Skip to content

Gotham Security Daily Threat Alerts

April 20, Softpedia – (International) Russian hackers exploit Windows, Flash Player zero-day flaws in targeted attack. Microsoft is working to patch a privilege escalation flaw in its operating system (OS) affecting Windows 7 and earlier products after FireEye researchers reported the zero-day attack, allegedly run by a Russian group dubbed APT28, on Adobe Flash Player that relies on the Flash vulnerability to gain access to the targeted system. Adobe released a patch addressing the flaw with its current version of Flash Player. Source

April 20, Softpedia – (International) New variant of Upatre malware downloader integrates full SSL encryption. Talos researchers discovered new versions of the Upatre malware that adopts encrypted communication with command and control (C&C) servers, including a version that uses secure sockets layer (SSL) cryptographic protocol to hide the type of data flowing between the infected client and the C&C server. The new version of the malware downloads the payload in the background while the communication is encrypted. Source

Gotham Security Daily Threat Alerts

April 17, Help Net Security – (International) Pawn Storm cyberspies still at work, target NATO and the White House. Security researchers at Trend Micro reported that cybercriminals are concentrating attacks in the Pawn Storm cyber-espionage operation on the North Atlantic Treaty Organization (NATO) and White House personnel in the U.S., in addition to government and military officials and media companies. The attacks seek to compromise targets’ computers and Microsoft Outlook accounts via spear-phishing emails and compromised Web sites that deliver the SEDNIT/Sofacy trojan malware. Source

April 17, Softpedia – (International) Flash Player bug allows video, audio recording without user consent. A security researcher from Klikki Oy discovered a vulnerability in versions of Adobe Flash Player prior to 17.0.0.169 in which an information disclosure could be leveraged to deliver audio and/or video streams captured on victims’ devices to remote locations controlled by attackers. The flaw is connected to another double-free vulnerability that could allow an attacker to execute arbitrary code on the affected system. Source

April 17, Help Net Security – (International) 1 in 4 employees enable cloud attacks. CloudLock released research from a study of over 750 million files, 77,500 apps, and 6 million users in the cloud that concludes nearly 1 in 4 employees violate corporate data security policy in public cloud applications, culminating in an average of 4,000 instances of exposed credentials in each organization, among other findings. Source

April 16, Securityweek – (International) Users warned of serious flaw in deprecated Cisco Secure Desktop feature. Cisco released a security advisory warning of a high severity command execution vulnerability affecting Cisco-signed Java Archive (JAR) executables in Cache Cleaner for Cisco Secure Desktop that could allow an unauthenticated attacker to run arbitrary commands on affected systems. The company deprecated the Cache Cleaner product over 2 years ago and advised users to transition to the Cisco Host Scan standalone package. Source

April 16, Securityweek – (International) D-Link failed to patch HNAP flaws in routers: Researcher. D-Link published security advisories for multiple router models that identify vulnerabilities related to the Home Network Administration Protocol (HNAP) that could allow unauthenticated attackers to inject commands through HNAP requests, leverage flaws to gain access to information on hosts connected to the network, change system settings, and reset the devices to factory settings. D-Link is working on fixing the flaws through additional firmware updates. Source

April 16, SC Magazine – (International) PCI SSC releases version 3.1, eschews SSL, early TLS. The Payment Card Industry Security Standards Council (PCI SSC) announced in its release of PCI Data Security Standard (PCI DSS) Version 3.1 that secure-sockets layer (SSL) support would be discontinued in favor of current transport layer security (TLS) encryption, due to weaknesses that were identified in SSL by the National Institute of Standards and Technology that could put payment data at risk. The change also occurred as a result of previous Web browser attacks that took advantage of SSL vulnerabilities such as POODLE and BEAST. Source

April 16, SC Magazine – (International) POS threat ‘Punkey’ allows additional malware download for greater access. An investigation by the U.S. Secret Service and Trustwave researchers discovered a new point-of-sale (POS) malware threat resembling NewPosThings that utilizes advanced encryption standard (AES) encryption with an embedded key, and has the capability to download additional malware on affected systems. Authorities revealed that up to 75 unique POS terminals may be infected with the malware. Source

