Security Alerts & News
by Tymoteusz A. Góral

#1902 Dutch developer added backdoor to websites he built, phished over 20,000 users
A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built.

According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions.

The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek.
#1901 Ukraine's power outage was a cyber attack: Ukrenergo
A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday.

When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine.

Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.

"The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo said.
#1900 GCHQ encourages teenage girls to become cybersecurity professionals of the future
Government surveillance agency GCHQ is running a tech skills competition for teenage girls as part of an initiative designed to encourage more women to join the fight to protect the UK from cyberattacks and hackers.

Reflecting a gender balance issue in the technology sector as a whole, women make up just ten percent of the global cybersecurity workforce. GCHQ is looking to change that with the launch of the CyberFirst Girls Competition.

Orchestrated by GCHQ's National Cyber Security Centre, the competition looks to knock down barriers to entry into the profession by inviting girls between the ages of 13 and 15 to enter in teams of four. They will have their cybersecurity skills tested against other schoolgirls from across the UK in a series of online challenges.
#1899 Project Zero finds XSS bug in auto-installed Adobe Acrobat Chrome extension
Last week Adobe released an update to Acrobat that carried a potentially unwanted passenger: an automatically installed Chrome extension. The next time Chrome was loaded, the extension prompted the user to let it view and manipulate the web pages they visited and to manage their downloads.

Upon its release, Project Zero security researcher Tavis Ormandy found it left users vulnerable to cross-site scripting attacks.

"I think CSP [Content Security Policy] might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc," Ormandy wrote in the Project Zero issue tracker.
#1898 Uncovering the inner workings of EyePyramid
Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)

The court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.
#1897 Oracle's monster security update: 270 fixes and over 100 remotely exploitable flaws
Oracle has released its first quarterly critical patch update of the year, urging customers to immediately apply the bundle's 270 fixes to a number of its products.

Product families fixed in this update include Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle's updates are typically large but the 270 fixes in this advisory are just short of Oracle's record critical update last July, which contained 276 fixes.
#1896 Newly discovered Mac malware found in the wild also works well on Linux
A newly discovered family of Mac malware has been conducting detailed surveillance on targeted networks, possibly for more than two years, a researcher reported Wednesday.

The malware, which a recent Mac OS update from Apple detects as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the Yosemite release of OS X in October 2014. It is still unclear how machines get infected.
#1895 EITest nabbing Chrome users with a “Chrome Font” social engineering scheme
“EITest” is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit (EK) landing pages. EITest has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2014. Elements of EITest may be much older, though, with hints pointing to EITest being an evolution of the “Glazunov” infection chain from 2011 [1]. The first server-side documentation of this evolution came from Sucuri in July 2014 [2], associated with waves of WordPress exploitation via the MailPoet plugin vulnerability. KahuSecurity recently analyzed the server-side script in October 2016 [3].