GameStop Online Shoppers Officially Warned of Breach
GameStop customers received breach notification warnings this week, cautioning them that their personal and financial information could have been compromised nine months ago. According to postal letters sent to customers, GameStop said an undisclosed number of online customers had their credit ca...
Google Releases reCAPTCHA API for Android
Google announced today that it has made a new reCAPTCHA API available for Android. The API is part of Google Play Services, Google said, and developers can now add the verification to mobile applications to distinguish between bots and human users. The technology is more than a decade old and...
Platinum APT First to Abuse Intel Chip Management Feature
Advanced attackers operating in Southeast Asia are abusing a feature in Intel chips to quietly load malware and exploits onto compromised machines. Microsoft on Thursday published its latest research into a group it calls Platinum, which is keen on using previously untapped resources to stealthil...
On Porting EternalBlue to Windows, Facebook Phishing, and More
Mike Mimoso and Chris Brook discuss the news of the week, including how EternalBlue was ported to Windows 10, a Facebook phishing study, QakBot, and this week’s Apple announcements. Download: ThreatpostNewsWrapJune92017.mp3...
Motorola Moto G4, G5 Vulnerable to Local Root Shell Attacks
UPDATE Researchers say several Motorola handset models are vulnerable to a critical kernel command line injection flaw that could allow a local malicious application to execute arbitrary code on the devices. The two affected Motorola models are the Moto G4 and Moto G5. The warnings come from Alep...
VMware Patches Critical Vulnerabilities in vSphere Data Protection
VMware fixed two critical vulnerabilities in its vSphere Data Protection solution this week that could have allowed an attacker to execute commands on the virtual appliance, among other outcomes. The Department of Homeland Security’s CERT encouraged users and admins on Wednesday to apply the...
Cisco Patches Critical Flaws in Prime Data Center Network Manager
A debugging tool left on in deployments of Cisco’s large-scale data center management software could be remotely accessed and allow an attacker to run code with root privileges. Cisco made an update available that patches this and one other critical vulnerability in the same management software,...
Authentication Bypass, Potential Backdoors Plague Old WiMAX Routers
WiMAX routers manufactured by several companies, including Huawei and ZyXEL, are vulnerable to an authentication bypass that could let an attacker change the password of the admin user, gain access to the device, or the network behind it. Stefan Viehböck, a researcher with SEC Consult Vulnerabili...
Google Removes Rooting Trojan Dvmap From Play Store
Google removed a nasty Trojan from Google Play earlier this week that could have rooted Android devices and injected malicious code into an infected device’s system library. The malware, dubbed Dvmap, was disguised as a game that had been downloaded more than 50,000 times prior to its removal,...
EFF Sues DOJ Over National Security Letter Disclosure Rules
The Electronic Frontier Foundation sued the United States Department of Justice Wednesday demanding to know whether the agency is complying with rules that mandate a periodic review of National Security Letter gag orders. The suit, filed in U.S. District Court for the Northern District of...
Windows 10 Mitigations Make Future EternalBlue Attacks Difficult
The emergence of a port of the EternalBlue exploit to Windows 10 signals that white-hat researchers have likely done what the NSA has already long ago accomplished. The leaked version of the powerful Windows SMB attack shared by the ShadowBrokers in April was built only to attack Windows XP and...
Zusy Malware Installs Via Mouseover – No Clicking Required
Researchers are warning of several recent spam campaigns delivering PowerPoint files that when opened contain a mouseover link that installs a variant of the Zusy malware. The malware is novel because it does not rely on macros, JavaScript or VBA macros to be enabled for the dropper file to...
Curiosity Kills Security When it Comes to Phishing
Regardless of the amount of training and technology applied to phishing prevention, people are going to click on links, trust messages from supposedly known sources and get into trouble online. A recent academic paper collates the results of an experiment conducted with more than 1,200 German...
IBM Backup Bug Gets Workaround After Nine Months of Exposure
IBM quietly released last week a workaround for a vulnerability in its enterprise backup software it has known about since September 2016. The flaw is serious and allows a local adversary to exfiltrate data from IBM’s Spectrum Protect backup-archive and data protection service. “This is a really...
Google Fixes 30 Vulnerabilities, Five High Severity, in Chrome 59
Google on Monday released the latest stable version of Chrome that includes patches for 30 vulnerabilities, including five high severity issues. The company paid out $23,500 to external researchers for the vulnerabilities, including $7,500 for a type confusion vulnerability in V8, the open source...
NSA's EternalBlue Exploit Ported to Windows 10
The NSA’s EternalBlue exploit has been ported to Windows 10 by white hats, meaning that every unpatched version of the Microsoft operating system back to Windows XP—and likely earlier—can be affected by one of the most powerful attacks ever made public. Researchers at RiskSense, among the first t...
QakBot Returns, Locking Out Active Directory Accounts
QakBot, a worm-like strain of information-stealing malware that’s been around since 2009, has resurfaced again. The malware has been a thorn in the side of administrators as of late. After a recent stretch of inactivity, researchers now link a rash of recent Microsoft Active Directory lockouts to...
