Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On August 18, 2016

August 8, Help Net Security – (International) Remote Butler attack; APT groups’ dream come true. Microsoft security researchers developed an extension of the “Evil Maid” attack dubbed “Remote Butler” which allows attackers to bypass local Windows authentication to defeat full disk encryption without physical access to the targeted device. A patch released by Microsoft for the “Evil Maid” attack also prevents attackers from carrying out a “Remote Butler” attack. Source

August 6, Softpedia – (International) Cerber ransomware v2 spotted online, is now undecryptable. Trend Micro researcher PanicAll discovered that the Cerber ransomware was updated in versions v1.5 and v2 to break a previous decryption tool that allowed victims to recover their encrypted files for free. The updates changed the extension appended to each encrypted file from “.cerber” to “.cerber2,” and lengthened the encryption keys generated via Microsoft’s CryptGenRandom application programming interface (API) from 16 bytes to 32 bytes, among other changes. Source

August 6, Softpedia – (International) Linux botnets dominate the DDoS landscape. Kaspersky Lab released its distributed denial-of-service (DDoS) Intelligence Report, which found that Linux botnets accounted for 70.2 percent of all DDoS attacks launched during quarter 2 (Q2) of 2016, up from 44.5 percent in quarter 1. The report also stated that SYN floods were the most common DDoS method during Q2, followed by transmission control protocol (TCP), Hypertext Transfer Protocol (HTTP), and Internet control message protocol (ICMP) floods. Source

August 5, Softpedia – (International) New Remcos RAT available for purchase on underground hacking forums. Symantec researchers reported that a malware developer dubbed Viotto posted the Remcos Remote Access Trojan (RAT), which targets Microsoft Windows versions XP and higher, for sale on underground hacking forums. The RAT gives hackers the ability to take screenshots of infected computers, log keystrokes offline or in real time, and record content via the infected device’s camera, among other malicious actions, and sends the stolen data encrypted via Hypertext Transfer Protocol Secure (HTTPS) to the command and control (C&C) server. Researchers also discovered that the trojan can queue operations to be carried out when the victim goes online and includes a password dumping component that can extract passwords from applications such as Microsoft’s Internet Explorer, Mozilla Firefox, and Apple Inc.’s Safari, among others. Source

August 5, SecurityWeek – (International) VMware Tools flaw allowed code execution via DLL hijacking. VMware published an advisory describing two vulnerabilities in several of its products. The first is a dynamic-link library (DLL) hijacking issue in the Windows version of VMware Tools, in the VMware Host Guest Client Redirector component, that could be exploited to execute arbitrary code on a targeted system: when a document is opened from a uniform naming convention (UNC) path, the Client Redirector injects a DLL named “vmhgfs.dll” into the application opening the file, which allows an attacker to load a malicious DLL into that application and compromise the system. The second is a Hypertext Transfer Protocol (HTTP) header injection issue in vCenter Server and ESXi caused by a lack of input validation that could allow an attacker to launch cross-site scripting (XSS) or malicious redirect attacks. Source

The items above are reprinted from the USDHS Daily Open Source Infrastructure Report.

August 8, Dark Reading - Symantec Discovers Strider, A New CyberEspionage Group. Active for five years, the highly selective threat actor is only known to have compromised seven organizations. Symantec has discovered a previously unknown cyberespionage group so selective in its targets that it is only known to have compromised seven organizations and 36 endpoints since it started operating five years ago. Dubbed "Strider" by Symantec, the threat actor's malware of choice is a custom Windows infostealer called Remsec -- stealthy, modular, and written in Lua. Source

August 8, Dark Reading - Newly Announced Chipset Vuln Affects 900 Million Android Devices. Check Point Research Team details four vulnerabilities that can easily lead to full privilege escalation. Over 900 million Android smartphones and tablets are at risk of full device compromise due to a dangerous group of vulnerabilities found and discussed at length at Defcon yesterday by researchers with Check Point Research Team. Dubbed the QuadRooter vulnerabilities, each of the four flaws uncovered by the researchers enables attackers to trigger privilege escalation and eventually achieve root on affected devices. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.