
Gotham Security Daily Threat Alerts

December 16, Securityweek – (International) Banking trojan abuses Pinterest in C&C routines. Researchers with Trend Micro identified a variant of the BANKER malware known as TSPY_BANKER.YYSI that is currently targeting users of South Korean banking Web sites via redirection to a phishing site and accesses comments on the Pinterest social network instead of a command and control (C&C) server. The comments are decoded into IP addresses for the server hosting the phishing page. Source

December 16, Securityweek – (International) CA Technologies fixes vulnerable CA Release Automation. CA Technologies released a patch for its CA Release Automation continuous delivery system that closes cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection vulnerabilities in previous versions of the product. Source

December 15, Threatpost – (International) Shellshock worm exploiting unpatched QNAP NAS devices. Researchers with the SANS Institute stated that network attached storage (NAS) devices manufactured by QNAP may still be vulnerable to attackers exploiting the previously patched Bash flaw, because the patching process is complex and not automated. The researchers published two hashes of samples that have been used in recent attacks to perform click fraud against the JuiceADV advertising network. Source


Gotham Security Daily Threat Alerts

December 15, Softpedia – (International) CloudFlare SSL certificate used for phishing scam. A researcher with Malwarebytes identified a new phishing email campaign that utilized a free CloudFlare certificate in order to make a malicious link appear more trustworthy. CloudFlare has since revoked the certificate. Source

December 15, Softpedia – (International) SoakSoak malware campaign affects over 100,000 websites. A Sucuri researcher reported that malware delivered from a Russian Web site has affected over 100,000 WordPress Web sites, injecting code that adds malicious JavaScript to every page viewed on the affected sites. Google has since blacklisted more than 11,000 domains connected to the malware. Source

December 12, Securityweek – (International) Ursnif malware steals data, infects files in US, UK. Trend Micro researchers detected an increase in the number of Ursnif malware infections caused by a variant known as PE_URSNIF.A-O that is capable of infecting files as well as stealing passwords and other information. The largest number of the new infections was found in the U.S. and U.K. Source

December 12, The Register – (International) Batten down the patches: New vuln found in Docker container tech. A security researcher identified an arbitrary code execution vulnerability in Docker that was introduced in a November patch and could be exploited by including malicious .xz binaries in image files. The developers of Docker released a new patch that closes the vulnerability, and all users were advised to apply the patch as soon as possible. Source


Gotham Security Daily Threat Alerts

December 12, The Register – (International) Hackable intercom lets you SPY on fellow apartment-dwellers. A researcher presenting at the Kiwicon security conference detailed how he was able to use several vulnerabilities in the GrandStream GXV3175 video intercom, including directory traversal and command injection flaws, to potentially spy on any resident in an apartment building equipped with the devices. The issues were patched by the manufacturer after the researcher reported them. Source

December 12, The Register – (International) Microsoft pulls a patch and offers PHANTOM FIX for the mess. Microsoft took down an update included in its monthly Patch Tuesday release because the patch caused issues on systems running Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1. A second patch was then published to address the issue. Source

December 12, Securityweek – (International) Malwarebytes anti-exploit upgrade mechanism vulnerable to MitM attacks. A Fox-IT researcher identified and reported vulnerabilities in consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier that could have left the security products vulnerable to man-in-the-middle (MitM) attacks and allowed the download of malicious content. The vulnerabilities were reported in July and August and patched in September and October. Source

December 10, Softpedia – (International) Red October cyber spy op goes mobile via spear-phishing. Researchers with Blue Coat and Kaspersky Lab identified and analyzed a cyber-espionage campaign, dubbed Cloud Atlas or Inception Framework, that appears similar to the earlier Red October campaign and has been targeting the Android, iOS, and BlackBerry devices of specific users in the government, finance, energy, military, and engineering sectors in several countries via spear-phishing. The malware appears to be designed primarily to record phone conversations and can also track locations, monitor text messages, and read contact lists. Source

