Gotham Security Daily Threat Alerts

March 26, Softpedia – (International) Microsoft revokes rogue digital certificate for Google and other web domains. Microsoft updated its Certificate Trust List (CTL) for Windows operating systems, and pushed automatic updates to revoke a certificate fraudulently issued by Egypt-based MCS Holdings. The fraudulent certificates affected several Google domains, as well as other domains, and left Windows users vulnerable to Web content spoofing, phishing, and man-in-the-middle (MitM) attacks. Source

March 26, Softpedia – (International) Apple customers lured to disclose Apple ID and card data. Security analysts at Bitdefender discovered a phishing scheme in which Apple device users are being targeted with emails that link to a hoax site requesting Apple ID credentials, personal information, payment card information, and a 3D Secure password. After users fill out the form, they are notified of a bogus two-factor authentication (2FA) process and are given an option to change their password. Source

March 26, Securityweek – (International) Cisco fixes DoS vulnerabilities in IOS software. Cisco Systems released security updates patching 16 vulnerabilities in IOS and IOS XE software components, including Autonomic Network Infrastructure (ANI), Common Industrial Protocol (CIP), multicast Domain Name System (mDNS), transmission control protocol (TCP), Virtual Routing and Forwarding (VRF), and Internet Key Exchange version 2 (IKEv2). The vulnerabilities allowed remote, unauthenticated attackers to trigger denial-of-service (DoS) conditions on targeted systems. Source

March 25, Threatpost – (International) Default setting in Windows 7, 8.1 could allow privilege escalation, sandbox escape. A Google Security Project Zero researcher identified certain default authentication settings in Microsoft’s Windows versions 7 and 8.1 that could allow attackers to use cross-protocol NT LAN Manager (NTLM) reflection to attack a local Server Message Block (SMB) server and leverage Web Distributed Authoring and Versioning (WebDAV) to elevate privileges or escape application sandboxes. Microsoft urged users to implement Extended Protection for Authentication (EPA) to mitigate the vulnerability. Source

March 25, Securityweek – (International) Over 15,000 vulnerabilities detected in 2014: Secunia. Secunia released its annual vulnerability review and found that 15,435 vulnerabilities across 3,870 applications from 500 vendors were discovered in 2014, 11 percent of which were considered highly critical, while 0.3 percent were rated extremely critical. The report also states that over 60 percent of attacks occurred through remote networks, making it the most common attack vector, among other trends. Source

March 25, Help Net Security – (International) Half of all Android devices vulnerable to installer hijacking attacks. Security researchers at Palo Alto Networks discovered that a critical Android vulnerability discovered over a year ago and dubbed “Android Installer Hijacking” can allow attackers to completely compromise devices, by changing or replacing seemingly legitimate applications with malware during installation, without users’ knowledge. The flaw affects all devices running Android versions 4.2 and earlier, and some running version 4.3. Source

March 24, Softpedia – (International) Yebot backdoor built for wide range of malicious operations. Security researchers from Dr.Web discovered that a backdoor trojan dubbed Yebot can run file transfer protocol (FTP) and socket secure (SOCKS) 5 proxy servers, gain remote access to systems through a remote desktop protocol (RDP), capture keystrokes and screenshots, intercept system functions, change code of running processes, search for private keys, and intercept all features associated with Web browsing. The trojan infects computers by injecting code into four Microsoft Windows processes before downloading and decrypting its contents and running in memory. Source

March 24, Softpedia – (International) Leaked full version of NanoCore RAT used to target energy companies. Security researchers at Symantec identified that, since January 2014, approximately 40 percent of systems infected by the widely available NanoCore remote access trojan (RAT), delivered via a malicious rich text format (RTF) or Microsoft Word file that exploits an old vulnerability in the Windows Common Controls ActiveX component, were in the U.S., while cybercriminals have been employing the malware in targeted attacks on energy companies in Asia and the Middle East since March 6. Source

March 24, Softpedia – (International) Over 22.5 million PUAs detected last month by antivirus vendor. Germany-based Avira reported that the company’s antivirus software detected over 22.5 million potentially unwanted applications (PUAs) and highlighted five as the most prevalent in February that could inject malicious code, request sensitive information from users, or extract information without their consent. Source

March 23 – (International) Alleged hacker brought to N.J. on charges of large-scale identity theft. A Romanian national was extradited to the U.S. March 20 to face charges that he allegedly oversaw a large-scale computer hacking scheme in which he breached computer systems of retailers, medical offices, security companies, and individuals’ online accounts to obtain several thousand user names, passwords, and payment card numbers from 2011 to 2014, including 10,000 credit and debit cards from one victim alone. Source

March 23, Softpedia – (International) New point-of-sale malware PoSeidon exfiltrates card data to Russian domains. Security researchers from Cisco Systems’ Talos Security Intelligence and Research Group discovered that cybercriminals are using a new point-of-sale (PoS) malware family dubbed PoSeidon that infects systems via a binary file and uses a memory scraping technique to retrieve and clone Discover, American Express, MasterCard, and Visa card information before delivering it to command and control (C&C) servers in Russia. The malware contains routines to ensure persistence regardless of restart or user log-off. Source

