Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 18, 2016

November 17, SecurityWeek – (International) Several vulnerabilities patched in Drupal 7, 8. Drupal released versions 7.52 and 8.2.3 addressing four vulnerabilities including a flaw in Drupal 8 that can be exploited to cause a denial-of-service (DoS) condition with specially crafted URLs via the transliteration mechanism. The updates also resolved a flaw in Drupal 7 that could allow a malicious actor to build a confirmation form Uniform Resource Locator (URL) that redirects victims to third-party Websites after they interact with the form, among other flaws. Source

November 17, Softpedia – (International) Raspberry Pi-based hacking device can break into any computer in seconds. A security researcher created a hijacking device, dubbed PoisonTap, built on an inexpensive Raspberry Pi Zero. Plugged into a targeted computer over USB, it leverages a backdoor installed on the device via USB and imitates an Internet-over-USB connection to convince the computer it is connected via Ethernet, causing the computer to prioritize the USB connection and begin sending unencrypted Internet traffic to PoisonTap. Once the device has hijacked all of the Web traffic, it collects Hypertext Transfer Protocol (HTTP) authentication cookies and session data, allowing an actor to bypass two-factor authentication (2FA) and access a user’s online accounts. Source
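A defender-side check that follows from this item, added here as an example and not part of the original alert or of the PoisonTap project: the attack depends on the host accepting a new USB network adapter, so an inventory of which interfaces are backed by a USB device is a useful baseline on machines that should never use USB networking. The code assumes the Linux sysfs layout (`/sys/class/net/<iface>/device` is a symlink into `/sys/devices`, and USB-attached adapters resolve through a `usbN` hub node); the sample tree it builds is constructed for the demonstration and its device paths are made up.

```python
"""Flag network interfaces that hang off the USB bus (added example, Linux sysfs)."""
import os
import tempfile


def usb_attached_interfaces(sysfs_net="/sys/class/net"):
    """Return the names of interfaces whose backing device sits on a USB bus.

    Every physical interface in sysfs has a 'device' symlink into /sys/devices.
    USB-attached adapters resolve to a path that passes through a usbN hub
    segment; anything flagged here deserves a second look on a host that is
    not expected to use USB networking.
    """
    flagged = []
    if not os.path.isdir(sysfs_net):
        return flagged
    for name in sorted(os.listdir(sysfs_net)):
        device_link = os.path.join(sysfs_net, name, "device")
        if not os.path.islink(device_link):
            continue  # virtual interfaces (lo, veth, bridges) have no device link
        target = os.path.realpath(device_link)
        # A USB-attached adapter's device path contains a "usb<N>" hub segment.
        parts = target.split(os.sep)
        if any(p.startswith("usb") and p[3:].isdigit() for p in parts):
            flagged.append(name)
    return flagged


def build_sample_sysfs():
    """Build a constructed sysfs-like tree in a temp dir; return its class/net path.

    The layout mirrors real kernel paths but the values are made up: eth0 sits
    on PCI, enx00e04c680000 (a typical USB adapter name) sits under usb1, and
    lo has no device link at all.
    """
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    pci_dev = os.path.join(root, "devices", "pci0000:00", "0000:00:1f.6")
    usb_dev = os.path.join(root, "devices", "pci0000:00", "0000:00:14.0",
                           "usb1", "1-1", "1-1:1.0")
    net = os.path.join(root, "class", "net")
    for path in (pci_dev, usb_dev, os.path.join(net, "eth0"),
                 os.path.join(net, "enx00e04c680000"), os.path.join(net, "lo")):
        os.makedirs(path, exist_ok=True)
    os.symlink(pci_dev, os.path.join(net, "eth0", "device"))
    os.symlink(usb_dev, os.path.join(net, "enx00e04c680000", "device"))
    return net


if __name__ == "__main__":
    sample = build_sample_sysfs()
    print("constructed sample flags:", usb_attached_interfaces(sample))
    # On a real Linux host this inspects the live /sys tree.
    print("this host flags:", usb_attached_interfaces())
```

Run against the live tree, an unexpected entry in the output is the signal; the check says nothing about whether the adapter is the default route, which is the part of the attack the item describes, so it belongs alongside a routing-table review rather than in place of one.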

November 16, SecurityWeek – (International) Firefox 50 patches 27 vulnerabilities. Mozilla released Firefox 50 to address 27 vulnerabilities including a critical heap-buffer-overflow in the Cairo programming library when processing Scalable Vector Graphics (SVG) content that could lead to a crash due to compiler optimization, as well as a series of critical memory safety issues that could potentially be exploited by a malicious actor to run arbitrary code, among other flaws. The new browser also adds Download Protection for many executable file types on Microsoft Windows, Apple Mac, and Linux to improve overall security for users. Source

November 16, SecurityWeek – (International) Backdoor in some Android phones sends data to server in China. Kryptowire security researchers reported that several Android models sold in the U.S. were found to include a backdoor in their firmware that transmits personally identifiable information (PII), including contact lists, call history, and text messages, to third-party servers without the victim’s authorization via a commercial Firmware Over The Air (FOTA) update software system managed by Shanghai ADUPS Technology Co. Ltd. The researchers found the firmware could remotely install applications without user consent, target specific users and text messages by matching remotely defined keywords, and collect data on the use of applications on an affected device. Source

November 16, SecurityWeek – (International) CryptoLuck ransomware emerges. A Proofpoint security researcher discovered a new ransomware family, dubbed CryptoLuck, that leverages the RIG-Empire exploit kit (EK) for distribution and abuses the legitimate GoogleUpdate.exe executable and dynamic-link library (DLL) hijacking to infect devices. The malware spreads in the form of a RAR self-extracting archive (SFX) file and performs a series of checks to ensure it is not running in a virtual machine before scanning all mounted drives and unmapped network shares for files it can encrypt. Source

November 16, U.S. Department of Justice – (International) Fourth defendant convicted in scheme that defrauded software company of over $16 million worth of virtual currency. A Whittier, California resident was convicted November 16 for his role in a scheme in which he and 3 co-conspirators defrauded the software company and FIFA Football video game publisher Electronic Arts (EA) out of more than $16 million by creating software that fraudulently logged thousands of FIFA Football matches to circumvent security mechanisms created by the firm and illicitly earn FIFA coins, which the trio subsequently exchanged on a secondary market where the coins are traded for dollars. The three co-conspirators previously pleaded guilty for their roles in the scheme. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.