Gotham Security Daily Threat Alerts 12/21-12/31/15

By Nancy Rand
Posted in Security
On January 04, 2016

December 30, SecurityWeek – (International) Linode hit by DDoS attacks. The cloud hosting company Linode reported that its website, Manager mobile application, Domain Name System (DNS) infrastructure, and data centers in Atlanta, Newark, and London were compromised after the company discovered hackers had conducted distributed denial-of-service (DDoS) attacks for several hours. Security researchers from the company were able to patch the vulnerabilities. Source

December 29, SecurityWeek – (International) Verizon’s Hum website found leaking credentials. Verizon Communications reported that it patched an information disclosure vulnerability in its Hum website after an independent researcher discovered that the source code of the shopping page included a username and the password “Weblogic12”, along with several domain names. Source
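A pre-publication check of the kind that would have caught the leak above, added here as an example (it is not Verizon's code, nor from the article): it scans the text of a page or script for credential material that should never reach a served page, namely password assignments, user:password pairs embedded in URLs, and inline HTTP basic-auth tokens, and reports each hit with the secret masked so the finding itself does not leak it. The sample page, hostnames and credential values are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Each entry: (regex, index of the capture group that holds the secret).
# The captured group is what gets masked in the report.
SECRET_PATTERNS = {
    # password = "..."  /  "password": '...'  in JS, JSON or HTML attributes
    "password_assignment": (
        re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd)['"]?\s*[:=]\s*['"]([^'"]{4,})['"]"""), 1),
    # credentials embedded in a URL: scheme://user:pass@host
    "url_userinfo": (
        re.compile(r"\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@"), 2),
    # Authorization header with an inline Basic token
    "basic_auth_header": (
        re.compile(r"""(?i)authorization['"]?\s*[:=,]\s*['"]?basic\s+([A-Za-z0-9+/=]{8,})"""), 1),
}


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str   # the offending line with the secret itself replaced by ***


def _mask(line: str, match, group: int) -> str:
    """Replace only the captured secret so the context stays readable."""
    return line[: match.start(group)] + "***" + line[match.end(group):]


def scan_source(text: str) -> List[Finding]:
    """Scan page/script text line by line and return masked findings in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, group) in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, _mask(line, m, group)))
    return findings


# Constructed sample page; every credential below is a placeholder, not a real secret.
SAMPLE_PAGE = "\n".join([
    '<html><head><title>Shop</title>',
    '<script>',
    '  var apiBase = "https://shop.example/api";',
    '  var dbPassword = "Not-A-Real-Pass-123";   // constructed, not a real credential',
    '  var feed = "https://svc_reader:S3cretExample@feeds.internal.example/v1";',
    '  xhr.setRequestHeader("Authorization", "Basic c3ZjOmV4YW1wbGU=");',
    '</script>',
    '<!-- hosts: app1.corp.example, app2.corp.example -->',
    '</head><body>Welcome</body></html>',
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PAGE):
        print(f"line {f.line_no}: {f.kind}: {f.redacted.strip()}")
```

Run it against a built bundle or a fetched page before release; the patterns are deliberately broad and will produce some false positives (any variable whose name contains "pass"), which is the right trade-off for a gate that a human reviews.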

December 29, Los Angeles Times – (National) State officials investigating potential data leak on millions of California voters. California State officials are conducting an investigation December 29 to verify media reports that the information of 191 million U.S. voters was compromised after a security researcher discovered an online database that exposed voters’ names, addresses, and dates of birth, among other information. Source

December 29, Softpedia – (International) AVG forcibly installs vulnerable Chrome extension that exposes users’ browsing history. A researcher from Google Project Zero discovered a serious vulnerability in the AVG Web TuneUp Chrome extension, which was forcibly installed when users downloaded AVG Antivirus, and which allowed attackers to access users’ cookies, browsing history, and other details through cross-site scripting (XSS) attacks and cross-domain requests. AVG Web TuneUp version 4.2.5.169 patched the flaw and Google blocked AVG’s inline installation of the extension. Source

December 28, SecurityWeek – (International) Android malware uses firewall rules to block security apps. Researchers from Symantec discovered a new Android malware, dubbed Android.Spywaller, that allows attackers to block mobile security applications, exfiltrate sensitive data from compromised mobile devices, including personally identifying information (PII), and collect data belonging to specific third-party communication applications, including BlackBerry Messenger, Oovoo, and Skype, among others. It does so through a reverse payload attack that drops and runs the DroidWall firewall binary, using it to create firewall rules that block the targeted security application by its unique user identifier (UID). The malware was seen targeting users in China via the Qihoo 360 application, and researchers advised users to install security solutions to block mobile threats, update software regularly, and install applications only from trusted sources. Source

December 28, SecurityWeek – (International) Adobe issues emergency patch for flash zero-day under attack. Adobe released out-of-band security updates that address several vulnerabilities in its Flash Player products, including a type confusion vulnerability, an integer overflow vulnerability, a use-after-free vulnerability, and a memory corruption vulnerability, that affect all platforms and can allow an attacker to take control of an affected system through a spear phishing campaign. Source

December 28, Softpedia – (International) ProxyBack malware turns infected computers into internet proxies. Researchers from Palo Alto Networks discovered that a total of 11,149 computers were infected by the new ProxyBack malware, which targets personal computers (PCs) and educational institutions in Europe, turning infected devices into Internet proxies and illegally using them to relay Internet traffic via an established connection with a malicious proxy server, from which it receives instructions on where to route traffic to the attackers’ web servers. Each affected device works as a bot inside a larger network, receiving commands and updated instructions via plain Hypertext Transfer Protocol (HTTP). Source

December 28, SecurityWeek – (International) Vulnerable Joomla Servers see 16,000 daily attacks. Researchers from Symantec reported that hackers have been averaging about 16,000 daily attempts to exploit a previously patched Joomla vulnerability, finding vulnerable servers by sending Hypertext Transfer Protocol (HTTP) requests and analyzing the responses when functions such as phpinfo() and eval(chr()) are executed. Once an attacker discovers a vulnerable server, a backdoor can be installed to execute commands, redirect visitors to exploit kits (EK), upload and download files, and modify websites hosted on the server. Source
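A defender-side check for the scanning behaviour described above, added here as an example (not code from SecurityWeek or Symantec): it parses web server access log lines in the common "combined" format and flags requests whose request line, referer or User-Agent contains the phpinfo() or eval(chr( signatures the scanners are reported to use, matching after percent-decoding so encoded variants are caught too. The log lines, addresses and field names are constructed for the example; the report does not say which request field carries the probe, so every logged field is checked.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Signatures of the probing requests described in the report: a scanner asks the
# server to run phpinfo() or eval(chr(...)) and inspects the response. Matching is
# done on percent-decoded text so encoded variants such as phpinfo%28%29 are caught.
PROBE_PATTERNS = {
    "phpinfo": re.compile(r"phpinfo\s*\(", re.IGNORECASE),
    "eval_chr": re.compile(r"eval\s*\(\s*chr\s*\(", re.IGNORECASE),
}

# Apache/nginx "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The report does not say which part of the request carries the probe (assumption),
# so the request line, referer and User-Agent are all inspected.
CHECKED_FIELDS = ("request", "referer", "agent")


@dataclass
class ProbeHit:
    ip: str
    timestamp: str
    field: str       # logged field that carried the signature
    signature: str   # key of PROBE_PATTERNS that matched
    status: int      # HTTP status the server returned to the probe


def find_probes(log_text: str) -> List[ProbeHit]:
    """Return one ProbeHit per (line, field) whose decoded content matches a signature."""
    hits: List[ProbeHit] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        for field in CHECKED_FIELDS:
            decoded = unquote(m.group(field))
            for name, pattern in PROBE_PATTERNS.items():
                if pattern.search(decoded):
                    hits.append(ProbeHit(m.group("ip"), m.group("ts"), field,
                                         name, int(m.group("status"))))
                    break  # one hit per field is enough for alerting
    return hits


def probes_per_source(hits: List[ProbeHit]) -> Dict[str, int]:
    """Count probes per source address, e.g. to feed a blocklist or an alert threshold."""
    return dict(Counter(h.ip for h in hits))


# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [28/Dec/2015:10:01:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Dec/2015:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0 phpinfo();"',
    '198.51.100.4 - - [28/Dec/2015:10:02:11 +0000] "POST /index.php HTTP/1.1" 500 0 "-" "eval(chr(112).chr(104))"',
    '203.0.113.9 - - [28/Dec/2015:10:02:40 +0000] "GET /index.php?q=phpinfo%28%29 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Dec/2015:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.signature} in {hit.field} (status {hit.status})")
    print(probes_per_source(find_probes(SAMPLE_LOG)))
```

The status code is kept on each hit because a 200 response to a probe, rather than a 403 or 500, is the case worth escalating: it suggests the server answered the scanner rather than rejecting the request.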

December 23, SecurityWeek – (International) Threat group uses new malware to target Russian organizations. Palo Alto Networks reported that a new threat group, similar to the Roaming Tiger operation, has been using a new malware tool dubbed “BBSRAT” to infect devices, reusing the same command and control (C&C) domains but deploying different malware variants and separate infrastructure for each targeted entity via droppers and downloaders that create registry entries for persistence. Once installed on a system, the malware collects data from the infected device and sends it back to a remote server via a POST request, after which attackers can send commands to uninstall or kill the malware, execute shellcode, start or stop a service, manipulate processes, and execute commands, among other actions. Source

December 23, SecurityWeek – (International) Man charged for hacking celebrity emails. The U.S. Attorney’s Office for the Southern District of New York reported December 22 that a man from the Bahamas was charged with allegedly hacking into the email accounts of 130 individuals working in the entertainment, media, and professional sports industries to steal private files, including movie and TV scripts, Social Security numbers, and passport copies, via malware and phishing campaigns. The suspect was arrested December 21 after attempting to sell 15 scripts and the personal information of 3 professional athletes and 1 actress for $80,000. Source

December 23, SecurityWeek – (International) Ramnit botnet returns. Researchers from IBM Security discovered a new botnet and a new variant of the Ramnit trojan that uses a different command and control (C&C) structure, relies on shorter configuration files, and uses web injections, of the kind also leveraged by other trojans including Dridex, Shifu, and Neverquest, served from a remote server to target banking websites. The malware is distributed via malvertising campaigns that rely on the Angler exploit kit (EK), but researchers reported that it could also be distributed through other infection vectors. Source

December 24, SecurityWeek – (International) Hyatt Hotels finds malware on payment systems. Hyatt Hotels Corporation reported December 23 that an investigation is ongoing into a potential breach of its payment processing systems following the discovery of malware on its systems. The company has taken additional steps to strengthen security measures and advised its customers to monitor their payment card statements for any suspicious activity. Source

December 23, SecurityWeek – (International) Recently patched NTP flaws affect Siemens RUGGEDCOM devices. Siemens released an advisory stating that its RUGGEDCOM industrial communications devices running all versions of the ROX I operating system (OS) and certain versions of ROX II are affected by several previously patched network time protocol (NTP) vulnerabilities, including an improper input validation issue, an authentication bypass issue, and an issue with configured time servers, among other flaws. The affected devices can be configured to use the NTP daemon from ntp.org for time synchronization and are deployed in electric utility substations and traffic control cabinets. Siemens released firmware updates to address the flaws on ROX II devices and advised customers to use firewalls to block NTP packets from unknown sources and to use NTP time synchronization only within trusted networks. Source

December 22, SecurityWeek – (International) RCE, SQLi flaws found in popular web apps. Researchers from High-Tech Bridge discovered several vulnerabilities in popular web applications, including various versions of the osCmax application and osCommerce’s Online Merchant store solution, Roundcube, Osclass, and SocialEngine, that are susceptible to remote code execution (RCE), cross-site request forgery (CSRF), Structured Query Language (SQL) injection, and path traversal vulnerabilities. Roundcube and Osclass developers are reportedly working to patch the vulnerabilities. Source

December 23, Softpedia – (International) Botnet of Aethra Routers used for Brute-Force WordPress Sites. Security researchers from VoidSec discovered a botnet that used vulnerable Aethra Internet routers and modems to perform reflected cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks, and brute-force attacks against WordPress websites through six Internet Service Providers (ISPs), including Fastweb, Albacom (BT-Italia), Clouditalia, Qcom, WIND, and BSI Assurance UK. The botnet easily accessed approximately 12,000 Aethra routers worldwide, as the routers were still using their default login credentials. Source

December 23, Associated Press – (International) Hello Kitty owner Sanrio says fansite security leak fixed. Sanrio Co., Ltd. reported December 22 that it fixed a security vulnerability on its online fan website, SanrioTown.com, after the personal information of 3.3 million users was compromised, following a security researcher’s discovery December 19 that names, birthdays, and encrypted passwords could be extracted by using multiple Internet Protocol (IP) addresses. Source

December 22, SecurityWeek – (International) Oracle settles FTC charges over Java security updates. The U.S. Federal Trade Commission reported that the computer technology company Oracle Corporation agreed to settle charges that the company deceived its customers by failing to notify users that Java Standard Edition (SE) updates removed only the most recent version of SE and not previously installed vulnerable versions, which exposed users to potential attacks. Oracle will be required to warn users during an SE update if older software versions are present, to inform users about the risks, and to present options to remove the vulnerable versions, among other requirements. Source

December 21, SecurityWeek – (International) TeslaCrypt delivered via recently patched flash exploit. Researchers from Malwarebytes reported that the previously patched Flash Player heap buffer overflow vulnerability (CVE-2015-8446), which was added to the Angler exploit kit, was exploited by attackers to deliver a new variant of the TeslaCrypt ransomware that encrypts files and renames them with a .vvv extension. Once the files are encrypted, victims are instructed to pay the attackers a ransom to receive the private key needed to decrypt the files. Source

December 21, Softpedia – (International) Gomasom ransomware decrypted, get your files back for free. A security researcher at Emsisoft created a tool for decrypting files encrypted by the Gomasom ransomware, allowing affected users to recover the decryption key without paying the ransom. The tool needs either a file in both its ransomware-encrypted and original versions, or a ransomware-encrypted PNG file, to retrieve the key and recover the lost data. Source

December 21, SecurityWeek – (National) Operation Black Atlas continues to compromise PoS systems. Trend Micro researchers announced December 21 that cybercriminals behind Operation Black Atlas are using a variety of pen testing tools to exploit vulnerable systems within the healthcare and commercial sectors to spread a variety of malware such as BlackPoS; steal user credentials to websites that contain sensitive information; abuse the Windows Background Intelligent Transfer Service (BITS) via bitsadmin.exe; and build a replica of the Gorynych / Diamond Fox botnet malware, repurposed to specifically look for the output file of the BlackPoS malware, which includes harvested credit card data, among other malicious actions. Source

December 21, SecurityWeek – (International) High severity flaw found in Schneider PLC products. Schneider Electric will release a second round of firmware updates for its Modicon M340 programmable logic controller (PLC) product line following the discovery of a buffer overflow vulnerability that can be used to remotely execute arbitrary code in the device’s memory and cause affected devices to crash when an attacker enters a 90-100 character password. The devices are used in sectors such as Energy, Defense Industrial Base, Nuclear, Transportation, Government Facilities, and Water and Wastewater. Source

December 18, Agence France-Presse – (National) Congress passes long-stalled Cybersecurity Bill. The U.S. Congress passed the Cybersecurity Act December 18, which aims to fight cyber threats and effectively identify and prevent cyber-attacks, after the legislation was embedded into the “omnibus” funding bill that funds the Federal government through September 2016. The legislation would establish DHS as a “portal” for cyber threat information and help authorize defensive actions to counter cybersecurity threats. Source

December 18, SecurityWeek – (International) Several vulnerabilities found in eWON industrial routers. eWON, a company that specializes in virtual private network (VPN) routers and remote connectivity solutions, released firmware version 10.1s0 for its industrial routers after an independent researcher discovered several vulnerabilities in the firmware, including a user rights management issue that can be exploited by an authenticated attacker using a forged Uniform Resource Locator (URL); a password visibility vulnerability that allows a man-in-the-middle (MitM) attacker to intercept information; a cross-site request forgery (CSRF) vulnerability that can be exploited to perform actions on a victim’s behalf; and a cross-site scripting (XSS) vulnerability found in the web application’s configuration fields, among other flaws. Source

December 18, Help Net Security – (International) Critical ScreenOS bugs allow undetectable decryption of VPN connections, device hijacking. Juniper Networks released patches for a critical flaw, CVE-2015-7755, found in its NetScreen devices running various versions of the ScreenOS software, in which unauthorized code allows illicit remote administrative access to the affected device over secure shell (SSH) or telnet and enables an attacker to decrypt encrypted virtual private network (VPN) traffic. Researchers stated that the company has not received reports that the vulnerability has been exploited. Source

December 18, Help Net Security – (International) Microsoft will stop trusting certificates from 20 certificate authorities. Microsoft reported that its Trusted Root Certificate Program will no longer include twenty Certificate Authorities (CAs) and will remove their root certificates from the Trusted Root CA store after those CAs could not comply with new program prerequisites that add more stringent technical and auditing requirements. Microsoft advised users to choose another trusted CA. Source

December 17, USA Today – (Pennsylvania) Feds: Pa. teen charged with providing support to Islamic State. A Pennsylvania man was arrested and charged December 17 with conspiracy and with allegedly providing material support to the Middle East terrorist group by advocating violence against the U.S. through 57 Twitter accounts and by posting hyperlinks on the Internet to the names and personal information of 100 members of the U.S. military as potential targets. The man was also allegedly found to have provided maps and telephone numbers to the terrorist organization. Source

December 18, Softpedia – (International) SlemBunk Android banking trojan targets 31 banks across the world. Security researchers from FireEye reported that a new banking trojan, dubbed SlemBunk, was discovered targeting 33 international financial institutions (31 banks and 2 online payment systems) by installing a fake Android Flash Player application, carrying the trojan, that can gain administrative privileges, communicate with command and control (C&C) servers, monitor processes, and inject a fake login page over legitimate banking applications. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.