Security Lacking in Previous AppleAVEDriver iOS Kernel Extension
An obscure Apple kernel extension patched in July in iOS 10.3.3 was originally built without security measures in place, according to the researcher who privately disclosed the flaws. Today at the Hack in the Box security conference in Singapore, Zimperium zLabs’ Adam Donenfeld was scheduled to...
Adware Spreading Via Social Engineering, Facebook Messenger
Attackers have taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware, something that’s likely earning them a small chunk of change in the process. David Jacoby, a senior security researcher with Kaspersky Lab’s Global Research & Analysis...
Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root
A deprecated Apple authorization API, invoked by third-party installers, is still developers’ preferred choice for updating apps and services on macOS. And that’s a problem because of a massive security issue that could be abused by a local attacker to elevate privileges to root with a little...
Zerodium Offers $500K for Secure Messaging App Zero Days
Zerodium, a vendor operating in the nebulous exploit acquisition market, has put a premium on zero-day vulnerabilities in secure messaging applications in a new pricing structure announced today. Remote code execution and local privilege elevation zero days in messaging apps such as WhatsApp,...
ROPEMAKER Exploit Allows for Changing of Email Post-Delivery
Researchers say a new exploitable attack vector for email, one that could enable the changing of email content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site. Details of the exploit called ROPEMAKER, which stands for...
Business Email Compromise Campaign Harvesting Credentials in Numerous Industries
A business email compromise campaign emanating out of Western Africa is targeting companies in a wide swathe of industries, bucking a trend of these scams focusing on wire fraud and targeting CEOs. The criminals are using phishing emails with links redirecting victims to sites designed to harvest...
Neptune Exploit Kit Dropping Cryptocurrency Miners Through Malvertisements
Despite a marked decrease in activity, exploit kits haven’t completely disappeared just yet. The Neptune, or Terror Exploit Kit, is alive and well; during the last month, researchers have observed the kit as part of a campaign to abuse a legitimate popup ad service to drop cryptocurrency miners...
Android Spyware Linked to Chinese SDK Forces Google to Boot 500 Apps
More than 500 Android mobile apps have been removed from Google Play after it was discovered that an embedded advertising SDK could be leveraged to quietly install spyware on devices. The SDK, called Igexin, was developed by a Chinese company and may have been used to install malware that could,...
Foxit to Fix PDF Reader Zero Days by Friday
In an about-face, Foxit Software says it will fix a pair of zero days in its PDF reader Foxit Reader and PhantomPDF, its PDF editing software. Foxit said it would push a patch for Reader and PhantomPDF, bringing the software to version 8.3.2, later this week—by Friday at the latest. The fixes com...
Fuze Patches TPN Handset Vulnerabilities
Fuze, a maker of popular enterprise-grade voice-over-IP handsets, earlier this year patched three vulnerabilities that exposed user account information and enabled unauthorized authentication. The issues were made public today by researchers at Rapid7 who privately disclosed the flaws on April 12...
Industrial Cobots Might Be The Next Big IoT Security Mess
Researchers at IOActive have found nearly 50 vulnerabilities in industrial collaborative robots, machines that work side-by-side with people in manufacturing and other settings, that can be abused to possibly cause physical harm to workers, or even configured to spy on their surroundings. The...
Facebook Awards $100K to Researchers for Credential Spearphishing Detection Method
A group of researchers recently identified a real-time way to detect credential spearphishing attacks in enterprise settings. The discovery netted the researchers $100,000 last week from Facebook, which awards money as part of its annual Internet Defense Prize partnership with the USENIX Association. Th...
Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket
Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Securit...
Vendor Exposes Backup of Chicago Voter Roll via AWS Bucket
Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access. The data was a backup stored in AWS by Election Systems & Software (ES&S), a voting machine and election management...
It's Not Exactly Open Season on the iOS Secure Enclave
The black box that is Apple’s iOS Secure Enclave may have been pried open, but that doesn’t necessarily mean it’s open season on iPhones and iPads worldwide. Yesterday’s public disclosure of the decryption key for the Secure Enclave Processor firmware does indeed allow white and black hats to pok...
Threatpost News Wrap, August 18, 2017
Mike Mimoso and Tom Spring discuss this week’s security news, including recent abuse of Google Chrome extensions for fraud, a close look at Adobe’s decision to end-of-life Flash Player, and a backdoor discovered in NetSarang server management software’s update mechanism. Download: Threatpost News...
Hacker Publishes iOS Secure Enclave Firmware Decryption Key
A hacker Thursday afternoon published what he says is the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware. The hacker, identified only as xerub, told Threatpost that the key unlocks only the SEP firmware, and that this would not impact user data. “Everybody can look and poke a...
