Search Results for “Sergiu Gatlan”


June 13, 2019
Sergiu Gatlan / Bleeping Computer

Two Microsoft NTLM Flaws Leave All Unpatched Windows Machines Vulnerable to Remote Code Execution Attacks

Windows machines that don’t have the latest security patches installed are vulnerable to remote code execution (RCE) attacks as the result of two critical flaws affecting the Windows NTLM (short for NT LAN Manager) Authentication Protocol, according to researchers at Preempt. NTLM is used for client/server authentication purposes to authenticate remote users and to provide session security when requested by application protocols. Although Microsoft provides mitigations to block NTLM relay attacks, several flaws in those mitigations could be exploited by hackers. Microsoft issued security advisories and patches for the two flaws, the CVE-2019-1040 Windows NTLM Tampering Vulnerability and the CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability, as part of this month’s Patch Tuesday fixes.

Related: Cyber Defense Magazine, TechNadu, The Daily Swig, Computer Business Review, SC Magazine, TechRepublic, Threatpost, MSPowerUser, Preempt


July 11, 2019
Sergiu Gatlan / Bleeping Computer

Pale Moon Says That Hackers Infected Old Versions of Browser With Malware Dropper in Just-Discovered 2017 Breach

The Pale Moon web browser team said that their Windows archive servers were breached and the hackers infected all archived installers of Pale Moon 27.6.2 and below with a malware dropper on December 27, 2017, but stressed that the browser’s main distribution channels were in no way affected. Although not discovered by Pale Moon until July 9, the script was used by the attackers so that users who subsequently downloaded Pale Moon browser installers and self-extracting archives would be infected with malware. Pale Moon offered steps that users can go through to check if the installers they downloaded were tampered with and advised those who downloaded an infected file to “do a full scan and clean of your system with reputable antivirus software to clean this malware.”

July 10, 2019
Sergiu Gatlan / Bleeping Computer

New Ransomware Strain ‘eCh0raix’ Targets QNAP Network Attached Storage Devices Used in Backups, File Storage

A new ransomware strain written in Go and dubbed eCh0raix is being used in the wild to infect and encrypt documents on consumer and enterprise QNAP Network Attached Storage (NAS) devices used for backups and file storage, the Anomali Threat Research Team reports. “The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks,” according to the researchers. The malware uses a hardcoded public key that appears to be compiled into each sample for its specific target, with a unique key per target. An eCh0raix decryptor is not yet available, although the Anomali researchers say it is likely possible to write one.

July 8, 2019
Sergiu Gatlan / Bleeping Computer

Wave of Seemingly Automated Magecart Group 7 Card Skimming Malware Infections Breached 962 E-Commerce Stores Within One Day

A large-scale, seemingly automated payment card skimming campaign that successfully breached 962 e-commerce stores was discovered by Sanguine Security researcher Willem de Groot. The malware script appeared on all of the stores within a 24-hour timeframe and, although Sanguine Security didn’t specify it, the procedure would most likely entail scanning for and exploiting security flaws in the stores’ software platform. Several victims were missing patches against PHP object injection exploits, according to de Groot. The skimmer was used by the attackers to collect e-commerce customers’ payment info on breached stores, including full credit card data, names, phones, and addresses. The group behind this campaign is Magecart Group 7, known to have used “automated exploits for known bugs” in previous attacks, RiskIQ’s head of threat research Yonathan Klijnsma said. Security researcher Micham spotted a malicious skimmer being injected into the site of The Guardian via an old AWS S3 bucket and using wix-cloud[.]com as a skimmer gate. Malwarebytes’ Jérôme Segura said this latest wave is part of a Magecart campaign abusing the Amazon CloudFront CDN discovered during June, with a number of compromises on Amazon CloudFront’s CDN where hosted JavaScript libraries were tampered with and injected with web skimmers.

Related: CBR, github gist, Infosecurity Magazine, Security Affairs

Tweets: @profwoodward @micham @jeromesegura @ecomscam @ydklijnsm


June 21, 2019
Sergiu Gatlan / Bleeping Computer

LoudMiner Uses Virtualization Software, Cracked Windows, macOS VST Software to Target Audio Engineering Systems for Monero Mining

An unusual persistent cryptocurrency miner called LoudMiner, based on XMRig, which mines Monero and uses an untraceable mining pool, has been distributed for macOS and Windows since August 2018, researchers at ESET report. LoudMiner uses virtualization software, QEMU on macOS and VirtualBox on Windows, to mine Monero on a Tiny Core Linux virtual machine, making it cross-platform. The malware comes bundled within cracked copies of Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune. It is distributed via an attacker-controlled website which currently links to 137 VST-related apps, 42 of them for Windows and 95 for the macOS platform, all of them frequently updated and hosted on 29 servers. To conceal itself, LoudMiner seemingly targets audio production systems known for having high-end hardware and for being under constant load while processing audio content.

