Stealthy ransomware 'Critroni' uses Tor, could replace Cryptolocker

ID: IRCNE2014072262
Date: 2014-07-22

According to “ComputerWorld”, cybercriminals are spreading a new file-encrypting ransomware program that is more powerful and resilient than Cryptolocker, a threat recently shut down by the U.S. Department of Justice.
The new ransomware threat is called CTB-Locker (Curve-Tor-Bitcoin Locker), but Microsoft anti-malware products detect it as Critroni. Its creator has been advertising the program to other cybercriminals on Russian-language forums since the middle of June and it seems that he's been trying to fix most of Cryptolocker's faults.
Critroni encrypts files with a scheme based on elliptic curve cryptography, which its creator claims is significantly faster than the encryption used by other ransomware. Provided the implementation has no flaws, the encrypted files cannot be recovered without the private key the attacker holds, which in practice means without paying the ransom.
Like Cryptolocker, Critroni generates a public and private key pair for every infected system. The public key is stored on the infected computer and given to the victim, who is then asked to pay a ransom in Bitcoin in order to recover the files.
The private key, which is used to decrypt the files, is stored on a remote command-and-control server that, in the case of Critroni, can only be accessed over the Tor anonymity network. This is a precaution that the creator has taken in order to make it difficult for law enforcement agencies or security researchers to identify and shut down the server.
In early June, the DOJ along with law enforcement agencies from several other countries took control of the Gameover Zeus botnet which was distributing the Cryptolocker ransomware. During the operation the authorities also seized the Cryptolocker command-and-control servers.
To prevent a similar takedown, Critroni was designed to complete the file encryption locally before it ever connects to the command-and-control server. This also makes it hard for network security products to detect it early and block it by analyzing traffic: by the time any command-and-control traffic is visible, the files are already encrypted.
Blocking Tor traffic only prevents the user from paying, not the program from functioning, the Critroni author said in his advertisement.
The new ransomware program initially targeted Russian-speaking users, but variants seen lately also display the ransom message in English, suggesting that the threat is now distributed more widely, said an independent malware researcher known online as Kafeine in a blog post Friday. "It seems to be a strong, well thought piece of malware."

European Central Bank hacked, personal data stolen

ID: IRCNE2014072264
Date: 2014-07-26

According to “CNet”, the European Central Bank (ECB) admitted Thursday that a security breach has led to the theft of personal data.
The central bank for the euro announced that a database linked to its public website has been compromised, resulting in the theft of personal data related to people registering for events at the ECB via the organization's website.
A cybercriminal was able to penetrate a database storing details of people who had registered for conferences, visits and other events, but the database is physically separate from internal ECB systems. According to the ECB, "no internal systems or market sensitive data were compromised," however email addresses, physical addresses, and phone numbers were stolen.
The ECB said most of the data was encrypted, but the contact information of registrants was not. Approximately 20,000 email addresses and a smaller number of phone numbers and physical addresses were lifted. Also stolen, in encrypted form, was "data on downloads from the ECB website."
The theft came to light after an anonymous email was sent to the ECB demanding money in exchange for the data.
The organization is now contacting people whose email addresses or other data might have been compromised, all passwords have been changed on the system as a precautionary measure, and ECB security staff have addressed the vulnerability responsible.
"The ECB takes data security extremely seriously," the organization said. "German police have been informed of the theft and an investigation has started."

Thousands of sites compromised by WordPress plug-in flaw

ID: IRCNE2014072265
Date: 2014-07-26

According to “ComputerWorld”, a critical vulnerability found recently in a popular newsletter plug-in for WordPress is being actively exploited and has been used to compromise an estimated 50,000 sites so far.
The security flaw is located in MailPoet Newsletters, previously known as wysija-newsletters, and was fixed in version 2.6.7 of the plug-in, released on July 1. If left unpatched, it allows attackers to upload arbitrary PHP files to the Web server and take control of the site.
MailPoet Newsletters has been downloaded almost 2 million times from the official WordPress plug-in repository to date.
Several days ago researchers from Web security firm Sucuri spotted an automated attack that injected a PHP backdoor file into many WordPress sites. A deeper analysis revealed that the attack exploited the MailPoet file upload vulnerability patched at the beginning of the month.
"The backdoor is very nasty and creates an admin user called 1001001," the Sucuri security researchers said Wednesday in a blog post. "It also injects backdoor code into all theme/core files. The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place."
The Sucuri free website scanner, which people use voluntarily, detects a few thousand sites compromised by this attack every day, according to Daniel Cid, chief technology officer at Sucuri. However, Sucuri estimates that up to 50,000 sites were infected so far, he said Thursday via email.
Some sites that didn't have MailPoet installed or were not even using WordPress were also compromised, because of what Cid calls cross-contamination. If one Web hosting account has a WordPress site vulnerable to this attack, the PHP backdoor uploaded through it can infect all sites hosted under that same account.
"On most shared hosting companies -- GoDaddy, Bluehost, etc. -- one account cannot access files from another account, so the cross-contamination would be restricted to sites within the same account," Cid said. However, in other cases, "if the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server."
The injection script used in the initial attack had a bug that damaged legitimate site files, resulting in obvious errors. That's no longer the case, as attackers fixed their code and the latest variation of the malware no longer breaks websites, Cid said.
In order to protect their WordPress websites from this attack, administrators should update the MailPoet plug-in to the latest version, which at this time is 2.6.9. Version 2.6.8 of the plug-in, released on July 4, addressed an additional security issue.
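Two triage checks an administrator would want after reading the above, written here as an added example (this is not code from Sucuri, MailPoet or ComputerWorld). It reads the plug-in's version from its WordPress plugin header and classifies it against the fixed releases named in the article (2.6.7, 2.6.8, 2.6.9), and it flags the admin account name the backdoor was seen to create. Assumptions not stated on the page: the plug-in's main file carries a standard header with a "Version:" line and lives at wp-content/plugins/wysija-newsletters/index.php, and the list of user logins is obtained separately (for example `SELECT user_login FROM wp_users` or `wp user list --field=user_login`) and passed in as strings.

```python
"""Added example, not code from Sucuri, MailPoet or ComputerWorld: triage
checks for the MailPoet (wysija-newsletters) incident described above.

Assumptions not stated on the page: the plug-in's main file carries a standard
WordPress plugin header containing a "Version:" line, it lives at
wp-content/plugins/wysija-newsletters/index.php, and the list of user logins is
obtained separately (e.g. `SELECT user_login FROM wp_users` or
`wp user list --field=user_login`) and passed in as strings.
"""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

FIXED_UPLOAD_FLAW = (2, 6, 7)   # July 1 release that closed the arbitrary PHP upload
FIXED_ADDITIONAL = (2, 6, 8)    # July 4 release that fixed an additional security issue
LATEST_KNOWN = (2, 6, 9)        # latest release at the time of the article
BACKDOOR_ADMIN = "1001001"      # admin account created by the observed backdoor

# Matches "Version: 2.6.9" or " * Version: 2.6.9" inside the header comment.
_VERSION_RE = re.compile(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)",
                         re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.6.10' -> (2, 6, 10). Tuples compare numerically; as strings,
    '2.6.10' < '2.6.9', which would mark a newer release as outdated."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the Version: field of a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return parse_version(m.group(1)) if m else None


def assess_mailpoet(header_text: str) -> str:
    """Classify an installed MailPoet against the fixed versions in the article."""
    v = plugin_version(header_text)
    if v is None:
        return "unknown: no Version header found"
    if v < FIXED_UPLOAD_FLAW:
        return "vulnerable: arbitrary PHP upload (fixed in 2.6.7), assume compromise"
    if v < FIXED_ADDITIONAL:
        return "partially patched: upload flaw fixed, update for the 2.6.8 fix"
    if v < LATEST_KNOWN:
        return "patched: known issues fixed, newer release available"
    return "up to date"


def assess_install(wp_root: Path) -> str:
    """Read the plugin header from a WordPress install (file path is an assumption)."""
    main_file = wp_root / "wp-content" / "plugins" / "wysija-newsletters" / "index.php"
    if not main_file.is_file():
        return "not installed: wysija-newsletters not found"
    # The header sits at the top of the file; 8 KiB is ample and avoids
    # reading a possibly backdoored file in full.
    with main_file.open("r", encoding="utf-8", errors="replace") as fh:
        return assess_mailpoet(fh.read(8192))


def suspicious_admins(user_logins: Iterable[str]) -> List[str]:
    """Flag the account name Sucuri saw the backdoor create."""
    return [u for u in user_logins if u.strip() == BACKDOOR_ADMIN]


# Constructed sample header (not a real MailPoet file), at a vulnerable version.
SAMPLE_HEADER = """<?php
/*
Plugin Name: MailPoet Newsletters
Description: constructed sample header
Version: 2.6.6
*/
"""

if __name__ == "__main__":
    print(assess_mailpoet(SAMPLE_HEADER))
    print(suspicious_admins(["admin", "1001001", "editor"]))
```

A version at or above 2.6.7 only tells you the upload hole is closed; it says nothing about whether the site was already backdoored before the update, which is why the user check and a comparison of theme and core files against a known-good backup still matter.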

Microsoft patches Windows, Lync Server

Number: IRCNE2014092311
Date: 2014/09/10

According to “zdnet”, Microsoft has released four security bulletins with accompanying updates. A total of 42 vulnerabilities are addressed in these updates.

  • MS14-052: Cumulative Security Update for Internet Explorer (2977629) — This update fixes 37 vulnerabilities, one of them publicly disclosed back in February. The other 36 are all memory corruption vulnerabilities. The worst of them could allow an attacker to run code on the user's system with the privileges of the logged-on user. All versions of Windows other than the Server Core versions are affected by these bugs.
  • MS14-053: Vulnerability in .NET Framework Could Allow Denial of Service (2990931) — This is a single vulnerability which affects all current versions of the Microsoft .NET Framework except version 3.5 Service Pack 1. All versions of Windows are affected, including the Server Core versions except for the non-R2 versions of Windows Server 2008.
  • MS14-054: Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948) — An attacker who is logged on to the system and runs a malicious program could elevate privileges to those of the local system account. This single vulnerability affects only the current generation of Windows: Windows RT, Windows 8.x, Windows Server 2012 and Windows Server 2012 R2, including Server Core.
  • MS14-055: Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928) — An attacker who sends a specially-crafted request to Microsoft Lync Server 2010 or 2013 could cause a denial of service in the server.

At the same time, Microsoft has released 11 non-security updates and a new version of the Windows Malicious Software Removal Tool.

Zero-day flaws found in Symantec's Endpoint Protection

ID: IRCNE2014072269
Date: 2014-07-31

According to "ComputerWorld", Symantec's Endpoint Protection product has three zero-day flaws that could allow a logged-in user to move to a higher access level on a computer, according to a penetration testing and training company.
The three flaws, all known as privilege escalation vulnerabilities, were found during a security test of a financial services company, said Mati Aharoni, lead trainer and developer for Offensive Security, in a phone interview late Tuesday.
Offensive Security, famous for its Kali Linux penetration testing software, released a short video on Tuesday demonstrating a successful exploit. It plans to preview proof-of-concept code during its "Advanced Windows Exploitation" training class at the Black Hat security conference in Las Vegas next month.
The flaws have been reported to computer emergency response teams. Symantec said it is aware of the reported flaws and is investigating.
The flaws allow greater access on a computer where a person is already logged in. From there, that access can eventually be parlayed into system-level access, which opens up the potential for other attacks, such as dumping password hashes or identifying the cached credentials of domain administrators, Aharoni said.
Offensive Security didn't specifically target Endpoint Protection during its penetration test, but realized that if it did have a flaw, it would result in a catastrophic compromise, Aharoni said. Endpoint Protection was running on "hundreds if not thousands of computers" in the financial services company, Aharoni said.

Microsoft pulls updates, recommends uninstall

ID: IRCNE2014082292
Date: 2014-08-18

According to “ZDNet”, since Patch Tuesday this past week, Microsoft has been receiving reports of severe system errors caused by one or more of the updates. In response, the company has pulled several updates from download channels and offered advice on how to remove them. In one case, it recommends that users uninstall the update.
The most severe case appears to be MS14-045 (Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege). The security advisory recommends that users uninstall that update.
Microsoft reports problems with three other updates and has pulled them from download and provided uninstallation instructions, but has not specifically recommended that users uninstall. Two of these are non-security updates released on Tuesday. The third is a re-release ("Revision: 7.0") on Thursday, August 14 of an older update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2; only metadata was supposed to change in the new version and users who had previously installed it did not need to reinstall.

Malicious advertising hits Amazon, YouTube and Yahoo, Cisco says

Number: IRCNE2014092312
Date: 2014-09-13

According to “techworld”, malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said Monday.
When encountered, the malicious advertisements cause a person to be redirected to a different website, which triggers a download based on whether the computer is running Windows or Apple's OS X, wrote Armin Pelkmann, a threat researcher.
Cisco didn't identify the advertising network that is serving the malicious advertisements. Although ad networks try to filter out malicious ones, occasionally bad ones slip in, which for a high-traffic site means a large pool of potential victims.
Some of the malicious ads were served on youtube.com, amazon.com and ads.yahoo.com, Pelkmann wrote. All told, 74 domains were serving the ads.
When a victim is redirected by one of the ads, the computer downloads a piece of malware with a unique checksum, making it harder for security software to detect. The download may also contain legitimate software such as a media player. To be infected, the user must be convinced to open the file.
"The attackers are purely relying on social engineering techniques in order to get the user to install the software package," Pelkmann wrote. "No drive-by exploits are being used thus far."

VMware and Cisco patch vulnerabilities in data-center gear and software

Number: IRCNE2014092313
Date: 2014-09-13

According to “techworld”, VMware and Cisco Systems released security fixes this week for serious vulnerabilities in networking virtualization and server software typically used in data centers.
Cisco patched a persistent denial-of-service vulnerability that could prevent the out-of-band management of Cisco Unified Computing System (UCS) E-Series Blade servers that are deployed in Cisco Integrated Services Routers Generation 2 (ISR G2).
The vulnerability is located in the SSH (Secure Shell) service of the Cisco Integrated Management Controller (Cisco IMC), a specialized micro-controller embedded in server motherboards that allows systems administrators to monitor and manage servers from outside their OS.
Cisco released version 2.3.1 of the Cisco IMC firmware for UCS E-Series servers on Monday. Customers need to use the Host Upgrade Utility in order to deploy the new firmware.
If left unpatched, an attacker could exploit the vulnerability by sending a specially crafted packet to the vulnerable SSH server, forcing the IMC to become unresponsive. This could impact the availability of the entire server.
VMware released security updates Thursday for its NSX and vCloud Networking and Security (vCNS) products in order to patch what the company called "a critical information disclosure" vulnerability. The company's advisory does not clarify what kind of information can be disclosed by exploiting the issue, but both the NSX and vCNS products are used for virtualizing network services.

Hackers compromised nearly 5M Gmail passwords

ID: IRCNE2014092314
Date: 2014-09-13

According to “ComputerWorld”, security experts are urging Gmail users to change their passwords amid reports that hackers gained access to the credentials of 5 million users of the free email service. Some password combinations have been spotted on Russian cybercrime forums.
Peter Kruse, head of the eCrime unit at CSIS Security Group in Copenhagen, told Computerworld that most of the nearly 5 million stolen Gmail passwords are about three years old, but many are still legitimate and functioning.
He said that CSIS experts suspect that several hackers worked on an endpoint compromise to exploit vulnerable network protocols.
Google did not respond to a Computerworld request for comment but has told other news outlets that it has found no evidence that its systems have been compromised.
Google’s cloud-based email service is used by individuals as well as enterprises.
Russian media outlet RIA Novosti reported that hackers have stolen and published a database containing the Google account logins and passwords to a Bitcoin Security online forum.
The database reportedly contains 4.93 million Google accounts from English, Russian and Spanish users.

Cyberespionage group starts using new Mac OS X backdoor program

Number: IRCNE2014092315
Date: 2014-09-13

According to “techworld”, a group of hackers known for past cyberespionage attacks against the U.S. Defense Industrial Base, as well as companies from the electronics and engineering sectors, has recently started using a backdoor program to target Mac OS X systems.
"The backdoor code was ported to OS X from a Windows backdoor that has been used extensively in targeted attacks over the past several years, having been updated many times in the process," security researchers from FireEye said Thursday in a blog post.
The malicious program is dubbed XSLCmd and is capable of listing and transferring files and installing additional malware on an infected computer. The OS X variant can also log keystrokes and capture screen shots, the FireEye researchers said.
When installed on a Mac, the malware copies itself to /Library/Logs/clipboardd and $HOME/Library/LaunchAgents/clipboardd. It also creates a com.apple.service.clipboardd.plist file to ensure its execution after system reboots.
The malware contains code that checks the OS X version, but does not account for versions above 10.8 (Mountain Lion). This suggests that version 10.8 was either the latest OS X version when the program was written or at least the most common one used by its intended targets.
The XSLCmd backdoor was created and is used by a cyberespionage group that has been operating since at least 2009 and has been dubbed GREF by the FireEye researchers. "Historically, GREF has targeted a wide range of organizations including the US Defense Industrial Base (DIB), electronics and engineering companies worldwide, as well as foundations and other NGOs, especially those with interests in Asia," they said.
According to FireEye, GREF is known to have used zero-day exploits in the past. These are exploits for vulnerabilities that didn't have a patch available when they started being targeted.
This new XSLCmd variant is the latest of several backdoor programs for Mac OS X that have been used in cyberespionage attacks in the past couple of years.
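The persistence artifacts above are the concrete host indicators a responder can check for, so here is a small host check as an added example (this is not FireEye's code). It looks for the two dropped binaries at the paths the article gives, and it inspects the user's LaunchAgents for the named plist, for any agent that executes something called clipboardd, and, more generally, for any user-installed agent whose Label pretends to be Apple's (com.apple.*). The last heuristic, and the assumption that the plist is written to ~/Library/LaunchAgents with a Label matching its filename, are the editor's, not facts from the page. The demo builds a constructed, fake infected home directory in a temporary folder so the script runs anywhere.

```python
"""Added example, not FireEye's code: a host check for the XSLCmd persistence
artifacts described above. File paths come from the text. The assumptions that
the com.apple.service.clipboardd.plist lives in ~/Library/LaunchAgents with a
Label equal to its filename, and the heuristic that any agent in a user's
LaunchAgents carrying a com.apple.* Label is suspicious, are the editor's."""
import plistlib
import tempfile
from pathlib import Path
from typing import List

DROPPED_SYSTEM_FILES = ("Library/Logs/clipboardd",)        # relative to "/"
DROPPED_USER_FILES = ("Library/LaunchAgents/clipboardd",)  # relative to $HOME
PLIST_NAME = "com.apple.service.clipboardd.plist"


def launch_agent_findings(agents_dir: Path) -> List[str]:
    """Inspect every .plist in a LaunchAgents directory."""
    findings: List[str] = []
    for plist_path in sorted(agents_dir.glob("*.plist")):
        if plist_path.name == PLIST_NAME:
            findings.append(f"known XSLCmd persistence plist: {plist_path}")
        try:
            with plist_path.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            # A LaunchAgent that does not parse still deserves a look.
            findings.append(f"unparseable LaunchAgent: {plist_path}")
            continue
        label = str(data.get("Label", ""))
        program = data.get("Program")
        targets = [str(program)] if program else []
        targets += [str(a) for a in (data.get("ProgramArguments") or [])]
        if any("clipboardd" in t for t in targets):
            findings.append(f"LaunchAgent executes clipboardd: {plist_path}")
        # Apple's own agents live under /System/Library/LaunchAgents; an
        # Apple-looking label in a user's LaunchAgents is masquerading.
        if label.startswith("com.apple."):
            findings.append(f"Apple-looking label in user LaunchAgents: {plist_path} ({label})")
    return findings


def scan_host(system_root: Path, home: Path) -> List[str]:
    """Check dropped files and user LaunchAgents; roots are parameters so the
    same code runs against a live system ("/", Path.home()) or a mounted image."""
    findings: List[str] = []
    for rel in DROPPED_SYSTEM_FILES:
        p = system_root / rel
        if p.exists():
            findings.append(f"file present: {p}")
    for rel in DROPPED_USER_FILES:
        p = home / rel
        if p.exists():
            findings.append(f"file present: {p}")
    agents = home / "Library" / "LaunchAgents"
    if agents.is_dir():
        findings.extend(launch_agent_findings(agents))
    return findings


def demo() -> List[str]:
    """Build a constructed (fake) infected layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        home = root / "Users" / "victim"
        (root / "Library" / "Logs").mkdir(parents=True)
        (root / "Library" / "Logs" / "clipboardd").write_bytes(b"fake binary")
        agents = home / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        (agents / "clipboardd").write_bytes(b"fake binary")
        with (agents / PLIST_NAME).open("wb") as fh:
            plistlib.dump({"Label": "com.apple.service.clipboardd",
                           "ProgramArguments": [str(agents / "clipboardd")],
                           "RunAtLoad": True}, fh)
        # A benign third-party agent that must not be flagged.
        with (agents / "com.example.updater.plist").open("wb") as fh:
            plistlib.dump({"Label": "com.example.updater",
                           "ProgramArguments": ["/usr/bin/true"]}, fh)
        return scan_host(root, home)


if __name__ == "__main__":
    for line in demo():
        print(line)
    # Against a live Mac: scan_host(Path("/"), Path.home())
```

Running it against a real machine is `scan_host(Path("/"), Path.home())`; run it per user account, since each user has a separate LaunchAgents directory. Absence of these artifacts only rules out this particular build, since the article notes the Windows original has been updated many times.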
