Security Alerts & News
by Tymoteusz A. Góral

#713 Qualcomm software flaw exposes Android user data
FireEye has disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models.

Google announced this week that it released an Android update to patch dozens of vulnerabilities. The search giant's security advisory also mentioned an information disclosure vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that allows a malicious application to access user information.

The vulnerability, discovered by researchers at FireEye-owned Mandiant, has been rated "high severity," but Google noted that it does not affect Nexus devices. The patch is not in the Android Open Source Project (AOSP) repository; instead, it is expected to ship in the latest driver updates for affected devices, so the Android security patch level alone does not tell you whether a given handset has it.

FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March, when it started reaching out to OEMs to let them know about the issue. Now it’s up to the device manufacturers to push out the patch to customers.

The flaw exists in an open source software package maintained by Qualcomm and is related to the Android network daemon (netd).
#712 Diary of a ransomware victim
For online casinos, business begins to peak as gamblers punch out of work and belly up to virtual blackjack tables. But on this Tuesday in February at 5 p.m., the odds were not in the house's favor. That's when this virtual casino, with tens of millions of dollars in virtual transaction data, thousands of user profiles and millions invested in computer infrastructure, was hit with ransomware that risked turning a thriving business into an encrypted crime scene.

The criminals behind this attack couldn’t have picked a better target. This legal online casino, located outside the US, is one of the largest operators in the gambling and entertainment business. On the condition Threatpost would not identify the casino, we were given rare insight into a high-stakes ransomware attack that serves as a cautionary tale for any company.
#711 Petya: the two-in-one trojan
Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs. Back in 1994, the OneHalf virus infected MBRs and encrypted disk contents, but it did not extort money. In 2011, MBR blocker Trojans (Trojan-Ransom.Win32.Mbro) began spreading; they infected the MBR and prevented the operating system from loading further, and the victim was prompted to pay a ransom to get rid of the problem. A system infected by these blockers was easy to clean because, apart from the MBR, they usually did not encrypt any data on the disk.

Today, we have encountered a new threat that is a blast from the past. The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR, preventing normal system loading, and encrypts the Master File Table (MFT), a core structure of the NT file system (NTFS), thus preventing normal access to files on the hard drive. Unlike the old blockers, restoring the MBR alone does not get the files back.
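Because the first thing a bootkit like this touches is the MBR, a responder's first triage step on a disk image is to parse sector 0 and compare its boot code against a known-good baseline. The script below is an added example, not Kaspersky's code or anything from the Petya sample; it assumes the classic DOS MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) and the sample sectors it checks are constructed inline.

```python
"""Triage the first sector of a disk image for signs of MBR tampering.

Added example, not Kaspersky's code. It assumes the classic DOS MBR layout:
446 bytes of boot code, four 16-byte partition entries at offset 446, and
the 0x55AA boot signature at offset 510. The sample sectors below are
constructed here, not taken from a real infection.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Sequence, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PTABLE_OFFSET = 446
ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) lba-start(4) sectors(4), little-endian
ENTRY_FMT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition table entry into its useful fields."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        start = PTABLE_OFFSET + i * ENTRY_LEN
        entries.append(parse_partition_entry(sector[start:start + ENTRY_LEN]))
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIG}


def triage_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    mbr = parse_mbr(sector)
    findings: List[str] = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("empty partition table")
    if sum(1 for p in used if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02x" % p["status"])
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("overlapping partition entries")
            break
    # Bootkits replace the boot code but usually leave the partition table intact,
    # so hashing the 446-byte boot code against a known-good baseline is the key check.
    if baseline_sha256 is not None:
        if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_sha256:
            findings.append("boot code differs from known-good baseline")
    return findings


def build_mbr(boot_code: bytes, entries: Sequence[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table = table.ljust(4 * ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIG


# Constructed samples: a "clean" boot-code stub and a tampered one (jump-to-self).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0" + b"\x90" * 442   # xor ax,ax; mov ss,ax; nops
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"\x00" * 444        # jmp $ : the system never boots
PARTITIONS = [(0x80, 0x07, 2048, 204800)]                # one bootable NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, triage_mbr(sector, BASELINE_SHA256) or ["no findings"])
```

On a real case, read the first 512 bytes of the image (`dd if=disk.img bs=512 count=1`) and pass them to `triage_mbr` with the SHA-256 of the boot code from a known-good machine of the same build. The partition-table checks catch crude overwrites; the hash comparison catches the quieter ones, which is where an infection of this kind usually shows up.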
#710 Kaspersky: IT threat evolution in Q1 2016 report (PDF)
2016 has only just got underway, but the first three months have already seen the same volume of cybersecurity events that just a few years ago would have seemed normal for a whole year. The main underlying trends remained the same, while there was significant growth in trends related to traditional cybercrime, especially mobile threats and global ransomware epidemics.

Ransomware became the main theme of the quarter after displacing targeted attacks at the top of the threat ranking. Unfortunately, this is a situation that will continue to evolve, and those behind the extortion could well end up being named "problem of the year".
#709 Malware may abuse Android’s accessibility service to bypass security enhancements
Android's recent API modifications have hampered some malware's ability to determine which application is currently running in the foreground of a device at any given time. As Android begins to successfully block this attack method, attackers may adopt a trick used by adware so that their threats work again. Although we have previously seen mobile potentially unwanted applications (PUAs) abuse accessibility services to install arbitrary applications, we believe financial malware could use the same technique to circumvent a significant security improvement specifically created to thwart this kind of threat. Because an accessibility service can read what is on screen and act on the user's behalf, the relevant check on a device is which accessibility services the user has enabled, and whether each one belongs to an app that plausibly needs that access.
#708 IBM just made a powerful research tool available to everyone for free
New quantum computing project is available to play with online.

IBM has a powerful new research project that anyone can use for free.

The business technology company’s research arm said on Wednesday that it’s giving everyone access to one of its quantum computing processors, an experimental technology that has the potential to quickly crunch huge amounts of data.

Anyone from university researchers to tech savvy teenagers can apply through IBM Research’s website to test the processor. IBM will determine how much access people receive to the processor depending on their technology background and how well versed they are in quantum technology, explained Jerry Chow, the manager of IBM’s experimental quantum computing group.

Generally speaking, in traditional computing, data is encoded in one of two states, represented by the tiny transistors on silicon chips being turned on or off. Quantum computing, however, uses quantum bits, or qubits, which can exist in a superposition of both states at once, to handle the heavy-duty processing.
#707 Big data breaches found at major email services - expert
Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia's most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security.
#706 Public exploits available for ImageMagick vulnerabilities
Within hours of the disclosure of serious vulnerabilities in ImageMagick, public exploits were available, increasing the risk to thousands of websites that use the open source image-processing software.

Attackers can embed malicious content in a file that ImageMagick will process without question, leading, in the case of one of the vulnerabilities, to remote code execution. The scope of the issue is severe because image-processing plugins such as PHP imagick, Ruby rmagick and paperclip, and Node.js imagemagick, among others, are built on top of the ImageMagick library, so any upload path that ends in ImageMagick is exposed.

Researcher Ryan Huber was among the first, on Tuesday, to publicly disclose that ImageMagick had a problem. A Russia-based researcher who goes by the handle Stewie found the flaw, while Nikolay Ermishkin, from the same team, found the remote code execution issue.

“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them,” Huber wrote on the ImageTragick website, a landing page complete with FAQ on the bugs. “An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”
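The practical defence for sites that cannot patch immediately is to stop trusting the file extension and check that an upload actually begins with the magic bytes of an allow-listed image format before ImageMagick ever sees it. The following is an added example written for this page, not code from ImageMagick or the ImageTragick site; it assumes a hypothetical upload handler that accepts only PNG, JPEG and GIF, and the sample payloads are constructed inline (the MVG text is a harmless drawing script used only to show a non-image file arriving under a `.png` name).

```python
"""Magic-byte check for uploads before they are handed to ImageMagick.

Added example, not ImageMagick's or ImageTragick's code. It assumes a
hypothetical upload handler that only accepts PNG, JPEG and GIF; the sample
payloads below are constructed here.
"""
from typing import Optional, Tuple

# Leading bytes of each allowed format.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only if the extension is allow-listed AND the bytes agree with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXTENSION_TO_TYPE.get(ext)
    if expected is None:
        return False, "extension %r is not allowed" % ext
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != expected:
        return False, "extension claims %s but content is %s" % (expected, actual)
    return True, actual


def coder_prefixed_path(filename: str, data: bytes) -> Optional[str]:
    """Path to hand to ImageMagick with an explicit coder prefix (e.g. png:file),
    so it uses the decoder we verified instead of sniffing one; None if rejected."""
    ok, kind = validate_upload(filename, data)
    if not ok:
        return None
    return "%s:%s" % (kind, filename)


# Constructed samples: a PNG header plus padding, and a benign MVG drawing script
# that a naive handler would accept purely because it arrived as "avatar.png".
PNG_STUB = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
MVG_STUB = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("avatar.png", PNG_STUB), ("avatar.png", MVG_STUB),
                       ("avatar.jpg", PNG_STUB), ("avatar.mvg", MVG_STUB)):
        print(name, validate_upload(name, blob), coder_prefixed_path(name, blob))
```

This header check only covers files that pass through this handler, so it is a complement to, not a substitute for, the policy.xml the ImageTragick page recommended, which sets `rights="none"` for the EPHEMERAL, URL, HTTPS, MVG and MSL coders so that ImageMagick refuses those inputs regardless of how they arrive.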
#705 Identity thieves used leaked PII to steal ADP payroll Info
Cybercriminals accessed a W-2 portal maintained by payroll company ADP recently to glean sensitive information about employees at a handful of companies.

ADP stresses that it was not itself hacked; rather, identity thieves appear to have created ADP accounts in the names of victims using previously leaked personally identifiable information.

The problem, ADP says, was a self-service registration portal that let attackers set up fraudulent accounts in the names of employees at the undisclosed companies.

An investigation carried out by the company determined that attackers likely pieced together the details needed to register from information already published about the victims online. Anyone whose W-2 information was compromised through the portal, ADP says, most likely had their personal information exposed in an earlier breach.
#704 Apple updates Xcode’s Git implementation
Apple has updated its Xcode development environment, patching two vulnerabilities in its implementation of git.

Git is a version control system, and in March its maintainers patched two flaws that exposed the software to remote code execution.

The new version of Xcode, 7.3.1, is available for OS X El Capitan v10.11 and later.

Apple said it updated git to version 2.7.4, patching a heap-based buffer overflow in the way it handled filenames. Belgian researcher Mattias Geniar wrote about the git flaws in March, saying that the bug had the potential to be huge because it enabled both server-side and client-side remote code execution.
#703 Cisco patches critical TelePresence vulnerability
Cisco Systems said it has patched a critical flaw in its TelePresence hardware that allowed unauthorized third parties to access the system through a bug in its API. The networking behemoth also alerted customers to two denial-of-service vulnerabilities, rated high severity, in its FirePOWER firewall hardware.

The United States Computer Emergency Readiness Team (US-CERT) issued an alert on Wednesday and said Cisco has provided patches for the affected products.

The most serious of the flaws is tied to Cisco’s TelePresence XML application programming interface and allows hackers to bypass the authentication process for its TelePresence EX, MX, SX and VX hardware. Hackers with knowledge of the vulnerability are able to perform unauthorized configuration changes or issue control commands to TelePresence hardware running affected software.

Cisco issued a patch for the TelePresence bug, tracked as CVE-2016-1387. Cisco wrote: "The vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API."
#702 Microsoft unveils new effort to make its developer, IT documentation great again
Microsoft's developer documentation used to be the model that all others should follow. The documentation itself was thorough, combining reference material with usage guides and sample code. Its use of, at the time, novel JavaScript and XML techniques (known in those days as dynamic HTML, or DHTML) made it easy to browse through the documentation and quickly switch between related portions. But successive "updates" to MSDN Library have made it harder and harder to use, obscuring the consistent structure and organization and becoming much less useful to developers as a result. These updates had other side effects, often breaking URLs, so that both internal and external links to the documentation broke or bounced you through numerous redirects.

After years of ad hoc changes to its documentation system, Microsoft has announced a new plan to overhaul both its TechNet and MSDN documentation to make it fit for purpose. Documentation will move to a new site, with a new consistent look and features.