
Gotham Security Daily Threat Alerts

August 12, Softpedia – (International) Locky ransomware uses vulnerable PHP forms for spam distribution. Researchers from Cisco’s OpenDNS team discovered that the group behind the Locky ransomware is leveraging security flaws in a PHP: Hypertext Preprocessor (PHP)-based Web-to-email service: a vulnerability in the PHP contact form script allows the cybercriminals to brute-force the Web form and make it send a message with the Locky payload attached to any email address. Researchers advised users to update their PHP Web-to-email form to the latest version to fix the problem. Source

August 12, SecurityWeek – (International) Microsoft patches flaw related to “malicious butler” attack. Microsoft released a patch addressing a serious Windows authentication bypass vulnerability. The flaw was dubbed a “remote malicious butler” attack after researchers discovered it can be leveraged remotely to bypass authentication on the Windows login screen; they also found that on a patched version of Windows, a device’s password could be changed if the rogue domain controller was disconnected in the middle of the password reset process. Researchers stated the patch addresses both the local evil maid attack and the remote butler version of the attack. Source

August 11, Help Net Security – (International) Hundreds of millions of cars can be easily unlocked by attackers. Security researchers discovered two remote attacks capable of unlocking millions of cars: one targets Volkswagen Group cars and involves recovering the cryptographic algorithms and keys from electronic control units, which allows an attacker to clone the signal that opens the vehicle; the other exploits the cryptographically weak cipher in the Hitag2 rolling code scheme used by manufacturers including Chevrolet and Ford to unlock the vehicle. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

August 11, SecurityWeek – (International) Linux flaw allows attackers to hijack web connections. Researchers from the University of California at Riverside and the U.S. Army Research Laboratory discovered a vulnerability in the Linux kernel’s implementation of the Transmission Control Protocol (TCP) specification that could be leveraged to intercept TCP-based connections between two hosts on the Internet, track users’ activity, terminate connections, and inject arbitrary data into a connection once an off-path attacker, knowing only the Internet Protocol (IP) addresses of the two communicating devices, has deduced the sequence numbers that identify the TCP packets exchanged between them. Developers of various Linux distributions were working to fix the security hole. Source

August 10, Softpedia – (International) Chrome, Firefox, and IE browser hijacker distributed via legitimate software. Intel McAfee security researchers discovered recent versions of the Bing.vc malware were being delivered to Google Chrome, Mozilla Firefox, and Microsoft’s Internet Explorer via legitimate-looking applications distributed by Lavians Inc. The malware takes over the browser’s homepage, inserts ads into visited sites, and redirects all users to Bing.vc in an attempt to sell victims an expensive utility to fix the browser hijacking problem. Researchers stated users must remove the registry keys or use an automated PC clean-up utility, as well as clean the shortcuts for each browser, in order to clear the malware from an infected system. Source

August 10, SecurityWeek – (International) Secure Boot vulnerability exposes Windows devices to attacks. Two researchers, known as MY123 and Slipstream, discovered that the new type of Secure Boot policy introduced in the Microsoft Windows 10 Anniversary Update, v1607, can be exploited to bypass the security feature and install rootkits and bootkits on Windows devices: the new supplemental policies are loaded by the boot manager without being properly checked and can be used to enable “test-signing,” a feature that, once activated, allows an attacker to bypass Secure Boot and load the malware. Researchers stated the attack can only be carried out by an attacker with admin privileges or physical access to the targeted device, and Microsoft was working to release a patch for the issue. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

August 10, Softpedia – (International) Data of nearly 2 million users exposed in Dota2 forum hack. Researchers from LeakedSource reported that the official Dota2 developers forum was breached July 10, with hackers stealing the usernames, email addresses, user identifiers, passwords, and IP addresses of nearly 2 million of the forum’s users; the stolen passwords were hashed with the MD5 algorithm and salted. Forum administrators patched the vulnerability and reset all user account passwords. Source
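The storage scheme named in the item is the reason a leak like this is dangerous: salted MD5 is a fast hash, so an attacker holding the table can test guesses at the full speed of the hash. As an added illustration (editorial example code, not anything from the Dota2 forum or LeakedSource), the script below implements that scheme beside the standard-library alternative, PBKDF2-HMAC-SHA256 with a high iteration count, using the same salt handling for both so that the work factor is the only difference; the iteration count is an assumed value, and `relative_cost` measures how many salted-MD5 evaluations fit in the time of one PBKDF2 evaluation on the machine it runs on.

```python
"""Password storage: salted MD5 (the scheme in the breach) beside a slow KDF.

Editorial example; not code from the breached forum. Both schemes use the same
salt handling, so the work factor is the only thing that differs.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumption: an OWASP-style work factor for SHA-256


def md5_salted_hash(password: str, salt: bytes) -> str:
    """Salted MD5 as used by older forum software: one fast hash per guess."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_password(password: str) -> str:
    """Record everything a verifier needs: scheme$iterations$salt$hash."""
    salt = os.urandom(16)   # fresh random salt per user
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS, salt.hex(), pbkdf2_hash(password, salt))


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False   # refuse anything but the slow scheme
    _scheme, iterations, salt_hex, digest = parts
    candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, digest)


def relative_cost(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS, samples: int = 2000) -> float:
    """Ratio of one PBKDF2 evaluation to one salted-MD5 evaluation (host-dependent)."""
    t0 = time.perf_counter()
    for _ in range(samples):
        md5_salted_hash(password, salt)
    md5_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    pbkdf2_hash(password, salt, iterations)
    return (time.perf_counter() - t0) / md5_each


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("PBKDF2 costs about %.0fx one salted MD5" % relative_cost("pw", b"salt"))
```

Verification rejects any record not in the slow scheme, so a migration has to rehash each user at next login rather than accept old MD5 entries indefinitely.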

August 10, SecurityWeek – (International) Microsoft patches flaws in Windows, Office, browsers. Microsoft released 9 security bulletins patching a total of 27 important and critical vulnerabilities including 9 critical vulnerabilities in Internet Explorer and 8 critical flaws in Edge that can be exploited for remote code execution and information disclosure by tricking a targeted user into visiting a malicious Website, remote code execution issues in Windows, Office, Skype for Business and Lync caused by the way Windows font library handles specially crafted embedded fonts, and critical flaws in Office that can be leveraged for remote code execution if a victim opens a malicious file, among other vulnerabilities. Source

August 10, SecurityWeek – (International) Juniper starts fixing IPv6 processing vulnerability. Juniper Networks released hotfixes for its JUNOSe F3 and F2 products resolving a vulnerability in its JUNOSe and Junos routers after Cisco researchers discovered the flaw can be exploited to cause a denial-of-service (DoS) condition by sending a flood of specially crafted IPv6 Neighbor Discovery (ND) packets from non-link-local sources to affected devices in order to fill up the packet processing queue and cause legitimate IPv6 ND packets to drop. The company was working to release patches for the issue. Source

August 9, Softpedia – (International) Researchers hide malware inside digitally signed files without breaking hashes. Security researchers from Deep Instinct discovered attackers could inject malware inside a digitally signed binary without affecting the overall file hash after finding that Microsoft Windows does not include three fields from a file’s Portable Executable (PE) headers during the file hash validation process and that modifying these fields does not break the certificate’s validity, allowing the malicious files to avoid detection by security and antivirus software. Researchers stated the technique does not require attackers to hide the malicious code via packers and bypasses any secondary checks of security software. Source
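The three fields the item refers to are the ones the Authenticode PE specification leaves out of the signed hash: the CheckSum field of the optional header, the Certificate Table entry of the data directory, and the attribute certificate table that entry points to. As an added illustration (editorial example code, not Deep Instinct’s research code and not a Microsoft tool), the script below models that rule on a constructed minimal PE32+ image and shows that bytes placed inside the certificate table leave the signed hash unchanged while the whole-file hash changes. The defensive half is `inspect_certificate_table`, which reports how many bytes a WIN_CERTIFICATE entry carries beyond the DER length of the PKCS#7 blob it declares; a clean signature carries none. The sample image and the stand-in signature blob are constructed inline, and the layout simplification (sections in file order, certificate table last) is an assumption that holds for normally built signed binaries.

```python
"""Authenticode hashing model and certificate-table inspection for PE files.

Editorial example, not Deep Instinct's or Microsoft's code. Assumes the usual
layout of signed binaries: sections in file order, certificate table last.
"""
import hashlib
import struct

CERT_TABLE_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE holding one
# OCTET STRING. Real signatures are far larger but begin the same way (0x30).
FAKE_SIGNATURE = b"\x30\x06\x04\x04TEST"


def pe_layout(pe: bytes) -> dict:
    """Locate the three regions Authenticode leaves out of the file hash."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                             # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)     # PE32+ vs PE32 data dirs
    cert_entry = dirs + CERT_TABLE_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    return {"checksum": opt + 0x40,                     # IMAGE_OPTIONAL_HEADER.CheckSum
            "cert_entry": cert_entry,                   # directory entry (offset, size)
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash with CheckSum, the certificate directory entry and the table skipped."""
    lay = pe_layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])
    h.update(pe[lay["checksum"] + 4:lay["cert_entry"]])
    if lay["cert_size"] == 0:
        h.update(pe[lay["cert_entry"] + 8:])
    else:
        h.update(pe[lay["cert_entry"] + 8:lay["cert_off"]])
        h.update(pe[lay["cert_off"] + lay["cert_size"]:])
    return h.hexdigest()


def file_hash(pe: bytes, algo: str = "sha256") -> str:
    """Plain hash of every byte, for comparison with the signed hash."""
    return hashlib.new(algo, pe).hexdigest()


def der_length(blob: bytes) -> int:
    """Encoded length of the DER SEQUENCE at the start of blob; 0 if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return 0
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def inspect_certificate_table(pe: bytes) -> list:
    """One finding per WIN_CERTIFICATE entry: bytes inside the entry beyond the
    DER blob it declares. Alignment padding sits outside dwLength, so a clean
    signature reports extra_bytes == 0."""
    lay = pe_layout(pe)
    table = pe[lay["cert_off"]:lay["cert_off"] + lay["cert_size"]]
    findings, pos = [], 0
    while pos + 8 <= len(table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8:
            break                                       # malformed entry
        body = table[pos + 8:pos + dw_length]
        declared = der_length(body)
        findings.append({"offset": lay["cert_off"] + pos, "type": cert_type,
                         "der_length": declared, "extra_bytes": len(body) - declared})
        pos += (dw_length + 7) & ~7                     # entries are 8-byte aligned
    return findings


def set_checksum(pe: bytes, value: int) -> bytes:
    """Copy of pe with a different CheckSum, to show the field is outside the hash."""
    out = bytearray(pe)
    struct.pack_into("<I", out, pe_layout(pe)["checksum"], value)
    return bytes(out)


def build_sample_pe(cert_body: bytes, extra: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (no sections) with one WIN_CERTIFICATE
    entry whose body is cert_body followed by extra. Not a real signed binary."""
    opt_size = 0xF0
    code = b"\x90" * 64                                 # stand-in for section data
    cert_off = 0x40 + 4 + 20 + opt_size + len(code)
    entry = struct.pack("<IHH", 8 + len(cert_body) + len(extra), 0x0200, 0x0002)
    entry += cert_body + extra
    entry += b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 0x40, 0xDEADBEEF)       # CheckSum, any value
    struct.pack_into("<II", opt, 0x70 + CERT_TABLE_INDEX * 8, cert_off, len(entry))
    return dos + b"PE\0\0" + coff + bytes(opt) + code + entry


if __name__ == "__main__":
    clean = build_sample_pe(FAKE_SIGNATURE)
    padded = build_sample_pe(FAKE_SIGNATURE, b"X" * 37)  # constructed extra bytes
    print("signed hash unchanged:", authenticode_hash(clean) == authenticode_hash(padded))
    print("whole-file hash unchanged:", file_hash(clean) == file_hash(padded))
    print(inspect_certificate_table(padded))
```

The practical takeaway for detection is the last call: a signature check alone says nothing about the excluded regions, so a scanner that trusts a valid Authenticode signature should separately compare the declared DER length of each certificate entry with the entry’s actual length and treat a large surplus as suspicious.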

August 9, SecurityWeek – (International) Go-based Linux trojan used for cryptocurrency. Doctor Web researchers reported that a new Linux trojan, dubbed Linux.Lady.1, allows hackers to earn a profit by exploiting infected systems for cryptocurrency mining: the trojan collects information on an infected machine, including the operating system, central processing unit (CPU), and processes, and sends the harvested data back to a command and control (C&C) server, which then provides a configuration file for downloading a cryptocurrency mining application designed for Monero (XMR) mining. Researchers also found the trojan is capable of spreading to other Linux computers on an infected network by connecting to remote hosts over port 6379 without a password and downloading a script from a specified Uniform Resource Locator (URL) which is responsible for downloading and installing a copy of the trojan. Source

August 9, Softpedia – (International) Criminal group uses LogMeIn to compromise PoS systems with malware. Researchers from PandaLabs discovered a criminal group was using compromised LogMeIn accounts belonging to systems running point-of-sale (PoS) software and connected to PoS terminals to access over 200 devices and infect them with the PunkeyPOS, Multigrain, or PosCardStealer malware. The researchers reported that the hackers exploited weak login credentials or discovered the login credentials from other sources. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

August 9, SecurityWeek – (International) Vulnerabilities found in several Fortinet products. Vulnerability Lab released the details of several flaws affecting the Web interface of the Fortinet FortiManager and FortiAnalyzer security management and reporting appliances, including a vulnerability that can be exploited by a remote attacker with access to a low-privileged user account to inject arbitrary code into the application if a victim clicks on a link or visits a Webpage containing the malicious code, a filter bypass issue, and multiple persistent cross-site scripting (XSS) flaws in the FortiVoice enterprise phone systems that can be exploited by a remote, authenticated attacker, among other security flaws. Fortinet released patches for all of the vulnerabilities and advised users to update their Fortinet product installations. Source

August 8, SecurityWeek – (International) Serious flaws found in Netgear, NUUO network video recorders. U.S. Computer Emergency Readiness Team (CERT) Coordination Center researchers warned that select network video recorders from NUUO Inc., and Netgear, Inc., were plagued by seven vulnerabilities including two input validation issues that could allow unauthenticated attackers to execute arbitrary code with root or admin privileges, an information disclosure bug that could allow a remote, unauthenticated attacker to view details on system processes, available memory and filesystem status by accessing a hidden page with a hardcoded username and password, and two flaws that can be leveraged to carry out arbitrary operating system (OS) commands and arbitrary code by any remote attacker who obtains admin privileges, among other flaws. Source

August 8, Help Net Security – (International) New vulnerabilities affect over 900 million Android devices, enable complete control of devices. Security researchers from Check Point reported four vulnerabilities, dubbed QuadRooter were affecting the software drivers in Qualcomm chipsets used in over 900 million Android smartphones and tablets and could trigger privilege escalations and gain root access to a device, allowing an attacker to change or remove system-level files, delete or add apps, and access the device’s screen, among other privileges, if any one of the four vulnerabilities is exploited. Check Point released a free QuadRooter scanner app that allows Android users to determine if their device is vulnerable, and advised Android users to download and install the latest software updates, among other practices, in order to avoid attacks. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Gotham Security Daily Threat Alerts

August 8, Help Net Security – (International) Remote Butler attack; APT groups’ dream come true. Microsoft security researchers developed an extension of the “Evil Maid” attack dubbed “Remote Butler” which allows attackers to bypass local Windows authentication to defeat full disk encryption without physical access to the targeted device. A patch released by Microsoft for the “Evil Maid” attack also prevents attackers from carrying out a “Remote Butler” attack. Source

August 6, Softpedia – (International) Cerber ransomware v2 spotted online, is now undecryptable. Trend Micro researcher PanicAll discovered that the Cerber ransomware was updated in versions v1.5 and v2 to break a previous decryption tool that allowed users to recover their encrypted files for free. The updates changed the extension added at the end of each encrypted file from “.cerber” to “.cerber2,” and extended the encryption keys generated by the CryptGenRandom Microsoft application programming interface (API) from 16 bytes to 32 bytes, among other updates. Source

August 6, Softpedia – (International) Linux botnets dominate the DDoS landscape. Kaspersky Lab released its distributed denial-of-service (DDoS) Intelligence Report, which reported that Linux botnets accounted for 70.2 percent of all DDoS attacks initiated during quarter 2 (Q2) of 2016, compared with 44.5 percent of DDoS attacks carried out by Linux botnets in quarter 1 (Q1). The report also stated that SYN DDoS attacks were the most popular method for DDoS attacks during Q2, followed by transmission control protocol (TCP), Hypertext Transfer Protocol (HTTP), and Internet control message protocol (ICMP) floods. Source

August 5, Softpedia – (International) New Remcos RAT available for purchase on underground hacking forums. Symantec researchers reported that a malware developer dubbed Viotto posted the Remcos Remote Access Trojan (RAT), targeting Microsoft Windows versions XP and higher, for sale on underground hacking forums. The RAT gives hackers the ability to take screenshots of infected computers, log keystrokes offline or in real time, and record content via the infected device’s camera, among other malicious actions, and sends the stolen data encrypted via Hypertext Transfer Protocol Secure (HTTPS) to the command and control (C&C) server. Researchers also discovered the trojan can queue operations to be carried out when the victim goes online and includes a password dumping component that can dump passwords from applications like Microsoft’s Internet Explorer, Mozilla Firefox, and Apple Inc.’s Safari, among others. Source

August 5, SecurityWeek – (International) VMware Tools flaw allowed code execution via DLL hijacking. VMware published an advisory describing two vulnerabilities in several of its products, including a dynamic-link library (DLL) hijacking issue in the Windows version of VMware Tools related to the VMware Host Guest Client Redirector component that could be exploited to execute arbitrary code on a targeted system: when a document is opened from a uniform naming convention (UNC) path, the Client Redirector loads a DLL named “vmhgfs.dll” into the application opening the file, allowing an attacker to get a malicious DLL loaded into the application and compromise the system. The second vulnerability is a Hypertext Transfer Protocol (HTTP) header injection issue in vCenter Server and ESXi caused by a lack of input validation that could allow a hacker to launch cross-site scripting (XSS) or malicious redirect attacks. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

August 8, Dark Reading – Symantec Discovers Strider, A New CyberEspionage Group. In action for five years, the highly selective threat actor is only known to have compromised seven organizations. Symantec has discovered a previously unknown cyberespionage group so selective in its targets that it is only known to have compromised seven organizations and 36 endpoints since it started operating five years ago. Dubbed “Strider” by Symantec, the threat actor’s malware of choice is a custom Windows infostealer called Remsec — stealthy, modular, and written in Lua. Source

August 8, Dark Reading – Newly Announced Chipset Vuln Affects 900 Million Android Devices. Check Point Research Team details four vulnerabilities that can easily lead to full privilege escalation. Over 900 million Android smartphones and tablets are at risk of a full device compromise due to a dangerous grouping of vulnerabilities found and discussed at length at Defcon yesterday by researchers with Check Point Research Team. Dubbed the QuadRooter vulnerabilities, each of the foursome uncovered by these researchers enables attackers to trigger privilege escalation and eventually achieve root in affected devices. Source


Gotham Security Daily Threat Alerts

August 5, Softpedia – (International) HEIST attack can steal data from HTTP-encrypted traffic. Two security researchers discovered hackers could carry out a Web-based attack, dubbed HEIST to steal encrypted content from Hypertext Transfer Protocol Secure (HTTPS) traffic by embedding special JavaScript code on a Webpage that fetches content via a hidden JavaScript call from a private page containing sensitive information including credit card numbers and Social Security numbers, then pinpoints the size of the embedded data transferred in small transmission control protocol (TCP) packets using a repeated probing mechanism in order to guess the content exchanged in the HTTPS traffic. Researchers advised users to disable support for third-party cookies or JavaScript execution in their browsers to block HEIST attacks. Source

August 5, Help Net Security – (International) 58% of orgs have no controls in place to prevent insider threats. Veriato and other firms released the Insider Threat Spotlight Report, which found that nearly half of the 500 cybersecurity professionals surveyed experienced an increase in insider attacks since 2015, 58 percent of organizations lack appropriate controls to prevent insider attacks, and 44 percent of those surveyed were unaware whether their organization had experienced an insider attack. The survey also found that the endpoint is the most common point for a malicious actor to launch an insider attack, followed by mobile devices. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

August 5, Dark Reading – New Internet Security Domains Debut. Meet the new .security and .protection domains. Registry operator gen.xyz this week launched two new top-level Internet domains — .security and .protection — aimed at creating websites with higher security as well as a safer online experience for end users. Registrants can use the domains to reinforce a brand, organization name, service locations, or industry keywords, says Nils Decker, director of business development for gen.xyz. Big security players such as Norton, FireEye, and Masterlock have already registered names with the new .security and .protection domains. An organization in Southern California, for example, might select la.security; spam.protection could do the trick for an email filtering company. Source


Gotham Security Daily Threat Alerts

August 4, SecurityWeek – (International) Critical flaws found in Cisco small business routers. Cisco released patches for its small business RV series routers after researchers discovered a critical flaw affecting the Web interface that allows remote, unauthenticated attackers to execute arbitrary code with root privileges, a high severity flaw that can be exploited remotely to perform a directory traversal and access arbitrary files on the system, and a medium severity command shell injection flaw that could allow a local attacker to inject arbitrary shell commands that are then executed by the device, among other vulnerabilities. Source

August 4, SecurityWeek – (International) Google patches 10 vulnerabilities in Chrome 52. Google released an update for Chrome 52 resolving 10 security vulnerabilities after third-party developers discovered 4 high risk flaws affecting the Web browser, including an address bar spoofing flaw, a use-after-free bug in Blink, and heap overflow bugs in pdfium, as well as 3 medium risk bugs, including a same origin bypass for images in Blink and parameter sanitization failure bugs in DevTools. Source

August 3, Help Net Security – (International) Four high-profile vulnerabilities in HTTP/2 revealed. Imperva released a report at the Black Hat USA 2016 conference documenting four high-profile vulnerabilities in Hypertext Transfer Protocol (HTTP)/2 after researchers from the Imperva Defense Center found an HPACK Bomb attack resembling a zip bomb, a dependency cycle attack that takes advantage of HTTP/2’s flow control mechanisms for network optimization, stream multiplexing abuse that results in denial-of-service to legitimate users, and Slow Read attacks in server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The vendors of the affected HTTP/2 implementations released patches for the issues. Source

August 3, Softpedia – (International) Venmo fixes hole that allowed attackers to steal $2,999.99 per week using Siri. Venmo patched an attack vector in its digital wallet service after a security researcher discovered attackers could exploit design flaws in Venmo and Apple’s iPhone operating system (iOS) to approve roughly $3,000 a week in money requests if a malicious actor had physical access to a victim’s iPhone, by instructing Siri to send a message to Venmo’s five-digit phone number from the iOS device, which handled the payment request instead of showing app notifications to the user. Venmo removed the Short Message Service (SMS) “reply-to-pay” functionality and applied other smaller fixes for issues that had left the service vulnerable to similar attacks. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report
