Gotham Security Daily Threat Alerts

August 2, Help Net Security – (International) 36,000 SAP systems exposed online, most open to attacks. ERPScan released a comprehensive SAP Cybersecurity Threat Report which revealed the average number of security patches for SAP products per year has decreased, while the amount of vulnerable platforms has increased and now includes modern cloud and mobile technologies such as HANA. The report also found that SAP’s Customer Relationship Management (CRM), Enterprise Portal (EP), and Supplier Relationship Management (SRM) products are most vulnerable to flaws, and that the U.S. is one of the three countries with the most exposed services, among other findings. Source

August 2, Softpedia – (International) Google SEO trick leads users to online scam, CryptMIC ransomware. Researchers from Malwarebytes discovered an active campaign where malicious actors were abusing Google search featured snippets to show links to compromised Websites and redirect users to online stores selling product keys for Microsoft Office or hosting the Neutrino exploit kits (EK), which would in turn infect the user’s device with the CryptMIC ransomware. Researchers found the attackers could also actively search for third-party Websites listed in featured snippets that run vulnerable content management systems (CMSs), and hack the sites to deliver the ransomware. Source

August 2, SecurityWeek – (International) Google patches tens of critical vulnerabilities in Android. Google released security patches for the Android operating system (OS) resolving 81 vulnerabilities including 3 remote code execution (RCE) flaws, 4 Elevation of Privilege (EoP) bugs, and 4 denial-of-service (DoS) flaws in Mediaserver, a DoS issue in system clock, and an RCE flaw in libjhead, among other vulnerabilities. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

August 3, Dark Reading – Researchers Show How To Steal Payment Card Data From PIN Pads. Attack works even against chip-enabled EMV smartcards. BLACK HAT USA—Las Vegas—The manner in which many PIN pads used by consumers to pay for purchases and communicate with point-of-sale systems makes it very easy for attackers to steal payment card data, researchers warned here this week. Using a Raspberry Pi with specialized software and a laptop running a POS simulator, researchers Nir Valtman and Patrick Watson of NCR Corp showed how an attacker could intercept communications between a card reader and a POS system and extract sensitive cardholder data from it. Source


Gotham Security Daily Threat Alerts

August 2, Softpedia – (International) Windows flaw reveals Microsoft account passwords, VPN credentials. Researchers discovered an exploit affecting the way Microsoft Windows handles old authentication procedures for shared network resources where an attacker could embed a disguised link to a server message block (SMB) resource inside a Webpage or an email viewed via Outlook that sends the victim’s login credentials to authenticate on the malicious actor’s domain once the user accesses the link via Internet Explorer, Edge, or Outlook. The exploit gives the hacker access to the user’s Microsoft username, virtual private network (VPN) credentials, or password, which is leaked as a NT LAN Manager (NTLM) hash. Source

August 1, Softpedia – (International) Data of 200 million Yahoo users pops up for sale on the Dark Web. Yahoo is investigating a potential data breach after cyber-criminal Peace_of_Mind (Peace) published a listing on TheRealDeal Dark Web marketplace that reportedly offers data on over 200 million Yahoo users for 3 bitcoin, or approximately $1,800, including usernames, MD5-hashed passwords, dates of birth for all users, and in some cases, backup email addresses, country of origin, and ZIP codes for U.S. users. Source

August 1, Softpedia – (International) Trojan in 155 Google Play Android apps affects 2.8 million users. Security researchers from Dr. Web discovered that a new variant of the Android.Spy family trojan, dubbed Android.Spy.305, was plaguing 155 Android apps on the official Google Play Store and affecting over 2.8 million users by collecting data about the user’s device, including the email address connected to their Google user account, the name of the app the trojan leverages for distribution, and the developer ID and software developer’s kit (SDK) version, among other details, in order to deliver ads. Google released a list of all the apps potentially impacted by the trojan. Source

August 1, SecurityWeek – (International) SSL flaw in Intel Crosswalk exposes apps to MitM attacks. Intel released updates for its Crosswalk framework after security researchers from Nightwatch Cybersecurity discovered a serious vulnerability in the Crosswalk Project library that allows malicious actors to launch man-in-the-middle (MitM) attacks and capture sensitive information transmitted by the app. The researchers found that when a user makes a network request and accepts the initial error message displayed by the app if an invalid Secure Socket Layer (SSL) certificate is found, the app accepts all future SSL certificates without validation, even when connections are made via different WiFi hotspots and different certificates. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 29, Help Net Security – (International) SpyNote Android RAT builder has been leaked. Palo Alto Networks’ researchers warned that a builder for the SpyNote Android remote access trojan (RAT) is being distributed freely on several underground hacker forums and configures the RAT to contact a specific command and control (C&C) server over a specific port, removing its icon once it is installed. The malware is capable of viewing messages on infected devices, collecting device information, and exfiltrating files, among other tasks. Source

July 28, IDG News Service – (International) The AdGholas malvertising campaign infected thousands of computers per day. Proofpoint researchers reported that the group behind the malvertising operation AdGholas managed to distribute malicious advertisements through more than 100 ad exchanges, attracted between 1 million and 5 million page hits a day, and redirected up to 20 percent of computers that loaded the rogue ads to servers hosting exploit kits (EK) through the use of a series of complex checks and the use of steganography. The operation was suspended July 20. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 28, SecurityWeek – (International) Many web attacks come from United States: Sucuri. Researchers at Sucuri analyzed metadata from 30 days of Web traffic and blocked requests from its firewall product and found that the Structured Query Language (SQL) injection, brute force, and other exploit attempts had various browser user agents, more than one-third of the attacks came from the U.S. followed by Indonesia and China, and that when it came to operating systems (OS) 45 percent of attacks came from Microsoft Windows. Source

July 28, Help Net Security – (International) Media-stealing Android app targets developers. Google removed the “HTML Source Code Viewer” app from its Google Play distribution service after Symantec researchers discovered the malicious app stole photos and videos from victims’ mobile devices by requesting permissions to access the device’s external storage. The app targeted all versions of Android after and including Gingerbread. Source

July 28, Softpedia – (International) Chrome, Firefox vulnerable to crashes via search suggestions. Nightwatch Cybersecurity researchers found that Google Chromium, Android, and Mozilla Firefox do not protect browser built-in search suggestions via an encrypted Hypertext Transfer Protocol Secure (HTTPS) channel, which could allow an attacker on the local channel to intercept search suggestion inquiries and answer before the search provider. Firefox, Chrome, and Android are working to address the issue. Source

July 26,– (National) Presidential Policy Directive – United States Cyber Incident Coordination. The U.S. President’s administration released Presidential Policy Directive/PPD-41 July 26 detailing the U.S. Cyber Incident Coordination, which sets forth principles that govern the Federal Government’s response to cyber incidents and the designation of responsibility to certain Federal agencies, including the FBI and DHS. Source

July 27, SecurityWeek – (International) PayPal abused in banking trojan distribution campaign. Proofpoint security researchers discovered malicious actors were distributing the Chthonic banking trojan, a variant of the Zeus malware, via legitimate-looking PayPal emails to request money from users by sending money request messages claiming an illicit $100 transfer was made to the victim’s account which could be returned by clicking the malicious link that redirects the user to “katyaflash[.]com/pp.php,” where the malware is downloaded onto the device in the form of an obfuscated JavaScript file that connects to the command and control (C&C) server. Researchers discovered the malware was also downloading a previously undocumented second-stage payload dubbed AZORult. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report


Gotham Security Daily Threat Alerts

July 27, Softpedia – (International) Two vulnerabilities affect LastPass, both allow full password compromise. Researchers with Google Project Zero and Detectify discovered a vulnerability affecting LastPass through its JavaScript code that parsed the Uniform Resource Locator (URL) of the page LastPass was working on, potentially allowing an attacker to gain a user’s credentials by tricking the user into accessing a URL in the form of “” The vulnerability was patched; however a second vulnerability that could lead to a complete LastPass compromise was reported and is currently being evaluated by the service. Source

July 27, Help Net Security – (International) DDoS attacks increase 83%, Russia top victim. Nexusguard released a report showing that distributed denial-of-service (DDoS) attacks increased 83 percent to more than 182,900 attacks in the second quarter of 2016, with Russia as the top victim country. The U.S. and China were part of the top three targeted countries as the company also reported increases in routing information protocol (RIP) and multicast domain name service (mDNS) threats. Source

July 27, SecurityWeek – (International) Siemens patches flaws in industrial automation products. Siemens released software updates addressing several vulnerabilities found in SIMATIC and SINEMA products including a cross-site scripting (XSS) vulnerability in the integrated Web server of SINEMA Remote Connect Server which can be exploited by a remote attacker by tricking the user into clicking on a specially crafted link, as well as two high severity improper input validation bugs that were discovered in SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS), among other vulnerabilities. Source

July 27, Help Net Security – (International) Osram’s intelligent home lighting system is riddled with flaws. A researcher from Rapid7 discovered nine vulnerabilities affecting the Home and Pro versions of Osram’s Lightify intelligent home lighting system running on Apple iOS7 or above and Android 4.1 or above that could allow attackers to discover the Wi-Fi Protected Access (WPA) pre-shared key of the user’s home Wi-Fi and the network’s password, to launch browser-based attacks against the user’s workstation, control the light installations, and access confidential data. The vendor addressed nearly all problems in its latest patch set, with the exception of Secure Sockets Layer (SSL) pinning and issues related to ZigBee rekeying. Source

July 26, Help Net Security – (International) Low-cost wireless keyboards open to keystroke sniffing and injection attacks. Bastille Networks researchers reported that a set of security flaws exploited via KeySniffer in low-cost wireless keyboards that are produced by at least 8 different vendors, can be exploited to collect passwords, security questions, and other sensitive financial and personal information due to a lack of encryption on keystroke data before it is transmitted wirelessly to the Universal Serial Bus (USB) dongle. Researchers noted that Bluetooth keyboards, wired keyboards, and higher-end wireless keyboards are not susceptible to KeySniffer. Source

July 26, Softpedia – (International) Patchwork cyber-espionage group evolves to target enterprises. Researchers from Cymmetria and Symantec reported that the Patchwork advanced persistent threat (APT), also known as Dropping Elephant, cyber-espionage group has begun targeting aviation, energy, financial, pharmaceutical, and software companies, among others, with malicious Microsoft PowerPoint and Word files in order to install Enfourks and Steladok backdoor trojans to obtain sensitive information from infected computers. Source

July 26, Help Net Security – (International) Amazon Silk browser removes Google’s default encryption. Amazon released version v51.2.1 of its Silk browser, patching a vulnerability that allows Google searches to be conducted without Secure Sockets Layer (SSL) protection, potentially allowing the flaw to be exploited in man-in-the-middle (MitM) attacks. Source

July 25, Softpedia – (International) Windows 10 disk cleanup utility abused to bypass UAC. Security researchers advised Microsoft Windows 10 users to disable or uncheck the “Run with the highest privileges” option in the Disk Cleanup utility following the discovery of a method to bypass the Windows User Access Control (UAC) security system, potentially allowing malicious files to be executed without alerting users. Once the Disk Cleanup app is executed, it copies DismHost.exe and Dynamic Link Libraries (DLL) files, and loads the LogProvider.dll as the last DLL file, allowing time for an attacker to launch an attack. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

July 26, Dark Reading – Obama Issues Federal Government Policy For Cyberattack Response. New Presidential Policy Directive, PPD-41, solidifies just how key federal agencies coordinate, respond to cyberattacks on federal and private networks. President Obama today issued a key directive formalizing just how federal agencies operate, coordinate, and respond to major cyberattacks and cyber incidents considered a danger to national security, the government, the economy, and critical infrastructure. The new Presidential Policy Directive, PPD-41, specifies the FBI and the National Cyber Investigative Task Force of the US Department of Justice as the lead agencies for threat response, while the US Department of Homeland Security is the lead agency for “asset” response, via the National Cybersecurity and Communications Integration Center, aka the NCCIC. The Office of the Director of National Intelligence – via the Cyber Threat Intelligence Integration Center – is the lead agency for intelligence support and related efforts, the directive states. Source



Gotham Security Daily Threat Alerts

July 25, Help Net Security – (International) Critical holes in Micro Focus Filr found, plugged. Micro Focus released patches addressing a cross-site request forgery (CSRF) flaw, an Operating System (OS) Command Injection vulnerability, a persistent cross-site scripting (XSS) flaw, a path traversal, and an authentication bypass vulnerability in its Filr enterprise file management and collaborative file sharing solution after a SEC Consult researcher discovered the flaws during a quick security check. Source

July 24, Softpedia – (International) CTB-Faker ransomware uses WinRAR to lock data in password-protected ZIP files. Bleeping Computer and Check Point researchers found that the CTB-Faker ransomware family is currently being distributed via adult Websites, and encourages users to download a ZIP file which contains an executable that initiates the ransomware which moves files to a password-protected file at “” through the use of the WinRAR application. Researchers determined that the ransomware is decryptable. Source

July 24, Softpedia – (International) Stampado ransomware stomped out before it could do any real damage. A malware analyst at Emsisoft created a free decrypter, unlocking files encrypted by the Stampado ransomware which presents itself as an ad for a Ransomware-as-a-Service (RaaS) offering on Dark Web cyber-crime forums for a low price. Source

July 24, Softpedia – (International) Hacker downloads Vine’s entire source code. Twitter secured an insecure Docker setup used by the company’s staff to manage Vine’s content after security researcher Avicoder discovered the critical security flaw which would have allowed an attacker to download Vine’s entire source code, its application program interface (API) keys, and third party keys, from its servers after determining that the Docker installations were publicly accessible and that Twitter was running Docker API v1 instead of the latest version of Docker (v2). Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

July 15, Dark Reading – New Portal Offers Decryption Tools For Some Ransomware Victims., a joint initiative between Europol, the Dutch National Police, Kaspersky Lab and Intel Security, offers help in getting encrypted data back. Victims of crypto ransomware now have an online portal they can turn to for help in trying to recover encrypted data. Kaspersky Lab in collaboration with Europol, the Dutch National Police and Intel Security have launched a site that currently provides decryption tools for four ransomware families and will soon feature tools for several more. Source

