Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On October 01, 2015

September 30, Help Net Security – (International) Scammers use Google AdWords, fake Windows BSOD to steal money from users. Security researchers from Malwarebytes discovered that cybercriminals are using Google’s AdWords to place malicious links at the top of Google’s search page for common searches. The links lead to a fake “Blue Screen of Death” (BSOD) page that prompts users to call a toll-free “helpline” staffed by scammers, who solicit payments for support services as well as personal and bank account information. Source

September 30, Softpedia – (International) Microsoft Exchange Server fixed against information disclosure bug. Microsoft released an update for Exchange Server 2013 addressing a vulnerability in Outlook Web Access (OWA) that could allow an attacker to gain access to an active Webmail session by forcing Exchange Server to dump debug data via a maliciously crafted Uniform Resource Locator (URL), granting access to previously inaccessible cookie session information. Source

September 30, Threatpost – (International) Apple Gatekeeper bypass opens door for malicious code. Security researchers from Synack discovered that Apple’s Gatekeeper security platform could be bypassed by tricking a user into downloading a signed and infected application from a third-party source, or by loading a malicious library over an insecure HyperText Transfer Protocol (HTTP) download via a man-in-the-middle (MitM) position to gain access to the system. Source

September 29, Threatpost – (International) Dyreza trojan targeting IT supply chain credentials. Security researchers from Proofpoint published research revealing that the Dyreza trojan has been used to phish information technology (IT) supply chain credentials for up to 20 organizations, including software companies supporting fulfillment and warehousing, and computer distributors. Researchers believe that hackers intend to infect all points of the supply chain to possibly divert physical shipments, issue payments and invoices to artificial companies, or enact large-scale gift-card issuances. Source

September 29, Threatpost – (International) SAP patches 12 SQL injection, XSS vulnerabilities in HANA. SAP released updates addressing 12 structured query language (SQL) injection, cross-site scripting (XSS), and memory corruption vulnerabilities in its HANA in-memory management system that could allow an attacker to abuse management interfaces and compromise stored information, or lock users out of the platform, among other exploits. Source

September 29, Securityweek – (International) Linux XOR DDoS botnet flexes muscles with 150+ Gbps attacks. Security researchers from Akamai Technologies released details of a botnet targeting primarily corporations in Asia that is capable of launching 150+ gigabit-per-second (Gbps) distributed denial-of-service (DDoS) attacks from Linux systems compromised by the XOR DDoS trojan, as well as being able to download and execute arbitrary code and self-update. Source

September 30, Softpedia – (New Jersey) Despite new equipment, Rutgers University goes down after DDoS attack. Rutgers University announced September 28 that it experienced network issues due to a distributed denial-of-service (DDoS) attack, which limited access to the Internet for several hours. The attack was allegedly orchestrated by a hacker known as Exfocus, and followed four previous attacks against the university between March and May. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.