Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On December 05, 2016

December 2, Help Net Security – (International) AirDroid app opens millions of Android users to device compromise. Zimperium security researchers reported that tens of millions of users of AirDroid, a remote management tool for Android, are vulnerable to man-in-the-middle (MitM) attacks that could compromise their devices through fraudulent updates and result in data theft. If a user is on the same unsecured network as a malicious actor, the attacker could perform a MitM network attack to access the device authentication information, decrypt any Hypertext Transfer Protocol (HTTP) request the application performs, redirect and modify the HTTP traffic sent and received by the device when it checks for updates, and then plant a malicious update for the app to use. Source

December 1, SecurityWeek – (International) Bug allows activation lock bypass on iPhone, iPad. Security researchers discovered two variations of a flaw that can be exploited to bypass Apple’s Activation Lock feature and access the home screen of locked iPhones and iPads running Apple’s mobile operating system (iOS) 10.1 and iOS 10.1.1. Once a locked device is started, users are required to connect to a Wi-Fi network, and attackers can enter long strings into the username and password fields to trigger a crash that displays the device’s home screen. Source

December 1, Softpedia – (International) PayPal fixes security flaw allowing hackers to steal OAuth tokens. PayPal Holdings, Inc. patched a critical security flaw in its application after an Adobe Systems security researcher found a vulnerability that could allow attackers to steal OAuth tokens. The flaw stemmed from the way PayPal allows developers to register their apps through a dashboard that generates token requests, which are submitted to a central authentication server. The researcher found that an attacker could trick the authentication server into accepting localhost as the redirect_uri parameter, redirecting a PayPal validation to a third-party domain where the attacker could access the data. Source
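The PayPal item above turns on how an authorization server validates the redirect_uri parameter. The following is an added illustration, not code from PayPal or from the original report: it places a lenient check (trusting loopback hosts and prefix-matching the registered URI) beside a strict RFC 6749-style exact-match check, and runs both over constructed sample URIs. The client identifier, registered callback URL and sample requests are all made up for the example.

```python
"""Lenient vs strict OAuth redirect_uri validation (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical client; not real PayPal data.
REGISTERED_REDIRECT_URIS = {
    "client-abc": ["https://app.example.com/oauth/callback"],
}


def naive_is_valid(client_id: str, requested: str) -> bool:
    """Lenient check of the kind that lets a redirect escape the registered
    domain: it trusts any loopback host and only prefix-matches the
    registered URI, so path traversal and query additions slip through."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    host = urlsplit(requested).hostname or ""
    if host in ("localhost", "127.0.0.1"):
        return True
    return any(requested.startswith(r) for r in registered)


def _normalize(uri: str):
    """Canonical (scheme, host, port, path, query) tuple; only scheme case,
    host case and the default port are normalized, nothing else."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    try:
        port = p.port
    except ValueError:  # malformed port such as ":abc"
        return None
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/", p.query)


def strict_is_valid(client_id: str, requested: str) -> bool:
    """Exact match against the registered URIs. Rejects fragments, backslashes,
    userinfo tricks (https://app.example.com@evil.test/) and non-HTTPS schemes,
    then compares the whole normalized URI including path and query."""
    if "#" in requested or "\\" in requested:
        return False
    p = urlsplit(requested)
    if p.scheme.lower() != "https":
        return False
    if p.username is not None or p.password is not None:
        return False
    norm = _normalize(requested)
    if norm is None:
        return False
    registered = REGISTERED_REDIRECT_URIS.get(client_id, [])
    return any(norm == _normalize(r) for r in registered)


# Constructed sample redirect_uri values a server might receive.
SAMPLES = [
    "https://app.example.com/oauth/callback",                      # exact match
    "https://APP.example.com:443/oauth/callback",                  # same URI, different spelling
    "http://localhost:8080/oauth/callback",                        # loopback, not registered
    "https://app.example.com/oauth/callback/../steal",             # path traversal past the callback
    "https://app.example.com/oauth/callback?next=https://evil.test",  # extra query the app may follow
    "https://app.example.com@evil.test/oauth/callback",            # userinfo masquerading as the host
]


def compare(client_id: str = "client-abc") -> dict:
    """Return {uri: (naive_verdict, strict_verdict)} for every sample."""
    return {u: (naive_is_valid(client_id, u), strict_is_valid(client_id, u)) for u in SAMPLES}


if __name__ == "__main__":
    for uri, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {uri}")
```

The strict check accepts only the second spelling of the registered URI because host case and the default port are the only things normalized; everything else, including the query string, must match the registration byte for byte.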

December 1, SecurityWeek – (International) Kelihos botnet spreading Troldesh ransomware. Security researchers reported that the Kelihos botnet was spotted distributing the Troldesh encryption ransomware to targeted devices via spam emails containing URLs that redirect a victim to a JavaScript file and a Microsoft Word document before encrypting users’ files and adding the .no_more_ransom extension. The Troldesh spam message impersonates Bank of America and convinces a user to open a malicious attachment claiming to contain information on an outstanding debt; instead, it downloads the malware and the Pony info-stealer onto the victim’s device. Source

November 30, Help Net Security – (International) Gooligan Android malware used to breach a million Google accounts. Check Point security researchers discovered a new variant of an Android malware campaign dubbed Gooligan that has breached the security of more than 1 million Google accounts since August 2016 by rooting Android devices and stealing email addresses and authentication tokens stored on them, thereby enabling a malicious actor to access users’ sensitive data from Gmail, Google Docs, Google Photos, and Google Drive, among other programs. The researchers found the Gooligan campaign infects 13,000 devices daily and installs at least 30,000 apps on those infected devices each day, among other findings. Source

November 30, SecurityWeek – (International) Flaws found in Emerson DeltaV, Liebert products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published three advisories outlining flaws affecting Emerson’s DeltaV and Liebert products after a security researcher from Positive Technologies found that Emerson’s Liebert SiteScan tool versions 6.5 and earlier contain an Extensible Markup Language (XML) external entity (XXE) flaw that can be remotely exploited to execute arbitrary code or access files from the server or a connected network. The advisories also describe a vulnerability in the DeltaV Easy Security Management app that could be exploited to elevate privileges on the control system, among other flaws. Source

November 30, SecurityWeek – (International) Tor users targeted with Firefox zero-day exploit. Mozilla’s Firefox team and Tor Browser developers are working to release updates after Trail of Bits security researchers spotted a JavaScript exploit leveraging a zero-day use-after-free vulnerability in Firefox’s Scalable Vector Graphics (SVG) parser to target Tor users. The exploit reportedly consists of one Hypertext Markup Language (HTML) file and one Cascading Style Sheets (CSS) file. Source

November 30, Help Net Security – (International) 158% increase in Android platform vulnerabilities. Quick Heal released a report which revealed a 14 percent increase in the detection count of malware on Microsoft Windows-based computers in the third quarter of 2016, a 33 percent rise in the amount of mobile ransomware in comparison to the second quarter, and a 25 percent increase in the detection of mobile banking trojans in the third quarter, among other findings. Source

November 28, Softpedia; San Francisco Examiner – (California) San Francisco metro system hacked, everyone getting free rides. The San Francisco Municipal Railway (MUNI) was hacked November 25, providing free rides to all passengers through November 26, and the attacker demanded a ransom of 100 Bitcoin, or $73,000, if the transit system wanted the ransomware removed from its ticketing systems and its services restored. MUNI officials reported that train service was not impacted during the hack and that the investigation is ongoing. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.