December 11, The Register – (International) Elderly zombie Asprox botnet STILL mauling biz bods, says survey. A report by Palo Alto Networks found that the Asprox botnet (also known as Kuluoz) was responsible for around 80 percent of recorded attacks during October across almost 2,000 organizations in sectors including the healthcare, financial services, and retail industries. The botnet malware plants malicious code in vulnerable Web sites via SQL injection attacks and has been used in phishing, malware distribution, and other attacks. Source

December 11, Softpedia – (International) Patch against critical flaw in HD FLV Player still leaves the plug-in vulnerable. A researcher with Sucuri reported that a recent patch closing a vulnerability that could have allowed unauthenticated arbitrary file downloads in the HD FLV Player component for Joomla, WordPress, and custom Web sites did not close a similar vulnerability that could allow an unauthenticated attacker to send out emails from an affected site. Source

December 11, The Register – (International) FreeBSD developers VANQUISH Demon bug. Researchers with Norse identified and reported a vulnerability in FreeBSD that could have allowed an attacker to inject malicious code into systems running the software. The developers of FreeBSD released a patch after receiving the report, closing the vulnerability. Source

December 11, Threatpost – (International) Black Energy malware may be exploiting patched WinCC flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an update to a previous alert concerning the Black Energy malware seen targeting human-machine interface (HMI) products, stating that the malware may be exploiting vulnerabilities in the Siemens SIMATIC WinCC software that were patched by Siemens November 11. Source

December 10, The Register – (International) Taxi app Uber plugs ‘privacy-threatening’ web security flaw. Ride-sharing service Uber closed a cross-site scripting (XSS) vulnerability in its Web site after a security researcher identified and reported the issue. The vulnerability could have exposed users’ cookies, personal information, browser history, and authentication credentials. Source

December 10, The Register – (International) ‘Critical’ security bugs dating back to 1987 found in X Window. The developers of the X Window System for Linux and other Unix operating systems issued patches closing several vulnerabilities that could be exploited to crash the system or run malicious code as the root user after they were identified and reported by a researcher at IOActive. Source

December 10, Securityweek – (International) Trihedral fixes vulnerability in SCADA monitoring and control software. Trihedral Engineering Ltd. released software updates for its VTScada (VTS) supervisory control and data acquisition (SCADA) software to close a vulnerability that could be used by an unauthenticated attacker to crash VTS servers. The software is used in industries including the energy, chemical, manufacturing, agriculture, transportation, and communications sectors. Source

December 10, Softpedia – (International) Flash Player fixes remote code execution bug exploited in the wild. Adobe released patches for six vulnerabilities in its Flash Player software, including a vulnerability reported by a researcher that could allow arbitrary code to be executed on affected systems. The arbitrary code execution vulnerability has been observed being exploited in the wild and all users were advised to update their versions of Flash Player as soon as possible. Source

December 10, Securityweek – (International) SQL injection, other vulnerabilities found in InfiniteWP admin panel. A researcher with Slik identified and reported several vulnerabilities in the InfiniteWP administration application for WordPress Web sites, including SQL injection vulnerabilities that could be used by an unauthenticated attacker to gain control of WordPress sites. Source

December 10, Securityweek – (International) Flaw in AirWatch by VMware leaks info in multi-tenant environments. VMware released an update for its AirWatch enterprise mobile management and security platform December 10 that closes vulnerabilities that could allow a user that manages a deployment in a multi-tenant environment to view the statistics and organizational information of another tenant. Source

December 10, Securityweek – (International) Recursive DNS resolvers affected by serious vulnerability. The Computer Emergency Response Team Coordination Center (CERT/CC) reported December 9 that recursive Domain Name System (DNS) resolvers are vulnerable to an issue where a malicious authoritative server can cause them to follow an infinite chain of referrals, leading to a denial of service (DoS) state. Source

December 10, Securityweek – (International) Third-party bundling made IBM products most vulnerable: Study. Secunia released a report on security vulnerabilities disclosed between August and October and found that vulnerabilities increased by 40 percent compared to the previous year to a total of 1,841 vulnerabilities in the 20 most vulnerable products, among other findings. The report also found that Google Chrome had the largest number of disclosed security issues, and that IBM was the most vulnerable vendor due to products being bundled with third-party software. Source

