Google to Make Certificate Transparency Mandatory By 2017
Google is making Certificate Transparency mandatory for its Chrome web browser by October 2017. Google software engineer Ryan Sleevi made the announcement in conjunction with the CA/Browser Forum that took place in Redmond, Washington last week. The move is an attempt to reduce the number of doma...
Mirai Vulnerability Disclosed, But Exploits May Constitute Hacking Back
The Mirai botnet apparently has a weakness that could shut down its ability to flood targets with HTTP requests. But exploiting that vulnerability puts defenders in a gray area with regard to hacking back. Researchers at Invincea Labs discovered three vulnerabilities in Mirai, one of which is the...
Apple Patches iTunes, iCloud for Windows, Xcode Server
Apple’s iTunes and iCloud software for Windows PCs received updates on Thursday for vulnerabilities that could allow for the disclosure of personal information and arbitrary code execution. In addition to the Windows fixes, Apple also alerted Mac and iOS app developers to nearly a dozen security...
On the Dyn DDoS Attack, Keen Team, and a Phony Windows Installer
Mike Mimoso and Chris Brook recap the news of the week, including the storylines around last week’s Dyn DDoS attack, Keen Team winning big again at Pwn2Own, and a fake Windows installer. Download: ThreatpostNewsWrapOctober282016.mp3 Music by Chris Gonsalves...
Cisco Patches Critical Vulnerability in Facility Events Response System
Cisco Systems issued a security bulletin Wednesday for a critical vulnerability found in its IP Interoperability and Collaboration System (IPICS). The feature is a key part of a mechanism used by Cisco to facilitate emergency responses for “facility events.” The vulnerability CVE-2016-6397, accordi...
Microsoft Extends Macro Protection to Office 2013
Microsoft is combating a surge in macro-based malware with a new feature that allows system administrators to configure Office 2013 to block Word, Excel, and PowerPoint macros. The capability had previously been introduced in March by Microsoft for its Office 2016 software. Microsoft said inciden...
Dyn DDoS Could Have Topped 1 Tbps
As more time passes, researchers are getting insight into the size and structure of the DDoS attack against DNS provider Dyn last week, and the capabilities of the Mirai botnet. First, Dyn released a truncated post-mortem on the attack with admittedly some omissions as a law enforcement...
Keen Lab Takes Down iPhone 6S, Nexus 6P, at Mobile Pwn2Own
Hackers identified a series of vulnerabilities in Android and iOS to take down a Google Nexus 6P and an Apple iPhone 6S this week at Mobile Pwn2Own. The mobile version of the popular hacking challenge, put on by Trend Micro and Tipping Point’s Zero Day Initiative, was held in tandem with the...
Windows Atom Tables Can Be Abused for Code Injection Attacks
Researchers have identified a way attackers could use atom tables in all versions of Windows to inject malicious code into a computer and bypass detection by security products at the same time. The technique has been nicknamed AtomBombing by researchers at enSilo, and opens the door to perform...
Joomla Update Fixes Two Critical Issues, 2FA Error
Web developers who run the content management system Joomla! are strongly encouraged to update their sites immediately. The company on Tuesday pushed out the most recent version of the CMS, 3.6.4, fixing two critical issues that can lead to account creation and elevated privileges, according to a...
Remote Code Execution Vulnerabilities Plague LibTIFF Library
A researcher is warning this week of three vulnerabilities, all of which can lead to remote code execution, that exist in the LibTIFF library. The library is a set of functions that helps support TIFF image files. While there hasn’t been an official LibTIFF release that fixes the issues, users can g...
Adobe Patches Flash Zero Day Under Attack
Adobe today released an emergency Flash Player update that includes a patch for a vulnerability being exploited in targeted attacks. The vulnerability, CVE-2016-7855, was privately disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group. Mehta was one of four researchers...
Lawmakers Asking What ISPs Can Do About DDoS Attacks
IoT botnets and DDoS attacks have prominent lawmakers asking government agencies some probing questions about what can be done. Sen. Mark Warner (D-VA) on Tuesday sent a letter to the Federal Communications Commission, as well as the Federal Trade Commission and Homeland Security, querying among othe...
Major Security Vulnerability Found In Schneider Electric ICS Gear
Schneider Electric is grappling with a critical vulnerability found in its flagship industrial controller management software called Unity Pro that allows hackers to remotely execute code on industrial networks. The warning comes from Indegy, an industrial cybersecurity firm. Indegy discovered th...
Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers
New research on the source of Friday’s DDoS attack against DNS provider Dyn indicates that script kiddies are likely responsible, rather than a politically motivated actor. Researchers at Flashpoint dismissed numerous claims of responsibility that separately linked the attack to the Russian...
Following Lull, New Campaigns Pushing Retooled 'Pumpkin' Locky
New and increasingly diverse variants of ransomware are released weekly, but developers behind the Locky strain have managed to keep the malware fresh in the face of changing trends. Researchers with Cisco’s Talos Security Intelligence and Research Group said this week they observed three separat...