Cisco Patches Privilege Escalation Bugs in APIC
Cisco patched two high-severity vulnerabilities in its Cisco Application Policy Infrastructure Controller (APIC) that could allow an attacker to elevate privileges on the host machine. The product automates and manages the APIC fabric, optimizing application performance and provisioning for physica...
Drupal Patches Critical Access Bypass Bug
Website management platform Drupal released several patches that address access bypass vulnerabilities in its Drupal 8 Core engine Wednesday, fixing one critical and two moderately critical security bugs. The most serious of the vulnerabilities is the access bypass vulnerability CVE-2017-6925 in...
Rowhammer Attacks Come to MLC NAND Flash Memory
The Rowhammer attacks developed by Google more than two years ago put the focus on hardware front and center. That research allowed attackers to flip dynamic random access memory (DRAM) bits in order to induce those memory cells to change their state. Google’s research enabled kernel-level privileg...
Locky Ransomware Variant Slips Past Some Defenses
A variant of the notorious Locky ransomware is part of a large scale email-based campaign managing to slip past the defenses of some unsuspecting companies. Beginning on Aug. 9, and lasting three days, ransomware called IKARUSdilapidated landed in tens of thousands of inboxes with email that...
Adobe Flash's Final Countdown Has Begun
Few times have there been technologies so reviled and celebrated at the same time as Adobe Flash. Since its introduction as Macromedia Flash Player in the mid-’90s, the technology has helped shape what the web has become today. At the same time, few internet technologies have united so many wanti...
Maersk Shipping Reports $300M Loss Stemming from NotPetya Attack
A.P. Moller-Maersk, the world’s largest container ship and supply vessel company, said Tuesday that it would incur hundreds of millions in U.S. dollar losses due to the NotPetya wiper malware attacks of late June. In its second quarter earnings report, Maersk executives said they were expecting...
Google Removes Chrome Extension Used in Banking Fraud
Google has removed from the Chrome Web Store a malicious browser extension used by criminals in Brazil to target corporate users with the aim of stealing banking credentials. The twist is that the attackers did their homework on their targets, learning via social networks whom inside an...
Seven More Chrome Extensions Compromised
The number of compromised Chrome browser extensions is growing beyond the initial Aug. 1 hijacking of the OCR add-on called Copyfish. Added to the list are seven additional legitimate Chrome extensions that attackers took over and used to manipulate internet traffic and web-based ads, according to...
Attackers Backdoor NetSarang Software Update Mechanism
Attackers infiltrated the update mechanism for a popular server management software package as recently as last month and modified it to include a backdoor. NetSarang, which has headquarters in South Korea and the United States, has removed the backdoored update, but not before it was activated o...
Spam Domains Imitating Popular Banks Spreading Trickbot Banking Trojan
Santander Bank customers should be aware of an effective spam campaign spreading the Trickbot banking Trojan that is coming from domains similar to those used by the financial institution. Researchers at My Online Security and the SANS Institute’s Internet Storm Center say that Santander is not t...
Blizzard Entertainment Hit With Weekend DDoS Attack
Blizzard Entertainment reported a crippling DDoS attack over the weekend creating chronic latency and connection issues for players of games Overwatch, World of Warcraft and others. The DDoS attack has since subsided, according to Blizzard, but users are still grousing on Twitter over lingering...
Windows Search Bug Worth Watching, and Squashing
Between Conficker and WannaCry, there was nearly a decade when network worms went dark. WannaCry changed that, riding into enterprises globally on the coattails of a leaked nation-state exploit. In the months since the May 12 ransomware attack, vendors, researchers and network admins have been ...
Smart Locks Bricked by Bad Update
A botched wireless update for a remotely accessible smart lock system has bricked hundreds of them. The locks suffered a “fatal error,” according to the device’s manufacturer, LockState, rendering them unable to lock. Customers are asked to either return impacted locks for repair, or request a...
Researchers Find Phishing Site Encrypted with AES
Scammers chasing Apple credentials and payment card information have ramped up their efforts to hide their phishing page by encrypting it with AES. Researchers at Ring 0 Labs disclosed details about the operation last week, pointing out that the criminals behind this activity are buffering a fair...
APT28 Using EternalBlue to Attack Hotels in Europe, Middle East
Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from busines...
Many Factors Conspire in ICS/SCADA Attacks
Critical infrastructure operators can’t be blamed for a perpetual case of whiplash. They are mired between hackers targeting internet-facing and air-gapped systems with equal precision, and vendors and management unwilling to properly tackle security for fear of downtime and incompatibility. “The...
Apps Infected With SonicSpy Spyware Removed From Google Play
Three messaging apps in the Google Play store contained spyware called SonicSpy. According to researchers, the spyware also infected more than 1,000 additional apps hosted at third-party Android app stores. Researchers at Lookout traced the spyware-infected apps to an Iraqi developer identified a...