40,000 Subdomains Tied to RIG Exploit Kit Shut Down
Tens of thousands of illegally established subdomains used by criminals involved with the RIG Exploit Kit were recently taken down after an investigation revealed that hackers were phishing domain account credentials to set up these subdomains. Most of the subdomains used GoDaddy as the primary...
53 Percent of Enterprise Flash Installs are Outdated
The number of outdated versions of Adobe Flash running on enterprise computers grew 10 percent year-over-year to 53 percent of endpoints, despite numerous devastating attacks targeting the maligned software and endless calls to deprecate it. Duo Security said in its 2017 Duo Trusted Access Report...
Jaff Malware Probe Uncovers Link to Cybercrime Marketplace
An investigation into a new strain of Jaff ransomware uncovered a shared backend infrastructure between the malware and a black market bazaar selling stolen bank and credit card account information. Researchers at Heimdal Security said the cybercrime marketplace they found appeared mature, offeri...
EternalBlue Exploit Spreading Gh0st RAT, Nitol
EternalBlue, the exploit used in the WannaCry ransomware outbreak, is now being leveraged to distribute the Nitol backdoor and Gh0st RAT malware. Security researchers at FireEye said, just as WannaCry criminals did, threat actors are leveraging the same Microsoft Server Message Block SMB protocol...
SSH Configuration on Nexpose Servers Allowed Weak Encryption Algorithms
Rapid7 encouraged owners of its Nexpose appliances this week to apply an update to their systems to tweak how SSH is configured by default. The company warned on Wednesday the devices were shipped with an SSH configuration that could have let some obsolete KEX, encryption and MAC algorithms be us...
On ShadowBrokers, WannaCry, Samba, and the OneLogin Breach
Mike Mimoso and Chris Brook discuss the news of the week, including the ShadowBrokers crowdfunding attempt, errors in WannaCry, a new Wikileaks dump, last week’s Samba vulnerability, and the OneLogin breach. Download: ThreatpostNewsWrapJune22017.mp3 Music by Chris Gonsalves...
WikiLeaks Dumps CIA Patient Zero Windows Implant
WikiLeaks on Thursday made public a CIA implant that is used to turn a Windows file server into a malware distribution point on the local network. The documents describing the tool, Pandemic, explain how remote machines on the local network trying to download and/or execute documents from the fil...
Fireball Malware Infects 250 Million, Targets Windows and Mac OS
A Chinese digital marketer is to blame for the spread of malware called Fireball that reportedly has turned 250 million web browsers into ad-revenue generating “zombies” and infected 20 percent of corporate networks around the world. The malware hijacks browsers and generates revenue for a...
Insecure Backend Databases Blamed for Leaking 43TB of App Data
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a treasure-trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable...
Crowdfunding Effort to Buy ShadowBrokers Exploits Shuts Down
Heeding the advice of attorneys, law enforcement and peers in the security industry, a crowdfunding campaign that spun up to purchase the next batch of ShadowBrokers leaks has been squashed. The group announced this week more details on its impending Dump of the Month Service in which it promises...
OneLogin Breach Compromised Customer Data, Ability to Decrypt Encrypted Data
A breach at OneLogin, a company that provides customers with a single sign on for logging into multiple sites and apps, appears to have compromised customer data, including the ability to decrypt encrypted data. The company notified customers via email Wednesday that the incident stemmed from...
WannaCry Development Errors Enable File Recovery
WannaCry may have caused worldwide havoc on May 12 when it rode the coattails of the NSA’s weaponized EternalBlue exploit to infect computers in 150 countries, but that doesn’t mean it was a quality piece of ransomware. A number of programming errors in the code are floating to the surface and...
Hack Department of Homeland Security Act Would Bring Bug Bounty Program to DHS
Hackers will soon be able to poke holes in networks and systems belonging to the Department of Homeland Security if four senators get their way and a bill is passed that would institute a DHS bug bounty similar to programs recently implemented for the Army, Air Force and Pentagon. The bill, known...
Patches Available for Linux Sudo Vulnerability
Red Hat, Debian and other Linux distributions yesterday pushed out patches for a high-severity vulnerability in sudo that could be abused by a local attacker to gain root privileges. Sudo is a program for Linux and UNIX systems that allows standard users to run specific commands as a superuser,...
Cisco, Netgear Readying Patches for Samba Vulnerability
Device manufacturers are combing through code again this week to determine whether their products are affected by a vulnerability tied to the SMB file-sharing protocol. The vulnerability, CVE-2017-7494 disclosed last Wednesday, affects versions of 3.5.0 onward of Samba, the free software...
Dedicated Machine Learning Behind Early Phishing Detection in Gmail
Cybercrime and state-sponsored advanced attacks continue to cling to email as a primary distribution vehicle for first-stage malware. Phishing campaigns thrive in targeted attacks, and criminals have even resuscitated old-school macro malware in attachments to gain that initial foothold on a...
