July 7, Softpedia – (International) Dangerous GNU wget vulnerability still not patche din all Linux distros. Security researchers from Golunski and SecuriTeam discovered a GNU wget vulnerability that could be exploited to allow an attacker to upload arbitrary files and achieve code execution due to wget’s improper handling of file names when redirecting users from an initial Hypertext Transfer Protocol (HTTP) Uniform Resource Locator (URL) to a File Transfer Protocol (FTP) link. Source
July 7, Help Net Security – (International) Google fixes 108 bugs in July Android security update. Google released its July Android Security Bulletin that patched 108 vulnerabilities in several of its products including seven critical remote code execution (RCE) flaws affecting the Mediaserver component and several elevation of privilege and information disclosure flaws in several of its services, libraries, Bluetooth, and the Framework application program interfaces (APIs). Source
July 7, Softpedia – (International) Over 6,000 Redis database servers ready for taking. Security researchers from Risk Based Security released a report detailing that 6,338 Redis servers were compromised after performing a non-intrusive scan using Shodan which revealed that the hacked servers featured the “crackit” Secure Socket Shell (SSH) key and were attached to an email address that was previously seen in other incidences. Researchers recommended that Webmasters update their Redis database to the recent version and activate “protected mode” feature. Source
July 6, Softpedia – (International) Campaign of infected WordPress and Joomla sites leads to CryptXXX ransomware. Security researchers from Sucuri discovered that a new campaign dubbed Realstatistics was using outdated Content Management Systems (CMSs), primarily WordPress and Joomla Web sites, to hack Web sites using vulnerabilities in plugins rather than using core vulnerabilities after discovering at least 2,000 Web sites were affected by the campaign. Source
July 6, Softpedia – (International) Caja toolkit vulnerability exposed Google Docs domain to XSS attacks. Google released patches for several cross-site scripting (XSS) issues in its Caja toolkit used inside its Docs and Developers series after a security researcher found the tool failed to sanitize various types of XSS attacks, potentially allowing attackers to create malicious Google Docs files containing Google Apps Script, that when loaded, could steal cookies and execute malicious actions. Source
Above Reprinted from the USDHS Daily Open Source Infrastructure Report
July 7, Dark Reading - Landmark Cybersecurity Law Passed By European Union. New rules impose obligations to strengthen cyber defense and report network threats and incidents. The European Union (EU) now has its first cybersecurity law as members of the 28-nation EU Parliament passed legislation that requires service operators, search engines, and online market portals and other businesses to improve their network defense measures and report cyber incidents, Bloomberg reports. Source
July 8, Dark Reading - Wendy’s Gives Details On Payment Card Breach. Fast food chain provides details on franchisees hit and offers support services for affected customers. Fast-food restaurant chain Wendy’s has issued details on the specific outlets that may have been impacted in its recently reported data breach. The company is offering one year of free fraud consultation and identity restoration services for affected customers. Source