March 23, Softpedia – (International) CryptoWall ransomware also adds infostealer to compromised systems. Security researchers at Trend Micro discovered that the latest version of the CryptoWall ransomware contains the Fareit infostealer which collects credentials from programs including email clients, Web browsers, file transfer protocol (FTP) clients, and digital currency wallets. The malware is delivered via an archived JavaScript attachment in an email claiming to deliver a resume that connects to command and control (C&C) servers to download JPG images as a ploy to bypass intrusion detection systems (IDS). Source

March 23, Help Net Security – (International) Cisco Small Business IP phones vulnerable to eavesdropping. Cisco Systems confirmed that its Small Business SPA 300 and 500 series IP phones with firmware version 7.5.5 or older contain flaws in authentication settings that could allow attackers to listen in on phone audio streams or make calls remotely by sending crafted extensible markup language (XML) requests to the affected device. The company is reportedly working on a patch to address the vulnerability. Source

March 23, IDG News Service – (International) Fake patient data could have been uploaded through SAP medical app. SAP fixed two issues in the Electronic Medical Records (EMR) Unwired app that could have allowed attackers to potentially leverage an SQL injection flaw and configuration file vulnerability to access the embedded database and change medical records stored on the server. Source

March 23, Securityweek – (International) Dridex banking malware dodges detection with run-on-close macros. Security researchers at Proofpoint discovered that the Dridex banking malware is using run-on-close macros in infected Microsoft Office documents to avoid detection by malware sandboxes and antivirus software. The Dridex malware was previously linked to attacks targeting banking customers in the U.S., Canada, and the U.K. Source

March 19, Softpedia – (International) Zero-days for Firefox, IE 11, Adobe’s Flash and Reader exploited at Pwn2Own 2015. At Hewlett Packard and Google Project Zero’s Pwn2Own hacking competition, security researchers leveraged multiple zero-day vulnerabilities to exploit 13 undisclosed bugs in Adobe’s Flash and Reader, Mozilla’s Firefox, and Microsoft’s Internet Explorer 11 and take control of the compromised systems. The methods used included heap overflow remote code execution, a cross-origin vulnerability, and use-after-free (UAF) remote code execution, among others. Source

March 19, Softpedia – (International) OpenSSL’s undisclosed high-severity issue is far from FREAK, POODLE, or Heartbleed. OpenSSL released an update for its cryptographic library addressing one high severity denial-of-service (DoS) vulnerability affecting version 1.0.2 that could allow a NULL pointer dereference to occur. The update also addressed a number of other moderate vulnerabilities affecting several OpenSSL versions, including segmentation faults and an issue with processing Base64 encoded data. Source

March 19, IDG News Service – (International) At least 700,000 routers given to customers by ISPs are vulnerable to hacking. A security researcher discovered that over 700,000 ADSL routers, mostly running firmware from the China-based Shenzhen Gongjin Electronics (doing business under the T&W trademark) and distributed to customers by internet service providers (ISPs) worldwide, contain directory traversal flaws in their firmware that could allow attackers to extract sensitive data and change router configuration settings. The researcher notified the firmware developer, affected device vendors, and the U.S. Computer Emergency Readiness Team (US-CERT). Source

March 18, Softpedia – (International) Ransomware uses GnuPG encryption program to lock down files. Researchers from Bleeping Computer and Emsisoft discovered that cybercriminals are using open source GNU Privacy Guard (GnuPG) code and Visual Basic Scripting Edition (VBS) to power VaultCrypt ransomware that uses a 1024-bit RSA key pair to encrypt information and Microsoft’s sDelete application to remove data used in the process. The ransomware sends user log-in credentials for Web sites to a command and control (C&C) server hidden in the Tor anonymous network. Source

March 18, Softpedia – (International) Repackaged Android apps filling third-party stores. Security researchers at Trend Micro discovered an increase in the number of localized or repackaged Android apps containing malware being released for free on unofficial app stores, including spyware that can intercept payment notices or collect the user’s phone model, location, and list of installed apps. Source

March 17, U.S. Attorney’s Office, Eastern District of New York – (New York) New York City Police Department auxiliary officer charged with hacking into NYPD computer and FBI database. An auxiliary officer with the New York City Police Department (NYPD) was arrested and charged March 17 for allegedly using his position to hack into a restricted NYPD computer and other sensitive law enforcement computer systems by installing multiple electronic devices in the Traffic Safety Office of an NYPD precinct to obtain the personal information of thousands of citizens in order to commit fraud. The auxiliary officer ran over 6,400 queries and contacted individuals involved in traffic accidents falsely claiming to be affiliated with a law firm in order to encourage the victims to hire his services. Source