Privacy Issue Fixed in Yopify Ecommerce Notification Plugin
A plugin used by a number of popular ecommerce platforms has an over-sharing problem. Yopify, which provides popup notifications about the last 50 purchases made on a site for Shopify, BigCommerce and other platforms, leaks a significant amount of customers’ personal information to a determined...
FreeRADIUS Update Resolves Authentication Bypass
Developers behind FreeRADIUS, an open source implementation of the 26-year-old RADIUS networking protocol, are encouraging users to update to address an authentication bypass found in the server. While FreeRADIUS is usually run on Linux systems, it can be configured to run on Windows machines. Th...
ShadowBrokers Put Price on Monthly Zero Day Leaks
The threat posed by the first wave of ShadowBrokers leaks of Equation Group hacking tools was relatively benign. Some vendors had to scramble to patch zero days in older versions of products, but for the most part, the leaks and accompanying auction were more of a novelty. That obviously changed...
Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw
Microsoft quietly patched a critical vulnerability Wednesday in its Malware Protection Engine. The vulnerability was found May 12 by Google’s Project Zero team, which said an attacker could have crafted an executable that when processed by the Malware Protection Engine’s emulator could enable...
Mark Dowd on Exploit Mitigation Development
Mark Dowd, fresh off his 2017 Security Analyst Summit keynote, discusses why certain exploit mitigations have been so successful in driving up the cost of exploit development for attackers...
Pacemaker Ecosystem Fails its Cybersecurity Checkup
Pacemakers continue to be the front line of medical device security debates after a research paper published this week described a frightening list of cybersecurity issues plaguing devices built by leading manufacturers, including a lack of authentication and encryption, and the use of third-part...
On EternalRocks, WannaCry, and More
Mike Mimoso and Chris Brook recap the news of the week, including the EternalRocks worm, the latest on WannaCry, a subtitle hack, and a Twitter flaw. Download: ThreatpostNewsWrapMay262017.mp3 Music by Chris Gonsalves...
Rash Of Phishing Attacks Use HTTPS To Con Victims
Scammers are increasingly abusing consumer awareness of sites that encrypt data sent over the internet using HTTPS, particularly through a spike in phishing attacks that hope to win the confidence of victims by using the protocol on spoofed sites. “For quite a while now, the security community ha...
Keybase Extension Brings End-to-End Encrypted Chat To Twitter, Reddit, GitHub
A recently released Chrome extension, developed by the public key crypto database Keybase, brought end-to-end encrypted messaging to several apps this week. Keybase, a service that allows users to identify themselves with a public encryption key, introduced its end-to-end encrypted chat feature...
Revised Active Defense Bill Allows Victims to Recover or Destroy Stolen Data
A controversial bill that would allow organizations that have been breached to hack back has undergone revisions that include an exemption permitting victims to recover or destroy their data on an attacker’s infrastructure. Rep. Tom Graves R-GA introduced the updated Active Cyber Defense Certaint...
WannaCry Ransom Note Written by Chinese, English Speaking Authors
The WannaCry ransom note was likely written by Chinese- and English-speaking authors, adding more intrigue to the investigation into whether it was indeed a North Korean APT using stolen NSA exploits to spread ransomware worldwide. Analysts at Flashpoint, including some fluent in Chinese, said th...
Samba Patches Critical Bug Exploitable With One Line Of Code
A patch for a critical vulnerability impacting the free networking software Samba was issued Wednesday. The flaw poses a severe threat to users, with approximately 104,000 Samba installations vulnerable to remote takeover. More troubling, experts say, the vulnerability can be exploited with just...
Password Breaches Fueling Booming Credential Stuffing Business
The market for credential stuffing software and services is thriving thanks in large part to an epidemic of breaches of usernames and passwords. Digital Shadows said today in a new report that credential leaks, such as this past month’s Anti Public Combo List and others, have buoyed the market fo...
Android Overlay and Accessibility Features Leave Millions at Risk
University researchers are warning that two features, not flaws, core to Google’s Android mobile operating system can be used together to launch clickjacking attacks to gain control of a target’s phone. The discovery was made by researchers at Georgia Institute of Technology, who call the researc...
Twitter Flaw Could Have Allowed Attacker to Tweet From Any Account
Before it was fixed earlier this year, a flaw in Twitter could have allowed an attacker to tweet as any user. Twitter was quick to resolve the issue, fixing it three days after the researcher–a bug hunter who goes by the handle Kedrisch–reported it via HackerOne. Kedrisch found the vulnerability ...
Malware Network Communication Provides Better Early Warning Signal
Research is expected to be unveiled today that challenges the industry’s current reliance on dynamic malware analysis as the best means of early detection of infections. Instead, researchers from the Georgia Institute of Technology, the IMDEA Software Institute and EURECOM posit that a better...
Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution
A proof of concept attack using malicious video subtitle files reveals how adversaries can execute remote code on PCs, Smart TVs and mobile devices using popular video players and services such as VLC Media Player, Kodi, Stremio and Popcorn Time. “This is a brand new attack vector. We haven’t see...