April 16, ZDNet – (International) IBM’s X-Force Exchange to make decades worth of cyber-threat data public. IBM announced that that it will release a raw cyber-threat database of over 700 terabytes to cyber-threat data and intelligence companies, as well as malware threat data from 270 million computers and devices, 25 billion Web pages and images, and spam and phishing attack emails in an initiative called X-Force Exchange, which seeks to help companies mobilize against ongoing threats. Source

Gotham Security Daily Threat Alerts

April 16, Softpedia – (International) Current threat prevention systems are not enough protection for enterprises. Findings from a recent study in automated breach detection carried out by security researchers at Seculert revealed that gateway solutions at participating Fortune 2000 enterprises only blocked 87 percent of communications from compromised devices within their networks. The report also found that about 2 percent of devices in organizations were compromised by malware, while nearly 400,000 interactions that were generated went undetected, among other findings. Source

April 16, Softpedia – (International) Company employees not sufficiently trained to avoid phishing, study finds. A survey commissioned by Intel Security of 700 respondents in businesses across multiple continents revealed that 38 percent of information technology and security professionals believe vulnerability to social engineering is a significant factor in the success of attacks, and that threat actors’ use of multiple attack vectors, exploits, and payloads makes defending against attacks difficult, among other findings. Source

April 16, Help Net Security – (International) TeslaCrypt ransomware pushed by several exploit kits. Security researchers discovered that threat actors are distributing a new ransomware called TeslaCrypt via the Angler, Sweet Orange, and Nuclear exploit kits (EKs), which encrypts the typical assortment of file types along with those related to video games and game-related software, and iTunes-related files. Users have been targeted via redirects to compromised WordPress Web sites and hosts running vulnerable out-of-date Adobe Flash plugins. Source

April 15, IDG News Service – (International) AirDroid app fixes severe authentication vulnerability. AirDroid fixed a severe authentication software flaw in its Web interface affecting versions 3.0.4 and earlier, that could have allowed attackers to take over a device running the software by sending targets a malicious link over short message service (SMS) which exploit the app’s use of JavaScript Object Notation (JSONP) to request data from a server in a different domain. Source

April 15, Softpedia – (International) Victim of cyber-attack replies with own backdoor. Security researchers at Kaspersky Lab reported that it observed two cyberespionage advanced persistent threat (APT) groups called Hellsing and Naikon engage in deliberate APT-on-APT attacks through spear-phishing emails containing custom malware, signaling a potential new trend. Hellsing was previously linked to other APT groups and the group has targeted diplomatic organizations in the U.S. Source

April 15, Help Net Security – (International) Adobe fixes Flash Player zero-day exploited in the wild. Adobe released a new version of Flash Player for Windows, Macintosh, and Linux that addresses 22 critical vulnerabilities, including one that is exploited in the wild and could lead to code execution and an attacker taking control of the affected system. A security bypass vulnerability that could lead to information disclosure and memory leak flaws that could be leveraged to bypass address space layout randomization (ALSR) also received fixes. Source

April 15, Computerworld – (International) With latest patches, Oracle signals no more free updates for Java 7. Oracle released patches addressing 14 vulnerabilities in Java as part of a 98 security-issue fix that covered multiple product lines and marked the end of free Java 7 updates. Three of the Java vulnerabilities were high severity and could be exploited over networks without authentication and could lead to a complete compromise of affected systems’ confidentiality and integrity, and 12 others could be exploited from the Web through the Java browser plug-in. Source

April 15, Securityweek – (International) Google fixes 45 security flaws with release of Chrome 42. Google released Chrome 42 for Windows, Mac, and Linux, which included fixes for 45 security issues, including a cross-origin bypass flaw in the HTML parser, a type confusion in V8, a use-after-free vulnerability in inter-process communication (IPC), and an out-of-bounds write bug in the Skia graphics engine, among others. The update also removed support for the Netscape Plugin Application Programming Interface (NPAPI). Source

April 14, Network World – (International) Microsoft Patch Tuesday April 2015 closes 0-day holes: 4 of 11 patches rated critical. Microsoft released 11 security bulletins that address 26 vulnerabilities, including critical remote code execution (RCE) flaws in Microsoft Office, a critical RCE vulnerability in HTTP.sys that could allow an attacker to use a malicious HTTP request to Windows Server to gain full remote control of a system, and 9 critical security holes in Internet Explorer, among others. Source

