Security Alerts & News
by Tymoteusz A. Góral

#2179 Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.

The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.

Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
#2178 This book reads you - using JavaScript
In a previous post about ePub parsers (This book reads you - exploiting services and readers that support the ePub book format), I mentioned using scripting capabilities in ePub to perform local attacks against users.

Apple just released a fix for one issue I reported last year in iBooks that allowed access to files on a user's system when a book was opened. iBooks on El Capitan would open an ePub using the file:// origin, which would allow an attacker to access the user's file system when they opened a book. (CVE-2017-2426)

To help demonstrate how this could be used to perform attacks against users, I added a WebSocket client to a book, so that all users who open the book will connect back to a WebSocket controller server that will feed them arbitrary instructions. The WebSocket client in the ePub will allow access as long as the user has the book open (expectation is that it could be open for a long time, if the user is provided with something worth reading).
#2177 Flatbed scanners used as relay point for controlling malware in air-gapped systems
Scientists from two Israeli universities have come up with a way to use flatbed scanners as relay points when sending commands to malware installed on an air-gapped computer. Further research revealed the scanner could also be used to relay stolen data to a nearby attacker.

The technique they came up with revolves around the idea that a beam of light aimed at the scanner can be interpreted as a binary 1 and the absence of light as a binary 0.

For this technique to work, two conditions must be met. First, the flatbed scanner lid must be left open in an upright position so an attacker can aim light beams at its sensors.
#2176 Let’s Encrypt issues certs to ‘PayPal’ phishing sites: how to protect yourself
The modus operandi for phishing attacks is straightforward: thieves spam out legitimate-looking messages with malicious links that, when clicked, dupe the victim into giving up passwords, credit card numbers and the like.

When they set up their sites, crooks need SSL certificates, and for the most part there’s no stopping them from getting one. Just as people fall for fake sites that look like something from their bank or HR department, the certificate provider can fail to tell the difference between the legitimate and fraudulent cert seeker.

Such is the case with Let’s Encrypt, a free, automated certificate authority that has issued 15,270 “PayPal” certificates to sites used for phishing.
#2175 VMware patches critical virtual machine escape flaws
VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines.

The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player and VMware Fusion.

Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own.
#2174 Skype users hit by ransomware through in-app malicious ads
Several users have complained that ads served through Microsoft's Skype app are serving malicious downloads which, if opened, can trigger ransomware.

News of the issue came from a Reddit thread on Wednesday, in which the original poster said that Skype's home screen -- the first screen that shows up on consumer versions of the software -- was pushing a fake, malicious ad, purporting to be a critical update for the Flash web plug-in.
#2173 One of the most prolific botnets is back - and now it's being used for stock market scams
After three months of near inactivity, one of the world's most prolific mailing botnets has returned - apparently re-purposed to carry out different cybercriminal activity.

The Necurs botnet was one of the biggest distributors of malware during 2016, sending millions of malicious emails in an effort to spread Locky ransomware. Locky became the highest-profile form of ransomware of 2016, before mysteriously appearing to cease operations in late December.
#2172 Unskilled group behind many junk ransomware strains
A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.

The group's activity first came to light in March 2016, when various Magento stores were targeted and had their files locked with a Web-based ransomware called KimcilWare.
#2171 New IIS 6.0 0day exploited in live attacks since July 2016
Since July 2016, attackers have been using a zero-day in IIS 6.0 to compromise and take over Windows servers.

The zero-day was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China.

The two published proof-of-concept exploit code on GitHub two days ago, after Microsoft acknowledged the flaw, but said it couldn't patch it as it affected EOL products, for which it doesn't issue updates anymore.
#2170 Russian hacker pleads guilty in global botnet case
A Russian national has pleaded guilty to charges related to a botnet scheme that siphoned millions of dollars from victims worldwide.

On Tuesday, the US Department of Justice (DoJ) said that Maxim Senkh, from Velikii Novgorod, Russia, admitted to participating in what prosecutors call a "criminal enterprise that installed and exploited malicious computer software on tens of thousands of computer servers throughout the world."

The malware, known as Ebury, harvested OpenSSH login credentials from computers and servers that were infected. These stolen details were then used to create the Ebury botnet, a network of 'slave' computers and servers which all accepted instructions from Senkh and co-conspirators through a command and control (C&C) center.
#2169 About 90% of Smart TVs vulnerable to remote hacking via rogue TV signals
A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.

The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.
#2168 Someone is putting lots of work into hacking GitHub developers
Open source developers who use GitHub are in the cross-hairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of GitHub repositories. One commenter in this thread reported the initial infection e-mail was sent to an address that was used solely for GitHub, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than GitHub developers.