Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On December 19, 2016

December 16, SecurityWeek – (International) Joomla patches dangerous security flaws. Joomla released version 3.6.5 to resolve three security issues, including a high severity flaw plaguing all Joomla iterations from 1.6.0 – 3.6.4 which could be exploited to allow an attacker to modify existing user accounts including altering usernames, user group assignments, and passwords. In addition to the patches, the update included additional security hardening mechanisms. Source

December 15, SecurityWeek – (International) Suspect arrested in JPMorgan, Dow Jones data theft case. A U.S. citizen living in Moscow was arrested at John F. Kennedy International Airport in New York December 14 after he allegedly orchestrated computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers, including a hack that compromised the data on 7 million businesses and 76 million household customers of JPMorgan Chase & Co and other firms. The man and his co-conspirators also allegedly operated an Internet gambling scheme, an unlawful bitcoin exchange, and an illicit payment processing operation for fraudulent online pharmaceutical sellers. Source

December 15, SecurityWeek – (International) Over 8,800 WordPress plugins have flaws: Study. RIPS Technologies researchers released a report after analyzing 44,705 plugins in the official WordPress plugins directory, which found a total of 67,486 vulnerabilities in the plugins, including 41 critical flaws, 2,799 high severity flaws, and more than 4,600 medium severity security holes. The study also revealed that more than 68 percent of the vulnerabilities discovered are cross-site scripting (XSS) issues and over 20 percent are Structured Query Language (SQL) injection flaws. Source

December 15, SecurityWeek – (International) Nymaim trojan fingerprints MAC addresses to bypass virtualization. SophosLabs security researchers reported that the Nymaim trojan was spotted comparing a targeted machine’s media access control (MAC) address against a hardcoded list of blacklisted vendors, enabling the malware to avoid virtual environments and hinder analysis tools. The researchers also found that the trojan runs a series of checks and continues executing even after those checks fail, so that a sandbox does not see an obvious exit that would reveal the evasion. Source
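The check described above keys on the first three octets of a MAC address (the OUI, which identifies the NIC vendor). A sandbox operator can turn the same lookup around to audit whether an analysis VM advertises a prefix that a MAC-fingerprinting sample would treat as "virtual". The following is an added example, not code from the article or from SophosLabs; the OUI table is constructed from publicly registered hypervisor vendor prefixes, and it is an assumption that any particular sample, Nymaim included, blacklists exactly these.

```python
"""Audit analysis-VM MAC addresses for well-known hypervisor OUIs.

Added example for sandbox hygiene; not the malware's own list and not
code from the article. Input MACs below are constructed for illustration.
"""
import re

# Constructed table: OUI (first three octets) -> vendor commonly associated
# with virtual NICs. Assumption: these are the prefixes a MAC-based VM check
# is most likely to look for; no claim is made about any specific sample.
HYPERVISOR_OUIS = {
    "00:05:69": "VMware",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:16:3E": "Xen",
    "00:1C:42": "Parallels",
    "00:15:5D": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:0c:29..., 00-0C-29..., 000c.29... and return AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def hypervisor_vendor(mac: str):
    """Return the hypervisor vendor for this MAC's OUI, or None if not in the table."""
    oui = normalize_mac(mac)[:8]
    return HYPERVISOR_OUIS.get(oui)


def audit_interfaces(macs):
    """Return (mac, vendor) pairs for interfaces that would trip a MAC-based VM check.

    Order of the input list is preserved so the result maps back to the
    interface inventory the operator supplied.
    """
    flagged = []
    for mac in macs:
        vendor = hypervisor_vendor(mac)
        if vendor is not None:
            flagged.append((mac, vendor))
    return flagged


# Constructed sample inventory: two hypervisor-prefixed NICs and one that is not.
SAMPLE_MACS = [
    "00:0c:29:ab:cd:ef",   # VMware-style prefix
    "3C-22-FB-12-34-56",   # non-hypervisor prefix, hyphen-separated
    "08:00:27:00:11:22",   # VirtualBox-style prefix
]

if __name__ == "__main__":
    for mac, vendor in audit_interfaces(SAMPLE_MACS):
        print(f"{normalize_mac(mac)}  would be fingerprinted as {vendor}")
```

Any interface the audit flags is a candidate for reassigning a MAC from a non-hypervisor OUI before the VM is used for detonation; the lookup is deliberately separator-tolerant so output from `ip link`, `ipconfig` or a hypervisor config file can be pasted in unchanged.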

December 14, SecurityWeek – (International) SAP resolves multiple information disclosure flaws. SAP released its December 2016 security patches, which feature 20 Patch Day Security Notes and updates for 2 previously released notes to resolve a total of 31 vulnerabilities affecting several SAP products, including an information disclosure flaw in SAP Business Objects Explorer which could be leveraged to reveal additional information such as system data or debugging information, among other patched flaws. The updates also resolve three flaws in 2 SAP for Defense Forces & Public Security components that could allow an attacker to read, alter, or delete restricted data. Source

December 14, SecurityWeek – (International) Yahoo says newly discovered hack hit 1 billion accounts. Yahoo Inc. reported December 14 that the data associated with more than 1 billion user accounts may have been compromised in an August 2013 breach after attackers reportedly accessed the company’s proprietary code to learn how to forge cookies. Yahoo officials claimed the breach was conducted by a state-sponsored actor, and the breach remains under investigation. Source

December 14, SecurityWeek – (International) Ashley Madison dating site to pay $1.6 million over breach. Ruby Corp., the parent company of the Ashley Madison discreet dating Website, agreed December 14 to pay a $1.6 million penalty to settle charges with the U.S. Federal Trade Commission and State regulators after a hacker group released the data of 36 million users of the Website in 46 countries in 2015. The settlement requires Ashley Madison to implement a wide range of data security practices to better protect its users’ personal information from malicious actors in the future. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

December 19, DarkReading - Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accounts. Leak of bank account and financial planning details emanated from a financial advisor's unsecured Internet-connected backup drive at home. Confidential financial data worth tens of millions of dollars, belonging to about 350 Ameriprise clients, was exposed unwittingly by one of its financial advisors while taking a backup to an Internet-connected drive at home, reports ZDNet. The discovery, by security researcher Chris Vickery of MacKeeper during a random scan with the Shodan search engine, has raised questions about the security practices followed by the company’s franchise operators across the US. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.