April 14, IDG News Service – (International) Web app attacks, PoS intrusions and cyberespionage leading causes of data breaches. Findings from Verizon’s recently released annual Data Breach Investigations Report revealed that the top industries affected by data breaches in the last year were public administration, financial services, manufacturing, accommodations, and retail, and that over two-thirds of cyberespionage incidents since 2013 involved phishing attacks. The report also determined that banking information and credentials were the most common records stolen, among other findings. Source

April 14, Threatpost – (International) Apple fixes cookie access vulnerability in safari on billions of devices. A recent Apple update patched a cookie cross-domain vulnerability in all versions of the Safari Web browser on iOS, OS X, and Windows, that affected up to 1 billion devices, and was a result of the way Safari handled its file transfer protocol (FTP) uniform resource locator (URL) scheme, which could allow attackers to call upon documents to access and modify cookies belonging to Apple.com via JavaScript (JS). The update also patched a proxy manipulation vulnerability in iOS and multiple kernel vulnerabilities in OS X. Source

Gotham Security Daily Threat Alerts

April 14, Softpedia – (International) Misconfigured DNS servers vulnerable to domain info leak. The U.S. Computer Emergency Readiness Team (US-CERT) released a security statement warning that misconfigured, public-facing domain name system (DNS) servers utilizing Asynchronous Transfer Full Range (AXFR) protocols, are vulnerable to system takeovers, redirects to spoofed addresses, and denial-of-service (DoS) attacks from unauthenticated users via DNS zone transfer requests. Research from Alexa revealed that over 72,000 domains and 48,000 nameservers were affected by the issue. Source

April 14, Help Net Security – (International) 18-year-old bug can be exploited to steal credentials of Windows users. A Cylance researcher identified a new technique for exploiting an 18-year-old flaw in Windows Server Message Block (SMB) in all versions of Windows operating systems (OS) which allows attackers to intercept user credentials by hijacking communications with legitimate Web servers via man-in-the-middle (MitM) attacks that send them to malicious server message block (SMB) servers that reveal victims’ usernames, domains, and hashed passwords. Source

April 14, Help Net Security – (International) Attackers use deceptive tactics to dominate corporate networks. Symantec released research revealing that spear-phishing attacks on corporations increased by 8 percent in 2014, and that email and social media had remained significant attack vectors. Researchers also found that software companies took an average of 59 days to release patches and that 24 zero-day vulnerabilities were discovered in 2014, among other findings. Source

April 13, Help Net Security – (International) Attackers can easily crack Belkin routers’ WPS PINs. A security researcher discovered that 80 percent of Belkin routers tested generated Wi-Fi Protected Setup (WPS) PINs based on the device’s own Mac addresses and serial numbers, leaving it vulnerable to discovery by attackers using unencrypted request/response packets via Wi-Fi probes. Source

April 13, Securityweek – (International) Attacks against SCADA systems doubled in 2014: Dell. Dell revealed in its annual threat report that attacks against supervisory control and data acquisition systems (SCADA) doubled in 2014, including 51,258 attacks in the U.S., and that the attacks tended to be political in nature and targeted operational capabilities within power plants, factories, and refineries primarily in Finland, the U.K., and the U.S. The report found that 25 percent of the attacks witnessed exploited buffer overflow vulnerabilities followed by improper input validation and information exposure. Source

April 14, Securityweek – (International) Alleged creator of Svpeng Android malware arrested in Russia. Russia’s Ministry of Internal Affairs reported April 11 that the suspected developer of the Svpeng Android trojan along with 4 co-conspirators calling themselves “The Fascists” who had allegedly used the trojan to steal money from bank accounts in the U.S. and Europe were arrested. The malware employs a combination of short message service (SMS) hacking, phishing Web pages, credential logging, and ransomware to access victims’ account and access funds. Source

April 13, Threatpost – (New York) Vulnerabilities identified in NY banking vendors. The New York State Department of Financial Services released a report on cyber security in the banking sector April 9 which revealed that one in three New York banks are neglectful of information security relating to third-party vendors and are vulnerable to backdoor access by those looking to steal data as a result. One in three banks interviewed did not require vendors to notify them in the event of a data breach, and only half had strategies prepared for breach scenarios, among other findings. Source

