Gotham Security Daily Threat Alerts

November 19, Securityweek – (International) Advanced variant of “NotCompatible” Android malware a threat to enterprises. Researchers with Lookout identified a new variant of the NotCompatible trojan for Android, dubbed NotCompatible.C, which includes several changes to avoid detection by security software, including encrypted communications and geographically distributed command and control (C&C) servers. The malware is being spread by spam emails and compromised Web sites and acts as a proxy on infected systems.

November 18, Securityweek – (International) Microsoft fixes critical Kerberos flaw under attack with out-of-band patch. Microsoft released an out-of-band patch November 18 to close a vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to domain administrator privileges. The vulnerability has been exploited in limited, targeted attacks and users were advised to apply the patch as soon as possible due to the critical nature of the vulnerability.

November 18, SC Magazine – (International) Apple releases OS X Yosemite and iOS updates. Apple released updates November 18 for its OS X Yosemite operating system and iOS 8 mobile operating system, adding improvements and closing an unlimited passcode attempt vulnerability in iOS 8.

November 18, Securityweek – (International) Flashpack exploit kit uses ad networks to deliver Cryptowall, Dofoil malware. Trend Micro researchers identified a malicious advertisement campaign that uses free ads to attempt to redirect users to a page hosting the Flashpack exploit kit, which then attempts to serve a variant of the Dofoil trojan or the Cryptowall ransomware.

November 18, Softpedia – (International) Legit Windows Phone apps can be replaced by malicious ones through copy/paste. A researcher reported that rogue versions of legitimate apps can be installed onto Windows Phone mobile devices after the installation of the legitimate app by replacing its files with the rogue app’s files.

November 18, Securityweek – (International) New variant of Matsnu trojan uses configurable DGA. Researchers from Seculert found that a new variant of the Matsnu trojan (also known as Trustezeb) is using a configurable Domain Generation Algorithm (DGA) to attempt to create domain names that won’t be detected by phonetic algorithms designed to look for nonsensical domain names. The malware can be instructed to take various actions, including downloading and executing files, updating itself, and reporting its status to its controllers.

November 17, Securityweek – (International) Research finds 1 percent of online ads malicious. Researchers from universities in the U.S., U.K., and Germany presenting at the 2014 Internet Measurement Conference reported that their research looked at 600,000 online advertisements on 40,000 Web sites over a 3-month period and found that 1 percent of advertisements were malicious.

November 17, Softpedia – (International) BusyBox devices compromised through Shellshock attack. Researchers with Trend Micro identified a new version of the Bashlite malware that identifies devices on an infected system’s network that use the BusyBox software for Linux, including routers, and can then attempt to compromise them using the Shellshock vulnerability.

November 17, Softpedia – (International) Steam password stealer is stored on Google Drive. A researcher with Panda Security analyzed and reported a piece of malware designed to steal passwords for the Steam gaming service that is being delivered from a Google Drive account. The account was still active when the researcher reported the malware November 16. The malware targets victims via a fraudulent link in Steam chat that downloads an executable file.

November 17, The Register – (International) WinShock PoC clocked: But DON’T PANIC… It’s no Heartbleed. Researchers released a proof-of-concept (PoC) exploit for a SChannel crypto library flaw that was patched the week of November 10 in a Microsoft patch release. The flaw can still be exploited in unpatched Windows Server 2012, 2008 R2, and 2003 installations to run arbitrary code.

November 17, The Register – (International) Attack reveals 81 percent of Tor users but admins call for calm. A paper released by researchers at the Indraprastha Institute of Information Technology outlined a traffic confirmation attack method that the researchers stated could be used to identify users of the Tor anonymity network in 81 percent of cases if an attacker has sufficient resources.

November 17, Securityweek – (International) Alleged creators of WireLurker malware arrested in China. Authorities in China arrested three individuals for allegedly creating and distributing the WireLurker malware targeting Mac OS X, iOS, and Windows devices and shut down the Web site used to distribute the malware.

November 17, Securityweek – (International) Majority of top 100 paid iOS, Android apps have hacked versions: Report. Arxan Technologies released its annual State of Mobile App Security report, which found that there were cloned or repackaged versions of 97 percent of the top 100 paid Android apps and 87 percent of the top 100 paid iOS apps, and that repackaged or cloned financial services apps existed for 95 percent of such apps on Android and 70 percent on iOS, among other findings.

November 16, Softpedia – (International) New variant of Dofoil trojan emerges with strong evasion features. Fortinet researchers identified a new variant of the Dofoil botnet malware that contains several changes aimed at preventing the malware from being detected and analyzed.

November 15, Softpedia – (International) New encryption ransomware offers file decryption trial. Researchers at Webroot identified a new piece of encryption ransomware dubbed CoinVault that encrypts victims’ files using AES-256 encryption, demands a ransom, and offers a free trial of the decryption that will be performed if the ransom is paid.

November 14, Softpedia – (International) Google misses trojan SMS app in Play Store for more than a year. An SMS trojan named Thai Fun Content was identified by Malwarebytes researchers on the Google Play Store and was available for download for over 1 year. The app subscribes victims to a paid SMS service and charges victims $0.37 per day.

November 14, Securityweek – (International) OnionDuke APT malware distributed via malicious Tor exit node. Researchers with F-Secure identified a piece of sophisticated malware dubbed OnionDuke that was distributed by a Russia-based Tor exit node and uses the same command and control infrastructure as the MiniDuke malware used in advanced persistent threat (APT) campaigns.

November 13, Threatpost – (International) Internet voting hack alters PDF ballots in transmission. Researchers at Galois published a paper demonstrating how an attacker could conduct an attack against home routers by altering the router firmware that would allow them to intercept a PDF voting ballot and modify it before sending it to the election authority.

November 12, Associated Press – (National) US confirms climate agency websites hacked. A National Oceanic and Atmospheric Agency spokesman confirmed November 12 that four of its Web sites were compromised by an Internet-sourced attack after staff detected the intrusion and began incident response efforts. The agency performed unscheduled maintenance and all services were fully restored.

November 13, Securityweek – (International) Mobile Pwn2Own 2014: iPhone 5s, Galaxy S5, Nexus 5, Fire Phone hacked. Researchers participating in the Mobile Pwn2Own mobile device hacking competition in Tokyo November 12-13 were able to compromise several popular smartphones and mobile devices, achieving a full sandbox escape on an iPhone 5s, successful near field communications (NFC) attacks on the Galaxy S5, and several other successful compromises.

November 12, WTNH 8 New Haven – (Connecticut) Coast Guard contractor pleads guilty to stealing personal information. A Pawcatuck man who ran a computer repair business and also worked as a contractor for the U.S. Coast Guard pleaded guilty November 12 to stealing personal information and data over 250 times from computers and other devices brought to him for repairs.

November 12, Softpedia – (International) 18-year-old remotely exploitable vulnerability in Windows patched by Microsoft. Microsoft released a patch November 11 for a data manipulation vulnerability that has existed in Windows operating systems starting with Windows 95. Researchers with IBM’s X-Force discovered and reported the vulnerability in May, which could have been used by attackers to gain control of affected systems for the last 18 years.

November 12, Help Net Security – (International) Microsoft patches Windows, IE, Word, SharePoint and IIS. Microsoft released its monthly Patch Tuesday round of updates for its products, which includes 14 bulletins, one of which patches a zero-day vulnerability in the Windows OLE packager for Windows Vista and newer Windows operating systems.

November 12, Softpedia – (International) 18 critical vulnerabilities patched in Flash Player. Adobe released a new version of its Flash Player software, closing 18 critical security issues, 15 of which could allow an attacker to execute arbitrary code.

November 12, Network World – (International) Google DoubleClick down, leaving sites ad-free. The Google DoubleClick for Publishers service experienced an outage November 12, preventing ads from being displayed on several Web sites. Google stated that the company was working to resolve the issue.

November 12, Softpedia – (International) Air-gapped systems targeted by Sednit espionage group. Researchers with ESET stated that the Sednit espionage group (also known as APT28 or Sofacy) has employed a tool known as Win32/USBStealer since at least 2005 that can exfiltrate data from air-gapped systems. The tool is installed on a compromised Internet-connected system and copies itself onto any removable storage device; when that device is used on an air-gapped system, the tool collects information there and transmits it back to the attackers whenever the storage device is next connected to an Internet-connected system.

November 11, Softpedia – (International) Uroburos espionage group is still active, relies on new remote access trojan. G Data researchers found that the Uroburos espionage group (also known as Turla or Snake) remains active and is using two similar versions of a new remote access trojan (RAT) known as ComRAT that includes increased obfuscation and anti-analysis capabilities.

November 10, Securityweek – (International) SQL injection vulnerability patched in IP.Board forum software. Invision Power Services released patches for its IP.Board forum software November 9, closing a SQL injection vulnerability in versions 3.3.x and 3.4.x several hours after its discovery.

November 10, Securityweek – (International) iOS security issue allows attackers to swap good apps for bad ones: FireEye. Researchers with FireEye identified a new attack dubbed a Masque Attack that can allow attackers to replace a legitimate iOS app with a malicious one if both applications use the same bundle identifier. Victims must be lured into installing the malicious app, which then replaces the legitimate app on both jailbroken and non-jailbroken iOS devices.

