Security Alerts & News
by Tymoteusz A. Góral

#749 Attackers targeting critical SAP flaw since 2013
Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications.

The attacks began in 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today.

The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.

The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps.
#748 Viking Horde malware co-opts Android devices for ad fraud
The latest Android malware campaign to wend its way through Google’s Play marketplace can leverage victims’ phones for ad fraud, carry out DDoS attacks, send spam, and more, researchers warn.

Dubbed Viking Horde, the campaign ropes Android devices into a botnet without their owners being any the wiser. A handful of apps that spread the malware family have managed to sneak into Play under Google’s watch – the most popular being a game named Viking Jump, according to researchers at Check Point, who discovered the family of malware and described it in detail earlier this week.

The malware has also reportedly spread through apps named Memory Booster, Parrot Copter, Simple 2048, and WiFi Plus. Before it was removed, Viking Jump was the most popular of the apps, garnering 50,000 to 100,000 downloads. The app even became a “top free app” in some markets.
#747 Microsoft zero-day exposes 100 companies to PoS attack
More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability (CVE-2016-0167) reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.

FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) on Tuesday.
#746 Malware parasites feed on PerezHilton.com gossip fans
The gossip news site PerezHilton.com has exposed recent visitors to malware, according to a cybersecurity alert.

California-based Cyphort Labs said that it had detected ads placed on the site being used to spread harmful code on two separate visits during one week.

The celebrity scandal site has not yet commented but was known to have suffered a similar problem last year.

Experts suggested users install ad-blocking plug-ins to defend themselves.

The phenomenon is known as "malvertising", and users do not have to click on the ads to find their device infected.

PerezHilton.com is far from being the only publisher to have hosted the threat.

Cyphort identified 1,654 unique domains that had fallen victim to the parasitical attack in 2015, and said it believed it was on course to see more than 2,000 instances this year.

The New York Times, AOL and BBC.com are among other popular sites thought to have been hijacked in this way since January.
#745 Wendy’s: Credit cards breach affected 5% of restaurants
Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores. The company says the investigation into the breach is continuing, but that the malware has been removed from all affected locations.

“Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015,” Wendy’s disclosed in their first quarter financial statement today.
#744 Mozilla launches Test Pilot, a Firefox add-on for trying experimental new features
Mozilla today launched Test Pilot, a program for trying out experimental Firefox features. To try the new functionality Mozilla is offering for its browser, you have to download a Firefox add-on from testpilot.firefox.com and enable an experiment. The main caveat is that experiments are currently only available in English (though Mozilla promises to add more languages “later this year”).

Test Pilot is supposed to help Mozilla figure out which features should ship and how they should work, by letting users provide feedback and suggestions to the teams behind each one. You can turn each experiment on and off at any time (there will be bugs, so this will naturally come in handy), and the add-on explains what information you’re sharing with Mozilla to help the team understand how the feature is used.
#743 Backdoor as a software suite: How TinyLoader distributes and upgrades PoS threats (PDF)
The tandem of the TinyLoader backdoor and a point-of-sale (PoS) threat, AbaddonPOS, was first reportedly seen in November 2015. When we noticed a sudden spike in AbaddonPOS detections this January, TinyPOS, another PoS malware strain, also reared its ugly head at that time. This prompted us to probe further into these threats and check whether they are in any way related to one another.

Our analysis reveals that TinyLoader, a backdoor used for secondary malware infection, is distributing and managing the upgrades of AbaddonPOS. Likewise, TinyLoader is also spreading TinyPOS variants. This leads us to conclude that the operators behind TinyPOS and AbaddonPOS are one and the same.

In this technical brief, we’ll discuss the ties that bind TinyLoader with two notorious PoS threats—AbaddonPOS and TinyPOS—including how the perpetrators behind this operation deployed their arsenals.
#742 Microsoft Patch Tuesday 2016-05-10
Microsoft's browsers need a lot of work – Internet Explorer gets five fixes and the new Edge code has four. Both applications' patches have been named as critical by Redmond. There's also a five-fix bundle for Microsoft's graphics component and seven flaws found in Windows kernel drivers, mainly for 32-bit versions of the operating system.
#741 Software security suffers as startups lose access to Google’s virus data
(Reuters) – A number of young technology security companies are losing access to the largest collection of industry analysis of computer viruses, a setback industry experts say will increase exposure to hackers.

The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven’t been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift.

Alphabet’s Google runs the VirusTotal database so security professionals can share new examples of suspected malicious software and opinions on the danger they pose. On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.

