JSON Libraries Patched Against Invalid Curve Crypto Attack
A number of JSON libraries using the JSON Web Encryption specification (JWE) to create, sign and encrypt access tokens have been patched against an attack that allows for the recovery of a private key. Researcher Antonio Sanso of Adobe said the go-jose, node-jose, jose2go, Nimbus JOSE+JWT and jose4...
Where Have All The Exploit Kits Gone?
The bloom is off exploit kits. Once a mainstay for cybercriminals, attacks tied to exploit kits have now dried up to just a trickle. For sure, they haven’t gone away. But researchers say Angler, Neutrino and Nuclear, kits that once dominated the threat landscape, are gone; usurped by new threats...
Google Eliminates Android Adfraud Botnet Chamois
Google removed a handful of malicious apps from its Play marketplace recently that were found manipulating ad traffic, sending premium text messages, and downloading additional plugins. Bernhard Grill, Megan Ruthven, and Xin Zhao, security software engineers with the company, said Monday they...
Patch Tuesday Returns; Microsoft Quiet on Postponement
Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January. Microsoft, however, was relatively silent on the reasons why the February updates were...
Adobe Fixes Six Code Execution Bugs in Flash
Adobe on Tuesday patched seven vulnerabilities in Flash Player, six that could lead to code execution. The company said it isn’t aware of any of the vulnerabilities being exploited in the wild but is still encouraging users to update Flash for Windows, Macintosh, Linux and Chrome OS. The...
WordPress REST API Bug Could Be Used in Stored XSS Attacks
The recently patched WordPress REST API Endpoint vulnerability is the gift that keeps on giving. Already responsible for more than one million website defacements and attempts to monetize some of those attacks, the flaw also opens the door to a separate attack. Researchers at Sucuri who found the...
SAP Patches Critical HANA Vulnerability That Allowed Full Access
SAP patched a series of critical vulnerabilities in its cloud-based business platform HANA today that if exploited, could allow for a full system compromise without authentication. When chained together the flaws could lead to the theft of confidential information, financial fraud, and the...
38 Android Devices Infected with Malware Preinstalled in Supply Chain
Mobile devices manufactured by a diverse set of handset makers were discovered to be loaded with malware pre-installed somewhere along the supply chain. Check Point Software Technologies said that it found 38 Android handsets were infected with adware, information-stealing malware and ransomware,...
Hackers with Credit Card Scrapers Continue to Target Magento
Attackers continue to take aim at the e-commerce platform Magento. Researchers said last week they came across a malicious function snuck into one of the platform’s modules in order to steal credit card information. Code for the function was injected into a .php file for SF9 Realex, a module that...
March Android Security Update Breaks SafetyNet, Android Pay
An issue with the March Android over-the-air security update has been resolved after Nexus 6 users complained that Android Pay no longer worked after installation of the update. The update in fact broke Android’s SafetyNet API which provides a constant check on device integrity, blocking access t...
Telepresence Robots Patched Against Data Leaks
Double Robotics telepresence robots, marketed as a mobile conferencing tool giving remote workers a physical presence at an office, were recently patched against vulnerabilities that could be abused by an attacker. Researchers at Rapid7 today disclosed details on three vulnerabilities in the...
Cody Pierce on the Future of Exploit Development
Mike Mimoso talks to Cody Pierce, director of vulnerability research and prevention with Endgame, at RSA Conference 2017 about how attackers are changing their techniques in the face of mitigations and continuing to base exploits around legitimate APIs and functions to thwart detection. Download:...
Google Chrome 57 Browser Update Patches 'High' Severity Flaws
Google released an updated version of its Chrome browser on Thursday to fix nine high-severity vulnerabilities that if exploited could allow adversaries to take control of targeted systems. As part of the update, Google thanked nearly two dozen bug hunters with bug bounty payments totaling $38,00...
On IP Camera Backdoors, Comey, Going Dark, Hacking Back and More
Mike Mimoso and Chris Brook discuss the news of the week including a rash of new IP camera backdoors, James Comey’s talk at Boston College, hacking back vs. active defense, and the DOJ dropping one of its Playpen cases. Download: ThreatpostNewsWrapMarch102017.mp3 Music by Chris Gonsalves...
Apache Attack Traffic Dropping, Limited to Few Sources
Malicious traffic stemming from exploits against the Apache Struts 2 vulnerability disclosed and patched this week has tapered off since Wednesday. Researchers at Rapid7 published an analysis of data collected from its honeypots situated on five major cloud providers and a number of private...
Privilege Escalation Flaw Patched in Schneider Wonderware
Data analysis and visualization software deployed inside a larger operational intelligence software sold by Schneider Electric has been patched against a critical privilege escalation vulnerability. The vulnerability was discovered in-house by Schneider Electric engineers in the Tableau...