Apple Patches iOS Flaw Exploitable by Malicious JPEG
Apple on Monday patched a code execution vulnerability in iOS that could be exploited via a JPEG file crafted to take advantage of the flaw. Apple also issued its first round of patches for macOS Sierra as part of a large update that also included fixes for vulnerabilities found in Safari, Apple...
Election Leaks Failed to Move Needle on Polls
The barrage of information leaks, state-sponsored espionage and hacktivism related to the U.S. presidential election has had a mixed bag of effects on the race and voter confidence. For the most part, attacks against organizations supporting both major political parties, extensive email leaks and...
Tracking Devices Latest Privacy Risk to Users
Update: TrackR has responded to Rapid7’s disclosure. First, it said it has addressed the authentication issue months ago, but the deprecated call remained online even though it was no longer used by its apps. “We are grateful that Rapid7 brought this possible point of confusion to our attention; ...
St. Jude Faces New Claim Heart Devices are Hackable
St. Jude Medical is facing fresh allegations its heart implant devices are vulnerable to cyberattacks. The claims were introduced by the defense as part of St. Jude’s defamation lawsuit against short seller Muddy Waters and security firm MedSec. In a legal filing submitted Monday, experts hired b...
Chinese Manufacturer Recalls IoT Gear Following Dyn DDoS
Hangzhou Xiongmai said that it will recall millions of cameras sold in the U.S. in response to Friday’s DDoS attack against DNS provider Dyn that kept a number of web-based services such as Twitter, Github and others offline for much of the day. The Chinese manufacturer sells OEM white-label...
Fake Microsoft Installer Hicurdismos Leads to Malware, Support Call Scam
Malware that uses a fake but realistic-looking Windows message to convince users it’s a Microsoft Security Essentials installer has been making the rounds through drive-by download attacks, experts warn. If installed, the malware triggers a phony blue screen of death (BSoD) window that warns users...
Critical Android Vulnerability 'Drammer' Impacts Millions of Handsets
Researchers have published details of a new method for exploiting a problem with Android devices tied to a hardware flaw within DRAM memory modules that can allow attackers to get root-level access to target machines. The vulnerability, dubbed Drammer, could give an attacker root access to millio...
Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers
A botnet of connected things strung together by the Mirai malware is responsible for Friday’s distributed denial-of-service attacks against DNS provider Dyn. The DDoS attacks impacted Internet service on the East Coast of the United States, and were responsible for keeping Dyn and a number of its...
Mozilla Turning TLS 1.3 On By Default With Firefox 52
When Mozilla ships Firefox 52, on or around March 7, 2017, the browser will come with the cryptographic protocol TLS 1.3 on by default. Martin Thomson, a principal engineer at Mozilla, broke the news Wednesday in an email to Mozilla Development Platform members. “TLS 1.3 removes old and unsafe...
Serious Dirty Cow Linux Vulnerability Under Attack
A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges. While the Linux...
On the Dangers of Skyping and Typing, Fingerprint Warrants, and More
Mike Mimoso and Chris Brook briefly talk about the Dyn DDoS attack and the Linux bug Dirty Cow before discussing the dangers of Skyping and typing, the fingerprint warrant story, hiding credit card numbers in images, and more. Show notes: Dyn Confirms DDoS Attack Affecting Twitter, Github, Many...
Dyn Confirms DDoS Attack Knocking Out Twitter, Spotify, Other Major Sites
Update: DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later. “This attack is...
iCloud Phishing Campaign Zycode Back From the Dead
A phishing campaign aimed at Chinese Apple users that was thought to be in hibernation has been roused from its slumber. Researchers in June spotted the campaign, dubbed Zycode, targeting Apple iCloud users. A rash of suspended domains that month led to a lull for the campaign however; researcher...
Locky Ransomware Learns New Evasive Tricks
For several weeks security experts have had success slowing Locky ransomware infection rates. That’s been due to aggressive efforts to combat the Trojan downloader Nemucod, used in recent campaigns to distribute Locky. But now researchers say hackers behind Locky are changing tactics, giving the...
Yahoo Asks DNI to De-Classify Email Scanning Order
Yahoo continues to seek high ground with regard to public reports that last year it scanned user email messages in compliance with a classified government order. General counsel Ron Bell yesterday sent a letter to Director of National Intelligence James R. Clapper asking the government to confirm...
Bypassing ASLR in 60 Milliseconds
Address Space Layout Randomization was a champion hardening technology introduced in most major desktop and mobile operating systems as a mitigation against memory-based code-execution attacks. Bypassing ASLR, however, has become somewhat of a parlor game for attackers and white-hat researchers,...
Mobile Applications Leak Device, Location Data
Both Android and iOS apps leak data, leaving users vulnerable to data theft, denial-of-service attacks, and remote SIM card rooting. In a report released Thursday “Are mobile apps a leaky tap in the enterprise?” researchers at Zscaler assert that Android and iOS users are equally vulnerable to a...
FruityArmor APT Group Used Recently Patched Windows Zero Day
One of the four zero-day vulnerabilities Microsoft patched last week was being used by an APT group called FruityArmor to carry out targeted attacks, escape browser-based sandboxes, and execute malicious code in the wild. Anton Ivanov, a researcher at Kaspersky Lab, was credited by Microsoft for...
