Security Alerts & News
by Tymoteusz A. Góral

#1617 FruityArmor APT group used recently patched Windows zero-day
One of the four zero-day vulnerabilities Microsoft patched last week was being used by an APT group called FruityArmor to carry out targeted attacks, escape browser-based sandboxes, and execute malicious code in the wild.

Anton Ivanov, a researcher at Kaspersky Lab, was credited by Microsoft for discovering the vulnerability last Tuesday but little was known about how it was actually being exploited until today.

The vulnerability, CVE-2016-3393, stemmed from the way a Windows component, the graphics device interface (GDI), handled objects in memory. GDI is the Windows application programming interface that applications use to draw graphics and formatted text on the video display and on printers.
#1616 Mobile applications leak device, location data
Both Android and iOS apps leak data, leaving users vulnerable to data theft, denial-of-service attacks, and remote SIM card rooting.

In a report released Thursday, “Are mobile apps a leaky tap in the enterprise?”, researchers at Zscaler assert that Android and iOS users are equally vulnerable to a wide range of mobile security threats tied to mobile apps.

According to the report, enterprises are challenged both by a growing number of BYOD devices entering the workplace and by users downloading risky apps from third-party sources. In its study of 45 million transactions over a three-month period, Zscaler identified privacy leakage as the most serious problem, with too many apps sending metadata, location data and personally identifiable information to the developer’s server or to an ad server. The report calls on companies to enforce stricter mobile device management programs to protect users and network assets.
#1615 This ransomware is now one of the three most common malware threats
The threat of ransomware attacks continues to grow. One particular strain of the cryptographic file-locking malicious software has now risen to become one of the top three most prevalent forms of malware used by hackers and cybercriminals.

Ransomware has exploded in 2016 and is increasingly targeting business networks instead of individual users. The total cost of damages related to these attacks is set to top $1 billion this year.

Locky is currently the most prevalent family of ransomware. The malware infamously took down the network of a high-profile Los Angeles hospital in February, and its notoriety has led to it entering the top three most common forms of malware.
#1614 Locky ransomware learns new evasive tricks
For several weeks security experts have had success slowing Locky ransomware infection rates. That’s been due to aggressive efforts to combat the Trojan downloader Nemucod, used in recent campaigns to distribute Locky. But now researchers say hackers behind Locky are changing tactics, giving the ransomware new legs.

According to the Microsoft Malware Protection Center team, Locky ransomware authors have shifted the type of malicious attachments used in their spam campaigns to evade detection. They have observed Locky authors moving away from the use of .wsf files hiding Nemucod.
#1613 3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit
MUMBAI: Banks in India will either replace or ask users to change the security codes of as many as 3.2 million debit cards in what's emerging as one of the biggest ever breaches of financial data in India, people aware of the matter said. Several victims have reported unauthorised usage from locations in China.

Of the cards, 2.6 million are said to be on the Visa and MasterCard platforms and 600,000 on the RuPay platform. The worst-hit of the card-issuing banks are State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank, the people said.
#1612 Weebly confirms hack; millions of Foursquare accounts also exposed
Another day, another hack.

Weebly and Foursquare are the latest in a long line of tech companies under scrutiny for their security practices. On Thursday, breach notification site LeakedSource posted details of the attacks in a blog post explaining what happened.

More than 43.4 million accounts were stolen in the attack, thought to have been carried out in February.

According to a sample of the data seen by ZDNet, each record in this mega breach contains a username, email address, password, and IP address. The stolen passwords were stored as bcrypt hashes, a strong password-hashing algorithm.
#1611 The Reign of Ransomware (PDF)
By the end of 2015, we predicted that 2016 would be the Year of Online Extortion. This particular forecast was influenced by the proliferation of stolen data from data breach incidents used for online extortion, and an increasing number of similar online threats.

True enough, the first half of 2016 witnessed a surge of ransomware attacks launched against a variety of industries. During the first half of 2016 we blocked and detected almost 80 million ransomware threats. The rapid rise of ransomware cases could be a clear indication of ransomware’s effectiveness in granting cybercriminals the satisfaction of easy monetary reward. With the rising number of ransomware cases and more enterprises continuously losing money and opting to pay ransom, we believe that the Reign of Ransomware will stay prevalent.
#1610 Cisco ASA software identity firewall feature buffer overflow vulnerability
A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic.

Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability.
#1609 “Most serious” Linux privilege-escalation bug ever is under active exploit
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."