Submission Summary: 0 pending, 187 declined, 131 accepted (318 total, 41.19% accepted)

Submission + - Pharming Attack Targets Home Router DNS Settings (threatpost.com)

msm1267 writes: Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email.

Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies.

Submission + - ICS-SCADA Hackers Want Operational Intelligence (threatpost.com)

msm1267 writes: Advanced attackers targeting critical infrastructure aren't seeking intellectual property the way some APT gangs are. Instead, they want operational intelligence, stealing documents and files that give them an understanding of the inner workings of ICS infrastructure. The end game is sabotage, the weaponization of malware and other attacks that will ultimately lead to some kind of disruption of manufacturing, oil production or power distribution.

Submission + - Inside the Equation APT Persistence Module (threatpost.com)

msm1267 writes: Module nls_933w.dll is the ultimate cyberweapon, the best indicator of the capabilities of the group behind the Equation cyberespionage platform, according to researchers at Kaspersky Lab. The module is the most advanced persistence module ever uncovered, and it's used rarely and only against very high-value targets.

Submission + - Female Skype Avatar Sinks Syria Opposition Fighters (threatpost.com)

msm1267 writes: It’s a tried-and-true plotline for many a corny movie: the lonely soldier on the front lines falling for a girl who turns out to be the enemy. If you apply a 2015 reality to that scenario, you have the lonely soldier Skyping with an alluring woman who turns out to be an enemy hacker dropping custom malware on your Android device or PC.

In the latter case, this is an all-too-real script for opposition fighters taking on the forces of Syrian leader Bashar al-Assad.

Researchers found a cache of strategic and tactical documents, plans, maps and personal information belonging to opposition fighters, stolen by an unknown group using social engineering and a custom version of the DarkComet remote access Trojan to learn the secrets of opposition forces.

Victims in Syria, Turkey, Lebanon, Jordan, Egypt and elsewhere in the Middle East and even Europe fell for the same scam. In most cases, contact information from stolen Skype account databases was used to reach out to other opposition fighters over Skype. The hackers, using a female avatar who went by the name of Iman, would engage with the fighters over time, building a rapport, before enticing them with a malware-laden photograph of the supposed female. There were also corresponding Facebook and other social media accounts belonging to the same female avatar with links to malware-laden websites.

Submission + - WordPress, PHP Apps Subject to Ghost glibc Attacks (threatpost.com)

msm1267 writes: Less than 48 hours after the disclosure of the Ghost vulnerability in the GNU C library (glibc), researchers have uncovered that PHP applications, including the WordPress content management system, could be another weak spot and eventually in the crosshairs of attackers.

Ghost is a vulnerability in glibc that attackers can use against only a handful of applications right now to remotely run executable code and gain control of a Linux server. The vulnerability is a heap-based buffer overflow and affects all Linux systems, according to experts, and has been present in the glibc code since 2000.

“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri researcher Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”

Submission + - Ghost Vulnerability in glibc Affects All Linux Systems (threatpost.com)

msm1267 writes: A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. That particular function is used by the _gethostbyname function calls.

“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000.

According to Qualys, a fix for this issue was published May 21, 2013, between glibc versions 2.17 and 2.18. The patch, however, was not labeled a security fix at the time.

Submission + - Proposed CFAA Amendments Could 'Chill' Security Research (threatpost.com)

msm1267 writes: Legitimate security researchers, from bug hunters to pen-testers, are buckled in for a bumpy ride as vague language in President Obama’s proposed amendments to the Computer Fraud and Abuse Act (CFAA) is expected to be debated and sorted out as it makes its way through the legislature.

The amendments come with stiffer penalties for those convicted of hacking, with some sentences doubled and some offenses elevated to felonies.

One amendment to the CFAA contains language that is a redefinition of what it means to exceed authorized access; it broadens the scope of the CFAA considerably.

From section six in the amendment: “ ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer (a) that the accesser is not entitled to obtain or alter; or (b) for a purpose that the accesser knows is not authorized by the computer owner.”

Submission + - Phony USB Charger Masquerades as Wireless Keylogger (threatpost.com)

msm1267 writes: Hardware hacker and security researcher Samy Kamkar has released a slick new device that masquerades as a typical USB wall charger but in fact houses a keylogger capable of recording keystrokes from nearby wireless keyboards.