Skyping And Typing Threatens Privacy
Multitasking while on a work-related Skype call may be good for productivity, but perhaps not so much for privacy. Typing while using Skype or other Voice over Internet Protocol (VoIP) services presents an opportunity for an attacker to record the conversation, separate out the emanations from...
Oracle Fixes 253 Vulnerabilities in Last CPU of 2016
Oracle fixed 253 vulnerabilities across 76 product lines on Tuesday as part of its quarterly Critical Patch Update. Many of the fixes addressed by Oracle tackled vulnerabilities tied to securing critical enterprise data. Vulnerabilities in Oracle Fusion Middleware, a family of infrastructure...
Adult FriendFinder Vulnerability Leaves Millions Exposed, Report Claims
Adult website Adult FriendFinder may have been compromised by a hacker who said he has gained access to the site’s backend servers and posted allegedly compromised data to his Twitter feed. The breach has not been confirmed by the site’s parent company FriendFinder Networks, which says it is...
Mirai Bots More Than Double Since Source Code Release
The Mirai malware continues to recruit vulnerable IoT devices into botnets at a record pace, one that’s only gone up since the source code for Mirai was made public two weeks ago. Level 3 Communications, a telecommunications company and Internet service provider in Colorado, has identified the...
Search Warrant Targets Fingerprints to Crack Open iPhones
Civil libertarians and security experts say a Department of Justice search warrant goes too far in seeking fingerprint data to crack open smartphones. The warrant in question would allow law enforcement to search a Lancaster, Calif., residence for an undisclosed number of smartphones. The warrant...
Attackers Hiding Stolen Credit Card Numbers in Images
Researchers are encouraging developers who use Magento to remain vigilant about securely configuring their sites, as attackers have been embedding credit card swipers in sites running the open source e-commerce platform. The swipers, or scrapers, are bits of malicious code that collect credit car...
Critical Vulnerabilities Uncovered in VeraCrypt Audit Patched
An audit of the open source file and disk encryption package VeraCrypt turned up a number of critical vulnerabilities that have been patched in the month since the assessment was wrapped up. The audit, which began Aug. 16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed b...
TrickBot Banking Trojan Could Be Dyre Rewrite
Despite the fact that the criminals allegedly behind the creation and distribution of the Dyre banking Trojan are in a Russian jail, a new piece of malware in the wild has enough similarities to Dyre that researchers are wondering whether there’s a connection. The new malware is called TrickBot a...
Free SSL Sparks Unprecedented Growth in Encrypted Traffic
If recent telemetry from Mozilla is indeed representative of the Internet, then it would appear that half of all traffic in transit is encrypted, a more than 10 percent jump from last December. The emergence of free Certificate Authorities such as Let’s Encrypt, and similar gratis HTTPS certifica...
U.S. Reps Requesting Further Intelligence Around Yahoo Surveillance Story
Nearly 50 representatives from 27 different states are still looking to clear the air around this month’s Yahoo surveillance story. In a letter on Friday addressed to Attorney General Loretta Lynch and Director of National Intelligence James Clapper, government officials asked for clarity around...
Sierra Wireless Warns Cellular Data Gear Targeted by Mirai Malware
Sierra Wireless is warning customers to change default factory credentials on its AirLink gateway communications gear or risk being infected by Mirai malware. Mirai malware scans the Internet for IoT gear such as DVRs and IP-enabled cameras and other devices that are protected by default or...
Malicious Links Top Source of Mobile Trojans
Cheetah Mobile says the scourge of Ghost Push malware is still taking its toll on Android devices nearly two years after making its debut. Now the research firm is trying to track down how Ghost Push and other Trojans have remained so prolific despite mitigation efforts. In a report released Frid...
On IoT Botnets, StrongPity, and Nuclear Power Plant 'Disruptions'
Mike Mimoso and Chris Brook discuss the news of the week, including the nuclear power plant ‘disruption,’ the StrongPity APT group, and the proliferation of IoT botnets. Download: ThreatpostNewsWrapOctober142016.mp3 Music by Chris Gonsalves...
Leftover Factory Debugger Doubles as Android Backdoor
A leftover factory debugger in Android firmware made by Taiwanese electronics manufacturer Foxconn can be flipped into a backdoor by an attacker with physical access to a device. The situation is a dream for law enforcement or a forensics outfit wishing to gain root access to a targeted device...
Popular Android App Leaks Microsoft Exchange User Credentials
A popular Android app used to access corporate email, calendar and contacts via Microsoft Exchange servers is vulnerable to leaking user credentials to attackers. The application called Nine, according to researchers at Rapid7, could allow an attacker to launch a man-in-the-middle attack, allowin...
Google Plugs 21 Security Holes in Chrome Browser
Google on Wednesday patched 21 security vulnerabilities in Chrome, including a half dozen rated high severity that were reported by external researchers and were eligible for a bounty. Bug hunters earned a total of $30,000 in bounties, with a top payout of $7,500 to an unnamed researcher for a...