Zero Days Have Staying Power
It takes less than a month for most zero-day exploits to be developed, and about a quarter of those previously unknown and unpatched vulnerabilities will go undiscovered and undisclosed to the vendor for an average of 9.5 years. And the odds two hackers will find the same zero day are slim. RAND...
Hundreds of Thousands Vulnerable IP Cameras Easy Target for Botnet, Researcher Says
A researcher claims that hundreds of thousands of shoddily made IP cameras suffer from vulnerabilities that could make them an easy target for attackers looking to spy, brute force them, or steal their credentials. Researcher Pierre Kim disclosed the vulnerabilities Wednesday and gave a...
Attacks Heating Up Against Apache Struts 2 Vulnerability
Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit. The vulnerability, CVE-2017-5638, was already under...
Senator Demands Answers About CloudPets Breach
A U.S. senator has called Spiral Toys onto the carpet for its data security practices in light of the recent CloudPets breach. Sen. Bill Nelson (D-FL), a ranking member of the Committee on Commerce, Science and Transportation and backer of a 2016 report on security and privacy concerns related to...
Confide Updates App After Critical Security Issues Are Raised
The makers of the popular messaging app Confide said Wednesday that it has patched multiple security vulnerabilities that could have allowed hackers to intercept messages sent using its secure end-to-end messaging platform. The flaws were identified in two separate reports, both released Wednesda...
Firefox 52 Expands Non-Secure HTTP Warnings, Enables SHA-1 Deprecation
Mozilla fixed 28 vulnerabilities, including some that could result in a crash and the bypass of ASLR and DEP, when it released Firefox 52 on Tuesday. Seven of the vulnerabilities are considered critical, according to an advisory posted by the Mozilla Foundation. One of those vulnerabilities would...
Comey Talks Strong Crypto, Silent on WikiLeaks
CHESTNUT HILL, Ma.—FBI director James B. Comey today revived the Going Dark discussion during a keynote address at the Boston Conference on Cyber Security, saying it’s time for an adult conversation on the prevalence of strong encryption and how it hinders criminal and national security...
WordPress 4.7.3 Patches Half-Dozen Vulnerabilities
WordPress released a security update on Tuesday that patched a half-dozen bugs, including one that could be chained with the recent REST API Endpoint flaw that led to a million website defacements. Given that the bug was introduced in WordPress 4.7 and the availability of a patch that backports...
Unpatched Western Digital Bugs Leave NAS Boxes Open to Attack
Western Digital Corporation network-attached storage owners were warned of critical flaws in the company’s My Cloud line of hardware that exposed data stored on the devices to attack. The flaws impact a dozen Western Digital drives that could allow remote adversaries to bypass logins, insert...
Dahua Patching Backdoor in DVRs, IP Cameras
A California firm is rushing to patch a backdoor that apparently exists in a host of DVRs, CCTV and IP cameras it manufactures. Engineers with Dahua Technology USA began pushing firmware updates for the issue on Monday, something the company says stems from “a small piece of code.” The company sa...
Active Defense Bill Raises Concerns Of Potential Consequences
A discussion draft of a bill proposed on Friday by Rep. Tom Graves (R-GA) that would exclude organizations from prosecution for hacking back is already stirring up some concerns about potential unintended consequences. The Active Cyber Defense Certainty Act would exempt victims of computer crimes...
DOJ Dismisses Playpen Case to Keep Tor Hack Private
Intent on keeping details private about how it hacked the Tor browser, prosecutors with the U.S. Department of Justice on Friday asked to dismiss a case involving a suspect who visited the Playpen dark web child pornography site in 2015. “The government must now choose between disclosure of...
Spammer's Leaky Backup Exposes Massive Empire
A massive spam operation that sent more than one billion messages a day was exposed by researchers who credit a poorly configured remote synchronization backup for tipping them off to what they say is a “tangible threat to online privacy and security.” The faulty backup publicly exposed data...
Destructive StoneDrill Wiper Malware On The Loose
There have been a handful of wiper malware attacks in the wild in the last decade with Shamoon’s destruction of more than 35,000 workstations at Saudi Aramco in 2012 and the Dark Seoul attacks on Sony Pictures Entertainment the most high profile. However, since last fall, Shamoon has resurfaced...
Bruce Schneier on IoT Regulation
Mike Mimoso talks to Bruce Schneier, CTO of IBM Resilient, at RSA 2017 about the early days of the conference, his campaign for IoT regulation, and how the technical community needs to get involved with policy. Music by Chris Gonsalves...
New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands
A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems. According to experts at Cisco’s security resear...
HackerOne Offers Open Source Projects Free Access to Platform
HackerOne announced on Thursday the availability of a free version of its bug bounty platform called HackerOne Community Edition that will give open source projects tools for managing vulnerability submissions and creating bounty programs to improve software security. Eligible open source project...
On Howard Schmidt, CloudBleed, and the CloudPets Breach
Mike Mimoso and Chris Brook look back at the life of Howard Schmidt then recap the news of the week, including fallout from CloudBleed, the CloudPets breach, and a quickly fixed Slack bug. Download: ThreatpostNewsWrapMarch32017.mp3 Music by Chris Gonsalves...
Howard Schmidt's Legacy of Service Remembered
Howard Schmidt, one of the security industry’s groundbreaking public policy mavens who served as the top White House cybersecurity advisor under two presidents, died on Thursday. He was 67. Schmidt’s legacy stretches from the private sector, where he was CISO at Microsoft and eBay, to a lengthy...
Cisco Warns of High Severity Bug in NetFlow Appliance
Warning the device is susceptible to denial of service attacks, Cisco Systems on Wednesday released a patch for its NetFlow Generation Appliance. The flaw traces back to the hardware’s Stream Control Transmission Protocol (SCTP) used by the appliance, according to a Cisco Security Advisory posted...
132 Google Play Apps Booted For Having Malicious IFrames
Google removed 132 apps infected with malicious iFrames from its Google Play store after security researchers discovered a development platform used to create the apps was infected with malware and in turn compromised the apps. Palo Alto Networks’ Unit 42 researchers said the apps were infected...
Keys for Dharma Ransomware Released
Victims of the Dharma strain of ransomware can now get their files back, free of charge. Decryption keys for the ransomware were added to the Kaspersky Lab’s Rakhni decryptor tool Thursday morning.
Cloudbleed Triggered 1.2M Times, Damage Kept to Minimum
Having had more than a week to digest Cloudbleed’s causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence the vulnerability, which leaked customer data from memory, was exploited by attackers. The...
Yahoo Tells SEC Executives Failed to Act on Breach
Yahoo’s quarterly SEC filings have been the only window into the massive data breaches that have exposed more than 1.5 billion records in the past four years. This week, Yahoo’s Q4 2016 filing was made public, and the view got uglier. The company admitted to the SEC and its investors that its...
Google reCaptcha Bypass Technique Uses Google's Own Tools
A proof of concept bypass of Google’s reCaptcha V2 verification system, posted online Tuesday, uses Google’s own web-based tools to pull off the skirting of the system. The tool dubbed ReBreakCaptcha “lets you easily bypass Google’s reCaptcha v2 anywhere on the web,” according to the author of th...
CloudPets Notifies California AG of Data Breach
Spiral Toys, the parent company behind CloudPets, yesterday sent the California Attorney General a breach notification that on many fronts contradicts what experts have said about a database breach that exposed user data and private voice messages, many of which were made by children. The...
Slack Fixes Cross-Origin Token Theft Bug
The cloud-based collaboration tool Slack was quick to fix a bug earlier this month that could have allowed an attacker to steal a user’s private Slack token. Frans Rosén, a knowledge advisor at the Swedish web security firm Detectify, uncovered the bug last week while poking around the service...
Robots Rife With Cybersecurity Holes
Robots with inadequate security could be hacked and cause physical harm or be used to spy on unsuspecting owners in the near future. Researchers at IOActive Labs released a report Wednesday warning that consumer, industrial and service robots in use today have serious security vulnerabilities...
Million-Plus WordPress Sites Exposed by Vulnerable Plugin
A popular WordPress gallery plugin with more than one million active installations was recently patched to address a vulnerability exposing website databases to attack. The NextGEN Gallery is a photo gallery management system used by professional photographers and artists to upload, sort and group...
Siemens RUGGEDCOM NMS Equipment Vulnerable to CSRF, XSS
Enterprise network management equipment made by Siemens suffers from vulnerabilities that could allow an attacker to perform administrative actions. Two flaws, a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability, exist in the company’s RUGGEDCOM NMS line o...
Dridex Trojan Gets A Major 'AtomBombing' Update
The Dridex banking Trojan has been updated and now sports a new injection method for evading detection based on the technique known as AtomBombing. Researchers with IBM X-Force identified the new Dridex v4 sample earlier this month and said it is already in use in active campaigns against U.K...
Unpatched SMB Zero Day Easily Exploitable
In what’s turning out to be the zero day that keeps on giving, researchers are still finding ways to exploit an unpatched denial of service vulnerability that exists in the way Windows implements the Server Message Block protocol. Details around the bug aren’t a mystery. Laurent Gaffié, the...
Children's Voice Messages Leaked in CloudPets Database Breach
More than two million voice messages, many of them from children, along with the personal information of more than 800,000 registered users, were swiped from an exposed MongoDB instance storing data collected from an internet-connected toy called CloudPets. These IP-enabled teddy bears allow childre...
Torvalds Downplays SHA-1 Threat to Git
When researchers demonstrated the first practical collision attack for the cryptographic hash function SHA-1 last week, they also identified related vulnerabilities impacted by the now-compromised algorithm. According to the SHAttered research post, co-authored by Google and a host of cryptograph...