
Gotham Security Daily Threat Alerts

November 19, Securityweek – (International) Microsoft blocks unauthorized code injection in Edge. Microsoft released several improvements to its Edge browser with EdgeHTML 13, including a security feature that blocks dynamic-link library (DLL) injection into the browser process: only components signed by Microsoft, and device drivers signed by Windows Hardware Quality Labs (WHQL), are allowed to load. Source

November 19, Softpedia – (International) 15-year-old Brit charged with DDoS attacks, bomb threats. British police arrested and charged a 15-year-old on November 16 under the Computer Misuse Act and the Criminal Law Act after he launched a series of Distributed Denial of Service (DDoS) attacks from his home against companies and servers in Africa, Asia, Europe, and North America, and made several bomb threats against North American airlines via social media. Source


Gotham Security Daily Threat Alerts

November 18, The Register – (International) Blackhole’s back: Hated exploit kit returns from the dead. Malwarebytes researchers found an active drive-by download campaign, served via compromised websites, showing that the previously defunct Blackhole Exploit Kit has resurfaced. It uses the same Java and Adobe PDF exploits as the original kit, which, despite their age, can still compromise unpatched computers. Source

November 18, Securityweek – (International) Security flaws in LastPass exposed user passwords. The LastPass security team released patches for a series of bugs and design flaws, discovered by two Salesforce researchers, that could have been exploited to obtain user passwords through several vectors: a special disable one-time password (dOTP) that can be used to authenticate, retrieve the encrypted vault key and decrypt it, while bypassing IP restrictions and two-factor authentication (2FA); and the custom_js feature, which can be abused to inject and execute JavaScript on the login pages of websites. Source

November 17, Securityweek – (International) Adobe issues security fixes for ColdFusion, LiveCycleDS, Premiere Clip. Adobe released updates addressing security vulnerabilities in several of its products: ColdFusion, resolving two input validation issues that could be used in reflected cross-site scripting (XSS) attacks; LiveCycleDS, resolving a server-side request forgery vulnerability; and Premiere Clip, patching an input validation issue in the mobile application that lets Apple iOS users create and edit videos on their devices. Source


Gotham Security Daily Threat Alerts

November 17, Securityweek – (International) Poor backend security practices expose sensitive data. Researchers at the Technical University of Darmstadt in Germany found more than 18.6 million records exposed through insecure use of Backend-as-a-Service (BaaS) offerings; among the risks, an application ID and the accompanying secret key used for authentication can be extracted from a victim’s mobile application, giving attackers access to the backend with the same privileges as the application. Source

November 17, Securityweek – (International) Flaw in D-Link switches exposes corporate networks: Researchers. Security researchers from Elastica’s Cloud Threat Labs discovered a flaw in D-Link’s DGS-1210 Series Gigabit Smart Switches that lets remote attackers access backup files stored in flash memory and on the web server, where log and configuration files are kept, without valid authentication credentials, provided they know the targeted device’s Internet Protocol (IP) address. Source

November 17, Help Net Security – (International) Cyber crooks actively hijacking servers with unpatched vBulletin installations. Symantec researchers found that attackers are using a since-patched zero-day flaw affecting vBulletin Connect versions 5.1.4 through 5.1.9 to execute code remotely on unpatched servers, first downloading and running a multipurpose malicious shell script on the vulnerable server via a single Hypertext Transfer Protocol (HTTP) request. Source

November 17, Securityweek – (International) Automation fuels onslaught of web app attacks: Report. Imperva released its Web Application Attack Report (WAAR), revealing that more than 75 percent of the analyzed applications were targeted by automated attacks, including SQL injection (SQLi), remote file inclusion (RFI), remote code execution (RCE), directory traversal (DT), cross-site scripting (XSS), spam, file upload (FU), and Hypertext Transfer Protocol (HTTP) reconnaissance, aimed at compromising users and stealing sensitive information. As cybercriminals lean on automated tools, SQL injection attacks were 3 times more frequent this year than in previous years. Source

Gotham Security Daily Threat Alerts

November 16, Securityweek – (International) Thousands of sites infected with Linux encryption ransomware. Researchers from Dr. Web reported that approximately 2,000 websites were compromised by the Linux file-encrypting ransomware dubbed Linux.Encoder1. The malware encrypts files under the root and home directories, web server content, backups, and source code, using a downloaded file containing the attackers’ public RSA key to protect the AES keys, and appends an .encrypt extension to each file, leaving the files nearly impossible to recover without paying the ransom. A patch was released, but experts warned that the attackers may update the malware to make decryption harder. Source

November 16, IDG News Service – (International) State-sponsored cyber spies inject victim profiling and tracking scripts in strategic websites. Security researchers from FireEye discovered an attack campaign dubbed WITCHCOVEN, which injected computer-profiling and tracking scripts into over 100 websites related to international business travel, diplomacy, energy production and policy, international economics, and official government work. The scripts were designed to identify users of interest and target them with exploits tailored to their specific computer and software configurations. Source

November 16, InfoWorld – (International) Microsoft fixes Hyper-V bug in Windows. Microsoft released patches for vulnerabilities in its Hyper-V hypervisor affecting several Windows Server versions, including a flaw in which central processing unit (CPU) chipset instructions put the host system into a nonresponsive state, causing a denial-of-service condition for users’ operating systems. No attacks in the wild have been reported. Source

November 16, Softpedia – (International) A quarter of web-accessible devices have vulnerable firmware. Researchers from EURECOM and Ruhr University in Bochum, Germany, released a study confirming the weak security of Internet of Things (IoT) devices, including cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection (SQLi), and remote code/command execution (RCE) vulnerabilities that can give attackers access to the devices, let them spy on users, steal data, and rewrite the firmware to perform other malicious activities. Source

November 16, Securityweek – (International) Libpng Library updated to patch vulnerabilities. Libpng, the official Portable Network Graphics (PNG) reference library, released an update addressing several memory corruption vulnerabilities in all its versions from 1.0.63 through 1.6.18: a potential out-of-bounds read in the png_set_tIME() and png_convert_to_rfc1123() functions, and an out-of-bounds write in the png_get_PLTE() and png_set_PLTE() functions, which failed to check for an out-of-range palette when reading or writing PNG files. The flaws were patched in the updated versions. Source

November 15, Softpedia – (International) Compromised website fools security vendor, continues to infect users. Researchers from Palo Alto Networks reported that the CryptoWall 3.0 ransomware campaign that previously infected visitors of the website cxda[.]gov[.]cn via the Angler Exploit Kit was still active and had compromised 4,000 additional websites, despite initial reports that the campaign had stopped. The researchers found “dormant” and “filtering” functionality embedded in the campaign’s malicious code that let the attackers go unnoticed depending on the source Internet Protocol (IP) address and user agent of the visitor. Source

November 13, Softpedia – (International) Oil and gas companies indirectly put at risk by vulnerabilities in ERP systems. Researchers from ERPScan, presenting at Black Hat Europe 2015, showed how a vulnerability in enterprise resource planning (ERP) suites from SAP and Oracle used inside oil and gas companies could let an attacker reach operational technology (OT) infrastructure through insecure connected applications. The researchers also found that misconfigurations, unnecessary privileges, and custom code provided entry points or privilege escalation paths for attacks. Source

Gotham Security Daily Threat Alerts

November 13, Securityweek – (International) Flaw in “Spring Social” puts user accounts at risk. Researchers at SourceClear (SRC:CLR) discovered that a vulnerability in Pivotal Software’s Spring Social authentication feature can be exploited via a specially crafted Uniform Resource Locator (URL) that bypasses the cross-site request forgery (CSRF) protection and links an attacker’s account on a service such as GitHub or Facebook with a victim’s account on an affected website. Pivotal Software patched the vulnerability in a Spring Social Core update. Source

November 12, The Register – (International) Jenkins plugs 11 security holes with two updates. Jenkins released versions 1.638 and 1.625.2 of its open source continuous integration tool, patching 11 critical security vulnerabilities: a zero-day in the Jenkins CLI subsystem; a secret key flaw that allowed attackers to connect as slaves, take over Jenkins systems, and access private data; and a critical unsafe deserialization flaw allowing remote attackers to run arbitrary code on the Jenkins master, among others. Source

November 12, The Register – (International) Latest Android phones hijacked with tidy one-stop-Chrome-pop. A researcher from Qihoo 360 discovered, and demonstrated during the MobilePwn2Own event at the PacSec security conference, a single clean exploit for Google’s Chrome browser on Android via its V8 JavaScript engine that needs no chain of vulnerabilities to gain access and install software without user interaction once the user visits a malicious website. Source

November 12, Foster’s Daily Democrat – (New Hampshire) Computer virus infects county dispatch center. The Strafford County chief deputy announced November 12 that computers at the Strafford County Regional Dispatch Center in Dover were infected by the CryptoLocker ransomware, which severely limited the data available to both dispatchers and emergency personnel in the field. Officials were able to isolate the virus and are working on bringing systems back online. Source

November 12, Securityweek – (National) New PoS malware delivered via malicious docs, exploit kit. Researchers from Proofpoint observed the “AbaddonPOS” point-of-sale (PoS) malware and determined that it was being widely distributed with the aid of compromised Microsoft Word documents designed to download information-stealing threats. Once it infects a system, the malware scans the memory of all processes for payment card track 1 and track 2 data. Source

Gotham Security Daily Threat Alerts

November 12, Securityweek – (International) Microsoft reissues security update due to Outlook crash. Microsoft reissued security update KB3097877 for Windows 7 and some versions of update KB3105213 for Windows 10 after customer complaints revealed that the update caused Outlook 2010 and 2013 to crash when viewing HyperText Markup Language (HTML) emails. Source

November 11, Securityweek – (International) Attackers abuse security products to install “Bookworm” trojan. Researchers from Palo Alto Networks discovered a new trojan dubbed “Bookworm” that captures keystrokes, steals clipboard contents, and loads additional modules from its command and control (C&C) server to extend its capabilities. It is packaged with the Smart Installer Maker tool to disguise the malware as a self-extracting RAR archive or a Flash slideshow/installer, which writes an executable dynamic-link library (DLL) file named “Loader.dll” and a file named “readme.txt” to the victim’s system. Source

November 10, Softpedia – (International) Here’s the list of all security bugs that Adobe fixed in Flash. Adobe released patches for 17 critical bugs in Flash Player for Windows and Apple Mac, Flash Player for Linux, and Adobe AIR, including a type confusion flaw and a security bypass vulnerability that lets attackers write data to the target’s file system with the user’s permissions. Source

November 12, Securityweek – (International) “Cherry Picker” PoS malware cleans up after itself. Researchers from Trustwave discovered that a point-of-sale (PoS) malware dubbed “Cherry Picker” relies on a new memory-scraping algorithm, uses a file infector for persistence, and removes all traces of the infection from the system. Updated versions of sr.exe and srf.exe have been used to install the malware and inject a dynamic-link library (DLL) into processes. The latest version relies on the “QueryWorkingSet” application programming interface (API) to scrape memory and harvest data. Source

Gotham Security Daily Threat Alerts

November 10, Securityweek – (International) Flaw in Linux encryption ransomware exposes decryption key. Researchers at Bitdefender discovered a flaw in the Linux.Encoder1 ransomware’s advanced encryption standard (AES) key generation: the keys are produced by the libc rand() function seeded with the system timestamp at encryption time, so the AES key can be recovered without paying the attackers for the RSA key. The security firm released a decryption tool that automatically restores files encrypted by Linux.Encoder1. Source
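As an added illustration (not code from the article, the malware, or Bitdefender’s tool), the toy C model below shows why a timestamp-seeded rand() key is recoverable: the 16-byte key is a pure function of one 32-bit seed, so a defender who knows roughly when files were encrypted (for example from file mtimes) can walk a window of candidate timestamps and find the one that reproduces the key, while drawing key bytes from /dev/urandom removes that property. The key layout, window size, and function names are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16  /* AES-128 key size in bytes (assumed layout for the example) */

/* Toy model of the flawed scheme: seed libc rand() with a second-granularity
 * timestamp and take successive outputs as key bytes. Every byte of the key
 * depends only on that single seed value. */
static void weak_key_from_seed(unsigned int seed, unsigned char key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Defender-side recovery check: try every timestamp within +/- window seconds
 * of t_guess and return the seed that reproduces the key, or 0 if none does. */
static unsigned int recover_seed(const unsigned char key[KEY_LEN],
                                 unsigned int t_guess, unsigned int window) {
    unsigned char cand[KEY_LEN];
    for (unsigned int t = t_guess - window; t <= t_guess + window; t++) {
        weak_key_from_seed(t, cand);
        if (memcmp(cand, key, KEY_LEN) == 0)
            return t;
    }
    return 0;
}

/* Hardened alternative: read key bytes from the kernel CSPRNG, which cannot
 * be reproduced from a timestamp. Returns 1 on success, 0 on failure. */
static int strong_key(unsigned char key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN;
}

int main(void) {
    unsigned char key[KEY_LEN];
    unsigned int t = (unsigned int)time(NULL);  /* "encryption time" */
    weak_key_from_seed(t, key);
    /* Guess is 30 s off and the search window is 2 minutes: still recovered. */
    unsigned int found = recover_seed(key, t + 30, 120);
    printf("weak key recovered: %s (seed %u)\n", found == t ? "yes" : "no", found);
    return 0;
}
```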

November 9, Securityweek – (International) Remote code execution flaw found in Java app servers. Researchers from FoxGlove Security published a report on deserialization vulnerabilities in Java applications including Oracle WebLogic, IBM WebSphere, and Jenkins, among other products, which can be exploited remotely for arbitrary code execution because untrusted data is deserialized via the Apache Commons Collections library, used in more than 1,300 projects. A Java deserialization library and the report were released to help secure applications and educate developers on how to avoid such flaws. Source

November 10, Wall Street Journal – (International) Charges announced in J.P. Morgan hacking case. A federal indictment was unsealed November 10 against three men in connection with an alleged massive cyber-attack on J.P. Morgan Chase & Co. and several other U.S. financial institutions, in which the suspects stole the personal information of more than 100 million customers by hacking into the institutions’ systems and used it to carry out a stock-manipulation scheme. The defendants would artificially inflate stock prices and send spam emails to customers to trick them into buying the stocks. Source

November 9, Washington Post – (National) Comcast says it’s not to blame after 200,000 user accounts were put up for sale online. Comcast announced November 9 that it will reset passwords for roughly 200,000 customers after a package of personal data, including e-mail addresses and passwords, was listed for sale for $1,000 on a Dark Web site. The company said it was not hacked and that its systems and apps were not compromised, attributing the exposure to customers visiting malware-laden sites or falling victim to other schemes that let hackers obtain their data. Source
