransomware uses a Java TimerTask to kill other processes and a wake lock mechanism to prevent the phone from entering sleep mode. Source:

July 17, Dark Reading – (International) Government-grade stealth malware in hands of criminals. Sentinel Labs researchers reported that a piece of malware likely originating from a state-sponsored espionage campaign known as Gyges is being repurposed by cybercriminals to conceal and protect various pieces of malware and ransomware. Gyges contains several sophisticated features to avoid detection and prevent reverse-engineering and appears to have originated in Russia. Source:

July 17, The Register – (International) Microsoft’s Black Thursday: Xbox Live goes down as Xbox Studio canned. Microsoft reported that its Xbox Live gaming and entertainment service went offline for several hours July 17, leaving users unable to access the service during the outage. Source:

July 17, Softpedia – (International) DDoS attacks decrease in Q2 2014, compared to Q1. Arbor Networks reported that distributed denial of service (DDoS) attacks during the second quarter of 2014 decreased in terms of speeds and frequency compared to the previous quarter, with average DDoS attack size at 759.83 Mb/s, among other findings. Source:

July 17, Softpedia – (International) Neverquest banking trojan expands list of targets. Researchers with Symantec found that the attackers operating the Neverquest banking trojan, also known as Snifula, have focused their efforts on banks in the U.S. and Japan since December 2013. The trojan is able to obtain banking login information from victims and can also steal digital certificates, among other capabilities. Source:

Gotham Security Daily Threat Alerts

July 17, The Register – (International) Pushdo trojan outbreak: 11 THOUSAND systems infected in just 24 hours. Bitdefender researchers reported that a new campaign to spread the Pushdo botnet malware compromised over 11,000 systems within a 24-hour period, with the majority of infected users in Asia and some in the U.S., U.K., and France. The Pushdo botnet has previously been used in spam campaigns and to distribute malware such as Zeus and SpyEye. Source:

July 17, Softpedia – (International) Cisco patches critical issue in wireless residential gateway products. Cisco released patches for several Cisco Wireless Residential Gateway products, closing a vulnerability that could allow attackers to use malicious HTTP requests to crash the Web server and inject commands or execute code with elevated privileges. Source:

July 17, Softpedia – (International) SQL injection risk in vBulletin receives prompt patch. vBulletin released a patch for its forum software which closes a SQL injection vulnerability that was identified and disclosed by Romanian Security Team. Source:

July 17, Softpedia – (International) Critical vulnerabilities fixed in Drupal 7.29 and 6.32. The Drupal Security Team advised all users to update to versions 7.29 or 6.32 in order to close vulnerabilities that could allow attackers to perform denial of service (DoS) attacks and cross-site scripting (XSS) attacks. Source:

July 17, Threatpost – (International) Five vulnerabilities fixed in Apache Web Server. The Apache Software Foundation released version 2.4.10-dev of its Apache Web Server, closing five vulnerabilities, including a buffer overflow vulnerability and several denial of service (DoS) vulnerabilities. Source:


Gotham Security Daily Threat Alerts

July 16, Securityweek – (International) Oracle patches 113 vulnerabilities, including 20 in Java. Oracle released its Critical Patch Update for July, which includes patches for 113 security vulnerabilities in various Oracle products, including 20 vulnerabilities in Java SE. The 20 vulnerabilities in Java can all be remotely exploited without authentication, and users were advised to apply the updates as soon as possible. Source:

July 16, Softpedia – (International) vBulletin exploitable through SQL injection. Members of the Romanian Security Team group identified and reported an SQL injection vulnerability in vBulletin which could be used by attackers to gain access to a forum’s administration panel and databases. The group reported the vulnerability to the developers of vBulletin and stated that they would disclose the full details of the issue once a fix is released. Source:

July 16, Securityweek – (International) OpenBSD downplays PRNG vulnerability in LibreSSL. A researcher with Opsmate reported finding a flaw in the pseudorandom number generator (PRNG) in LibreSSL for Linux. Representatives of the OpenBSD Project confirmed that the issue exists but stated that the now-fixed problem was unlikely to be exploitable in real world conditions. Source:


Gotham Security Daily Threat Alerts

July 15, IDG News Service – (International) Critical design flaw in Microsoft’s Active Directory could allow password change. Researchers with Aorato identified a flaw within Microsoft’s Active Directory which could allow attackers to change a victim’s password and use the new password to access a company’s network and enterprise functions. The vulnerability relies on the older NTLM authentication protocol to perform a “pass-the-hash” attack to gain access. Source:

July 15, Help Net Security – (International) Amazon-based malware triples in 6 months. Solutionary released an analysis of Internet service providers (ISPs) and hosting providers hosting malware and found that Amazon was the top malware-hosting ISP, with a 250 per cent increase during the second quarter of 2014, among other findings. Source:

July 15, Softpedia – (International) Google’s Dropcam monitoring device open for video hijacking. Researchers with Synack found that the Google Dropcam home monitoring cameras contain vulnerabilities which could allow the camera’s video and sound content to be intercepted by attackers. The vulnerabilities stem from an old version of OpenSSL that is vulnerable to the Heartbleed flaw and other issues, and from an old version of BusyBox that contains exploitable flaws. Source:

July 15, Help Net Security – (International) CNET attacked by Russian hackers, user database stolen. CBS Interactive confirmed that media Web site CNET was compromised after attackers claiming affiliation with the Russian hacker group W0rm stated that they were able to obtain databases containing usernames, emails, and encrypted passwords for over 1 million users. The attackers stated that they used a flaw in the site’s implementation of the Symfony PHP framework and claimed that the attack was performed for security demonstration purposes and the information would not be sold. Source:

July 14, The Register – (International) Gameover ZeuS botnet pulls dripping stake from heart, staggers back from the UNDEAD. Sophos researchers reported that a new variant of the GameOver Zeus trojan is being used to re-establish a botnet 6 weeks after an international law enforcement effort disrupted the original botnet used for banking credential theft and the distribution of the CryptoLocker ransomware. Source:


Gotham Security Daily Threat Alerts July 11, 14-15

July 14, Help Net Security – (International) Critical vulnerabilities in web-based password managers found. Researchers at the University of California identified and reported various vulnerabilities in five Web-based password managers that could allow attackers to obtain a user’s credentials. LastPass, My1Login, RoboForm, and PasswordBox reported that they closed the vulnerabilities after they were reported, while the researchers did not receive word on the issues from NeedMyPassword. Source

July 14, Softpedia – (International) Cisco patches four-year-old Apache Struts 2 issue. Cisco patched a vulnerability in Apache Struts 2 that was reported in 2010 which could allow an attacker to use a malicious Object-Graph Navigation Language (OGNL) expression to compromise vulnerable systems. Source

July 11, Securityweek – (International) Attackers use keyloggers, email to steal data in “NightHunter” attacks. Cyphort researchers reported identifying a cybercriminal operation known as “NightHunter” that has been active since 2009 and uses various pieces of malware and keyloggers to target organizations in the energy, education, health, insurance, and charity industries. The campaign distributes the malware through phishing emails that are usually sent to finance, human resources, and sales departments. Source

July 14, Securityweek – (International) Kronos: New financial malware sold on Russian underground forum. Researchers with Trusteer reported July 11 that a new piece of banking malware known as Kronos has recently been advertised on a Russian underweb forum in a pre-release sale. The malware contains HTML injection and form-grabbing capabilities, allegedly works with modern and older Web browsers, and is compatible with the Zeus trojan. Source

July 10, Securityweek – (International) Kaspersky Lab details ‘versatile’ DDoS trojan for Linux systems. Researchers with Kaspersky Lab reported identifying a Linux distributed denial of service (DDoS) trojan with several modules that add various capabilities. Components of the trojan were identified as Backdoor.Linux.Ganiw.a and Backdoor.Linux.Mayday.f. Source