June 19, 2019
Sergiu Gatlan / Bleeping Computer

Online Food Ordering Service EatStreet Disclosed Data Breach That Gave Hacker Access to Customer Payment Data, Sensitive Information on Partners

In a series of data breach alerts sent to delivery and restaurant partners as well as end customers, online food ordering service EatStreet disclosed a security incident from May which led to a data breach involving customer payment card information and sensitive info of delivery and restaurant partners. EatStreet, which services more than 15,000 restaurants in more than 1,100 cities and counts at least 100,000 Android app installs, says that the hacker was able to access its database between May 3 and May 17, when the breach was detected. EatStreet said it notified credit card payment processors so that they are aware of the breach and can act accordingly to protect their customers.

June 17, 2019
Sergiu Gatlan / Bleeping Computer

CISA Achieved a Working BlueKeep RCE Exploit, Issues Alert for Windows Users to Patch the Critical Severity Flaw

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) achieved remote code execution (RCE) on a computer running a vulnerable version of Windows 2000 and published an alert for Windows users to patch the critical-severity Remote Desktop Services (RDS) RCE security flaw known as BlueKeep. This alert represents the fourth warning to users to patch against the “wormable” flaw, following two others from Microsoft and one from the U.S. National Security Agency (NSA). The BlueKeep flaw, tracked as CVE-2019-0708, is present in Remote Desktop Services and allows remote unauthenticated attackers to run arbitrary code, conduct denial of service attacks, and potentially take control of vulnerable systems. In its alert, CISA offers a series of mitigation measures that users and administrators should consider.

Related: TechCrunch, US-CERT, Security Week, DataBreachToday.com, Dark Reading, Cyberscoop, Engadget, TechSpot, SecurityWeek


June 13, 2019
Sergiu Gatlan / Bleeping Computer

Now-Patched Major Vulnerability in Evernote Web Clipper for Chrome Could Allow Attackers to Steal Data From User-Visited Third-Party Websites

A critical vulnerability in Evernote Web Clipper for Chrome could allow attackers to break domain-isolation mechanisms and execute code on behalf of the user, granting access to sensitive user information not limited to Evernote’s domain, including third-party websites, researchers at Guardio report. The problem is a Universal Cross-Site Scripting (UXSS, aka Universal XSS) flaw tracked as CVE-2019-12592 and stemming from an Evernote Web Clipper logical coding error that made it possible to “bypass the browser’s same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote’s domain.” Evernote fully patched the vulnerability in under a week after receiving Guardio’s report and rolled out the fix to all users on May 31, with the patch being confirmed as fully functional on June 4.

Related: SecurityWeek, Sensors Tech Forum, Help Net Security, Newslocker, Security Affairs, The Daily Swig, The Hacker News, DataBreaches.net, Guardio


June 6, 2019
Sergiu Gatlan / Bleeping Computer

Millions of Mail Servers Are Impacted by Critical RCE Flaw That Is Instantly Exploitable by Local and Remote Attackers

A critical remote code execution (RCE) vulnerability, dubbed “The Return of the WIZard,” present in versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software, makes it possible for unauthenticated remote attackers to execute arbitrary commands on mail servers in some non-default server configurations, Qualys discovered while doing a code review of the latest changes in the Exim mail server. The flaw, tracked as CVE-2019-10149, stems from the improper validation of recipient addresses in the deliver_message() function in /src/deliver.c, which leads to RCE with root privileges on the mail server. The vulnerability is exploitable instantly by a local attacker and by a remote attacker in certain non-default configurations. The bug was patched by Exim’s developers in version 4.92 on February 10, although it “was not identified as a security vulnerability” at the time “and most operating systems are therefore affected.” According to a Shodan search, vulnerable versions of Exim are currently running on roughly 4,800,000 machines, with more than 588,000 servers already running the patched Exim 4.92 release.

May 28, 2019
Sergiu Gatlan / Bleeping Computer

HawkEye Keylogging Malware Campaign Targeting Businesses Worldwide Escalated During April, May

An increase in HawkEye v9 keylogger infection campaigns targeting businesses worldwide was observed during April and May by researchers at IBM X-Force. HawkEye is designed to steal both account credentials and sensitive information but can also be used as a loader, “leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors.” The attackers used spam servers located in Estonia and disguised the malicious spam emails as messages from Spanish banks or legitimate companies. The researchers also found another malware spam campaign launched from a server in Turkey between February 11, 2019 and March 3, 2019, but with an IP address from the same class C network, leading them to believe the same actor is behind both campaigns.