Security Alerts & News
by Tymoteusz A. Góral

#1197 Ransomware gang claims Fortune 500 company hired them to hack the competition
In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company.

“We are hired by [a] corporation to cyber disrupt day-to-day business of their competition,” the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure.

“The purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first.”
#1196 PayPal fixes CSRF vulnerability in PayPal.me
PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission.

The issue stemmed from a cross-site request forgery (CSRF) vulnerability in PayPal.me, a site the company launched last year to let its users request money, similar to what Venmo, another property it owns, does.

Florian Courtial, a French software engineer who hunts for bugs in his spare time, discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.

Courtial found the bug while rooting around both PayPal.com and PayPal.me for CSRF vulnerabilities. Using Burp Suite, he discovered he could remove or edit the CSRF token and still update a user's PayPal profile picture, meaning the server was not validating it. The responses were also missing a few HTTP headers, such as X-Frame-Options: DENY, which allowed him to submit the form without redirection.
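The defect described above is a profile-update handler that never checks the submitted CSRF token against the one issued with the form. The following is an added illustration, not PayPal's code: a constructed handler with the flaw beside a hardened version that rejects missing or edited tokens and sets X-Frame-Options: DENY on the response (the session and form dictionaries are assumed stand-ins for a web framework's objects).

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    # Issue a fresh random token with the form and remember it server-side.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def update_profile_vulnerable(session: dict, form: dict) -> dict:
    # The flaw from the report: whatever token the client sends (or omits),
    # the profile is updated, so a cross-site form post succeeds.
    session["picture"] = form["picture"]
    return {"status": 200, "headers": {}}


def update_profile_fixed(session: dict, form: dict) -> dict:
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    # Reject when the token is absent or does not match the issued one.
    # compare_digest keeps the comparison time independent of where the
    # first differing byte sits, so the token cannot be guessed byte by byte.
    if not expected or not submitted or not hmac.compare_digest(expected, submitted):
        return {"status": 403, "headers": {"X-Frame-Options": "DENY"}}
    session["picture"] = form["picture"]
    # The header the report notes as missing: browsers refuse to render the
    # page in a frame, which blocks clickjacking of the same form.
    return {"status": 200, "headers": {"X-Frame-Options": "DENY"}}
```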
#1195 PowerWare ransomware masquerades as Locky to intimidate victims
A new variant of the PowerWare ransomware is stealing street cred from the Locky strain of ransomware in an attempt to spoof that malware family. A new sample of PowerWare found by Palo Alto Networks' Unit 42 reveals the ransomware's quickly evolving tactics.

According to researchers, a new version of the ransomware is using Locky’s “.locky” file extension to encrypt files and make it appear the files have been infected with Locky. The ransomware has also adopted Locky’s ransom note and uses the same wording as Locky in the ransomware’s “help” instructions.
#1194 Flaws in Oracle file processing SDKs affect major third-party products
Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle on Tuesday affect products from third-party software vendors, including Microsoft.

The vulnerabilities were found by researchers from Cisco's Talos team and are located in the Oracle Outside In Technology (OIT), a collection of software development kits (SDKs) that can be used to extract, normalize, scrub, convert and view some 600 unstructured file formats.

These SDKs, which are part of the Oracle Fusion Middleware, are licensed to other software developers who then use them in their own products. Such products include Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.
#1193 Canadian man behind popular ‘Orcus RAT’
Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here's the story of how I learned the real-life identity of the Canadian man who's laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else's computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.
#1192 Google fixes 48 bugs, sandbox escape, in Chrome
Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox.

That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday.

Four dozen of those flaws are rated as high risk, and Google paid out more than $22,000 in rewards to researchers who reported vulnerabilities to the company. Payment on an additional 11 bugs found by bug bounty hunters is pending, Google said.