July 10, Softpedia – (International) Gmail for iOS poses man-in-the-middle attack risk. Lacoon researchers found the Gmail app for iOS can leave users vulnerable to man-in-the-middle (MitM) attacks due to the app lacking the certificate pinning feature. This could allow attackers to use a rogue certificate to impersonate the Gmail server and route traffic through their systems. Source

July 10, SC Magazine – (International) Kaspersky quickly addresses XSS flaw impacting company website. Kaspersky Lab closed a cross-site scripting (XSS) vulnerability on one of its Web sites after being notified of the issue by a security researcher, the company reported July 10. There was no indication that the flaw was exploited by attackers. Source

July 11, IDG News Service – (International) Source code for tiny ‘Tinba’ banking malware leaked. Researchers with CSIS Security Group reported that the source code for the Tinba banking malware, also known as Zusy, was posted openly on underweb forums, potentially allowing a greater number of attackers to utilize the malware. The malware is capable of interfering in online banking sessions to steal user credentials and has an unusually small code base. Source

July 10, Securityweek – (International) Shylock malware infrastructure targeted by international authorities. Law enforcement agencies in the U.S., E.U. and Turkey along with several security firms conducted a coordinated operation July 8-9 to seize domains and command and control servers used by the Shylock banking malware. The malware, also known as Caphaw, has infected at least 30,000 computers and been in use since 2011. Source

July 10, Securityweek – (International) Hackers attack shipping and logistics firms using malware-laden handheld scanners. Researchers with TrapX released a report stating that an undisclosed Chinese manufacturer of handheld scanners used by shipping, logistics, and manufacturing planted malware on the devices as part of a campaign dubbed “Zombie Zero.” The malware attacks company networks once the scanner is connected to the victim’s wireless network and sends data to a command and control server located at the Lanxiang Vocational School in China. Source

July 10, Securityweek – (International) CryptoLocker infrastructure used for other threats: Bitdefender. Researchers with Bitdefender found that the infrastructure for the CryptoLocker ransomware remains active even though a takedown operation in June disrupted the ransomware operation. The infrastructure is currently being used for various fraudulent and malicious purposes including fake antivirus scams and the distribution of the Citadel banking trojan. Source

July 10, Softpedia – (International) Exploit kit dropped through Akamai content delivery network. Malwarebytes researchers found and reported that attackers are abusing the Akamai Technologies content delivery network (CDN) to trick users with fake software update notifications to bundle pay-per-install programs and use a malicious iframe to redirect users to an exploit kit. The exploit kit used appears to be the Nuclear Pack exploit kit that targets vulnerabilities in Java, Flash, Internet Explorer, and Adobe Reader. Source

July 10, The Register – (International) Crusty API opened Facebook accounts to hijacking. A security researcher revealed that a legacy API in Facebook allowed attackers to make REST API calls on behalf of Facebook users if their user ID was known, allowing attackers to update statuses, like content, and upload or delete photos. The flaw was reported to Facebook in April and fixed by Facebook, earning the researcher $20,000 through Facebook’s bug bounty program. Source:

July 10, Help Net Security – (International) Nearly 70% of critical infrastructure providers suffered a breach. Unisys released the results of a survey of 599 security executives in the manufacturing, utility, and energy sectors and found that almost 70 percent of respondents reported at least one security breach that led to a disruption in operations or disclosure of confidential information within the last 12 months. The report also found that data breaches were most often attributed to negligent insiders, among other findings. Source

July 9, Threatpost – (International) Buffer overflow vulnerabilities in Yokogawa ICS gear patched. Yokogawa Electric Corporation released patches for its CENTUM and Exaopac industrial control system (ICS) software the week of July 7, closing vulnerabilities that could allow an attacker to remotely execute code. Source


Gotham Security Daily Threat Alerts

July 9, Softpedia – (International) Facebook helps shut down crypto-currency mining botnet. A joint effort by Facebook, security groups, and Greek law enforcement agencies shut down a Litecoin-mining botnet known as Lecpetex that had infected around 250,000 computers in several countries. The malware for the botnet spread through a social media spam campaign that compromised Facebook accounts and spread the malware disguised as an image file. Source:

July 9, – (International) Microsoft releases critical Internet Explorer fix in Patch Tuesday update. Microsoft released its monthly Patch Tuesday round of updates July 8, which included six updates, two of which were rated as critical. Source:

July 9, Securityweek – (International) Fake Google digital certificates issued by Indian organization. Google stated July 8 that it identified and blocked unauthorized digital certificates issued by India’s National Informatics Center that could have been used to compromise users of the Chrome and Internet Explorer browsers. Source:

July 9, Securityweek – (International) FireEye fixes vulnerabilities in FireEye Operating System (FEOS). FireEye released an update for its FireEye Operating System (FEOS), closing several security issues, including five OpenSSL vulnerabilities. Source:

July 8, Securityweek – (International) Adware company linked to development and distribution of Mevade malware. Trend Micro researchers published a research paper which stated that iBario Ltd., an Israeli company with ties to Ukraine, is believed to be involved in the creation and distribution of the Mevade malware that has infected millions of computers worldwide. The researchers believe that the InstallBrain installer created by iBario has been used to install Mevade onto victims’ computers. Source:

July 8, CNET News – (International) Android’s phone wiping fails to delete personal data. Researchers with Avast reported the results of a study where the researchers bought 20 used Android phones and were able to recover former users’ personal data, including photos, emails, and contacts, after the Android factory reset function was used. The researchers reported that users could compromise their personal information when selling used devices because the Android factory reset only clears devices at the application layer. Source:

July 9, The Register – (International) ATTACK of the Windows ZOMBIES on point-of-sale terminals. Researchers with IntelCrawler identified and infiltrated a Windows botnet known as @-Brt that can be used in brute force attacks against point-of-sale (POS) systems and their associated networks. The botnet targets Remote Desktop Protocol (RDP) servers with weak or default passwords in order to grant attackers the access needed to plant payment card data stealing malware. Source:

Gotham Security Daily Threat Alerts

July 8, Softpedia – (International) Rosetta Flash attack mitigated by the new Adobe Flash Player. Adobe released an update for its Flash Player that closes a vulnerability identified by a Google researcher that could allow an attacker to abuse JSONP endpoints and cause victims to run arbitrary requests and leak sensitive data. Source:

July 8, IDG News Service – (International) Vulnerability in AVG security toolbar puts IE users at risk. Researchers with the CERT Coordination Center (CERT/CC) found that the AVG Secure Search browser toolbar could allow attackers to execute malicious code due to an ActiveX control that exposes sensitive functionality to Web sites. The vulnerability affects AVG Secure Search versions 18.1.6 and earlier. Source:

July 8, Securityweek – (International) NETGEAR switches exposed to attacks from hardcoded credentials. An advisory from the CERT Coordination Center (CERT/CC) warned users of Netgear GS108PE ProSafe Plus Switches that attackers can log into the switches and execute arbitrary code by using a hardcoded login and password. Source:

July 7, SC Magazine – (International) Massachusetts man charged in Twitter hack. A Massachusetts man was charged July 2 for allegedly hacking into helpdesk services company Zendesk, disabling a security feature that restricted access to customer information, and exporting Twitter support tickets. The information was then allegedly used to compromise and deface Twitter’s and Zendesk’s Twitter feeds. Source:

July 7, The Register – (International) App permissions? Pah! Rogue Android soft can ‘place phone calls at will’. Researchers with Curesec identified vulnerabilities in the Android mobile operating system that could allow malicious apps to place phone calls and send Unstructured Supplementary Service Data (USSD) codes. One vulnerability affects Android versions 4.1.1 and up, while the second affects older Android 2.3.3 and 2.3.6 versions. Source:

July 8, Krebs on Security – (International) Feds charge carding kingpin in retail hacks. The U.S. Department of Justice announced July 7 that the U.S. Secret Service arrested a Russian national for allegedly working with others to steal and sell payment card details from stores and restaurants throughout the U.S. between 2009 and 2011. The man and his accomplices allegedly planted malware on merchants’ point-of-sale (POS) devices in order to obtain the payment card information and then sold it through underweb forums. Source:
