
Gotham Security Daily Threat Alerts

February 4, SecurityWeek – (International) Cisco patches high severity flaws in several products. Cisco released software updates for its Application Policy Infrastructure Controller (APIC) and several other products, patching high severity vulnerabilities that included a denial-of-service (DoS) flaw in Nexus 9000 series switches, a remote authentication flaw in ASA-CX and Prime Security Manager (PRSM), and a logic error in the APIC role-based access control (RBAC) processing code that let an unauthenticated attacker make configuration changes. Cisco also published advisories for three medium severity issues that have yet to be patched.

February 4, SecurityWeek – (International) Serious crypto flaw found in Socat tool. A security researcher from Microsoft found that the 1024-bit Diffie-Hellman (DH) modulus (the "p" parameter) hard-coded into the Socat networking utility, in affected releases including 2.0.0-b8, is not a prime number. DH is only as strong as the group it runs in, and a composite modulus makes the discrete logarithm far easier to compute, so an attacker could recover the shared secret from the key exchange and eavesdrop on Socat's encrypted channels. Whether the non-prime value was a mistake or a deliberate backdoor is not known.
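The check that the Socat parameter should have passed, as an added example (this is not Socat's code): a Miller-Rabin primality test plus a safe-prime test, run over the real 1024-bit MODP prime from RFC 2409 ("Second Oakley Group") and over a constructed 1024-bit composite that stands in for a bad `p`. The constant, function names and the 2048-bit "acceptable" threshold are this example's own choices.

```python
"""Primality and safe-prime checks for a Diffie-Hellman modulus.

Added example; not code from Socat. RFC2409_GROUP2_P is the real 1024-bit
"Second Oakley Group" prime. make_composite_modulus() builds a constructed
1024-bit composite standing in for a non-prime 'p'.
"""
import secrets

RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)

# Trial division rejects most composites cheaply before Miller-Rabin runs.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with `rounds` random bases. A composite survives all rounds
    with probability at most 4**-rounds; results are exact for n <= 47."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # 'a' is a witness: n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when (p-1)/2 is also prime; such groups have no small
    subgroups into which an attacker could force the shared secret."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_dh_modulus(p: int) -> dict:
    """What a consumer of DH parameters should insist on before using them.
    The 2048-bit floor is this example's policy choice (Socat's replacement
    parameter was 2048 bits)."""
    prime = is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)
    return {
        "bits": p.bit_length(),
        "prime": prime,
        "safe_prime": safe,
        "acceptable": safe and p.bit_length() >= 2048,
    }


def random_prime(bits: int) -> int:
    """Constructed helper: random prime with the top two bits set."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def make_composite_modulus(bits: int = 1024) -> int:
    """Constructed stand-in for a bad 'p': the product of two primes of bits/2
    each, so it is exactly `bits` long, survives trial division, and is not prime."""
    return random_prime(bits // 2) * random_prime(bits // 2)


if __name__ == "__main__":
    print("RFC 2409 group 2:", check_dh_modulus(RFC2409_GROUP2_P))
    print("constructed composite:", check_dh_modulus(make_composite_modulus()))
```

A composite built from two large factors passes trial division and looks like a plausible modulus to the eye, which is exactly why a probabilistic primality test, not inspection, has to gate any parameter that gets compiled into a tool. Note that the RFC 2409 group is prime and safe but still reports `acceptable: False` because of its 1024-bit size.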

February 4, SecurityWeek – (International) Flaws expose Sauter SCADA systems to takeover. Sauter released firmware updates for its moduWEB Vision SCADA products after a researcher from Outpost24 discovered multiple vulnerabilities that a remote attacker could combine to take control of the devices through a pass-the-hash attack: the products ship with default accounts, and a backup feature exposes the password hash of the administrative account. Because the login accepts the hash itself as the credential, an attacker who obtains it can authenticate without ever learning the password.
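Why a leaked hash is as good as the password in a design like the one described above, as an added example (not Sauter's code): two constructed login services, one that compares a client-supplied hash with the stored hash and one that stores a salted PBKDF2 verifier and hashes the password server-side. The user name, password, use of MD5 in the weak variant, and the assumption that the hardened variant runs over TLS are all this example's own.

```python
"""Pass-the-hash against two login designs (added example, not Sauter's code).

HashEqualityLogin: the client sends H(password); the server stores H(password)
and compares. Whoever reads the stored table (e.g. from a configuration backup)
holds a working credential.
SaltedVerifierLogin: the client sends the password over an assumed TLS channel;
the server stores salt + PBKDF2(password). The stored verifier cannot be replayed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class HashEqualityLogin:
    """Vulnerable: the stored value IS the credential."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        # MD5 chosen for the constructed example; the page does not say what Sauter used.
        self._users[user] = hashlib.md5(password.encode()).hexdigest()

    def client_credential(self, password: str) -> str:
        """What a legitimate client computes and sends."""
        return hashlib.md5(password.encode()).hexdigest()

    def login(self, user: str, credential: str) -> bool:
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored, credential)

    def backup(self) -> Dict[str, str]:
        """Stands in for the exported configuration backup."""
        return dict(self._users)


class SaltedVerifierLogin:
    """Hardened: the verifier is derived from the password with a random salt and
    a slow KDF, and the client never sends the verifier itself."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def _derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._derive(password, salt))

    def client_credential(self, password: str) -> str:
        return password  # sent as-is; TLS (assumed) protects it in transit

    def login(self, user: str, credential: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, verifier = record
        return hmac.compare_digest(verifier, self._derive(credential, salt))

    def backup(self) -> Dict[str, str]:
        return {u: salt.hex() + ":" + v.hex() for u, (salt, v) in self._users.items()}


def pass_the_hash(system, user: str) -> bool:
    """Attacker: read the backup and replay the stored value as the credential."""
    leaked = system.backup()[user]
    return system.login(user, leaked)


def demo() -> Dict[str, Dict[str, bool]]:
    """Run both designs with a constructed account; returns the outcomes."""
    password = "correct horse battery staple"  # constructed
    results = {}
    for name, system in (("hash_equality", HashEqualityLogin()),
                         ("salted_verifier", SaltedVerifierLogin())):
        system.register("admin", password)
        legit = system.login("admin", system.client_credential(password))
        results[name] = {"legit_login": legit, "pass_the_hash": pass_the_hash(system, "admin")}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The hardened design does not make a leaked backup harmless: the salted, slow hash only slows an offline guessing attack against weak passwords. What it removes is the direct replay, which is the whole of a pass-the-hash attack.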

February 3, Computerworld – (International) Google expands Chrome’s Safe Browsing defenses to sniff out ad scams. Google announced February 3 that it is extending its Safe Browsing technology to protect users from deceptive embedded content, such as social engineering ads that trick users into handing over personal information or into downloading malware disguised as updates for name-brand software.

February 3, SecurityWeek – (International) Microsoft EMET adds Windows 10 compatibility. Microsoft released version 5.5 of its Enhanced Mitigation Experience Toolkit (EMET), adding Windows 10 compatibility and several other improvements, including better writing of mitigation settings to the registry so that existing tools can manage EMET mitigations via Group Policy (GPO), and support for the Windows 10 untrusted fonts mitigation.


Gotham Security Daily Threat Alerts

February 3, Softpedia – (International) Dual-Mode DMA ransomware cracked, users can recover files for free. Security researchers from Malwarebytes discovered a flaw in the DMA ransomware that lets victims decrypt their files without paying the ransom: the encryption key is hard-coded in the malware's binary, so a victim can re-download the malicious file and enter that key into the ransom note's decryption field to unlock their files.

February 3, SecurityWeek – (International) WordPress 4.4.2 patches open redirect, SSRF flaws. WordPress released version 4.4.2 of its content management system, patching an open redirect vulnerability, a server-side request forgery (SSRF) flaw in which certain local Uniform Resource Identifiers (URIs) were not blocked, and 17 bugs affecting WordPress versions 4.4 and 4.4.1.
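The kind of outbound-URL check that closes the "local URIs not blocked" gap described above, as an added example (not WordPress code): before a server fetches a user-supplied URL it accepts only http/https, resolves the host, and refuses any answer that is not a public unicast address, including loopback, RFC 1918, link-local and IPv4-mapped IPv6 forms. The resolver is injectable so the example runs offline; the host names and addresses in `CONSTRUCTED_DNS` are made up for the demo.

```python
"""Outbound-URL validation against server-side request forgery (SSRF).

Added example, not WordPress code. validate_fetch_url() is what a server should
run on a URL it is about to fetch on a user's behalf. CONSTRUCTED_DNS is a
made-up lookup table so the demo runs without network access.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], Iterable[str]]

# Constructed DNS answers for the offline demo (not real records).
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],              # link-local, metadata-service style
    "intranet.corp": ["10.1.2.3"],                         # RFC 1918
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
}


def system_resolver(host: str) -> Iterable[str]:
    """Real lookup: return every A/AAAA answer, since the client may use any of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host: str) -> Iterable[str]:
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def _as_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, detail). On success `detail` is the vetted IP: connect to that
    IP rather than re-resolving the name, or a DNS-rebinding attacker can swap
    the answer between the check and the fetch."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if _as_ip(host) is not None:
        addresses = [host]  # IP literal: nothing to resolve
    else:
        try:
            addresses = list(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, f"resolution failed for {host}: {exc}"
    if not addresses:
        return False, f"no addresses for {host}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, addresses[0]


if __name__ == "__main__":
    for candidate in ("https://example.com/feed", "http://localhost/", "http://[::ffff:10.0.0.1]/",
                      "http://metadata.internal/", "http://rebind.attacker.test/", "file:///etc/passwd"):
        print(candidate, "->", validate_fetch_url(candidate, constructed_resolver))
```

Two details matter in practice: every resolved address is checked, not just the first, because a name that returns one public and one internal address is the classic bypass; and the validated IP is what the caller should connect to, so the name is not resolved a second time after the check.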

February 3, SecurityWeek – (International) Comodo browser breaks security: Google researcher. A Google researcher found that Chromodo, the browser bundled with Comodo's Internet Security product, disables the same-origin policy (SOP) and with it effectively all web security: a script running on one site can read and interact with pages from any other site open in the browser. Comodo released a patch, but the researcher found it did not fix the problem.

February 2, Reuters – (National) Microsoft recalls 2.3 mln power cords sold with Surface Pro tablets. Microsoft issued a recall February 2 for about 2.25 million AC power cords sold with certain models of its Surface Pro convertible tablets after receiving 61 consumer reports of cords overheating, emitting flames, or posing an electric shock hazard.

Gotham Security Daily Threat Alerts

February 2, Softpedia – (International) Compromised WordPress sites hijacked over and over again to push malware. Security researchers from Sucuri discovered a new campaign targeting WordPress sites in which every JavaScript file on a compromised site is injected with malicious code that loads an iframe, displays advertisements, and plants a backdoor in each page so that the site can be reinfected after it is cleaned. The researchers noted that when several domains are hosted on the same account, all of them are infected through cross-site contamination.

February 2, Softpedia – (International) Deja-Vu: Google fixes another RCE vulnerability in the Mediaserver component. Google released patches for its Android mobile operating system (OS) fixing 13 flaws, including 3 elevation of privilege issues in the Qualcomm Wi-Fi driver and 2 remote code execution (RCE) vulnerabilities in the Mediaserver component that let an attacker corrupt memory in the OS with a crafted multimedia file, among other fixes.

February 1, Softpedia – (International) Joomla zero-day accounted for the majority of web attacks in Q4 2015. The Solutionary Security Engineering Research Team (SERT) released its “SERT Quarterly Threat Report Q4 2015”, which found that malware attacks increased during the quarter, with virus and worm detections up 236 percent compared to Q3, and that ransomware continued to grow in the U.S., accounting for 78 percent of all malware delivered during Q4. The report also found that most attacks were web application attacks targeting flaws in web-based software, the largest share of them leveraging the Joomla zero-day vulnerability disclosed in Q4.

February 1, The Register – (International) WirelessHART industrial control kit is riddled with security holes. Security researchers from Applied Risk discovered several flaws in various WirelessHART products that could enable attackers to manipulate field instruments and compromise the integrity of process data; weaknesses in how the products implement the protocol's security layer allowed the researchers to extract the network encryption key.

Gotham Security Daily Threat Alerts

February 1, SecurityWeek – (International) New Cross-Platform backdoors target Linux, Windows. Security researchers from Kaspersky Lab reported that a Windows variant of the Linux backdoor DropboxCache, seen as a file named OLMyJuxM.exe, has been found infecting Windows systems. The 32-bit Windows build uses the same filename templates as the Linux version to store stolen screenshots, audio captures, keystroke logs, and other arbitrary data, implements its keylogger with the SetWindowsHook API, contacts its command and control (C&C) server for commands, and sends a heartbeat over Hypertext Transfer Protocol (HTTP) much like the Linux variant. Users were advised to keep an anti-virus program enabled, to avoid opening e-mails from unknown sources, and to avoid installing applications from untrusted sources.

January 31, Softpedia – (International) OS X Security Compromised via the update process of many popular Mac apps. Sparkle released version 1.13.1 of its Sparkle Updater framework, which many Mac apps use to distribute updates, after a security researcher discovered that apps configured to fetch their update feed (appcast) over plain Hypertext Transfer Protocol (HTTP) are exposed to a Man-in-the-Middle (MitM) attacker, who can intercept the request to the appcast server and modify the Extensible Markup Language (XML) response to inject their own malicious code.
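The audit an app developer can run over their own appcast to catch the exposure described above, as an added example (this is not Sparkle's code). It follows Sparkle's appcast layout, an RSS feed whose items carry an `enclosure` with a `sparkle:dsaSignature` attribute and an optional `sparkle:releaseNotesLink` element, and flags any feed, download or release-notes URL that is not HTTPS and any enclosure without a signature. The feed content, host names and signature string are constructed for the demo; checking that a signature is present is not the same as verifying it, which the updater does with the public key embedded in the app.

```python
"""Audit a Sparkle-style appcast for plaintext URLs and unsigned updates.

Added example, not Sparkle's code. SPARKLE_NS is the namespace Sparkle uses;
CONSTRUCTED_APPCAST is a made-up feed with one sound item and one bad item.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
NS = {"sparkle": SPARKLE_NS}

CONSTRUCTED_APPCAST = f"""
<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel>
    <title>Example App Updates</title>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://updates.example.test/2.1.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.test/ExampleApp-2.1.zip"
                 sparkle:version="210" sparkle:shortVersionString="2.1"
                 sparkle:dsaSignature="constructed-signature-placeholder"
                 type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.test/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="http://updates.example.test/ExampleApp-2.0.zip"
                 sparkle:version="200" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""


def _is_https(url: str) -> bool:
    return urlsplit(url.strip()).scheme.lower() == "https"


def audit_appcast(feed_url: str, xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the feed passed.

    Three things let a network attacker turn an update into code execution:
    a plaintext feed URL (the XML itself can be rewritten), a plaintext
    enclosure (the download can be swapped) and plaintext release notes
    (rendered by the updater). Unsigned enclosures remove the last defence.
    """
    findings: List[str] = []
    if not _is_https(feed_url):
        findings.append(f"feed URL not HTTPS: {feed_url}")
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        enclosure = item.find("enclosure")
        if enclosure is None:
            findings.append(f"{title}: no enclosure")
        else:
            url = enclosure.get("url", "")
            if not _is_https(url):
                findings.append(f"{title}: enclosure not HTTPS: {url}")
            if not enclosure.get(f"{{{SPARKLE_NS}}}dsaSignature"):
                findings.append(f"{title}: enclosure has no sparkle:dsaSignature")
        notes = item.findtext("sparkle:releaseNotesLink", namespaces=NS)
        if notes is not None and not _is_https(notes):
            findings.append(f"{title}: release notes not HTTPS: {notes.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_appcast("https://updates.example.test/appcast.xml", CONSTRUCTED_APPCAST):
        print(finding)
```

The feed URL check is the one that matters most: if the appcast itself arrives over HTTP, an attacker who controls the network can rewrite every other field, so the per-item checks only hold once the feed is fetched over HTTPS.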

January 30, Softpedia – (International) iOS app hot patching reveals a gaping security hole in Apple’s Walled Garden. Security researchers from FireEye found that the JSPatch library, which some iOS developers use to hot-patch their applications with JavaScript downloaded at run time, lets an app change its behaviour without going through Apple's review. In a test application the researchers delivered malicious instructions that called sensitive local iOS application programming interfaces (APIs) to access personal information, a use that Apple would not have approved. The JSPatch engine translates the downloaded JavaScript into Objective-C calls, so the same mechanism can pull in arbitrary new code after review.

January 29, SecurityWeek – (International) Firefox warns of password requests over HTTP. Mozilla added a warning to Firefox, starting with Firefox Developer Edition 46, that alerts users when a web page requests a password over a non-secure connection, and advised users to enter passwords only over secure connections such as Hypertext Transfer Protocol Secure (HTTPS), since a password form on a non-secure page can be read or modified by a Man-in-the-Middle (MitM) attacker. The feature checks each page against the algorithm in the World Wide Web Consortium's (W3C) Secure Contexts specification to decide whether the page is secure, and also warns developers in the developer console when it is not.

Cyber Resilience: What is it and how do you get some?

A couple of weeks ago I had the pleasure of introducing Bruce Schneier and Larry Ponemon at an event focused on Cyber Resilience. If you’re interested in the material, there’s a recorded version available here.

Bruce and Larry are both rock stars, so the content was terrific. I thought I would share some of the things I learned.

Cyber resilience is an up-and-coming term in the cyber security world. It represents the ability to manage, mitigate, and move on from a cyberattack. It kind of reminds me of Rocky's speech to his son in Rocky Balboa: “It ain’t about how hard you’re hit. It’s about how hard you can get hit and keep moving forward. How much you can take and keep moving forward.”

Here are some of the things I picked up:

  • Businesses all agree that sooner or later, they’re going to get tagged. Most organizations are not ready to take that punch. Only 32% of organizations feel that they can properly recover from a cyberattack.
  • Planning and process are the keys. Tools help, but only in the hands of trained and prepared teams. In the words of Mr. Schneier, anti-virus is a technology-first solution, but incident response is a human-first endeavor.
  • Collaboration between business and operational units is critical during an incident, but 32% of companies polled report that collaboration is poor or nonexistent in their organization.

As a kid, I learned to waterski one sunny Saturday on a lake near our house. I remember that just learning to get up on top of the water took a long time. But once I got up, I discovered a whole new issue. What was falling going to be like? And on that whole first time up, I really couldn’t think of anything other than worrying about my eventual fall. Regardless of how long it had taken to get up, I basically fell almost right away, just to understand what that part of the experience was going to be like. It wasn’t bad and the rest of the day was great.

Sooner or later, we’re all going to fall. We need to be ready to fall well and get back up.

Gotham Security Daily Threat Alerts

January 29, Help Net Security – (International) 60+ trojanized Android games lurking on Google Play. Researchers from Dr. Web found more than 60 games on the Google Play store carrying the Xiny trojan, which can download additional malicious apps and collect device information such as the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) and send it to a command and control (C&C) server. The trojanized games were published through some 30 different developer accounts, including Billapps, Conexagon Studio, and Fun Color Games, which the researchers believe are operated by the same cybercriminals.

January 29, The Register – (International) Two-thirds of Android users vulnerable to web history sniff ransomware. Researchers from Symantec reported that roughly two in three Android devices, those running versions prior to 5.0 (Lollipop), are susceptible to the Lockdroid ransomware, which tricks users into granting it administrative privileges through fake dialogs overlaid on the real permission prompt, then displays a message purporting to come from the U.S. Department of Justice claiming the device was locked for visiting inappropriate websites and demanding a fee to unlock it. The malware can also change the device personal identification number (PIN) and delete user data through a factory reset.

January 29, SecurityWeek – (International) Facebook pays out $7,500 bounty for account hijacking flaw. A researcher discovered a serious cross-site scripting (XSS) vulnerability in several Facebook plugins that are rendered inside an iframe; the flaw bypasses protections and lets an attacker steal a user's cross-site request forgery (CSRF) token by convincing the user to click or visit a malicious link the attacker controls. Once the victim opens the link, the attacker can perform any action on the victim's account.

January 29, Help Net Security – (International) OpenSSL bug that could allow traffic decryption has been fixed. The OpenSSL Project released OpenSSL 1.0.2f and 1.0.1r, patching two security flaws that could have allowed attackers to recover keys and decrypt protected communications, and adding further hardening against the Logjam attack on Diffie-Hellman key exchange.

January 28, The Register – (International) Alleged ISIL hacker faces US terror charges for doxing soldiers. The U.S. Department of Justice and the FBI reported January 28 that a man had been extradited from Malaysia to Virginia to face charges of computer hacking and of providing support to a Middle Eastern terrorist group, after he allegedly passed the personal information of more than 1,000 U.S. soldiers and government employees to the group, which intended to use it to attack U.S. military and government personnel.
