Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On June 12, 2015

June 11, Securityweek – (International) Serious flaw in iOS mail app exposes users to phishing attacks. A Czech security researcher discovered a vulnerability in Apple’s iOS mobile operating system (OS) in which an attacker can create emails that load remote Hypertext Markup Language (HTML) content when opened, prompting users to input credentials that are sent back to the attacker. Source

June 11, Softpedia – (International) Malvertising campaign hits Bejeweled Blitz game on Facebook, CNN Indonesia. Security researchers from Websense discovered a malvertising campaign impacting up to 50 million users a month that is distributed through popular online locations, including the Bejeweled Blitz game on Facebook via the OpenX advertising platform and an old Adobe Flash Player glitch. The campaign directs users to a site hosting the Angler exploit kit (EK) and delivers payloads including ransomware, ad-fraud, backdoor, and malware downloaders. Source

June 10, Threatpost – (International) New APT Duqu 2.0 hits high-value victims, including Kaspersky Lab. Security researchers from Kaspersky Lab discovered that the Duqu advanced persistent threat (APT) group had used a new platform dubbed Duqu 2.0 to compromise the lab’s systems along with about 100 other victims between 2014 and 2015, most of whom were related to the P5+1 talks over Iran’s nuclear program. The APT group seeks to gain access to intellectual property by attacking systems using modules residing entirely in-memory via Windows zero-day vulnerabilities to inject a backdoor and a larger espionage platform with extensive capabilities. Source

June 10, SC Magazine – (International) Stuxnet still a threat to critical infrastructure. Findings from Kleissner & Associates’ “Internet Attacks Against Nuclear Power Plants” report revealed that the Stuxnet malware was found on at least 153 devices worldwide in almost 5 years, at least 6 of which were running supervisory control and data acquisition (SCADA) development software. The researchers reiterated the threat posed by malware developed on behalf of foreign nation states. Source

June 10, SC Magazine – (International) U.S. National Vulnerability Database vulnerable to XSS attack. A security consultant discovered that the National Institute of Standards and Technology’s National Vulnerability Database (NVD), which houses common vulnerabilities and exposures (CVE) flaws, is vulnerable to a cross-site scripting (XSS) attack that replaces the document object model (DOM) with a phishing page to collect personally identifiable information (PII) and card information. NVD officials reported that the agency is working to address the issue. Source

June 10, Securityweek – (International) Weak remote access practices contributed to nearly all PoS breaches: Trustwave. Trustwave released a report revealing that 40 percent of the 574 breaches the company investigated from 2014 were in point-of-sale (PoS) systems and that 94 percent of the incidents were a result of weak remote security and passwords. The retail sector comprised 43 percent of the PoS breach investigations, among other findings. Source

June 10, Threatpost – (International) Microsoft brings HSTS to Windows 7 and 8.1. Microsoft released patches introducing Hypertext Transfer Protocol (HTTP) Strict Transport Security (HSTS) to users running Internet Explorer 11 on Windows 7 and 8.1, in an effort to increase security against man-in-the-middle (MitM) Web sessions and attacks using invalid digital certificates. The protocol forces HTTP sessions to be sent over HTTP Secure (HTTPS) connections according to a list of preloaded sites supporting it. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.