November 10, Securityweek – (International) Darkhotel attackers target business travelers via hotel networks. Kaspersky Lab researchers identified an advanced persistent threat (APT) group dubbed Darkhotel APT that has targeted travelers in the Asia-Pacific region in addition to the U.S. using malicious hotel WiFi networks, spear phishing, and malicious torrent files. The group’s hotel attacks involve prompting users with a software update notice that installs a backdoor, and the group has targeted guests associated with industries and sectors including government organizations, the defense industry, energy industry, pharmaceutical industry, electronics manufacturers, medical providers, and non-governmental organizations.

November 10, The Register – (International) BrowserStack HACK ATTACK: Service still suspended after rogue email. Browser testing service BrowserStack stated that it was temporarily suspending service to recover after an attacker managed to gain access to a list of email addresses and the company’s official email account, using it to send out a fake message to developers.

November 10, The Register – (International) Emoticons blast three security holes in Pidgin :-(. Researchers at Cisco reported that the instant messaging client Pidgin contained three security vulnerabilities that could have allowed attackers to overwrite files or cause a denial of service (DoS) situation. The vulnerabilities have since been patched.

November 11, Dark Reading – (International) Stuxnet ‘Patient Zero’ Attack Targets Revealed. Researchers name five Iranian industrial control systems companies attacked in 2009-2010, and they question whether USB sticks were really the method of infection. Research released today challenges some earlier analysis of the Stuxnet attacks of 2009 and 2010.

November 7, The Register – (International) Belkin flings out patch after Metasploit module turns guests to admins. Belkin recently released a patch for its N750 dual-band router to close a vulnerability demonstrated in a Metasploit module that could allow attackers on guest networks to gain root access. Users were advised to update their firmware to close the vulnerability.

November 7, Help Net Security – (International) WireLurker: Apple blocks Trojanized apps, revokes certificate. Apple stated that it blocked apps identified as containing the WireLurker malware for OS X and iOS and revoked the certificate used to sign the malware.

November 7, Securityweek – (International) Metasploit module released for new UXSS vulnerability in Android browser. An independent researcher in coordination with Rapid7 identified and reported a universal cross-site scripting (UXSS) vulnerability in the default Android browser that could allow an attacker to scrape page contents and cookie data. A Metasploit module for the vulnerability was released, and although Google fixed the issue September 30, many Android users may not receive the fix due to lack of Android version updates.

November 7, Help Net Security – (International) After Silk Road 2, global law enforcement seizes other dark markets. U.S. and European law enforcement agencies undertook joint action against several other underweb marketplaces following actions against the Silk Road 2.0 marketplace, resulting in 17 arrests and the takedown of over 410 hidden services. Authorities also seized around $1 million in cash, illegal drugs, and precious metals.

November 6, Softpedia – (International) Cisco patches three out of four buggy small business RV series routers. Cisco posted an advisory November 5 stating that three vulnerabilities in four routers intended for small business use could allow attackers to execute arbitrary commands and upload files to the devices. The company issued patches for the RV120W Wireless-N VPN Firewall, RV180 VPN Router, and RV180W Wireless-N Multifunction VPN Router, while a patch for the RV220W Wireless Network Security Firewall is expected by the end of November.

November 5, Lafayette Daily Advertiser – (Louisiana) LUS Fiber victim of Internet attack. The director of Lafayette Utilities System (LUS Fiber) stated that disruptions to customers’ Internet access November 4 and November 5 in Lafayette were the result of an attacker intentionally overwhelming the system. LUS Fiber had also experienced an unrelated email server malfunction the week of October 27 that left customers without email service for several days.

November 7, Help Net Security – (International) 53M customer email addresses were also stolen in Home Depot breach. Home Depot officials disclosed November 6 that an investigation into a previously reported breach of the company’s payment data systems revealed that 53 million email addresses of customers in the U.S. and Canada were also compromised during the attack, and officials urged consumers to be on guard against phishing scams. The company also reported that hackers used the stolen credentials of a third-party vendor to access the company’s point-of-sale (PoS) devices, then acquired administrator rights that enabled them to deploy custom-built malware on self-checkout systems at the company’s stores in the U.S. and Canada.

November 6, Securityweek – (International) New “WireLurker” malware targets iOS, Mac OS X users via trojanized applications. Researchers with Palo Alto Networks identified a new piece of malware targeting Apple OS X systems and iOS devices dubbed WireLurker, which can run malicious code in order to steal users’ contacts, Apple IDs, and other data. The malware spreads via trojanized and repackaged OS X applications and can compromise any iOS devices linked to an infected system via USB cable by infecting iOS applications on stock or jailbroken devices.