The device is known as KeySweeper and Kamkar has released the source code and instructions for building one of your own. The components are inexpensive and easily available, and include an Arduino microcontroller, the charger itself and a handful of other bits. When it’s plugged into a wall socket, the KeySweeper will connect to a nearby Microsoft wireless keyboard and passively sniff, decrypt and record all of the keystrokes and send them back to the operator over the Web.

Submission + - Inside North Korea's Naenara Browser (threatpost.com)

msm1267 writes: Up until a few weeks ago, the number of people outside of North Korea who gave much thought to the Internet infrastructure in that country was vanishingly small. But the speculation about the Sony hack has fixed that, and now a security researcher has taken a hard look at the national browser used in North Korea and found more than a little weirdness.

The Naenara browser is part of the Red Star operating system used in North Korea and it’s a derivative of an outdated version of Mozilla Firefox. The country is known to tightly control the communications and activities of its citizens and that extends online, as well. Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, and an accomplished security researcher, recently got a copy of Naenara and began looking at its behavior, and he immediately realized that every time the browser loads, its first move is to make a request to a non-routable IP address, http://10.76.1.11./ That address is not reachable from networks outside the DPRK.

“Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office,” Hansen wrote in a blog post detailing his findings. “The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!”

Submission + - Inside Cryptowall 2.0 Ransomware (threatpost.com)

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals’ weapon of choice, look no further than Cryptowall.

Researchers at Cisco’s Talos group today published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication.

But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute different versions for each.

Submission + - Misfortune Cookie Home Router Vulnerability Discovered (threatpost.com)

msm1267 writes: More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker a man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer.

Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw, which they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.

The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.

In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.

Submission + - Manufacturer Backdoor Found on Popular Chinese Android Smartphones (threatpost.com)

msm1267 writes: A popular Android smartphone sold primarily in China and Taiwan, but also available worldwide, contains a backdoor from the manufacturer that is being used to push pop-up advertisements and install apps without users’ consent.

The Coolpad devices, however, are ripe for much more malicious abuse, researchers at Palo Alto Networks said today, especially after the discovery of a vulnerability in the backend management interface that exposed the backdoor’s control system.

The CoolReaper backdoor not only connects to a number of command and control servers, but is also capable of downloading, installing and activating any Android application without the user’s permission. It also sends phony over-the-air updates to devices that instead install applications without notifying the user. The backdoor can also be used to dial phone numbers, send SMS and MMS messages, and upload device and usage information to Coolpad.

The manufacturer has also taken steps via modifications to its version of Android to keep the backdoor hidden from users and security software that could be installed on the phone. For example, Olson said Coolpad has disabled the long-press system that allows a user to find out what application generated a pop-up advertisement or notification.

Submission + - Shellshock Worm Exploiting Unpatched QNAP NAS Devices (threatpost.com)

msm1267 writes: A worm exploiting network attached storage devices vulnerable to the Bash flaw is scanning the Internet for more victims.

The worm opens a backdoor on QNAP devices, but to date it appears the attackers are using the exploit to run a click-fraud scam, in addition to maintaining persistence on owned boxes.

“The goal appears to be to backdoor the system, so an attacker could come back later to install additional malware,” said Johannes Ullrich, head of the Internet Storm Center at the SANS Institute.

QNAP of Taiwan released a patch in October for the Bash vulnerability in its Turbo NAS products. Like many other vulnerable products and devices, owners may not be aware that Bash is present and exposed. Bash was among a litany of Internet-wide vulnerabilities uncovered this year; the flaw in Bash, or Bourne Again Shell, affects Linux and UNIX distributions primarily, but also Windows in some cases. Bash is accessed, often quietly, by any number of functions which makes comprehensive patching difficult even though all major Linux distributions and most vendors have issued patches.

Submission + - 'Lax' Crossdomain Policy Puts Yahoo Mail At Risk (threatpost.com)

msm1267 writes: A researcher disclosed a problem with a loose cross-domain policy for Flash requests on Yahoo Mail that put email message content, contact information and much more at risk. The researcher said the weakness is relatively simple to exploit and puts users at high risk for data loss, identity theft, and more.

Yahoo has patched one issue related to a specific .swf file hosted on Yahoo’s content delivery network that contained a vulnerability that could give an attacker complete control over Yahoo Mail accounts cross origin. While the patch fixed this specific issue, the larger overall configuration issue remains, meaning that other vulnerable .swf files hosted outside the Yahoo CDN and on another Yahoo subdomain could be manipulated the same way.