Gotham Security Daily Threat Alerts

April 10, Softpedia – (International) OS X 10.9.x and older vulnerable to hidden backdoor API. A Swedish security researcher discovered a hidden backdoor application programming interface (API) present in the Admin framework of Apple OS X versions prior to 10.10.2 that could grant attackers root access to users with both admin and regular user accounts. Apple patched the issue in its release of OS X 10.10.3 Source

April 10, Softpedia – (International) United States, South Africa most affected by Changeup worm. A task force of European and American law enforcement organizations and private security companies including Intel, Kaspersky, and Shadowserver took action to disrupt the Changeup worm botnet and sinkhole its command-and-control (C&C) servers. The worm morphed every few hours and leveraged an LNK vulnerability in Windows to infect approximately 30,000 systems in early 2015, and downloaded other pieces of malware, including banking trojans, click-fraud programs, crypto-malware and other botnet threats. Source

April 9, Softpedia – (International) Multiple flaws found in Motorola’s Surfboard SBG6580 cable modem. Security researchers at Rapid7 discovered vulnerabilities in Motorola Home/ARRIS Surfboard SBG6580 series cable modems, including a backdoor account with hardcoded credentials and persistent cross-site scripting (XSS), and cross-site request forgery (CSRF) flaws that could allow attackers who know the internal gateway internet protocol (IP) address to access the device remotely, change network settings, and inject malicious JavaScript (JS) code. Source

April 9, Softpedia – (International) Cisco threat defense tool vulnerable to DoS attack. Cisco released a security advisory that a flaw in the company’s ASA FirePOWER and Context Aware (CX) Services can be exploited to allow attackers to cause denial-of-service (DoS) conditions by sending a high rate of crafted packets to the services’ management interface. Cisco released updates for the products addressing the issues, as well as three additional related glitches. Source

April 9, Softpedia – (International) Group uses over 300,000 unique passwords in SSH log-in brute-force attacks. Security researchers from Cisco Talos Group and Level 3 Communications collaborated to monitor and take down netblocks being used by a group of cybercriminals dubbed SSHPsychos to run large amounts of scamming traffic, utilizing a dictionary to find root user log-in credentials and install distributed denial-of-service (DDoS) rootkits that add compromised systems to a persistent DDoS botnet. Source

Gotham Security Daily Threat Alerts

April 9, Softpedia – (International) Over 100 forum websites foist poorly detected malware. Security researchers at Cyphort discovered a supposed click-fraud campaign that exploits Web forums running outdated versions of vBulletin or IP Board software to use malicious code to direct visitors to a landing page hosting the Fiesta exploit kit (EK) to deliver Gamarue and FleerCivet malware that steals information and injects backdoor trojans. The malware ensures persistence by avoiding virtual environments and disabling security settings on compromised systems, and exploits vulnerabilities found in Internet Explorer and in Adobe Flash Player version 16.0.0.296 and earlier. Source

April 9, Threatpost – (International) Apple iOS 8.3 includes long list of security fixes. Apple released iOS 8.3 for iPhone and iPad users patching over three dozen vulnerabilities, including flaws in the mobile operating system’s kernel, several bugs in WebKit, and a number of code-execution bugs. Source

April 9, Help Net Security – (International) Deadly combination of Upatre and Dyre trojans still actively targeting users. ESET researchers discovered that an email campaign targeting users worldwide utilizes a combination of the Upatre (Waski) downloader and Dyre/Dyreza banking trojans delivered via simple spam emails to gain information about compromised systems and intercept online banking credentials. Researchers believe that the scheme is part of the larger, previously discovered Dyre Wolf campaign that has targeted businesses around the world. Source

April 8, Securityweek – (International) Google Chrome extension criticized for data collection. Security researchers at ScrapeSentry and Heimdal Security reported that the Webpage Screenshot Google Chrome third-party extension contained malicious code that allowed for copies of all browser data to be sent to a server in the U.S. Google removed the extension from the Chrome Web Store, and Webpage Screenshot claimed that the information was only used for marketing and development purposes. Source

April 8, Threatpost – (International) Two NTP key authentication vulnerabilities patched. Network Time Protocol (NTP) patched two vulnerabilities that allowed attackers to leverage symmetric key authentication flaws to bypass message authentication code (MAC) to send packets to clients. The second vulnerability utilized symmetric key authentication to create denial-of-service (DoS) conditions when peering hosts receive packets with mismatched timestamps. Source

%d bloggers like this: