July 28, Softpedia – (International) One in 600 Web sites lists its .git folder, exposing sensitive data. A web developer discovered that out of 1.5 million web sites scanned, 2,402 had an inadvertently exposed .git folder, possibly exposing sensitive information. Source
July 28, Securityweek – (International) Cybercriminals use Angler exploit kit to target PoS systems. Trend Micro researchers reported that cybercriminals have been utilizing the Angler exploit kit (EK) to deliver a reconnaissance trojan that detects mitigation tools before downloading one of three point-of-sale (PoS) malware payloads. Source
July 28, IDG News Service – (International) Over 10 million Web surfers possibly exposed to malvertising. Cyphort released tracking data from malicious advertisement campaigns revealing that since July 18, over 10 million people may have visited Web sites containing malicious ads which redirect visitors to directories hosting the Angler exploit kit (EK). Source
July 28, Softpedia – (International) Darkode forum returns with enhanced security measures. MalwareTech researchers reported that the Darkode hacker forum was back online with enhanced security and authentication processes to prevent future infiltrations, after July raids by the FBI and international partners led to the shutdown of the Web site and the detainment of multiple individuals associated with it. Source
July 28, SC Magazine – (International) Apple App Store and iTunes buyers hit by zero-day. Security researchers from Vulnerability Lab published a zero-day filter bypass flaw in Apple’s online invoicing system used in its App Store and iTunes that could allow an attacker to hijack a user’s purchasing session to buy and download any app or content they want, before charging it to the original user. Source
July 28, Network World– (International) Software vulnerabilities hit a record high in 2014, report says. Secunia released analysis from its Vulnerability Review 2015 revealing that the number of recorded software vulnerabilities hit a record high of 15,435 in 2014, an increase of 18 percent from the previous year, and that many organizations are too slow to release security fixes, among other findings. Source
July 27, Dark Reading – (International) Phishing attacks drive spike in DNS threat. Infoblox and Internet Identity published data revealing that the Domain Name System (DNS) Threat Index jumped nearly 60 percent in the second quarter of 2015, reportedly due to a corresponding 74 percent increase in phishing and phishing domains over the same period. Source
July 27, Threatpost – (International) Android Stagefright flaws put 950 million devices at risk. Security researchers at Zimperium zLabs reported that about 950 million Android devices are vulnerable to flaws in the operating system’s (OS) Stagefright media engine, in which excessive permissions could allow an attacker to send a Multimedia Messaging Service (MMS) or Google Hangouts message to trigger the vulnerability, granting system access on the affected device. Source
July 27, Securityweek – (International) Many high-profile firms using vulnerable PHP File Manager: researcher. A security researcher identified several vulnerabilities in Revived Wire Media’s PHP File Manager application, including the existence of a default user account with backdoor access to systems running the software, lack of protection for the user database, and arbitrary file upload vulnerabilities, among other flaws. Many firms reportedly still use the application even though it has not been updated since its release in 2010 – 2011. Source
July 27, Help Net Security – (International) Over 5,000 mobile apps found performing in-app ad fraud. Security researchers from Forensiq discovered at least 5,000 mobile applications being used for mobile hijacking ad fraud worldwide that were observed affecting 12 million unique devices over a 10-day period. Source
July 27, Threatpost – (International) Pair of bugs open Honeywell home controllers up to easy hacks. Researchers discovered vulnerabilities in Honeywell’s Tuxedo touch devices used for controlling home systems, including an authentication bypass bug that could grant access to restricted systems, and a cross-site request forgery bug that an attacker could use during an active authenticated session to execute the same commands as the user. Source
July 25, Military Times – (National) GAO: defense installation utilities at risk of cyber attack. A recent report released by the U.S. Government Accountability Office warned against vulnerabilities in the military’s industrial control systems (ICS) network controlling essential services to military installations worldwide. A 2018 deadline set by the Pentagon to address limited cyber defenses for the ICS will be difficult to meet due to delays and unreliable data, according to the report. Source