Skip to content

Gotham Security Daily Threat Alerts

by on December 15, 2014

December 12, The Register – (International) Hackable intercom lets you SPY on fellow apartment-dwellers. A researcher presenting at the Kiwicon security conference detailed how he was able to use several vulnerabilities in the GrandStream GXV3175 video intercom, including directory traversal and command injection flaws, to potentially spy on any resident in an apartment building equipped with the devices. The issues were patched by the manufacturer after the researcher reported them. Source

December 12, The Register – (International) Microsoft pulls a patch and offers PHANTOM FIX for the mess. Microsoft took down an update included in its monthly Patch Tuesday release due to the patch causing issues on systems running Windows 7 Service Pack (SP1) and Windows Server 2008 R2 SP1. A second patch was then published to address the issue. Source

December 12, Securityweek – (International) Malwarebytes anti-exploit upgrade mechanism vulnerable to MitM attacks. A Fox-IT researcher identified and reported vulnerabilities in consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier that could have left the security products vulnerable to man-in-the-middle (MitM) attacks and allowed the download of malicious content. The vulnerabilities were reported in July and August and patched in September and October. Source

December 10, Softpedia – (International) Red October cyber spy op goes mobile via spear-phishing. Researchers with Blue Coat and Kaspersky Lab identified and analyzed a cyber-espionage campaign that appears similar to the RedOctober campaign dubbed Cloud Atlas or Inception Framework that has been targeting the Android, iOS, and BlackBerry devices of specific users in the government, finance, energy, military, and engineering sectors in several countries via spearphishing. The malware appears to primarily be designed to record phone conversations and can also track locations, monitor text messages, and read contact lists. Source

December 11, The Register – (International) Elderly zombie Asprox botnet STILL mauling biz bods, says survey. A report by Palo Alto Networks found that the Asprox botnet (also known as Kuluoz) was responsible for around 80 percent of recorded attacks during October across almost 2,000 organizations in sectors including the healthcare, financial services, and retail industries. The botnet malware plants malicious code in vulnerable Web sites via SQL injection attacks and has been used in phishing, malware distribution, and other attacks. Source

December 11, Softpedia – (International) Patch against critical flaw in HD FLV Player still leaves the plug-in vulnerable. A researcher with Sucuri reported that a recent patch closing a vulnerability that could have allowed unauthenticated arbitrary file downloads in the HD FLV Player component for Joomla, WordPress, and custom Web sites did not close a similar vulnerability that could allow an unauthenticated attacker to send out emails from an affected site. Source

December 11, The Register – (International) FreeBSD developers VANQUISH Demon bug. Researchers with Norse identified and reported a vulnerability in FreeBSD that could have allowed an attacker to inject malicious code into systems running the software. The developers of FreeBSD released a patch after receiving the report, closing the vulnerability. Source

December 11, Threatpost – (International) Black Energy malware may be exploiting patched WinCC flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an update to a previous alert concerning the Black Energy malware seen targeting human-machine interface (HMI) products, which stated that the malware may be exploiting vulnerabilities in the Siemens SIMATIC WinCC software that was patched by Siemens November 11. Source

December 10, The Register – (International) Taxi app Uber plugs ‘privacy- threatening’ web security flaw. Ride-sharing service Uber closed a cross-site scripting (XSS) vulnerability in its Web site after a security researcher identified and reported the issue. The vulnerability could have exposed users’ cookies, personal information, browser history, and authentication credentials. Source

December 10, The Register – (International) ‘Critical’ security bugs dating back to 1987 found in X Window. The developers of the X Window System for Linux and other Unix operating systems issued patches closing several vulnerabilities that could be exploited to crash the system or run malicious code as the root user after they were identified and reported by a researcher at IOActive. Source

December 10, Softpedia – (International) Red October cyber spy op goes mobile via spear-phishing. Researchers with Blue Coat and Kaspersky Lab identified and analyzed a cyber-espionage campaign that appears similar to the RedOctober campaign dubbed Cloud Atlas or Inception Framework that has been targeting the Android, iOS, and BlackBerry devices of specific users in the government, finance, energy, military, and engineering sectors in several countries via spearphishing. The malware appears to primarily be designed to record phone conversations and can also track locations, monitor text messages, and read contact lists. Source

December 10, Securityweek – (International) Trihedral fixes vulnerability in SCADA monitoring and control software. Trihedral Engineering Ltd., released software updates for its VTScada (VTS) supervisory control and data acquisition (SCADA) software to close a vulnerability that could be used by an unauthenticated attacker to crash VTS servers. The software is used in industries including the energy, chemical, manufacturing, agriculture, transportation, and communications sectors. Source

December 10, Softpedia – (International) Flash Player 16.0.0.235 fixes remote code execution bug exploited in the wild. Adobe released patches for six vulnerabilities in its Flash Player software, including a vulnerability reported by a researcher that could allow arbitrary code to be executed on affected systems. The arbitrary code execution vulnerability has been observed being exploited in the wild and all users were advised to update their versions of Flash Player as soon as possible. Source

December 10, Securityweek – (International) SQL injection, other vulnerabilities found in InfiniteWP admin panel. A researcher with Slik identified and reported several vulnerabilities in the InfiniteWP administration application for WordPress Web sites, including SQL injection vulnerabilities that could be used by an unauthenticated attacker to gain control of WordPress sites. Source

December 10, Securityweek – (International) Flaw in AirWatch by VMware leaks info in multi-tenant environments. VMware released an update for its AirWatch enterprise mobile management and security platform December 10 that closes vulnerabilities that could allow a user that manages a deployment in a multi-tenant environment to view the statistics and organizational information of another tenant. Source

December 10, Securityweek – (International) Recursive DNS resolvers affected by serious vulnerability. The Computer Emergency Response Team Coordination Center (CERT/CC) reported December 9 that recursive Domain Name System (DNS) resolvers are vulnerable to an issue where a malicious authoritative server can cause them to follow an infinite chain of referrals, leading to a denial of service (DoS) state. Source

December 10, Securityweek – (International) Third-party bundling made IBM products most vulnerable: Study. Secunia released a report on security vulnerabilities disclosed between August and October and found that vulnerabilities increased by 40 percent compared to the previous year to a total of 1,841 vulnerabilities in the 20 most vulnerable products, among other findings. The report also found that Google Chrome had the largest number of disclosed security issues, and that IBM was the most vulnerable vendor due to products being bundled with third-party software. Source

December 9, Securityweek – (International) Microsoft releases critical IE security update on Patch Tuesday. Microsoft released its monthly Patch Tuesday round of updates for its products December 9, which included 7 security bulletins addressing 24 vulnerabilities. Three vulnerabilities were considered critical and affected Internet Explorer, Microsoft Word and Office Web Apps, and the VBScript scripting engine. Source

December 9, Threatpost – (International) New version of Destover malware signed by stolen Sony certificate. Researchers at Kaspersky Lab identified a new variant of the Destover malware used in an attack on Sony Pictures Entertainment that uses a stolen, legitimate certificate from Sony. The malware is basically identical to previous versions except for the use of a certificate. Source

December 9, SC Magazine – (International) SEO poisoning campaign ensnares several thousand websites, security expert finds. A webmaster identified and researchers from Websense and High-Tech Bridge confirmed that several thousand legitimate Web sites hosted on GoDaddy and other services had been compromised to improve the search engine optimization (SEO) ranking of other sites by inserting links into the legitimate sites. GoDaddy stated that the company was investigating the issue. Source

December 9, U.S. Consumer Product Safety Commission – (International) Lenovo recalls computer power cords due to fire and burn hazards. Lenovo announced a recall for around 544,000 Lenovo LS-15 AC power cords in the U.S. and Canada due to the potential for the power cords to overheat, posing fire and burn hazards. Source

December 9, Securityweek – (International) Hackers breached payment solutions provider CHARGE Anywhere: Undetected since 2009. Electronic payment solutions provider CHARGE Anywhere stated December 9 that attackers had gained access to its network as early as November 2009 using a previously unknown and undetected piece of malware and were able to capture payment card data from some communications that did not have encryption. The company discovered the compromise September 22 and an investigation found that network traffic capture occurred between August 17 and September 24. Source

 

From → Security

Comments are closed.

%d bloggers like this: