
Gotham Security Daily Threat Alerts

July 22, Softpedia – (International) Decrypter available for ODCODC ransomware. A security researcher known as BloodyDolly released a decrypter for the ODCODC ransomware that sidesteps ODCODC’s RSA-2048 encryption and recovers the victim’s files without paying the ransom. Source

July 21, SecurityWeek – (International) Persistent XSS patched in WooCommerce WordPress plugin. WooCommerce released version 2.6.3 of its ecommerce plugin for WordPress, addressing a persistent cross-site scripting (XSS) vulnerability reported by a researcher from Securify. An attacker could craft an image file whose metadata contains malicious JavaScript; when an administrator uploaded that image as a product image or gallery item, the script was injected into the targeted Web site, where it could steal session tokens or the victim’s login credentials. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

July 21, Help Net Security – (International) Vulnerabilities affecting SAP HANA and SAP Trex put 10,000 customers at risk. Onapsis released security advisories on vulnerabilities in SAP High-Performance Analytic Appliance (HANA) and SAP Trex, including a critical-risk flaw in SAP HANA that exposes it to brute-force attacks and could allow an attacker to gain unrestricted access to business information, and a critical-risk remote command execution flaw in SAP Trex that could allow an unauthenticated attacker to modify arbitrary database information, among other vulnerabilities. Onapsis researchers reported the flaws pose a risk to over 10,000 SAP customers running different versions of SAP HANA. Source

July 21, Help Net Security – (International) Cisco plugs critical flaw in data center operations management solution. Cisco patched a critical vulnerability in the Web framework of its Unified Computing System (UCS) Performance Manager software after a researcher from the Adidas Group discovered that a remote attacker could exploit it by sending crafted Hypertext Transfer Protocol (HTTP) GET requests to an affected system, executing arbitrary commands with root privileges. Source

July 21, SecurityWeek – (International) Chrome 52 patches 48 vulnerabilities. Google released Chrome 52 patching 48 security flaws including 11 high risk flaws and 6 medium severity flaws after external researchers found a high risk sandbox escape flaw in Pepper Plugin application programming interface (PPAPI), a high risk uniform resource locator (URL) spoofing on iOS, a use-after-free in Extensions, and a heap-buffer-overflow issue affecting sfntly, among other vulnerabilities. Source

July 20, Softpedia – (International) Backdoor account found in Dell network security products. Dell released patches addressing six serious security flaws in the Dell SonicWALL Global Management System (GMS) after researchers from Digital Defense, Inc. (DDI) discovered that the product contained a hidden account which could be used to add non-administrative users via the command-line interface (CLI) client, a step that lets an attacker escalate privileges and take full control of the GMS interface and every attached SonicWALL appliance. DDI researchers also found two unauthenticated root command injections that lead to remote code execution (RCE) with root privileges, among other vulnerabilities. Source

July 20, SecurityWeek – (International) CrypMIC ransomware emerges as CryptXXX copycat. Trend Micro researchers discovered a ransomware family dubbed CrypMIC that mimics CryptXXX: it is distributed by the Neutrino exploit kit (EK), uses the same ransom note and payment site, and communicates with its command and control (C&C) servers over a custom protocol on transmission control protocol (TCP) port 443, among other similarities. The two families nonetheless differ in source code and capabilities; unlike CryptXXX, CrypMIC does not download and execute an information-stealing module in its process memory and therefore cannot harvest credentials and related information from the infected device. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

July 20, SecurityWeek – (International) Oracle’s critical patch update for July contains record number of fixes. Oracle released its July Critical Patch Update (CPU) that addressed a total of 276 vulnerabilities in several of its products including 19 critical security flaws affecting the Oracle WebLogic Server component, the Hyperion Financial Reporting component, and the Oracle Health Sciences Clinical Development Center component, among other applications. The update also resolves 36 security flaws in applications specifically designed for the insurance, health, financial, and utility sectors, as well as 159 remote code execution (RCE) flaws that can be exploited without authentication. Source

July 20, Softpedia – (International) Free decrypter available for Bart ransomware. A security researcher for AVG released a free decrypter for the Bart ransomware that recovers files locked by the ransomware after discovering Bart uses one password for all files placed inside a password-protected ZIP archive. Source

July 19, SecurityWeek – (International) Petya ransomware gets encryption upgrade. A security researcher known as hasherezade found that the Petya ransomware no longer allows easy data recovery: its operators now bundle Petya with Mischa, a fallback that encrypts user files one at a time if Petya fails to overwrite the Master Boot Record (MBR), take over the boot process, and encrypt the entire hard disk after a reboot. Source

July 19, IDG News Service – (International) Security software that uses ‘code hooking’ opens the door to hackers. Researchers from enSilo discovered six security vulnerabilities in over 15 products, including antivirus programs from Kaspersky Lab, Trend Micro, and Symantec, that use hooking to intercept, monitor, or modify potentially malicious behavior in applications and operating systems (OS). The flaws in the hooking engines can be exploited to bypass the anti-exploit mitigations provided by Microsoft Windows or third-party products and to inject malicious code into any process running on a victim’s device while remaining undetected. Source

July 19, Softpedia – (International) Gmail security filters can be bypassed just by splitting a word in two. Security researchers from SecureState discovered that an attacker can bypass the Gmail security filters responsible for detecting malicious macros in Microsoft Office document attachments simply by splitting “trigger words” in two, for example by breaking a sensitive term across two lines of the macro code: the filters failed to flag the malicious macro once no single line contained the intact term. Source
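
The bypass above boils down to a filter that matches trigger words one line at a time. The Python below, added here as an illustration and not SecureState’s own research code, contrasts such a naive scanner with one that normalizes VBA line continuations and string concatenation before matching, and that also checks the stream of string literals in source order. The two macros and the trigger list are constructed for the example; the real filter’s trigger words are not public, and the literal-stream check is a heuristic that can glue unrelated strings together, so a hit from it deserves lower confidence than a hit on normalized code.

```python
"""Line-oriented keyword filtering versus a normalizing scanner.
Added example with constructed VBA macros; the trigger list is illustrative."""

import re

# Illustrative trigger words a mail filter might key on (lower-cased for matching).
TRIGGERS = ("wscript.shell", "powershell")

# Constructed macro that a naive keyword filter catches on sight.
OBVIOUS_MACRO = '''Sub AutoOpen()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -nop -w hidden -enc AAAA"
End Sub
'''

# Same behaviour, but no single line contains an intact trigger word:
# one term is assembled in a variable over two statements, the other is
# split with VBA string concatenation across a line continuation (" _").
SPLIT_MACRO = '''Sub AutoOpen()
    Dim p As String
    p = "WScri"
    p = p & "pt.Shell"
    Set sh = CreateObject(p)
    sh.Run "power" & _
        "shell -nop -w hidden -enc AAAA"
End Sub
'''


def naive_scan(source):
    """Line-oriented filter: flag (line number, trigger) for any line containing a trigger."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        low = line.lower()
        hits.extend((lineno, t) for t in TRIGGERS if t in low)
    return hits


# VBA line continuation: whitespace, underscore, newline, then indentation.
_CONTINUATION = re.compile(r"[ \t]_\r?\n[ \t]*")
# Two adjacent string literals joined with '&'.
_CONCAT = re.compile(r'"([^"\n]*)"[ \t]*&[ \t]*"([^"\n]*)"')
_LITERAL = re.compile(r'"([^"\n]*)"')


def normalize(source):
    """Undo the two splitting tricks: join line continuations, then fold
    "a" & "b" into "ab" until nothing changes."""
    joined = _CONTINUATION.sub("", source)
    prev = None
    while prev != joined:
        prev, joined = joined, _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', joined)
    return joined


def literal_stream(source):
    """All string literals in source order, glued together. Catches values built
    up over several statements (p = "a" ... p = p & "b"). Heuristic: it also glues
    unrelated strings, so treat matches here as lower confidence."""
    return "".join(_LITERAL.findall(source))


def hardened_scan(source):
    """Scan normalized code and the literal stream; return the sorted set of triggers seen."""
    norm = normalize(source)
    found = set()
    low = norm.lower()
    found.update(t for t in TRIGGERS if t in low)
    stream = literal_stream(norm).lower()
    found.update(t for t in TRIGGERS if t in stream)
    return sorted(found)


if __name__ == "__main__":
    for name, macro in (("obvious", OBVIOUS_MACRO), ("split", SPLIT_MACRO)):
        print(name, "naive:", naive_scan(macro), "hardened:", hardened_scan(macro))
```

The naive scanner sees both triggers in the first macro and nothing in the second; the hardened scanner reports both triggers for both. Normalizing is cheap, but it only covers the splitting tricks it knows about, which is why a filter should ultimately reason about behaviour (what the macro calls and runs) rather than about the spelling of keywords.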

July 19, SecurityWeek – (International) DoS vulnerability patched in BIND. The Internet Systems Consortium (ISC) released BIND versions 9.9.9-P2 and 9.10.4-P2 addressing a medium-severity denial-of-service (DoS) vulnerability in the lightweight resolver daemon (lwresd) and in systems that use the lightweight resolver (lwres) protocol to resolve names: due to an error in the protocol implementation, the server can terminate when asked to resolve a query name that, combined with a search list entry, exceeds the maximum allowable length. Source

July 20, Softpedia – (National) DDoS attack takes down U.S. Congress Web site for three days. A U.S. Library of Congress spokesperson reported that the U.S. Library of Congress, U.S. Copyright Office, and U.S. Congress Web sites were inaccessible July 17 – July 20 following a distributed denial-of-service (DDoS) attack involving a type of Domain Name System (DNS) attack that affected the infrastructure of the server hosting the Web sites. Officials reported the Web sites have recovered and no other U.S. Government portals appear to have been affected by the attack. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 19, SecurityWeek – (International) Apple patches tens of vulnerabilities in iOS, OS X. Apple Inc. released security updates for several of its products, including OS X El Capitan version 10.11.6, which patched a total of 60 security bugs affecting components such as Audio, FaceTime, and CFNetwork, among others; one of the flaws, reported by a Zscaler researcher, could allow unprivileged applications to access cookies stored by the Safari browser. Apple also released iOS version 9.3.3, resolving 43 vulnerabilities, one of which could allow an attacker with physical access to the device to abuse Siri and view private contact information, among other patches. Source

July 18, Softpedia – (International) HTTPoxy vulnerability affects CGI-based apps in PHP, Python, and Go. A developer from Vend found that CGI applications written in Hypertext Preprocessor (PHP), Python, and Go were affected by a vulnerability dubbed HTTPoxy: CGI-based environments that receive an incoming Hypertext Transfer Protocol (HTTP) request containing a “Proxy” header copy the header’s value into the HTTP_PROXY environment variable without sanitization, and many HTTP client libraries read that variable as their outgoing proxy setting. An attacker could therefore force a vulnerable CGI application to route its outgoing HTTP requests through a malicious proxy, carry out Man-in-the-Middle (MitM) attacks on those requests, and poison the responses the application relies on. Source
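
The header-to-environment collision described above is mechanical enough to show in a few lines. The Python below is an added example, not code from the HTTPoxy advisory or from any affected project: it reproduces the CGI header mapping on a constructed request, then shows the two independent places the chain can be cut, at the gateway (drop the header) and in the client library (ignore HTTP_PROXY when running under CGI). The request headers and host names are constructed, and the lookup functions emulate library behaviour rather than calling a real HTTP client.

```python
"""HTTPoxy in miniature: how a client-supplied "Proxy:" request header turns
into the HTTP_PROXY environment variable under CGI, and the two places the
chain can be cut. Added example; the request headers below are constructed."""

# Constructed request headers, as the Web server hands them to a CGI handler.
ATTACKER_REQUEST = {
    "Host": "shop.example.test",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://attacker.example.test:8080",   # attacker-controlled
}
CLEAN_REQUEST = {
    "Host": "shop.example.test",
    "User-Agent": "curl/7.47.0",
}


def cgi_meta_variables(headers, method="GET"):
    """RFC 3875 mapping: each request header is exposed to the script as
    HTTP_<NAME>, upper-cased with '-' turned into '_'. 'Proxy' therefore lands in
    HTTP_PROXY, the same name many HTTP client libraries read for their outbound
    proxy setting. Nothing is sanitized; that is the whole bug."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Gateway-side mitigation: drop a 'Proxy' header before the CGI environment
    is built. No browser sends one, so nothing legitimate breaks. This is what the
    advisory's Apache (RequestHeader unset Proxy early) and nginx
    (fastcgi_param HTTP_PROXY "") rules achieve."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def legacy_proxy_lookup(env):
    """Pre-fix client-library behaviour: honour HTTP_PROXY in either case,
    regardless of how the process was started."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def safe_proxy_lookup(env):
    """Library-side mitigation, as adopted by Python's urllib and Go's net/http:
    if REQUEST_METHOD is set the process is running under CGI, so an upper-case
    HTTP_PROXY may have come from the request and is ignored. Lower-case
    http_proxy cannot be set from a header (CGI always upper-cases) and stays trusted."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def outbound_proxy(headers, gateway_strips=False, library_fixed=False):
    """End to end: which proxy would the script's outgoing HTTP request use?
    Returns None when no proxy would be applied."""
    if gateway_strips:
        headers = strip_proxy_header(headers)
    env = cgi_meta_variables(headers)
    lookup = safe_proxy_lookup if library_fixed else legacy_proxy_lookup
    return lookup(env)


if __name__ == "__main__":
    print("vulnerable  :", outbound_proxy(ATTACKER_REQUEST))
    print("gateway fix :", outbound_proxy(ATTACKER_REQUEST, gateway_strips=True))
    print("library fix :", outbound_proxy(ATTACKER_REQUEST, library_fixed=True))
```

With the attacker’s request and neither fix, the script’s outgoing traffic goes to the attacker’s proxy; either fix alone is enough to stop it. Apply both where you can: the gateway rule protects every language and library behind that server, while the library fix protects scripts that run behind a gateway you do not control.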

July 18, SecurityWeek – (International) CryptXXX now being distributed via spam emails. Security researchers from Proofpoint warned that the CryptXXX malware was leveraging a spam email campaign after discovering that the emails, using subjects such as “Security Breach – Security Report #123456789,” were tricking users into activating malicious macros embedded in the emails’ document attachments, which were designed to download and install the ransomware when the victim interacted with them. Source

July 18, Softpedia – (International) Steemit social network hacked, user funds stolen, DDoS attack ensued. Steemit, a social networking platform, announced July 14 that an unknown attacker exploited browser-side vulnerabilities to steal $85,000 worth of Steem Dollars and Steem Power from approximately 260 users after a user reported mysterious transactions that moved funds from his account to an account on Bittrex, a cryptocurrency exchange. Steemit’s servers also faced a distributed denial-of-service (DDoS) attack, prompting the network to take its servers down for maintenance and service upgrades. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 18, Help Net Security – (International) Ubuntu Forums hacked again, 2 million users exposed. Canonical’s chief executive officer (CEO) reported that an attacker exploited a Structured Query Language (SQL) injection flaw in the Ubuntu Forums to access and download part of the Forums database, containing usernames, email addresses, and internet protocol (IP) addresses for 2 million users. After being notified that an individual was claiming to have a copy of the database, Canonical took the Forums database offline, reset all users’ passwords, and installed a Web application firewall. Source

July 17, Softpedia – (International) Researcher finds way to steal money from Instagram, Google, and Microsoft. An independent Belgian security researcher discovered a flaw in Facebook’s, Google’s, and Microsoft’s voice-based two-factor authentication (2FA) token delivery: an attacker who set up premium-rate phone numbers and linked them to fake Instagram, Google, and Microsoft Office 365 accounts could use automated scripts to request 2FA codes for all of the accounts, causing the services to place legitimate calls to the premium-rate numbers and earning the attacker a substantial profit. Source

July 15, IDG News Service – (International) Cisco patches serious flaws in router and conferencing server software. Cisco Systems released patches addressing several vulnerabilities in its Cisco Internetwork Operating System (IOS), IOS XR, ASR 5000, WebEx Meetings Server, and Cisco Meeting Server products, including a high-severity denial-of-service flaw and an arbitrary code execution issue in Cisco IOS XR, two cross-site scripting (XSS) vulnerabilities in WebEx Meetings Server version 2.6, and an insecure Simple Network Management Protocol (SNMP) implementation in the ASR 5000 Series platform, among other vulnerabilities. Source

July 15, SecurityWeek – (International) Locky ransomware gets offline encryption capabilities. Security researchers from Avira discovered an update to the Locky ransomware that lets it fall back to an offline encryption mode when it cannot reach its command and control (C&C) server. The development mimics the Bart ransomware in that the malware can still encrypt files even when its Internet connectivity is blocked, which defeats defenses that rely on blocking or sinkholing the C&C traffic. Source

July 17, Softpedia – (International) Pokemon GO servers suffer DDoS attack at the hands of PoodleCorp. The popular gaming app, Pokemon GO, went offline for several hours July 16 due to a distributed denial-of-service (DDoS) attack carried out by hacker group PoodleCorp. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 15, SecurityWeek – (International) New trojan helps attackers recruit insiders. Researchers at Gartner Research and Diskin Advanced Technologies described a new trojan dubbed “Delilah” that uses social engineering and extortion to recruit insiders: it collects personal information and captures video from the targeted user’s webcam, giving its operators material with which to manipulate or blackmail the targeted individual, and it instructs its victims to use virtual private networks (VPNs) and the Tor network. Source

July 15, SecurityWeek – (International) IE exploit added to Neutrino after experts publish PoC. FireEye and Symantec researchers found that the Neutrino exploit kit (EK), which uses an Adobe Flash file to profile a victim’s system and decide which exploit to deliver, added an Internet Explorer exploit for two remote code execution (RCE) vulnerabilities patched by Microsoft in May shortly after researchers published a proof-of-concept (PoC) exploit for them. The exploit added to Neutrino is identical to the published one except for the code that runs after initial control is gained. Source

July 14, Softpedia – (International) CryptXXX devs provide free decryption keys for some ransomware versions. Bleeping Computer reported that one category of CryptXXX victims, those whose files were encrypted with the “.crypz” and “.cryp1” extensions, could obtain a free decryption key by visiting the ransomware’s Tor-based payment sites. Source

July 14, Softpedia – (International) Maxthon browser collects sensitive data even if users opt out. Maxthon is investigating after Exatel and Fidelis Cybersecurity researchers found that the Maxthon Web browser collects sensitive information and sends it to the company’s servers even when the user opts out, due to an issue in the current implementation of the User Experience Improvement Program (UEIP), the mechanism through which the browser maker collects analytics on how users utilize the product. Source

July 15, SecurityWeek – (National) Hundreds of flaws found in Philips Healthcare product. Philips advised Xper Connect users to update their operating system (OS) to Microsoft Windows 2008-R2 and install Xper version 1.5 service pack 13 after Whitescope LLC and Synopsys researchers discovered 460 vulnerabilities in Philips Xper Information Management Connect, which include code injections, information exposure flaws, and resource management and numeric errors, among others, that can allow an attacker to compromise the system. Source

July 14, Threatpost – (International) Cisco patches DoS flaw in NCS 6000 routers. Cisco Systems released patches for two products. The first addresses a Simple Network Management Protocol (SNMP) configuration management flaw in the Cisco ASR 5000 Series prior to versions 19.4 and 20.1 that could allow a remote attacker to read and modify device configurations using the SNMP read-write community strings. The second addresses a critical flaw in the management of system timer resources in Cisco IOS XR for the Cisco Network Convergence System 6000 Series routers that could allow a remote attacker to crash the router by opening a number of Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure File Transfer Protocol (SFTP) management connections to an affected device. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 14, IDG News Service – (International) Juniper patches high-risk flaws in Junos OS. Juniper Networks fixed several vulnerabilities in the Junos operating system (OS) used on its networking and security appliances, including an information leak in the J-Web interface, vulnerabilities that could lead to denial of service conditions, a potential kernel crash, a potential memory buffer (mbuf) leak, a crypto vulnerability, and an issue with SRX Series devices. Source

July 14, Softpedia – (International) Microsoft discovers new version of Troldesh ransomware. Microsoft Malware Protection Center researchers discovered a new version of the Troldesh ransomware, also known as Encoder.858 and Shade Ransomware, that contains new modifications including a dedicated payment portal where users can get information on how to pay the ransom, utilization of a Tor Web site, and two new extensions, “.da_vinci_code” and “.magic_software_syndicate,” which are added to the end of encrypted files. Source

July 14, Softpedia – (International) Huge spam wave drops Locky variant that can work without an internet connection. F-Secure researchers examined a July 12 campaign distributing the Locky ransomware in which the group sent out 120,000 spam email messages every 2 hours in two separate waves. Avira researchers also found that a new Locky variant works in “offline mode,” making it harder to block. Source

July 13, IDG News Service – (International) Three popular Drupal modules patch site-takeover flaws. Drupal, a content management system, worked with the maintainers of three third-party modules, RESTWS, Coder, and Webform Multiple File Upload, to address critical vulnerabilities that could allow attackers to take control of Web sites, including a flaw that lets attackers execute rogue Hypertext Preprocessor (PHP) code on Web servers hosting Drupal sites with the modules installed, as well as other flaws that could lead to remote code execution (RCE). Source

July 13, Softpedia – (International) Ransomware permanently deletes your files then has the nerve to ask for money. Cisco Talos researchers discovered a new piece of ransomware dubbed Ranscam that deletes the victim’s files after infecting the computer, and removes core Microsoft Windows executables responsible for the System Restore feature, hard drive shadow copies, and several registry keys associated with booting into Safe Mode, among other modifications. Once the removal is complete, the ransomware shows its ransom note and falsely informs the victim that their files are encrypted and moved into a hidden partition. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

