Security Alerts & News
by Tymoteusz A. Góral

#1785 Buffer overflow in BSD libc library patched
The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code.

libc is the C standard library shipped with the BSD family of operating systems, such as FreeBSD, NetBSD and OpenBSD, and provides their POSIX interfaces. Apple’s OS X also uses a BSD-derived libc.

According to Garret Wassermann, a vulnerability analyst at Carnegie Mellon’s Software Engineering Institute CERT/CC who disclosed the vulnerability yesterday, only a handful of implementations that use the library have publicly applied the fix.

The issue stems from a problem with the obuf buffer in the link_ntoa() function in linkaddr.c. Because the data written into that buffer is not bounds-checked, an attacker could read from or write to memory beyond it.
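The overflow pattern described above, reproduced as an added example in C (not the BSD libc source): a link_ntoa()-style formatter that copies a caller-controlled interface name and hex-encodes the link-layer address into a fixed 64-byte static buffer, next to a version that computes the required size first and refuses input that does not fit. The struct lladdr, the function names and the sample names and addresses are constructed for this example; the real struct sockaddr_dl carries more fields than the two used here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the two sockaddr_dl fields a link_ntoa()-style
 * formatter consumes: an interface name of nlen bytes followed by alen
 * address bytes (assumption for this example). */
struct lladdr {
    uint8_t nlen;
    uint8_t alen;
    uint8_t data[255];
};

static const char hexlist[] = "0123456789abcdef";

/* Build a struct lladdr from a name and raw address bytes; -1 if it won't fit. */
int make_lladdr(struct lladdr *l, const char *name, const uint8_t *addr, size_t alen) {
    size_t nlen = strlen(name);
    if (nlen > 255 || alen > 255 || nlen + alen > sizeof l->data) return -1;
    l->nlen = (uint8_t)nlen;
    l->alen = (uint8_t)alen;
    memcpy(l->data, name, nlen);
    memcpy(l->data + nlen, addr, alen);
    return 0;
}

/* Exact size of the formatted string including the NUL: the name, a ':' when
 * both parts are present, one or two hex digits per address byte, and a '.'
 * between bytes. Both lengths are attacker-influenced, so this can exceed 64. */
size_t lladdr_fmt_len(const struct lladdr *l) {
    size_t n = (size_t)l->nlen + 1;
    if (l->nlen && l->alen) n++;
    for (size_t i = 0; i < l->alen; i++)
        n += l->data[l->nlen + i] > 0xf ? 2 : 1;
    if (l->alen) n += (size_t)l->alen - 1;
    return n;
}

/* Shared formatting loop. The caller must guarantee `out` has
 * lladdr_fmt_len(l) bytes; nothing in here checks. */
static void lladdr_fmt_into(const struct lladdr *l, char *out) {
    const uint8_t *in = l->data + l->nlen, *inlim = in + l->alen;
    memcpy(out, l->data, l->nlen);
    out += l->nlen;
    if (l->nlen && l->alen) *out++ = ':';
    for (int first = 1; in < inlim; in++, first = 0) {
        if (!first) *out++ = '.';
        if (*in > 0xf) *out++ = hexlist[*in >> 4];
        *out++ = hexlist[*in & 0xf];
    }
    *out = '\0';
}

/* The vulnerable shape: a fixed 64-byte static buffer and no check that the
 * name plus the hex-encoded address fits. A name and address totalling a few
 * dozen bytes is enough for the writes to run past obuf. */
char *fmt_unchecked(const struct lladdr *l) {
    static char obuf[64];
    lladdr_fmt_into(l, obuf);
    return obuf;
}

/* Hardened: the caller owns the buffer, its size is known, and the exact
 * requirement is checked up front so oversized input is rejected, not written. */
int fmt_checked(const struct lladdr *l, char *buf, size_t buflen) {
    if ((size_t)l->nlen + l->alen > sizeof l->data) return -1;
    if (lladdr_fmt_len(l) > buflen) return -1;
    lladdr_fmt_into(l, buf);
    return 0;
}
```

For a normal six-byte MAC on an interface called em0 the two functions produce the same string; for a long name plus a 40-byte address the checked version returns -1 where the unchecked one would write well past the end of its 64-byte buffer. In a library fix the equivalent is to carry sizeof(obuf) into the loop and stop (or fail) when it would be exceeded.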
#1784 Phishing made easy: Time to rethink your prevention strategy? (PDF)
By examining a phishing campaign, researchers at the Imperva Defense Center have uncovered new ways cybercriminals are leveraging compromised servers to lower the cost of phishing. Phishing is the starting point for most network and data breaches. The campaigns run mostly from compromised web servers and distribute all kinds of malware including ransomware. In this report, we present the different tools used to compromise web servers, phishing platforms offered as a service, financial motivations and the business models of phishing campaigns. We also highlight the importance of intelligence sharing which helped attribute with high confidence the phishing campaign to a group of known cybercriminals.

Phishing campaigns are often orchestrated from compromised web servers while hosting providers and businesses remain totally unaware of the malicious activity. Compromised web servers used in Phishing as a Service (PhaaS) platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks. The 2016 Verizon Data Breach Investigations Report (VZ DBIR) documents a significant increase in phishing success over 2015 primarily due to human factors. Endpoint protection mechanisms have failed to contain the spread of malware. If more web servers are hardened, there is a good chance the phishing threat can be mitigated.

The best way to protect web servers from being compromised is to deploy web application firewalls (WAFs) that can detect and block advanced injection techniques. The phishing-based malware distribution mechanism relying on compromised servers can be contained only by increasing the security on web servers. If WAFs were deployed as ubiquitously as network firewalls, the cybercriminal industry would be seriously crippled.
#1783 Phishing-as-a-service is making it easier than ever for hackers to steal your data
Phishing is already the easiest way for hackers to steal data and it's getting even easier thanks to the rise of organised criminal groups on the dark web offering phishing-as-a-service schemes to budding cybercriminals, steadily lowering the cost of entry.

According to cybersecurity researchers, this approach to phishing is about a quarter of the cost and twice as profitable as traditional unmanaged -- and labour intensive -- phishing campaigns and follows in the footsteps of other cybercrime-as-a-service campaigns.

The 'Phishing made easy' report from Imperva's Hacker Intelligence Initiative details how a Phishing-as-a-Service (PhaaS) store on the Russian black market offers a "complete solution for the beginner scammer" including databases of emails, templates of phishing scams, and a backend database to store stolen credentials.
#1782 Millions exposed to malvertising that hid attack code in banner pixels
Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.

Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine and isn't being monitored by the kinds of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.
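To make the mechanism concrete, here is an added example in C (not ESET's code, and not the exact encoding Stegano used, which the article does not give): a toy scheme that hides a payload in the alpha channel of a fully opaque RGBA banner so that every alpha value stays within 3 of full opacity, an extractor that recovers it, and the kind of statistic an ad network could compute to notice it. The 300x250 banner, the gradient cover image, the 2-bits-per-pixel layout and the payload string are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RGBA buffer with the layout of a canvas ImageData: 4 bytes per pixel, alpha last. */
#define BANNER_W 300
#define BANNER_H 250
#define BANNER_PIXELS (BANNER_W * BANNER_H)
#define BYTES_PER_PIXEL 4
#define PIXELS_PER_BYTE 4      /* 2 payload bits per pixel */

static uint8_t cover[BANNER_PIXELS * BYTES_PER_PIXEL];
static uint8_t stego[BANNER_PIXELS * BYTES_PER_PIXEL];

/* Constructed cover banner: a fully opaque gradient (assumption; a real banner
 * would come from decoding the ad creative's PNG). */
void make_cover(uint8_t *img, size_t pixels) {
    for (size_t i = 0; i < pixels; i++) {
        img[i * 4 + 0] = (uint8_t)i;          /* R */
        img[i * 4 + 1] = (uint8_t)(i >> 8);   /* G */
        img[i * 4 + 2] = 128;                 /* B */
        img[i * 4 + 3] = 255;                 /* A: fully opaque */
    }
}

/* Hide the payload in the alpha channel: each byte is split into four 2-bit
 * chunks and each chunk is stored as a drop of 0..3 below full opacity
 * (alpha 255..252), which the eye cannot distinguish from 255. The first two
 * bytes are a big-endian payload length. Returns -1 if it does not fit. */
int embed_alpha(uint8_t *img, size_t pixels, const uint8_t *payload, size_t len) {
    if (len > 0xffff || (len + 2) * PIXELS_PER_BYTE > pixels) return -1;
    uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)(len & 0xff) };
    size_t px = 0;
    for (size_t i = 0; i < len + 2; i++) {
        uint8_t b = i < 2 ? hdr[i] : payload[i - 2];
        for (int shift = 6; shift >= 0; shift -= 2)
            img[px++ * 4 + 3] = (uint8_t)(255 - ((b >> shift) & 3));
    }
    return 0;
}

/* Reassemble one byte from the alpha deviations of four consecutive pixels. */
static uint8_t read_alpha_byte(const uint8_t *img, size_t px) {
    uint8_t b = 0;
    for (int k = 0; k < PIXELS_PER_BYTE; k++)
        b = (uint8_t)((b << 2) | ((255 - img[(px + k) * 4 + 3]) & 3));
    return b;
}

/* Recover the payload; returns its length, or -1 if the header is inconsistent
 * with the image size or the output buffer. */
long extract_alpha(const uint8_t *img, size_t pixels, uint8_t *out, size_t outcap) {
    if (pixels < 2 * PIXELS_PER_BYTE) return -1;
    size_t len = ((size_t)read_alpha_byte(img, 0) << 8) | read_alpha_byte(img, PIXELS_PER_BYTE);
    if ((len + 2) * PIXELS_PER_BYTE > pixels || len > outcap) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = read_alpha_byte(img, (i + 2) * PIXELS_PER_BYTE);
    return (long)len;
}

/* Detector statistic: pixels whose alpha is almost, but not quite, opaque
 * (252..254). An opaque creative has none; low-order alpha steganography
 * produces exactly these values. */
size_t count_near_opaque(const uint8_t *img, size_t pixels) {
    size_t n = 0;
    for (size_t i = 0; i < pixels; i++) {
        uint8_t a = img[i * 4 + 3];
        if (a >= 252 && a < 255) n++;
    }
    return n;
}
```

Embedding a 10-byte payload touches only 48 of the 75,000 pixels and leaves the RGB channels untouched, which is why a visual review of the banner finds nothing. The detector's input on a real creative would be the decoded PNG pixels (in a browser, `ctx.getImageData(...).data` has exactly this layout). A banner that is supposed to be fully opaque should have zero near-opaque pixels, whereas anti-aliased edges or deliberate transparency raise the baseline, so the count has to be judged against what that creative's artwork normally contains rather than as an absolute threshold.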
#1781 Hackers gamify DDoS attacks with collaborative platform
A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal.

The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.

Promoters of Surface Defense are actively recruiting Turkish hackers who may be sympathetic to Turkish nationalist beliefs, Forcepoint believes. Targets of the DDoS attacks include the Kurdistan Workers' Party, the German Christian Democratic Party and the website of the Armenian National Institute in Washington, D.C., said Carl Leonard, principal security analyst at Forcepoint. “It’s unclear if those behind the Surface Defense platform are indeed politically motivated or they are simply using politics as a marketing tool to lure hackers into their network.”
#1780 Critical vulnerability patched in Roundcube webmail
The open source webmail project Roundcube has released an update that addresses a critical vulnerability, present in all default configurations, that could allow an attacker to run arbitrary code on the host operating system.

The flaw is serious because it’s relatively simple to exploit and can allow an attacker to access email accounts or move deeper onto the network.

Researchers at RIPS Technologies, a German company specializing in PHP application security analysis, privately disclosed the bug Nov. 21. Roundcube had the vulnerability fixed on GitHub a day later, and made an updated version publicly available Nov. 28. Versions 1.0 to 1.2.2 are vulnerable, and users are advised to update to 1.2.3.
#1779 Backdoor accounts found in 80 Sony IP security camera models
Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version.

Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price.

One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

The second hard-coded password is for the root account and could be used to take full control of the camera over Telnet. The researchers concluded from the password's hash that it is static rather than generated per device and, while they haven’t actually cracked it, they believe it’s only a matter of time until someone does.