• Zero-day XML External Entity (XXE) Injection Vulnerability in Internet Explorer Can Let Attackers Steal Files, System Info
    For example, an attacker can use a malicious XML file with an external entity reference that abuses the ‘file://’ protocol to read local files, or ‘http://’ to fetch files from web servers. Once the user opens the malicious .mht file, the attacker can exfiltrate files from the user’s system. [Figure: A malicious XML file that specifies the files to extract from the user’s system] As shown in Figure 3, once the malicious MHTML file is opened, the vulnerable IE client sends a GET request to the attacker’s server to retrieve the malicious XML file. [Figure: Sample MHTML file that uses the XXE vulnerability in IE to download a malicious XML file from the attacker’s machine] The contents of the files referenced in the malicious XML are then sent back to the attacker’s server at the URI path specified in that same XML file.
  • Formjacking and the new threats to government
    Federal agencies dodged a proverbial cyber bullet in January when the Department of Homeland Security (DHS) issued its first-ever emergency directive, giving agencies 10 days to implement protections against a global campaign to hijack Domain Name Servers (DNS). The DNS attack was just one of many threats aimed at federal agencies. Symantec’s Internet Security Threat Report (ISTR, Volume 24) found a number of threat trends that should keep federal agencies on alert. Findings of concern for feds: of the many threat vectors identified by the report, the following are of particular concern to federal agencies. Cloud: this has become one of the biggest security concerns in the federal government – so much so that a recently released report by the Navy found military systems have been so extensively targeted and compromised that “their reliability is questionable.” Many of the supply chain threats worldwide were driven by living-off-the-land techniques, which use tools already installed on targeted computers, especially those in newer versions of Microsoft Windows, and run scripts or shellcode that becomes embedded in memory.
  • New INPIVX Service May Change the Ransomware Game
    A new service called Inpivx pushes the ransomware business to a new stage of evolution, making it easy to set up shop for those who lack the technical skills to develop the malware from scratch and build a management panel. For a set price, the operators provide source code for the file-encrypting malware (symmetric AES encryption combined with RSA public-key cryptography) and for the management dashboard. "If the client has no skill, we provide a tutorial based on our own ransomware dashboard; each line of code has an explanation," Inpivx told us. The dashboard is coded in PHP and is intended to be fast, lightweight, and responsive, with a modern, flat design, as the Inpivx developers say on the project's page. After the malware encrypts a victim's files, the dashboard becomes the central point of the operation. With access to the source code, buyers can alter the original ransomware product and create new strains that could evolve into something new by combining code from other malware.
  • Hacker dumps thousands of sensitive Mexican embassy documents online
    A hacker stole thousands of documents from Mexico’s embassy in Guatemala and posted them online. The hacker told TechCrunch in a message: “A vulnerable server in Guatemala related to the Mexican embassy was compromised and I downloaded all the documents and databases.” He said he contacted Mexican officials but was ignored. More than 4,800 documents were stolen, most of which related to the inner workings of the Mexican embassy in the Guatemalan capital, including its consular activities, such as recognizing births and deaths, dealing with Mexican citizens who have been incarcerated or jailed, and issuing travel documents. We found more than a thousand highly sensitive identity documents — including scans of passports, visas, birth certificates and more — belonging primarily to Mexican citizens and diplomats but also to some Guatemalan citizens. [Image: One of the diplomatic visas issued to a Mexican diplomat, found among the stolen files] The stolen data also included dozens of letters granting diplomatic rights, privileges and immunities to embassy staff.
  • Hacking 'hero' Marcus Hutchins pleads guilty to US malware charges
    A British man hailed as a hero for stopping a global cyber-attack that was threatening the NHS has pleaded guilty to US malware charges. Marcus Hutchins, 24, has pleaded guilty to two charges related to writing malware, or malicious software, court documents show. Writing on his website, Hutchins said he regretted his actions and accepted "full responsibility for my mistakes". "As you may be aware, I've pleaded guilty to two charges related to writing malware in the years prior to my career in security," he wrote. Hutchins, from Ilfracombe in Devon, was credited with stopping the WannaCry malware, which was threatening the NHS and other organisations in May 2017. FBI agents arrested Hutchins on 2 August 2017 at Las Vegas's McCarran International Airport as he started his journey home after attending the Def Con hacker conference.
  • “Funky malware format” found in Ocean Lotus sample
    Loader: as it turned out, both files are loaded by hp6000.dll (67b8d21e79018f1ab1b31e1aba16d201). The loading function is executed in an obfuscated way: when DllMain runs, it patches the main executable that loaded the DLL. First, the in-memory image of that module has its page protection changed with VirtualProtect, making the main module writable. [Figure: Using VirtualProtect to make the main module writable] Then the bytes are patched so that the entry point redirects back to the appropriate function in the loading DLL. [Figure: Patching the entry point of the main module, byte by byte] This is how the entry point of the main module looks after the patch is applied: [Figure: The Entry Point of the main module (sporder.exe) after patching] We see that the Virtual Address (RVA 0x1210 + DLL loading base) of the function within the DLL is moved into EAX, and EAX is then used as the jump target. The function that starts at RVA 0x1210 is a loader for the BLOB and CAB. [Figure: Beginning of the loading function] This redirection works because, when the executable is loaded into memory, all the DLLs in its Import Table are loaded and the DllMain of each is called before the Entry Point of the main module is reached.
  • Cyberattack hits Augusta municipal operations; City Center closed
    AUGUSTA — A malicious computer virus that targeted — and squarely hit — the city early Thursday morning forced the closure of Augusta City Center. Because so many municipal functions there rely on computers — and restoring servers and fixing the damage done is expected to be a cumbersome process — Augusta City Center will remain closed until at least Monday, while the network and servers are restored. Fred Kahl, director of the information technology department for both the city and schools, said a piece of malicious software somehow got into the city’s computer network, spread rapidly and damaged servers. “It just became inaccessible,” Kahl said late Thursday afternoon about data stored on city servers. “Nothing went anywhere, guaranteed.” The virus, which officials said was inflicted upon the city’s servers intentionally, also shut down computers used by public safety dispatchers — but not the city’s phone system or the public safety radio system used by dispatchers and police, fire and ambulance staff members in the field to communicate.
  • McAfee joins Sophos, Avira, Avast—the latest Windows update breaks them all
    As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee is showing problems with the patch. Sophos additionally reports that adding the antivirus software's own directory to the list of excluded locations also serves as a fix, which is a little strange. Microsoft is currently blocking the update for Sophos, Avira, and ArcaBit users, with McAfee still under investigation. Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background. Avast and McAfee also provide a hint at the root cause: it appears that Microsoft has made a change to CSRSS ("client/server runtime subsystem"), a core component of Windows that coordinates and manages Win32 applications. Given that patches have appeared from antivirus vendors rather than an update from Microsoft, it suggests (though does not guarantee) that whatever change Microsoft made to CSRSS is revealing latent bugs in the antivirus software.
  • Fraudsters Exploit Sympathies Surrounding Notre Dame Tragedy
    According to research by security company ZeroFOX, cyber-criminals are "spreading misinformation about the disaster," which includes setting up fake donation pages and launching new phishing campaigns. Creating fake donation campaigns on crowdfunding sites: "People looking to donate quickly may easily mistake a fraudulent donation page for the real page – losing their money and putting money in the hands of bad actors, not those in need," says the blog post. One example the ZeroFOX Alpha Team found was on justgiving.com, where an anonymous user created a crowdfunding campaign supporting “Friends of Notre-Dame De Paris Inc.” "Based on the information provided (and lack of details) in the post, any supporter should be hesitant to donate to this particular fundraising effort," the post goes on to say. "In the case of the Notre Dame disaster, we have seen multiple instances of posters using the hashtag #NotreDameCathedralFire looking to capitalize on the tragedy," explains the post. "[This example of one such post] is looking to sell 'services' using the Notre Dame fire hashtag."
  • Wipro Hackers Also Targeted Other Major IT Giants Including Infosys, Cognizant and Capgemini
    KrebsOnSecurity reported that the threat actors responsible for launching an advanced phishing campaign against Bengaluru, India-based Wipro in March also went after the following global outsourcers, systems integrators and MSPs: Avanade, Capgemini, Cognizant, Infosys, PCM, Rackspace and Slalom. “I hope it’s working for them, because if it’s not, this problem got a lot bigger.” An Avanade spokesperson confirmed that the Seattle-based solution provider was also a target of the multi-company security incident, with 34 of the company's employees being impacted in February. "And we continue to take our responsibility to safeguard our clients' data with the utmost seriousness." Rackspace, meanwhile, said it doesn't have any evidence indicating an impact to the company's environment, according to a company spokesperson. It's unknown exactly how successful the adversaries have been in compromising the systems of solution providers other than Wipro and Avanade, which both admitted this week that they had been breached.