Mamba Ransomware Returns, APT Trends, And More
Mike Mimoso and Chris Brook discuss the news of the week including the return of the Mamba ransomware, Kaspersky Lab’s Q2 APT report, Bugcrowd’s 250K mystery bounty, and a high schooler’s $10K bug bounty from Google. Download: ThreatpostNewsWrapAugust112017.mp3 Music by Chris Gonsalves Show notes...
Ukrainian Man Arrested, Charged in NotPetya Distribution
The Cyber Police of Ukraine arrested a suspect they allege distributed the destructive NotPetya/ExPetr malware resulting in the infection of 400 computers. NotPetya/ExPetr was the malware behind a massive global cyberattack that took place earlier this year. It infected computers worldwide with...
Patched Flash Player Sandbox Escape Leaked Windows Credentials
One of the patches included in Tuesday’s Adobe Flash Player update was a do-over after the researcher who privately reported the problem earlier this year discovered the original patch incompletely resolved the issue. Dutch researcher Bjorn Ruytenberg disclosed details after Adobe updated the...
Juniper Issues Security Alert Tied to Routers and Switches
Juniper Networks warned customers Thursday of a high-risk vulnerability in the GD graphics library that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The alert was in conjunction with a warning from the U.S. Computer Emergency Readiness Team...
High Schooler Nets $10,000 For Google Bug
Google fixed a bug last month that could have let anyone access an internal Google website and in turn access sensitive data. The company awarded a hefty $10,000 bounty to the researcher that uncovered it, Ezequiel Pereira, an Uruguayan high school student, last Friday. Pereira stumbled upon the...
SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity
SAP released 19 patches on Tuesday, fixing a trio of vulnerabilities marked high severity in its business management software. The most pressing fixes are for a directory traversal vulnerability in the company’s Netweaver AS Java Web Container, a code injection vulnerability in its Visual Compose...
Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities
An unnamed company will start an eight-week, invite-only bug bounty program in September that offers a $250,000 payout for virtual-machine escape vulnerabilities tied to an unreleased product. Bugcrowd announced the program today, and said the high-priced bounty is the largest advertised bounty o...
Signed Mughthesec Adware Hijacking Macs for Profit
A variant of an older piece of adware built for Macs called OperatorMac has been seen in the wild, and while like most adware it tries to turn a profit, it also illustrates some defensive shortcomings native to Apple’s ecosystem and the industry. Components of the new strain, which is called...
Mozilla Fixes 29 Vulnerabilities in Firefox, Makes Flash Click-To-Activate
Mozilla fixed three critical vulnerabilities when it released Firefox 55 on Tuesday, including bugs that could have triggered a crash of the browser and allowed for the execution of arbitrary code. The code execution vulnerability stems from an XUL injection vulnerability due to improper...
Mamba Ransomware Resurfaces in Brazil, Saudi Arabia
Mamba was among the first samples of ransomware that encrypted hard drives rather than files that was detected in public attacks, primarily against organizations in Brazil and in a high-profile incursion against the San Francisco Municipal Transportation Agency last November. Researchers at...
Microsoft Patches Critical Windows Search Vulnerability
Microsoft patched more than two dozen remote code execution vulnerabilities today, many of them rated critical. One was an RCE bug that allowed an attacker to take complete control of a server or workstation via Windows Search. The fixes were part of Microsoft’s August Patch Tuesday update that...
Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity
Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines. Juan Andres...
Engineering Firm Leaks Data on Dell, SBC and Oracle
A Texas-based firm called Power Quality Engineering publicly exposed sensitive electrical infrastructure data on the public internet. Firms impacted by the leak were Dell Technologies, SBC, Freescale, Oracle, Texas Instruments and the City of Austin. Chris Vickery, cyber risk analyst at security...
Flash Player Marches Toward End, Patches Two Code Execution Bugs in Latest Update
Adobe today pushed out its first Flash Player update since announcing two weeks ago that it would stop distributing and updating the software in 2020. Flash has been at the center of many targeted attacks and exploit kit activity, and despite numerous improvements to the product including...
Complaint Alleges Hotspot Shield VPN Engages in Deceptive Trade Practices
A complaint has been filed with the U.S. Federal Trade Commission alleging that a free VPN service marketed as a provider of secure and anonymous internet access shares user data and redirects traffic to partners, including online advertising companies. The Center for Democracy and Technology (CDT)...
Google Patches 10 Critical Bugs in August Android Security Bulletin
Google patched 10 critical remote code execution bugs in its August Android Security Bulletin issued Monday. It warned the most severe RCE vulnerabilities could enable a remote attacker, using a specially crafted file, to execute arbitrary code within the context of a privileged process. The...