Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On April 21, 2015

April 17, Help Net Security – (International) Pawn Storm cyberspies still at work, target NATO and the White House. Security researchers at Trend Micro reported that cybercriminals in the Pawn Storm cyber-espionage operation are concentrating attacks on North Atlantic Treaty Organization (NATO) and White House personnel in the U.S., in addition to government and military officials and media companies. The attacks seek to compromise targets’ computers and Microsoft Outlook accounts via spear-phishing emails and compromised Web sites that deliver the SEDNIT/Sofacy trojan malware. Source

April 17, Softpedia – (International) Flash Player bug allows video, audio recording without user consent. A security researcher from Klikki Oy discovered a vulnerability in versions of Adobe Flash Player prior to 17.0.0.169 in which an information disclosure could be leveraged to deliver audio and/or video streams captured on victims’ devices to remote locations controlled by attackers. The flaw is connected to another double-free vulnerability that could allow an attacker to execute arbitrary code on the affected system. Source

April 17, Help Net Security – (International) 1 in 4 employees enable cloud attacks. CloudLock released research from a study of over 750 million files, 77,500 apps, and 6 million users in the cloud that concludes nearly 1 in 4 employees violate corporate data security policy in public cloud applications, culminating in an average of 4,000 instances of exposed credentials in each organization, among other findings. Source

April 16, Securityweek – (International) Users warned of serious flaw in deprecated Cisco Secure Desktop feature. Cisco released a security advisory warning of a high severity command execution vulnerability affecting Cisco-signed Java Archive (JAR) executables in Cache Cleaner for Cisco Secure Desktop that could allow an unauthenticated attacker to run arbitrary commands on affected systems. The company deprecated the Cache Cleaner product over 2 years ago and advised users to transition to the Cisco Host Scan standalone package. Source

April 16, Securityweek – (International) D-Link failed to patch HNAP flaws in routers: Researcher. D-Link published security advisories for multiple router models that identify vulnerabilities related to the Home Network Administration Protocol (HNAP) that could allow unauthenticated attackers to inject commands through HNAP requests, leverage flaws to gain access to information on hosts connected to the network, change system settings, and reset the devices to factory settings. D-Link is working on fixing the flaws through additional firmware updates. Source

April 16, SC Magazine – (International) PCI SSC releases version 3.1, eschews SSL, early TLS. The Payment Card Industry Security Standards Council (PCI SSC) announced in its release of PCI Data Security Standard (PCI DSS) Version 3.1 that secure-sockets layer (SSL) support would be discontinued in favor of current transport layer security (TLS) encryption, due to weaknesses that were identified in SSL by the National Institute of Standards and Technology that could put payment data at risk. The change also occurred as a result of previous Web browser attacks that took advantage of SSL vulnerabilities such as POODLE and BEAST. Source

April 16, SC Magazine – (International) POS threat ‘Punkey’ allows additional malware download for greater access. An investigation by the U.S. Secret Service and Trustwave researchers discovered a new point-of-sale (POS) malware threat resembling NewPosThings that utilizes advanced encryption standard (AES) encryption with an embedded key, and has the capability to download additional malware on affected systems. Authorities revealed that up to 75 unique POS terminals may be infected with the malware. Source

April 16, ZDNet – (International) IBM’s X-Force Exchange to make decades worth of cyber-threat data public. IBM announced that it will release a raw cyber-threat database of over 700 terabytes to cyber-threat data and intelligence companies, as well as malware threat data from 270 million computers and devices, 25 billion Web pages and images, and spam and phishing attack emails in an initiative called X-Force Exchange, which seeks to help companies mobilize against ongoing threats. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.