Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 29, 2016

November 17, SecurityWeek – (International) iOS lockscreen bypass gives access to contacts, photos. Security researchers discovered a vulnerability in Apple’s mobile operating system (iOS) that could allow an attacker with physical access to a device that has Siri enabled on the lockscreen to bypass the phone’s lockscreen and access photos and contact information on a victim’s iPhone or iPad. The researchers reported the flaw affects iOS versions 8.0 – 10.2 and can be avoided by disabling Siri on the lockscreen. Source

November 17, Help Net Security – (International) Ransoc browser locker/ransomware blackmails victims. Security researchers discovered that the Ransoc ransomware is being distributed via malvertising to target and blackmail Microsoft Windows users who frequent adult Websites. Once on an infected device, it collects information from the victim’s Facebook, LinkedIn, and Skype accounts and scans local media filenames for strings associated with files downloaded via torrents in order to uncover illegal or illicit content. The ransomware then displays a ransom note, or “penalty notice,” tailored to the information it finds, threatening to expose the victim’s illicit online activity to the user’s social and professional network connections if the fine is not paid. Source

November 18, SecurityWeek – (International) Moxa, Vanderbilt surveillance products affected by serious flaws. The Industrial Control Systems-Computer Emergency Readiness Team (ICS-CERT) released an advisory which reported that Moxa’s SoftCMS central management software was plagued with three serious vulnerabilities after security researchers discovered a Structured Query Language (SQL) injection flaw that could be remotely exploited to access the software with administrator privileges, a double free condition that could lead to a denial-of-service (DoS) condition, and an improper input validation flaw that could lead to a crash of the application. ICS-CERT and Siemens also informed customers that several Siemens-brand Vanderbilt IP cameras were affected by a flaw that could allow an attacker with network access to obtain administrative privileges using maliciously crafted requests. Source

November 18, SecurityWeek – (International) Over-the-air update mechanism exposes millions of Android devices. Security researchers reported that over 2.8 million Android devices across 55 device models were vulnerable to Man-in-the-Middle (MitM) attacks that could allow a remote, unauthenticated attacker to replace server responses with their own and execute arbitrary commands as root on the device. The cause is an insecure implementation of the over-the-air (OTA) update mechanism from Ragentek Group, which failed to use an encrypted channel for transactions between the update binary and a third-party endpoint. Source

November 20, Softpedia – (International) Microsoft Xbox, PlayStation, other popular Twitter accounts hacked. Twitter Counter confirmed its service experienced a security breach and several high-profile Twitter accounts, including those owned by Microsoft Xbox, the U.S. National Transportation Safety Board, and the Minnesota governor, among others were hacked to post links to services that increase a user’s number of followers for other accounts. Twitter Counter stated an investigation into the breach is ongoing and the hackers can no longer post on another user’s behalf. Source

November 21, SecurityWeek – (International) Palo Alto Networks patches flaws found by Google researcher. Palo Alto Networks, Inc. patched several vulnerabilities in its PAN-OS operating system after a Project Zero researcher found three security flaws affecting the products, including a buffer overflow in the Web management server that could allow an attacker with network access to the Web management interface to execute arbitrary code or cause a denial-of-service (DoS) condition. The patches also addressed two local privilege escalation bugs that could be exploited to obtain root permissions, an OpenSSH flaw, and a post-authentication flaw that could allow XPath manipulation. Source

November 21, Help Net Security – (International) Malware masquerading as an image spreads via Facebook. A malware researcher discovered malware spreading via Facebook in the form of Scalable Vector Graphics (SVG) image files that contain embedded content and are automatically sent from compromised user accounts. The files redirect users to a Website impersonating YouTube, where the victim is required to install a specific codec extension before viewing the video; the extension gives the malware the capability to alter the user’s data on the Websites they visit. The researcher reported the SVG file also contains the Nemucod downloader; however, it has not been spotted downloading the Locky ransomware or other malware. Source

November 22, Softpedia – (International) US Government invites hackers to attack US Army domains. The U.S. Department of Defense (DOD) and partner company HackerOne reported November 22 that hackers can now register for the Hack the Army bug bounty challenge, which will allow 500 security researchers to hack U.S. Army domains and find unpatched vulnerabilities in exchange for a reward. DOD officials reported the program concerns any public-facing Website that is owned, operated, or controlled by the department, and is part of an effort to explore new security approaches. Source

November 21, SecurityWeek – (International) Code execution flaws patched in HDF5 library. The HDF Group released version 1.8.18 of its HDF5 library after researchers from Cisco’s Talos Vulnerability Development Team discovered the library was plagued with a total of 4 local heap-buffer overflow flaws that could allow an attacker to execute arbitrary code in the context of the application using the library if they trick a victim into opening a maliciously crafted file. The vulnerabilities are the result of a failure to check if the number of dimensions for an array from a file is within bounds, a failure to check if certain message types support a specific flag, and insufficient handling of select values in memory when parsing a Hierarchical Data Format (HDF) file, among other failures. Source

November 22, SecurityWeek – (International) Office 365 flaw made fake Microsoft emails look legitimate. A Turkey-based security researcher discovered a flaw in Microsoft Office 365 that could be exploited by attackers to send malicious emails and make them appear as if they were sent from a legitimate microsoft.com email address. While testing the spam filters of different email services, the researcher found that some of his phishing emails sent from a spoofed microsoft.com address and forwarded through Outlook 365 to the Yandex email service were marked as valid. Additional testing found that Gmail also accepted the spoofed microsoft.com emails forwarded from Outlook as legitimate. Source

November 22, SecurityWeek – (International) Siemens releases firmware updates to patch SIMATIC flaws. Siemens released firmware updates for its SIMATIC S7-300 and S7-400 controllers, and its SIMATIC CP 343-1 and CP 443-1 Advanced communications processors resolving several medium-severity flaws after security researchers discovered the affected devices contain an integrated Web server on port 80/TCP or 443/TCP that enables a malicious actor to carry out operations with privileges of an authenticated user. The researchers also discovered a flaw related to the Web server delivering cookies without the “secure” flag, among other patched flaws. Source
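The SIMATIC item above mentions a Web server delivering cookies without the “secure” flag. The following script is an added example, not code from the alert or from Siemens, that audits `Set-Cookie` header lines for the `Secure` and `HttpOnly` attributes so a defender can spot the same weakness on any device in their own inventory. The header lines and cookie names in it are constructed for illustration; the audit function is hypothetical and not part of any vendor tool.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example (not from the original alert). The sample headers below are
constructed; point the functions at headers captured from your own device
(for instance from a curl -I run over HTTPS) to audit it.
"""

# Constructed sample: what a Web server might return on port 443/TCP.
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header):
    """Return (cookie_name, attributes) for one Set-Cookie header line.

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True, valued attributes keep their value.
    """
    value = header
    if header.lower().startswith("set-cookie:"):
        value = header.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def missing_flags(header, over_https=True):
    """Return (cookie_name, [missing attribute names]) for one header.

    Secure is only expected when the cookie is served over HTTPS; HttpOnly
    is expected regardless, since it keeps scripts from reading the cookie.
    """
    name, attrs = parse_set_cookie(header)
    missing = []
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return name, missing


def audit(headers, over_https=True):
    """Map each cookie that lacks an expected attribute to the missing list."""
    findings = {}
    for header in headers:
        name, missing = missing_flags(header, over_https)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

A cookie served over HTTPS without `Secure` can be sent by the browser over a plain-HTTP request to the same host, which is what makes the missing flag worth flagging on an embedded device that listens on both port 80/TCP and 443/TCP.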

November 22, SecurityWeek – (International) Several DoS vulnerabilities patched in NTP. The Computer Emergency Response Team (CERT) Coordination Center and the Network Time Foundation reported the release of Network Time Protocol (NTP) version 4.2.8p9, which includes roughly 40 security patches, bug fixes, and system improvements, including a patch for a high-severity oversized User Datagram Protocol (UDP) packet denial-of-service (DoS) flaw on Microsoft Windows, as well as patches for 9 other security holes. Source

November 23, SecurityWeek – (International) Information disclosure flaws patched in VMware products. VMware released two security advisories, one of which includes patches for three flaws in VMware vCenter Server, vSphere Client, and vRealize Automation after security researchers from Positive Technologies discovered XML External Entity (XXE) flaws that could lead to information disclosure and a denial-of-service (DoS) condition. The second advisory describes a medium-severity information disclosure bug in Identity Manager and vRealize Automation that could allow an attacker to access folders that do not contain sensitive data. Source

November 23, Help Net Security – (International) Telecrypt Decryptor foils ransomware’s simple encryption method. A malware analyst released Telecrypt Decryptor, a tool that is able to decrypt files encrypted by the Telecrypt ransomware when running on an Administrator account and if an affected user has .NET 4.0 and above or has at least one of the encrypted files in an unencrypted form. Source

November 24, Softpedia – (International) Hackers can steal Tesla cars using Android app. Security researchers from Promon discovered a flaw in Tesla Motors companion applications for Android and Apple iOS that could enable hackers to locate, unlock, and steal Tesla vehicles by convincing a Tesla owner to download a malicious version of the companion app, for example by offering a free burger upon installation, which allows the hacker to connect to the phone and begin the hijack process. As the flaw is in the mobile apps and not the vehicles, researchers advised users to update their systems and apps and to avoid downloading apps from untrusted sources. Source

November 24, Softpedia – (New York) Hackers hijack Madison Square Garden payment systems, credit card data at risk. The Madison Square Garden Company reported November 24 that it detected an attack on its payment system that may have exposed the credit card information of all of its customers between November 9, 2015 and October 24, 2016, including card numbers, verification codes, cardholder names, and expiration dates. The firm stated the attack took place outside of its network and did not leverage accessories attached to the Point-of-Sale (PoS) systems, and the hack remains under investigation. Source

November 25, SecurityWeek – (International) Flaws in Uber’s UberCENTRAL tool exposed user data. A security researcher discovered several issues in Uber Technologies Inc.’s UberCENTRAL service including a flaw that allows attackers to enumerate users’ universally unique identifiers (UUIDs) by sending requests with possible email addresses, and an issue that can be exploited to obtain full names, phone numbers, and email addresses of customers, among other flaws. Uber released patches for the flaws. Source

November 25, SecurityWeek – (International) Cerber 5.0 ransomware uses new IP ranges. Check Point security researchers discovered that version 5.0 of the Cerber ransomware was released and now uses new Internet Protocol (IP) ranges for command and control (C&C) communication, skips 640 bytes when encrypting a file, targets files that feature the secret extension, and no longer encrypts files smaller than 2,560 bytes, among other new features. Check Point also found that the ransomware leverages spam email campaigns and the Rig-V exploit kit for distribution, and as with previous versions, Cerber 5.0 randomly generates encrypted file extensions of four alphanumeric characters. Source

November 28, SecurityWeek – (International) cURL security audit reveals several vulnerabilities. The developer of cURL released version 7.51.0 to resolve a total of 11 vulnerabilities following a security audit by Cure53, which revealed the open source tool was plagued with 23 issues and 9 security flaws including 4 high severity issues that could lead to remote code execution. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.