Analysts and executives at several companies said the changes will leave some services more likely to mistakenly classify legitimate software as malicious and less able to protect their customers from real threats, at least in the short term.

“If they no longer have access to VirusTotal, their detection scores will drop,” said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
#740 Adobe warns of Flash zero-day, patches Acrobat
Adobe rolled out security updates for three of its products on Tuesday, including 95 fixes it pushed for Acrobat, Reader, and ColdFusion.

Users will have to wait until later this week, however, to patch a critical vulnerability that exists in Flash Player. It may only be a matter of time until the vulnerability is publicly exploited; Adobe claims that it isn’t aware of any active exploits for the issue but is aware of a report that an exploit for the vulnerability, CVE-2016-4117, exists in the wild.

The zero day, dug up by Genwei Jiang, a researcher at FireEye, exists in Flash 21.0.0.226 and earlier versions for Windows, Mac, Linux, and Chrome OS, Adobe warned Tuesday. If exploited, the vulnerability could cause a crash and let an attacker take control of the system. A fix for the issue was not ready in time to ship with this week’s Patch Tuesday patches but the company claims it is planning to address the issue later in the week, potentially as early as Thursday.

As far as today’s patches go, 92 of the 95 issues that were fixed address vulnerabilities in either Acrobat or Reader, the bulk of which were use-after-free or memory corruption vulnerabilities that could lead to code execution, Adobe warns.
#739 Microsoft patches JScript, VBScript flaw under attack
Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited.

The flaw is addressed in its own bulletin, MS16-053, but users need to pay attention to, and apply MS16-051 as well since the attack vector is through Internet Explorer.

MS16-051 addresses the issue in IE 9, 10 and 11; MS16-053 patches the flaw in IE 7 and earlier supported versions of the browser.

The flaw, CVE-2016-0189, is one of two memory corruption vulnerabilities in the scripting engines. Both enable arbitrary code execution if a victim, via IE, lands on an attacker’s site hosting the exploit; CVE-2016-0187 is the other flaw in the scripting engines patched today. Microsoft said the flaws exist because of how JScript and VBScript handle objects in memory in IE. VBScript 5.7 is vulnerable on Windows Vista and Windows Server 2008, including the Server Core installation option, while JScript 5.8 and VBScript 5.8 are vulnerable on Windows Server 2008 R2 for x64-based Systems Service Pack 1 on the Server Core installation only.
#738 Internet Explorer zero-day exploit used in targeted attacks in South Korea
Attackers have exploited an Internet Explorer zero-day vulnerability in limited targeted attacks that affected South Korea. The exploit for the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189) appears to have been hosted on a web page, which suggests that attackers used spear-phishing emails or watering hole attacks to compromise users.

Microsoft fixed the zero-day vulnerability in its latest Patch Tuesday release.
#737 Checking in with spear phishing, criminals check out with hotel credit card data
Hotel chains focus on hospitality, but their security practices have made them entirely too hospitable a target for data theft. Hotels have been brutalized over the past year by a wave of point-of-sale system breaches that have exposed hundreds of thousands of guests' credit card accounts. And those attacks, as a recent episode described by Panda Security's Luis Corrons demonstrates, have become increasingly targeted—in some cases using "spear-phishing" e-mails and malware crafted specifically for the target to gain access to hotels' networks.

In one incident that was uncovered recently, the target "was a small luxury hotel chain," Corrons told Ars. "We discovered the attack, and it was really customized for the specific hotel. This was 100 percent tailored to the specific target."

The attackers used a Word document from the hotel itself—one frequently used by the hotel to allow customers to authorize credit card charges in advance of a stay. The document was actually enclosed as part of a self-extracting file, which also installed two other files on the target machine—one of them an installer for backdoor malware named "adobeUpd.dll" to disguise it and the other a Windows .cmd batch script that both opens the Word document and launches the backdoor.
#736 IBM’s Watson supercomputer takes on security
IBM is leveraging the power of its Watson supercomputer to thwart viruses, ransomware and DDoS attacks. On Tuesday it unveiled an ambitious plan to feed Watson billions of data points from security sources daily so that Watson can spot anomalies as they happen and stop them dead in their tracks before they can cause any harm.

Called Watson for Cyber Security, IBM says the service is about a year away from being rolled out in beta form to select customers. It will be cloud-based and leverage Watson’s “cognitive technology.” But first, IBM says, it will need to be trained to better understand structured and unstructured security data.

“Watson, like anyone new to security, needs to learn what the differences between malware, ransomware, Trojans, viruses, scripting vulnerabilities and so much more are,” said Caleb Barlow, vice president, IBM Security.