December 9, Securityweek – (International) Microsoft releases critical IE security update on Patch Tuesday. Microsoft released its monthly Patch Tuesday round of updates for its products December 9, which included 7 security bulletins addressing 24 vulnerabilities. Three vulnerabilities were considered critical and affected Internet Explorer, Microsoft Word and Office Web Apps, and the VBScript scripting engine. Source

December 9, Threatpost – (International) New version of Destover malware signed by stolen Sony certificate. Researchers at Kaspersky Lab identified a new variant of the Destover malware used in an attack on Sony Pictures Entertainment that uses a stolen, legitimate certificate from Sony. The malware is basically identical to previous versions except for the use of a certificate. Source

December 9, SC Magazine – (International) SEO poisoning campaign ensnares several thousand websites, security expert finds. A webmaster identified, and researchers from Websense and High-Tech Bridge confirmed, that several thousand legitimate Web sites hosted on GoDaddy and other services had been compromised to improve the search engine optimization (SEO) ranking of other sites by inserting links into the legitimate sites. GoDaddy stated that the company was investigating the issue. Source

December 9, U.S. Consumer Product Safety Commission – (International) Lenovo recalls computer power cords due to fire and burn hazards. Lenovo announced a recall for around 544,000 Lenovo LS-15 AC power cords in the U.S. and Canada due to the potential for the power cords to overheat, posing fire and burn hazards. Source

December 9, Securityweek – (International) Hackers breached payment solutions provider CHARGE Anywhere: Undetected since 2009. Electronic payment solutions provider CHARGE Anywhere stated December 9 that attackers had gained access to its network as early as November 2009 using a previously unknown and undetected piece of malware and were able to capture payment card data from some communications that did not have encryption. The company discovered the compromise September 22 and an investigation found that network traffic capture occurred between August 17 and September 24. Source


Gotham Security Daily Threat Alerts

December 9, Securityweek – (International) Newly discovered ‘Turla’ malware targets Linux systems. Kaspersky Lab researchers identified a piece of malware targeting Linux systems associated with the Turla advanced persistent threat (APT) group (also known as Uroburos or Snake) that is based on the cd00r proof-of-concept backdoor and is capable of hidden network communications, remote management, and arbitrary remote command execution. Previous versions of Turla malware have targeted Windows systems in government agencies, military groups, educational institutions, pharmaceutical companies, and other targets in more than 45 countries. Source:

December 9, Reuters – (International) Fraud from bots represents a loss of $6 bln in digital advertising. The Association of National Advertisers and researchers with White Ops released a report December 9 which found that around 25 percent of video ads and 11 percent of display ads online are viewed by automated bots set up by cyber criminals to inflate Web site audiences. The researchers stated that such fraud could cost advertisers an estimated $6.3 billion in the next year. Source:

December 9, Softpedia – (International) POODLE attack also affects some TLS implementations. A researcher with Google reported that certain implementations of Transport Layer Security (TLS) with an SSL 3.0 decoding function can be exploited through POODLE attacks to decrypt sensitive information. The researcher identified the vulnerability in older versions of Network Security Services (NSS) as well as in Web sites administered by Bank of America with load balancing devices from A10 Networks and F5 Networks. Source:

December 9, Help Net Security – (International) Info on millions of AliExpress customers could have been harvested due to site flaw. A security researcher identified and reported a flaw in the AliExpress online marketplace that could have allowed a logged-in user to exploit an insecure direct object reference vulnerability to view other users’ names, addresses, and phone numbers. Alibaba, parent company of AliExpress, closed the vulnerability after the researcher’s report. Source:

December 8, Softpedia – (International) Yik Yak flaw de-anonymizes user, allows control over account. SilverSky researchers identified and reported a vulnerability in the Yik Yak anonymous social media platform for iOS that could allow an attacker to discover the identity of a user and take over their account, because the Flurry advertising tool transmitted, without encryption, the app’s secure ID, which the app uses in place of a password. The researchers reported the issue to Yik Yak and a patch was released in December. Source:

December 8, Securityweek – (International) Google App Engine plagued by tens of vulnerabilities: Researchers. Security Explorations researchers reported identifying several vulnerabilities in the Google App Engine platform-as-a-service (PaaS) product, including issues that could be used to achieve a complete sandbox escape. Google confirmed that it received the researchers’ report and was analyzing the reported issues. Source:

December 8, IDG News Service – (International) Attackers knock PlayStation Network offline for hours. Sony Computer Entertainment America acknowledged that some users of its Sony PlayStation Network (PSN) were unable to access the service for several hours December 7 due to an apparent attack. Attackers identifying themselves as the Lizard Squad group claimed credit for the disruption. Source:

December 8, Securityweek – (International) New variant of Neverquest banking trojan targets North America. Researchers with IBM Trusteer reported December 5 that they have observed a new variant of the Neverquest banking trojan being used predominantly against financial institutions in North America, with some additional targets in the media, gaming, and social networking industries. The malware has been distributed by drive-by downloads using exploit kits as well as by the Chaintor and Zemot trojan downloaders. Source:

December 8, Tampa Tribune – (Florida) Fugitive arrested in Tampa credit-card fraud ring. Federal authorities announced December 8 that the alleged leader of a payment card skimming and fraud ring in Tampa that stole more than $650,000 from financial institutions by using keyloggers on point of sale terminals was arrested after more than a year as a fugitive. Several co-conspirators were previously convicted and sentenced for their roles in the fraud ring. Source:

The End of Promiscuous Computing

As I get older I find myself using the phrase “Remember When?” more and more often.

Remember when candy bars cost a nickel?

Remember when kids would just go out and play after school?

Remember when you could get hired by a company, work your whole life there, and retire with a pension?

As the cyber-attacks mount, I think we’re seeing the emergence of a new “remember when”.

Remember when we used to go on the Internet and download code from vaguely anonymous servers that we would run on our personal computers? Often inside our “secure” business networks?

Of course this isn’t really going to have the nostalgic feel of 5-cent candy bars. It’s going to have the feel of some old hippy telling you about random unprotected sex in the bathroom of Studio 54.

Oh sure, Java’s got a security model and every browser explains how it keeps you safe. There are plenty of new technologies coming out to make this sort of promiscuous behavior less dangerous. Listen, I’m all for antibiotics and vitamins, but that doesn’t mean you lick the inside of the subway car as part of your morning NYC commute.


Citrix Receiver 4.2

Citrix recently released Receiver 4.2, and there are some major enhancements. Typically Receiver updates are not worth all that much fanfare, but this release has some really noteworthy features.

New Features

The following is a high-level list of new features:

  • Start menu integration and shortcut management
  • Support for Windows tablet and multi touch with virtual apps and desktops
  • HDX Mobility
  • USB Device Selection
  • Device selection for seamless apps
  • Improved graphic performance with XenApp and XenDesktop 7.6

These may not seem like a big deal, but let’s explore the new features and what they really mean.

  • Start menu integration and shortcut management
    • This is huge as it brings back a feature that was previously supported with PNAgent. If you are looking to seamlessly present published applications on the Start Menu of the user’s physical desktop you now have that ability. I know many customers that have been waiting for this feature ever since migrating to Receiver/StoreFront.
  • USB Device Selection
    • Citrix now supports USB 3.0 redirection along with an updated connection center that allows the user to manage USB device connections.
  • Improved graphic performance with XenApp and XenDesktop 7.6
    • HD resolution H.264 video playback is now available, which is beneficial to thin clients using multi-monitor configurations at higher screen resolutions.
  • Desktop Lock
    • Initially Desktop Lock (hot desktop) came out many years ago and utilized Password Manager. There have been various iterations since then. Receiver 4.2 greatly improves on this, as it can be utilized on a locked-down thin client or recycled workstation. Of course, it doesn’t require Password Manager.

Overall there are some great features/enhancements with Receiver 4.2.

One other note: Citrix has decided to disable use of SSL v3 to improve security.
