Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On January 03, 2017

December 30, SecurityWeek – (International) Sundown exploit kit starts using steganography. Trend Micro security researchers reported that a new version of the Sundown exploit kit (EK) leverages steganography to hide its malicious traffic in legitimate-seeming Portable Network Graphics (PNG) image files to disguise various exploits, including those targeting Microsoft’s Internet Explorer and Adobe’s Flash Player. Source

December 29, SecurityWeek – (International) Topps customer data exposed after Website hack. The Topps Company, Inc. notified its customers the week of December 26 that one or more attackers hacked its Website and accessed sensitive information including names, addresses, payment card data, and phone numbers of those customers who placed an order via the company’s Website between July and October 2016. Source

December 28, SecurityWeek – (International) Destructive KillDisk malware turns into ransomware. A CyberX security researcher reported that a recently observed variant of the KillDisk malware holds files for ransom instead of deleting them: it encrypts each file with its own Advanced Encryption Standard (AES) key, and those AES keys are in turn encrypted with an RSA 1028 key stored in the body of the malware. The ransomware targets selected file types, including source code, emails, media files, and documents, and requires elevated privileges to run. Source

December 28, SecurityWeek – (International) Vulnerabilities plague PHP 7’s unserialize mechanism. Check Point security researchers reported that PHP 7’s unserialize function is plagued with three vulnerabilities that can be exploited to read memory, forge objects, and achieve code execution on the impacted server. The researchers found that the first two flaws could enable a malicious actor to take total control of the affected server, while the third flaw can be used to create a denial-of-service (DoS) attack. Source

December 29, SecurityWeek – (National) FDA releases guidance for medical device cybersecurity. The U.S. Food and Drug Administration (FDA) released guidance December 29 on managing cybersecurity risks for medical devices after they have been deployed on a patient’s home network, in a patient’s body, or on a hospital’s network. The guidance advises medical device manufacturers to establish and maintain a process for detecting cybersecurity holes in their devices, evaluating and controlling the associated risks, and deploying hardware and software patches and updates before the vulnerabilities are exploited. It states that manufacturers do not need to report vulnerabilities to the FDA unless they result in patient death or other adverse events, or cannot be patched within 60 days. Source

December 27, SecurityWeek – (International) IBM reports significant increase in ICS attacks. IBM Managed Security Services reported that the number of attacks targeting industrial control systems (ICS) increased by 110 percent in 2016 compared to 2015 due to brute force attacks on supervisory control and data acquisition (SCADA) systems. IBM stated that the U.S. was both the top destination and top source of ICS attacks observed since the beginning of 2016, with nearly 90 percent of ICS attacks targeting the U.S. and 60 percent coming from the U.S. Source

December 27, SecurityWeek – (International) Critical RCE flaw patched in PHPMailer. The developers of PHPMailer released version 5.2.18 of the product to resolve a critical remote code execution (RCE) flaw after a security researcher from Legal Hackers found that a remote, unauthenticated attacker could exploit it to execute arbitrary code in the context of the Web server user and compromise a targeted Web application. The researcher found the vulnerability can be exploited through Website components such as feedback forms, registration forms, and password reset features that use an affected version of PHPMailer to send email. Source

December 23, SecurityWeek – (International) Phishers adopt malware distribution-like tactics. Proofpoint security researchers reported that a recently spotted phishing campaign designed to steal credit card information was employing a technique previously associated with malware distribution, which involves the distribution of a malicious Hypertext Markup Language (HTML) attachment that is XOR-encoded inside a password protected .zip archive to make detection more difficult and to convince victims that the email is legitimate. The spam emails also leveraged stolen branding and social engineering to trick users into giving away their credit card information by telling the spam recipients that they need to update their credit card security information in order to receive a new card equipped with a chip. Source

December 22, SecurityWeek – (International) Cisco CloudCenter Orchestrator flaw exploited in attacks. Cisco warned customers about a critical privilege escalation flaw that has been exploited against its CloudCenter Orchestrator (CCO) systems, allowing an unauthenticated attacker to remotely install malicious Docker containers with arbitrary privileges, including root, by abusing a flaw in the Docker Engine configuration. Cisco reported the flaw exists because a misconfiguration makes the Docker Engine management port accessible from the outside; it has been resolved with the release of CCO version 4.6.2. Source
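As an added illustration (not Cisco’s code and not a description of how CCO is configured), the following check looks for the general form of the misconfiguration in the item above: a Docker Engine daemon.json whose "hosts" entry binds the management API to a TCP address other than loopback without TLS client verification. The "hosts", "tls" and "tlsverify" keys are real Docker Engine options; the file contents and port numbers are constructed samples.

```python
import json

# Addresses that only the local machine can reach.
LOOPBACK = ("127.0.0.1", "localhost", "::1")

# Constructed sample: API bound to every interface, no TLS at all.
EXPOSED_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: same bind, but clients must present a cert signed by the CA.
HARDENED_CONFIG = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tls": true, "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
)


def exposed_docker_hosts(daemon_json: str) -> list:
    """Return the TCP listeners in a daemon.json that are reachable from
    other hosts while client certificate verification is disabled.

    Only the daemon.json file is inspected; -H flags passed to dockerd on
    the command line or in a service unit are not covered (assumption).
    """
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        # Strip the scheme and the port, then any IPv6 brackets: "[::]:2375" -> "::"
        addr = host[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
        if addr not in LOOPBACK and not cfg.get("tlsverify", False):
            findings.append(host)
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, exposed_docker_hosts(cfg))
```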

December 21, SecurityWeek – (International) Rakos malware takes over embedded Linux devices. ESET security researchers warned that a newly observed piece of malware, dubbed Rakos, is targeting embedded Linux devices and servers with an open Secure Shell (SSH) port via brute force SSH login attempts, infecting them in order to build a large botnet and spread the malware further. The researchers also found that Rakos can update its configuration file from a specific command and control (C&C) location and gives the attacker complete control over an infected device, reporting information including the device’s Internet Protocol (IP) address, username, and password. Source

December 21, SecurityWeek – (International) Vulnerabilities found in Siemens Desigo PX, SIMATIC products. Siemens released patches and workarounds to address several flaws in all versions of its SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs) after researchers from Beijing Acorn Network Technology found the security holes can be exploited to obtain credentials from a PLC configured with protection level 2, and to cause a denial-of-service condition by sending maliciously crafted packets to Transmission Control Protocol (TCP) port 80. Siemens also described a cryptographic issue in its Desigo PX product which could allow a remote attacker to reconstruct the corresponding private key. Source

December 21, SecurityWeek – (International) Spam “hailstorms” deliver variety of threats. Researchers from Cisco Talos warned that a new type of spam campaign, dubbed hailstorm spam, generates over 75,000 Domain Name System (DNS) queries per hour and relies on a large number of Internet Protocol (IP) addresses from around the world to send them. Cisco determined that servers in the U.S. are targeted by hailstorm spam campaigns more than those in any other country. Source

December 21, SecurityWeek – (International) VMware patches VDP, ESXi vulnerabilities. VMware released patches addressing a flaw in vSphere Data Protection (VDP) which could be exploited to log into the affected appliance with root privileges, as well as a cross-site scripting (XSS) vulnerability in the ESXi hypervisor where an attacker with permission to manage virtual machines (VM) via the ESXi Host Client can import a maliciously crafted VM to trigger the flaw, or can trick a vSphere administrator into importing the specially crafted VM. Source

December 20, SecurityWeek – (International) Cybercriminals make millions with ad fraud bot farm. White Ops researchers reported that cybercriminals can earn up to $5 million per day through a massive ad fraud operation, dubbed Methbot, which is powered by a bot farm that uses up to 1,200 servers housed in data centers in Dallas and other cities, and more than 570,000 Internet Protocol version 4 (IPv4) addresses made to appear as though they belong to residential Internet service providers (ISPs) in the U.S. The bot farm generates a fake Webpage containing only the elements needed to support an ad, then requests an ad from a network using a spoofed Uniform Resource Locator (URL) matching that of a premium publisher; the ad is loaded in a simulated browser while Methbot’s various human-mimicking mechanisms are enabled to convince anti-fraud systems that the activity comes from real users. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.