A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.
The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.
Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
In a previous post about ePub parsers (This book reads you - exploiting services and readers that support the ePub book format), I mentioned using scripting capabilities in ePub to perform local attacks against users.
Apple just released a fix for one issue I reported last year in iBooks that allowed access to files on a user's system when a book was opened. iBooks on El Capitan would open an ePub using the file:// origin, which would allow an attacker to access the user's file system when they opened a book. (CVE-2017-2426)
To help demonstrate how this could be used to perform attacks against users, I added a WebSocket client to a book, so that all users who open the book will connect back to a WebSocket controller server that will feed them arbitrary instructions. The WebSocket client in the ePub will allow access as long as the user has the book open (expectation is that it could be open for a long time, if the user is provided with something worth reading).
Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points when sending commands to malware installed on an air-gapped computer. Further research revealed the scanner could also be used to relay stolen data to a nearby attacker.
The technique they came up with revolves around the idea that a beam of light can be interpreted as a binary 1 and the absence of light as a binary 0.
For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors.
The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.
When they set up their sites, crooks need SSL certificates, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like something from their bank or HR department, the certificate provider can fail to tell the difference between the legitimate and fraudulent cert seeker.
Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 “PayPal” certificates to sites used for phishing.
VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines.
The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player and VMware Fusion.
Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own.
Several users have complained that ads served through Microsoft's Skype app are serving malicious downloads which, if opened, can trigger ransomware.
News of the issue came from a Reddit thread on Wednesday, in which the original poster said that Skype's home screen -- the first screen that shows up on consumer versions of the software -- was pushing a fake, malicious ad, purporting to be a critical update for the Flash web plug-in.
After three months of near inactivity, one of the world's most prolific mailing botnets has returned - apparently re-purposed to carry out different cybercriminal activity.
The Necurs botnet was one of the biggest distributors of malware during 2016, sending millions of malicious emails in an effort to spread Locky ransomware. Locky became the most high profile form of ransomware of 2016, before mysteriously appearing to cease operations in late December.
A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy and, more recently, SADStory and L0CK3R74H4T.
The group's activity first came to light in March 2016, when various Magento stores were targeted and had their files locked with a Web-based ransomware called KimcilWare.
Since July 2016, attackers have been using a zero-day in IIS 6.0 to compromise and take over Windows servers.
The zero-day was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China.
The two published proof-of-concept exploit code on GitHub two days ago, after Microsoft acknowledged the flaw but said it could not patch it because it affects end-of-life products, for which it no longer issues updates.
A Russian national has pleaded guilty to charges related to a botnet scheme that siphoned millions of dollars from victims worldwide.
On Tuesday, the US Department of Justice (DoJ) said that Maxim Senkh, from Velikii Novgorod, Russia, admitted to participating in what prosecutors call a "criminal enterprise that installed and exploited malicious computer software on tens of thousands of computer servers throughout the world."
The malware, known as Ebury, harvested OpenSSH login credentials from computers and servers that were infected. These stolen details were then used to create the Ebury botnet, a network of 'slave' computers and servers which all accepted instructions from Senkh and co-conspirators through a command and control (C&C) center.
A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.
The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.
Open source developers who use Github are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.
Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of Github repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for Github, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than Github developers.