November 6, Krebs on Security – (International) Feds arrest alleged ‘Silk Road 2’ admin, seize servers. FBI and DHS agents arrested a San Francisco man and charged him with drug trafficking, conspiracy to commit hacking, and money laundering for allegedly operating the Silk Road 2.0 underweb market that sold illegal drugs, fraudulent identification documents, and hacking services and tools. U.S. and European authorities seized control of servers hosting Silk Road 2.0 following the arrest.

November 5, Ars Technica – (International) Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud. A researcher stated that he was able to replicate the MD5 hash collision method used in the Flame cyberespionage attacks using a GPU instance on Amazon Web Services to cause two images to have the same MD5 hash. The method was used in the Flame campaign to cause compromised Windows Update certificates to be recognized as valid on targeted systems, allowing malware to be downloaded undetected.

November 5, Help Net Security – (International) New technique makes phishing sites easier to create, more difficult to spot. Trend Micro researchers identified a new phishing site technique targeting an e-commerce site that uses a proxy to relay user traffic to a legitimate site and then redirects users to a phishing site once they make a purchase and enter payment information. The method was observed in an attack on an online store in Japan but could be used for other sites.

November 4, Softpedia – (International) Compromised EDU domain used to send out ZeuS-laden emails. Researchers with PhishMe detected a spam email campaign distributing the Zeus (also known as Zbot) information-stealing trojan through email addresses belonging to an undisclosed U.S. educational organization with around 25,000-30,000 enrolled students.

November 4, SC Magazine – (International) redirects to Rig Exploit Kit, infects users with malware, Symantec observes. Symantec researchers stated November 4 that the music news Web site was redirecting users to a page hosting the Rig Exploit Kit October 27 and that the issue has been closed. The researchers were unsure of how the compromise occurred but found that the attackers injected an iFrame into the site in order to redirect visitors.

November 3, The Register – (International) VMware: Yep, ESXi bug plays ‘finders keepers’ with data backups. VMware confirmed an issue reported by users of its ESXi 4.x and ESXi 5 hypervisor where virtual machines with Changed Block Tracking (CBT) enabled that have been increased in size by more than 128GB show an inaccurate list of allocated virtual machine disk sectors, which could cause backed-up data to be unrecoverable. VMware recommended that users disable and then re-enable CBT and stated that the company is working on a permanent solution.

November 3, SC Magazine – (International) Researchers notice uptick in ‘Poweliks’ trojan infections. Symantec researchers observed an increase in reported Poweliks trojan infections, with the malware delivered by spam emails, exploit kits, and a spam campaign that impersonates the U.S. Postal Service and Canadian Post.

October 31, Securityweek – (International) New RAT hijacks COM objects for persistence, stealthiness. Researchers at G DATA Software’s SecurityLabs identified a new remote access trojan (RAT) dubbed COMpfun that hijacks legitimate Component Object Model (COM) objects to evade detection by security software. The RAT is capable of executing code, logging keystrokes, downloading or uploading files, and other tasks.

October 31, Softpedia – (International) RIG Exploit Kit used in Drupal CMS exploit incidents. RiskIQ researchers observed the RIG Exploit Kit being used in attacks that exploit a critical SQL injection vulnerability in the Drupal content management system (CMS) to redirect users to the exploit kit. The researchers found that all instances of the exploit kit are hosted on a machine at a Selectel datacenter in Russia.

October 31, Securityweek – (International) iOS app vulnerability exposed GroupMe accounts. A researcher identified and reported a vulnerability in the GroupMe app for iOS that could have allowed an attacker to hijack the account of another user because the sign-up process for new accounts lacked rate limiting or a security lockout mechanism on its phone number verification step. The issue was reported August 28 and patched September 17, and the researcher stated that there was no evidence it was exploited before being fixed.

October 31, Help Net Security – (International) Android dialer hides, resists attempts to remove it. Researchers with Dr. Web identified a malicious dialer for Android dubbed Android.Dialer.7.origin that places calls to a paid service at regular intervals after infecting devices disguised as an app. The malware attempts to hide itself by deleting its shortcut, disabling the device earpiece during calls, and removing evidence of the calls from the call and system logs.

October 30, The Register – (International) Danish court finds Pirate Bay cofounder guilty of hacking CSC servers. A court in Denmark found a cofounder of the Pirate Bay Web site guilty of working with an anonymous accomplice to compromise servers belonging to U.S. company CSC that contained data for European governments between February and August 2012.