Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On June 10, 2015

June 10, SearchSecurity – (International) June 2015 Patch Tuesday brings critical IE security fix, Flash update. Microsoft today released its June 2015 Patch Tuesday updates, delivering a total of eight bulletins that address 45 unique vulnerabilities. The two updates marked "critical" -- one each for Internet Explorer and Windows Media Player vulnerabilities that could result in remote code execution -- are paired with six "important" updates affecting Microsoft Office, Windows and Exchange Server. MS15-056 fixes 24 critical Internet Explorer vulnerabilities, 20 of which could lead to remote code execution (RCE) that an attacker could trigger through a malicious website. Source

June 9, BBC – (International) Cyber-thieves cash in from malware. Security researchers at Trustwave reported that cyber-thieves can earn almost 1,500 percent potential profit from ransomware kits by spending approximately $5,900 on kits that could earn about $90,000 a month in an attack campaign via a compromised Web site. Source

June 9, Softpedia – (International) HDD firmware altering modules from Equation Group may exist for Apple devices. Security researchers from the Intel Corporation’s McAfee Labs analyzed samples of EquationDrug hard-drive reprogramming modules in their May McAfee Labs Threats Report and found indications that versions of the module exist for Apple iOS and OS X systems, as well as Microsoft Windows. Source

June 9, Reuters – (International) High-tech extortion attacks nearly doubled in first quarter, report says. Findings from the Intel Corporation’s May McAfee Labs Threats Report revealed that high-tech extortion schemes via ransomware surged by 165 percent to 700,000 samples in the first quarter of 2015, and that Adobe Flash malware increased by 317 percent to 200,000 samples. Source

June 8, SC Magazine – (International) Vawtrak banking malware found to use Tor2Web. Security researchers from Fortinet reported that the Vawtrak banking malware, also known as Neverquest, is using Tor2Web as a method to steal banking credentials undetected by accessing Tor anonymous network sources without directly connecting to the network or using a Tor client. The malware typically used fixed command-and-control (C&C) servers, which are easier to trace. Source

June 8, White House Office of Management and Budget – (International) HTTPS-everywhere for government. The White House Office of Management and Budget issued the HTTPS-Only Standard directive June 8, requiring that all publicly accessible Federal Web sites and Web services only provide service through Hyper Text Transfer Protocol Secure (HTTPS) connections by December 31, 2016. The U.S. Chief Information Officer set up a Web site to provide technical assistance and best practices for migration as well as a public dashboard to monitor progress. Source

June 8, Securityweek – (International) XZERES fixes CSRF vulnerability in small wind turbine. XZERES Wind released a patch to address a cross-site request forgery (CSRF) vulnerability in the web-based interface of its 442SR wind turbine that could allow a remote attacker to hijack user sessions and cause a loss of power for all attached systems. Source

June 8, Threatpost – (National) Many drug pumps open to variety of security flaws. A security researcher revealed severe vulnerabilities in several drug-infusion pumps manufactured by Hospira, including the Plum A+, PCA LifeCare, and Symbiq pumps, which run the same software as the known-susceptible PCA3 and PCA5 pumps. An unauthenticated remote root shell and hard-coded local credentials are among the vulnerabilities which leave the devices open to security risks. Source

June 8, Securityweek – (National) US Army website hacked: officials. The U.S. Army’s official Web site was shut down June 8 after hackers claiming to be affiliated with the “Syrian Electronic Army” posted messages denouncing U.S. training of rebel fighters in Syria. No classified or personal data was housed on the Web site, and officials reported that no data was stolen. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.