
Gotham Security Daily Threat Alerts

September 5, 2014

September 4, Softpedia – (International) Old Slider Revolution vulnerability massively exploited. Researchers at Sucuri found that attackers began heavily exploiting an old vulnerability in unpatched versions of the Slider Revolution Premium plugin for WordPress during August, which could allow a Local File Inclusion (LFI) attack. The vulnerability was fixed in February and all users were advised to update to the latest version as soon as possible. Source:
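The plugin item above describes a file-inclusion flaw in a WordPress plugin. As an added illustration of that bug class (example code written for this digest, not the plugin's source or Sucuri's analysis), the block below shows a file-serving handler that joins a user-supplied name onto a base directory with no containment check, beside a hardened resolver that refuses anything resolving outside the directory. The plugin directory and file names are assumptions made for the demonstration.

```python
import os

# Assumed plugin directory for the demonstration (not a real install path).
PLUGIN_DIR = "/var/www/html/wp-content/plugins/example-slider"


class TraversalError(ValueError):
    """Raised when a requested path would leave the allowed directory."""


def vulnerable_resolve(base: str, requested: str) -> str:
    """The bug class: the user-controlled name is joined straight onto the
    base directory. '../../../wp-config.php' normalises to a path outside
    the plugin directory, and a caller that opens it discloses the file."""
    return os.path.normpath(os.path.join(base, requested))


def safe_resolve(base: str, requested: str) -> str:
    """Hardened form: resolve symlinks and '..' first, then require the
    result to lie strictly inside the base directory."""
    if "\x00" in requested or os.path.isabs(requested):
        raise TraversalError("absolute path or NUL byte rejected")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath is the longest shared prefix; anything other than the base
    # itself means the candidate escaped.  The base directory alone is also
    # refused, since a file handler should never serve the directory.
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise TraversalError(f"{requested!r} resolves outside {base_real}")
    return candidate


def is_allowed(base: str, requested: str) -> bool:
    """Policy decision a handler would make: True only for contained paths."""
    try:
        safe_resolve(base, requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    probes = [
        "img/banner.png",
        "../../../wp-config.php",
        "img/../../../../../etc/passwd",
        "/etc/passwd",
        "",
    ]
    for p in probes:
        print(f"{p!r:38} vulnerable -> {vulnerable_resolve(PLUGIN_DIR, p):45} "
              f"allowed: {is_allowed(PLUGIN_DIR, p)}")
```

The realpath step matters: a check on the raw string (for example rejecting `..`) misses symlinks and encoded variants, whereas comparing the resolved path against the resolved base catches every route out of the directory.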

September 4, SecurityWeek – (International) CERT warns of Android apps vulnerable to MitM attacks. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University (CERT/CC) published a list of popular Android apps that expose users to man-in-the-middle (MitM) attacks because the apps do not properly validate SSL certificates. CERT/CC released its findings in a spreadsheet detailing the results and is attempting to contact the authors of every app that failed its tests. Source:

September 4, Softpedia – (International) Home router DNS settings changed via Web-based attack. Kaspersky Lab researchers identified a Web-based attack that uses Web pages with malicious scripts to attempt to change users’ home router Domain Name System (DNS) settings in order to redirect users to phishing pages of financial institutions. The attack was mostly observed in Brazil but also targeted some users in the U.S., Canada, Mexico, and other countries. Source:

September 4, The Register – (International) VirusTotal mess means YOU TOO can track Comment Crew! A researcher released findings showing how structured data and analysis of submissions allowed him to identify a subgroup of the Comment Crew group and an unnamed Iranian group that were using Google’s VirusTotal service to test new versions of their malware against security software and check detection rates. Source:

September 3, Help Net Security – (International) Semalt botnet hijacked nearly 300k computers. Incapsula researchers reported that the Semalt botnet is spreading quickly and is currently made up of around 290,000 infected machines. The botnet is linked to a Ukrainian search engine optimization (SEO) service and spams millions of Web sites in a referrer spam campaign designed to fraudulently boost a site’s search engine ranking. Source:
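Referrer spam of the kind described in the Semalt item is visible in ordinary web server logs, so the practical check is a pass over the access log that flags requests whose Referer points at a known spam domain. The block below is an added example written for this digest (not Incapsula's tooling): a parser for the Apache/nginx "combined" log format that reports hits per referring host, with a small constructed log and an assumed blocklist for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log using documentation address ranges; not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2014:10:12:01 +0000] "GET / HTTP/1.1" 200 5123 "http://semalt.semalt.com/crawler.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [04/Sep/2014:10:12:05 +0000] "GET /about HTTP/1.1" 200 2310 "http://www.example.org/" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [04/Sep/2014:10:12:09 +0000] "GET /contact HTTP/1.1" 200 1980 "http://semalt.com/" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.44 - - [04/Sep/2014:10:13:40 +0000] "GET /blog HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.44 - - [04/Sep/2014:10:14:02 +0000] "GET /blog HTTP/1.1" 200 8800 "http://seo-spam.example/page" "Mozilla/5.0 (Macintosh)"
"""

# Assumed blocklist for the example; maintain your own from what the report shows.
BLOCKED_REFERER_DOMAINS = {"semalt.com", "seo-spam.example"}


def referer_host(referer: str):
    """Hostname of the Referer value, or None when the header was absent."""
    if referer in ("", "-"):
        return None
    host = (urlsplit(referer).hostname or "").lower()
    return host or None


def is_blocked_host(host, blocked) -> bool:
    """Match the host itself or any parent domain (x.semalt.com -> semalt.com)."""
    if host is None:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def find_referrer_spam(log_text: str, blocked=BLOCKED_REFERER_DOMAINS):
    """Return (client_ip, referer_host, request_path) for each spam hit."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = referer_host(m["referer"])
        if is_blocked_host(host, blocked):
            parts = m["req"].split()
            path = parts[1] if len(parts) > 1 else "-"
            hits.append((m["ip"], host, path))
    return hits


def spam_summary(log_text: str, blocked=BLOCKED_REFERER_DOMAINS) -> Counter:
    """Hits per referring host: the list to feed into a server-side block rule."""
    return Counter(host for _, host, _ in find_referrer_spam(log_text, blocked))


if __name__ == "__main__":
    for ip, host, path in find_referrer_spam(SAMPLE_LOG):
        print(f"{ip:15} {host:22} {path}")
    print(spam_summary(SAMPLE_LOG))
```

Matching on parent domains is deliberate: referrer spam rotates subdomains, so a rule keyed on the exact host falls behind quickly. In production the same match is usually enforced at the server (a rewrite or deny rule on the Referer header) and this kind of report is what tells you which domains to add.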

September 4, Softpedia – (International) Updated Vawtrak banking malware strain expands target list. Researchers with PhishLabs identified a new variant of the Vawtrak financial malware (also known as Neverquest) that has added features in the last month enabling it to expand its targets to users in the U.S., Canada, and Europe. The malware targets financial institutions as well as social networks, online retailers, gaming portals, and analytics firms and can steal credentials and automate fraudulent transactions. Source:

September 3, Help Net Security – (International) Linux systems infiltrated and controlled in a DDoS botnet. Researchers at Akamai Technologies reported that Linux systems are being infected with the IptabLes and IptabLex malware and used to launch distributed denial of service (DDoS) attacks. The researchers reported that the infections appeared to stem from a large number of Linux-based Web servers being compromised through Apache Struts, Tomcat, and Elasticsearch vulnerabilities. Source:

September 3, The Register – (International) Firefox 32 moves to kill MITM attacks. The Mozilla Foundation released version 32 of its Firefox browser, which adds new features including public key pinning to help protect users against man-in-the-middle (MitM) attacks. Source:

September 2, Threatpost – (International) Apple fixes glitch in Find My iPhone app connected to celebrity photo leak. A security issue in Apple’s Find My iPhone app that researchers demonstrated could be exploited in brute force attacks was fixed by the company. Apple stated that a recent breach of celebrities’ personal photos stored in its iCloud service was not the result of the researchers’ findings, but instead involved targeted attacks on the individuals’ accounts. Source:

September 3, Help Net Security – (International) Cybercriminals love PayPal, financial phishing on the rise. Kaspersky Lab researchers released statistics on spam and phishing emails for the month of July, which found that phishing emails targeting financial services increased 7.9 percent during the month, with PayPal being the most targeted company. The researchers also found that the overall share of spam in all email traffic increased 2.2 percent to a total of 67 percent during July, among other findings. Source:

September 3, SecurityWeek – (International) Goodwill blames credit card breach on third-party vendor. Goodwill Industries International representatives reported September 2 that a payment card breach which was detected in July was the result of hackers using an unidentified piece of malware to breach the systems of a third-party vendor that processes payments for some Goodwill members between February 2013 and August 2014. Servers at 20 Goodwill stores across several States were compromised during the breach, and the personal information, including name and payment card information, of the stores’ customers was accessed. Source:

September 2, Los Angeles Times – (International) Home Depot probing possible hacking; customer data may be at risk. Home Depot representatives announced September 2 that the company is investigating a potential security breach and is working with law enforcement and banking institutions to investigate reported unusual activity. Source:

September 2, Softpedia – (International) FBI starts investigation of celeb photo hack. The FBI stated that it began an investigation to identify and apprehend the individuals behind a leak of personal photos belonging to several celebrities that were stored in Apple’s iCloud service. Source:

September 2, The Register – (International) SHARE ‘N’ SINK: OneDrive corrupting Office 2013 files. Users of Microsoft’s OneDrive cloud service began reporting August 27 that some Microsoft Office 2013 files stored on OneDrive were inaccessible. Users found that only individuals running Windows 8.1 appeared to be affected and that syncing OneDrive to a computer running Windows 7 would make the files accessible again. Source:

September 2, The Register – (International) iOS phone phlaw can UNMASK anonymous social media users. Researchers found that iOS devices could be made to dial numbers without prompting the user, or to take photos through the device’s camera, because an iOS feature is not properly handled by several popular services, including Twitter, Google, and Facebook, which could reveal the identity of otherwise anonymous users. Source:

September 2, IDG News Service – (International) Namecheap says accounts compromised in hacking incident. Hosting provider Namecheap reported September 1 that several of its users’ accounts were compromised using brute force attacks to gain control of accounts. Source:
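Both the Find My iPhone item above and the Namecheap incident come down to the same missing control: a login endpoint that keeps answering guesses. The block below is an added example written for this digest (not Apple's or Namecheap's code) of the lockout logic such an endpoint needs: failures are counted per account and per source address over a sliding window, a locked account refuses even a correct password until the lockout expires, and a constructed dictionary attack is run through it to show the difference. Thresholds, the wordlist and the addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Track failed logins per account and per source address over a sliding
    window and lock the account once its budget is spent.  Times are plain
    seconds supplied by the caller so the behaviour is deterministic."""

    def __init__(self, max_failures=5, window=300, lockout=900, ip_max_failures=50):
        self.max_failures = max_failures          # failures per account per window
        self.window = window                      # seconds a failure is remembered
        self.lockout = lockout                    # seconds an account stays locked
        self.ip_max_failures = ip_max_failures    # failures per source IP per window
        self.account_failures = defaultdict(deque)
        self.ip_failures = defaultdict(deque)
        self.locked_until = {}

    def _prune(self, dq, now):
        """Drop failure timestamps that have fallen out of the window."""
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def attempt(self, account, ip, password_ok, now):
        """Returns 'allowed', 'denied', 'locked' or 'throttled'."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"          # a correct guess is refused while locked
        ip_dq = self.ip_failures[ip]
        self._prune(ip_dq, now)
        if len(ip_dq) >= self.ip_max_failures:
            return "throttled"       # one source spraying many accounts
        if password_ok:
            self.account_failures.pop(account, None)
            return "allowed"
        acct_dq = self.account_failures[account]
        self._prune(acct_dq, now)
        acct_dq.append(now)
        ip_dq.append(now)
        if len(acct_dq) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return "locked"
        return "denied"


class NoGuard:
    """Stand-in for an endpoint with no lockout at all."""

    def attempt(self, account, ip, password_ok, now):
        return "allowed" if password_ok else "denied"


def simulate_bruteforce(guard, account, ip, wordlist, real_password, start=0, step=1):
    """Run a dictionary attack through the guard; return (found, attempts made)."""
    for i, guess in enumerate(wordlist):
        verdict = guard.attempt(account, ip, guess == real_password, start + i * step)
        if verdict == "allowed":
            return True, i + 1
    return False, len(wordlist)


# Constructed wordlist for the demonstration; the real password is the 21st guess.
WORDLIST = [f"password{n}" for n in range(20)] + ["Summer2014!"] + [f"qwerty{n}" for n in range(9)]


if __name__ == "__main__":
    attacker_ip = "203.0.113.5"  # documentation range, constructed
    print("no lockout:", simulate_bruteforce(NoGuard(), "victim", attacker_ip, WORDLIST, "Summer2014!"))
    print("with guard:", simulate_bruteforce(LoginGuard(), "victim", attacker_ip, WORDLIST, "Summer2014!"))
```

Two design points are worth keeping: the account lock is keyed on the account rather than the source address, so rotating through proxies does not reset it, and the per-address budget catches the reverse case of one source trying a few passwords against many accounts. A lockout also creates a denial-of-service lever against legitimate users, which is why the lock expires rather than persisting until an administrator intervenes.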

September 1, SecurityWeek – (International) Tor-enabled Bifrose variant used in targeted attack. Trend Micro researchers identified a new variant of the Bifrose backdoor after it was used in an attack on an unnamed device manufacturer. The new variant uses the Tor network for command and control communications and can perform actions including downloading and uploading files, deleting content, and performing actions as the infected user. Source:

August 29, Softpedia – (International) MangaGamer alerts customers of security breach. Games distributor MangaGamer informed its customers that it was the victim of a data breach that may have exposed customers’ email addresses, usernames, and passwords. The company advised users to change their passwords and indicated that no financial information was compromised. Source:

August 29, SC Magazine – (International) Syrian Malware Team makes use of enhanced BlackWorm RAT. FireEye researchers reported that a hacktivist group known as the Syrian Malware Team has used an enhanced version of the BlackWorm remote access trojan (RAT) known as “Dark Edition” in its campaigns. The new variant allows attackers to bypass User Account Control (UAC), spread itself over network drives, and disable firewalls. Source:

September 1, IDG News Service – (International) Rigged industrial software site points to watering hole attack. Researchers at AlienVault reported that the Web site of an unnamed industrial software company was compromised with a piece of reconnaissance malware called Scanbox that collected information on visitors to the site, including visitors’ IP addresses, language, operating system, and security programs. The unnamed company produces system engineering and simulation software for several industries including manufacturing, automotive, and aerospace firms. Source:

August 29, Softpedia – (International) Hackers steal customer payment data from ClamCase. Keyboard and iPad case manufacturer ClamCase stated that attackers compromised the company’s systems and obtained an undisclosed number of customers’ personal information including names, addresses, and payment card data. The company stated that the attack occurred between April 15 and August 6 and is offering identity theft prevention services to affected customers. Source:

August 29, The Register – (International) KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION. Dell SecureWorks researchers published an analysis of the CryptoWall ransomware and found that it continues to be the largest ransomware threat, extorting at least $1 million from victims. The researchers detected around 625,000 systems infected with the ransomware between mid-March and late August, encrypting over 5.25 billion files, among other findings. Source:

August 29, Help Net Security – (International) Phishers targeting crypto currency and retail sites. The Anti-Phishing Working Group (APWG) released its report for the second quarter of 2014 (Q2) and found that the number of phishing attacks was the second-highest number since recording began in 2008, with online payment services and cryptocurrency sites being frequent targets, among other findings. Source:

August 29, Softpedia – (International) New BlackPoS strain disguises as antivirus service. Researchers with Trend Micro identified a new variant of the BlackPoS point-of-sale (PoS) malware that disguises itself as an antivirus product and contains other changes to improve efficiency and avoid detection. The malware can reach PoS systems by the infection of company servers, breaching network communication, or infecting the PoS device before deployment. Source:

August 28, Softpedia – (International) Malvertising hits high-profile websites, Java, deviantART, TMZ, Photobucket. Researchers at Fox-IT identified a malvertising campaign that used ads on popular Web sites such as those belonging to Java, deviantART, Photobucket, TMZ, and others to expose users with outdated Java, Flash Player, and Silverlight versions to compromise using the Angler exploit kit. The ads ran between August 19 and August 23 and did not require users to click on them in order to attempt to drop the Rerdom trojan. Source:

August 28, IDG News Service – (International) Mozilla reports user data leak from Bugzilla project. Mozilla disclosed August 27 that the email addresses and encrypted passwords of around 97,000 users who tested early versions of the Bugzilla bug tracking tool were exposed for 3 months after a server migration. The breach was caused by database dump files being left in an unprotected server location starting May 4. Source:

August 28, Computerworld – (International) Microsoft purges 1,500 copycat, fraudulent Windows 8.1 apps. Microsoft stated August 27 that it removed over 1,500 fake Windows 8 and 8.1 apps from its Windows Store marketplace due to the apps attempting to charge users for free software. Source:

August 27, The Register – (International) Scratched PC-dispatch patch patched, hatched in batch rematch. Microsoft released an updated version of a security patch following reports that some users experienced ‘blue screen of death’ crashes after applying the original patch. Source:

August 27, Softpedia – (International) Crypto-malware steals email addresses and passwords, spreads itself. Avast researchers analyzed a new piece of ransomware that uses several freely available tools to infect users, encrypt files, and demand a ransom. The ransomware also steals email credentials to attempt to propagate itself and is currently targeting users in Russian-speaking countries. Source:

August 28, IDG News Service – (International) FBI, Secret Service studying ‘scope’ of reported bank cyberattacks. A spokesperson for the FBI stated August 27 that the FBI and U.S. Secret Service are investigating to determine the scope of recently reported cyberattacks against several major U.S. financial services institutions. Source:

August 27, Softpedia – (International) Updated NetTraveler backdoor has encrypted configuration file. Researchers at Kaspersky Lab identified an updated variant of the NetTraveler (also known as Travnet or Netfile) malware, carrying an encrypted configuration file, being used in a spearphishing campaign. The NetTraveler malware has been in use for as long as 10 years and is frequently used in attacks targeting diplomatic, government, military, and activist groups. Source:

August 27, Help Net Security – (International) 470 million sites exist for 24 hours, 22% are malicious. Blue Coat researchers reported the results of an analysis of over 660 million unique hostnames requested by users and found that 71 percent of hostnames were sites that appeared for only 1 day, with around 22 percent found to be malicious sites used in short-lived attacks or botnet management. The largest number of 1-day sites were legitimate sites used by major online organizations. Source:

August 27, The Register – (International) Ouch…right in the VIDEO GAME: Lizard Squad attacks Xbox, Twitch. Attackers calling themselves Lizard Squad launched distributed denial of service (DDoS) attacks against video game-streaming service Twitch and the Microsoft Xbox Live service August 26, disrupting service on Twitch for a time but failing to impact Xbox Live service. Source:

August 26, Softpedia – (International) Hardcoded password in Netis, Netcore routers offers backdoor to devices. Trend Micro researchers found that some routers sold under the Netis brand in the U.S. and other countries, and under the Netcore brand in China, contain a backdoor that is reachable from outside the local network whenever the router’s external interface is accessible. The backdoor is protected only by a password hardcoded into the devices, so anyone who knows that password can take control of the router. Source:

August 26, Threatpost – (International) 50 security flaws fixed in Google Chrome. Google released an update for its Chrome browser addressing 50 security issues, including a combination of critical vulnerabilities that could be exploited to execute arbitrary code outside of the Chrome sandbox. Source:

August 25, Help Net Security – (International) Researchers exploit flaw to tie Secret users to their secrets. Researchers from Rhino Security Labs demonstrated a proof-of-concept attack against the Secret app that could allow a user to deduce the identity behind a posting on the anonymous social network. The attack method had been reported to Secret and fixed before the researchers’ demonstration. Source:

August 26, Softpedia – (International) Backoff PoS malware has at least eight variants. Researchers at Symantec conducted an analysis of the Backoff point-of-sale (PoS) malware and identified eight variants, with differences in registry entries and values, command and control servers, and the variants’ installation paths. Source:


From → Security
