Information Technology Sector
Get the point!
38. May 3, Help Net Security – (International) RedKit exploit kit spotted in the wild. A new exploit kit Trustwave researchers spotted in the wild is aiming to enter a market
practically monopolized by the BlackHole and Phoenix exploit kits. This new kit has no official name, so the researchers dubbed it RedKit due to the red coloring scheme of its administration panel. RedKit’s creators decided to promote it by using banners, and potential buyers are required to share their Jabber username by inputting it into an online form hosted on a compromised site of a Christian church. Equipped with this piece of data, the developers contact the buyers and provide them with a demo account so they can examine the software. The admin panel looks similar to other kits, and offers the usual tools: statistics for incoming traffic and the option to upload a payload executable and scan it with 37 different antivirus programs. As each malicious URL gets blocked by most security firms in the first 24 to 48 hours, the kit developers also provide an API that produces a fresh URL every hour, so customers can set up an automated process for updating traffic sources to point to the new URL. To deliver the malware, RedKit exploits two popular bugs: the Adobe Acrobat and Reader LibTIFF vulnerability (CVE-2010-0188) and the Java AtomicReferenceArray vulnerability (CVE-2012-0507), lately used by the criminals behind the massive Flashback infection. Source: http://www.net-security.org/malware_news.php?id=2096&utm
39. May 3, Help Net Security – (International) ‘Free additional storage’ phishing emails doing rounds. Symantec researchers warned about a variety of fake e-mails supposedly coming from popular e-mail and online storage services, offering “storage quota upgrades.” A click on the offered link takes the potential victims to a bogus page mimicking the service’s legitimate one. The page offers a variety of storage plans — from 20 GB to 1 TB — supposedly free of charge. “Your new plan will automatically renew each year, but you can disable auto-renewal at any time by returning to this page and choosing additional free plan,” says the poorly worded offer. “We will contact you 30 days prior to renewal. Please allow up to 24 hours for your new storage amount to appear in all services,” the scammers conclude, so that the users are not alarmed when they do not see an immediate change. In order to select one of the offered storage plans, users must input e-mail address (username) and password, which are promptly sent to the scammers. In the meantime, the users are redirected first to another bogus page notifying them of a successful storage quota upgrade, then to the service’s legitimate Web sites. Source: http://www.net-security.org/secworld.php?id=12858&utm
40. May 3, Threatpost – (International) Serious remote PHP bug accidentally disclosed. A serious remote-code execution vulnerability in PHP was accidentally disclosed May 2, leading to fears of an outbreak of attacks on sites built using vulnerable versions of PHP. The bug was known privately since January when a team of researchers used it in a game and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed May 2. The vulnerability is simple, but it has serious consequences — the researchers found when they passed a specific query string containing the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted to the PHP binary. “A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server,” according to an advisory published May 2 by the U.S. Computer Emergency Readiness Team. The team that found the bug, Eindbazen, said they waited for several months for the PHP Group to release a patch for the vulnerability to publish information about it. However, someone accidentally marked an internal PHP bug as public and it was eventually posted online. As a result, Eindbazen published the details of their findings and how it can be exploited. Source: http://threatpost.com/en_us/blogs/serious-remote-php-bug-accidentally-disclosed-050312 41.
May 3, Nextgov – (International) Companies increasingly are dissecting malware in the cloud. Companies increasingly are looking at malware as a source of intelligence to learn more about the threats they face, Dark Reading reports. One of the ways to do this is by using products that provide malware analysis in the cloud. Companies that chance on suspected malware on their networks can upload it to an Internet — or cloud-based — service and get an automated report back detailing how malicious the worm is. These products help firms analyze how malware enters their systems if they do not have the expertise to do it on their own. Companies have historically tapped software or hired security consultants to carry out malware analysis. Of course, organizations concerned that others would gain sensitive information about their system vulnerabilities will have to do the analysis in-house, the report notes. Source: http://www.nextgov.com/cloud-computing/2012/05/companies-increasingly-are-dissecting-malware-cloud/55559/
42. May 3, Computerworld – (International) Microsoft plans big May patch slate for next week. May 3, Microsoft said it would ship 7 security updates the week of May 7 to patch 23 bugs in Windows, Office, and its Silverlight and .Net development platforms. Of the seven updates, Microsoft tagged three as “critical,” and the other four as “important.” Four updates will address vulnerabilities in Windows; four will impact Office; and one will affect the Silverlight development framework. That count exceeds seven because one of the updates tackles bugs in all three of those lines. Source: http://www.computerworld.com/s/article/9226846/Microsoft_plans_big_May_patch_slate_for_next_week?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+News)&utm_content=Google+Re
43. May 2, Krebs on Security – (International) OpenX promises fix for rogue ads bug. Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution. For months, security experts have been warning about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for bogus security software. OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts. Source: http://krebsonsecurity.com/2012/05/openx-promises-fix-for-rogue-ads-bug/
44. May 2, ZDNet – (International) A first: Hacked sites with Android drive-by download malware. Cyber criminals often put drive-by download malware on Web sites they have hacked in order to quickly infect visitors’ PCs. For the first time thoughhacked Web sites with Android drive-by download malware were discovered. A new trojan, called NotCompatible, appears to serve as a simple TCP relay while posing as asystem update named “Update.apk.” It does not currently appear to cause any direct harm to a target Android device, but could potentially be used to gain access to privatenetworks by turning an infected smartphone into a proxy. IT administrators should nota device infected with NotCompatible could potentially be used to infiltrate normally protected information or systems, such as those maintained by enterprises or governments. The device needs to be set to approve applications not from the Google Play store, and the user has to agree to install the app. Source: http://www.zdnet.com/blog/security/a-first-hacked-sites-with-android-drive-by-download-malware/11810 For more stories, see items 5, 29, 33, and 34
Internet Alert Dashboard
To report cyber infrastructure incidents or to request information, please contact US-CERT at email@example.com or visit their Web site: http://www.us-cert.gov Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) Web site: https://www.it-isac.org [Return to top]