Latest Warnings

A Stopgap Fix for the IE8 Zero-Day Flaw

Microsoft has released an stopgap solution to help Internet Explorer 8 users blunt the threat from attacks against a zero-day flaw in the browser that is actively being exploited in the wild.

Microsoft is working on an official fix for the IE8 bug. In the meantime affected users should take advantage of the interim fix that the company released today. It is a one-click fix-it tool that does not require a system restart to take effect.

To do that, visit this link with IE8 and click the fix-it icon under the “Enable” heading. If you need to remove this workaround for any reason, just head back to that page and click the fix-it image beneath the “Disable” heading.

Latest Warnings — 47 Comments
6
May 13

Zero-Day Exploit Published for IE8

Security experts are warning that a newly discovered vulnerability in Internet Explorer 8 is being actively exploited to break into Microsoft Windows systems. Complicating matters further, computer code that can be used to reliably exploit the flaw is now publicly available online.

In an advisory released May 3, Microsoft said it was investigating reports of a vulnerability in IE8, and that it was aware of attacks that attempt to exploit this bug. The company stresses that other versions of IE — including IE6, 7, 9 and 10 are not affected by the vulnerability. However, all versions of IE8 are vulnerable, including copies running on Windows XP, Vista and Windows 7.

Meanwhile, a new module that exploits this IE8 bug is now available for the Metasploit Framework, a free penetration testing tool. I would expect this exploit or some version of it will soon be rolled into commercial exploit kits that are sold in the cybercrime underground (assuming this has not already happened).

Update, May 9, 9:00 a.m. ET: Microsoft has released a fix-it tool to blunt attacks on this bug. See this story for more information.

Original post:

The security hole has already been leveraged in at least one high-profile attack. Over the weekend, several security vendors reported that the U.S. Department of Labor Web site had been hacked and seeded with code designed to exploit the flaw and download malicious software.

The attack on the Labor Department site is seen as a watering hole attack, which involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate. Previous watering hole attacks have targeted the Web site for the Council on Foreign Relations, the Association of Southeast Asian Nations, and the National Democratic Institute.

According to CrowdStrike, the server used to control this latest attack on the Labor Department site was microsoftupdate.ns1.name. The company said analysis of the logs from the attacker’s infrastructure revealed that visitors from 37 different countries browsed the site during the time it was compromised with the malicious code. AlienVault, Invincea and Cisco Systems have published additional details on this attack. AlienVault also said it has since spotted the same exploit used on at least nine other hacked Web sites, including several non-profit groups and a large European company.

Continue reading →

Latest Warnings / The Coming Storm — 68 Comments
12
Apr 13

Brute Force Attacks Build WordPress Botnet

Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.

Source: Cloudflare.com

Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress).

According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.

Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.

Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms.

“It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”

Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites.

Continue reading →

Latest Warnings — 39 Comments
12
Apr 13

Microsoft: Hold Off Installing MS13-036

Microsoft is urging users to who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update.

The MS13-036 update, first released on Tuesday, fixes four vulnerabilities in the Windows kernel-mode driver. In an advisory released April 9, the company said it had removed the download links to the patch while it investigates the source of the problem:

“Microsoft is investigating behavior wherein systems may fail to recover from a reboot or applications fails to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate.”

The problems with the patch appear to be centered around Windows 7 and certain applications on Windows 7, such as Kaspersky Anti-Virus. Microsoft has issued instructions on how to uninstall this update in the “resolution” section of this advisory.

Update, Apr. 23: Microsoft has re-released the problematic security update to address the problems that some Windows users were experiencing with the MS13-036 patch. The new update, KB62840149, replaces the faulty one, which was KB2823324.

Latest Warnings / Time to Patch — 35 Comments
9
Apr 13

Critical Fixes for Windows, Flash & Shockwave

The second Tuesday of the month is upon us, and that means it’s once again time to get your patches on, people (at least for readers running Windows or Adobe products). Microsoft today pushed out nine patch bundles to plug security holes in Windows and its other products. Separately, Adobe issued updates for its Flash and Shockwave media players that address four distinct security holes in each program.

Microsoft called special attention to a cumulative update for Internet Explorer that fixes two critical vulnerabilities present in virtually every version of IE ever produced, including IE 9, 10 and IE on Windows RT, the operating system for mobile devices and tablets.

The other critical patch in the bunch addresses a dangerous vulnerability in the Windows Remote Desktop Client, which allows systems to be managed remotely. For a rundown of the other updates released today, check out the Qualys blog, the Microsoft Security Bulletin Summary for April 2013 and the Microsoft Security Response Blog.

Adobe’s update brings Adobe Flash Player to v. 11.7.700.169 on Windows and Mac devices (the latest version numbers for other operating systems are listed in the chart below). Internet Explorer 10 and Google Chrome should automatically update to the latest version. Google has already pushed out the Flash update with Chrome v. 26.0.1410.63 for Mac and Linux, and v. 26.0.1410.64 for Windows; if your Chrome version isn’t at the latest (you can check which version by clicking the customize tab to the right of the address bar and then “About Google Chrome’), try closing and restarting the browser. Continue reading →

A Little Sunshine / Latest Warnings / The Coming Storm — 37 Comments
1
Apr 13

DHS Warns of ‘TDos’ Extortion Attacks on Public Emergency Networks

As if emergency responders weren’t already overloaded: Increasingly, extortionists are launching debilitating attacks designed to overwhelm the telephone networks of emergency communications centers and personnel, according to a confidential alert jointly issued by the Department of Homeland Security and the FBI.

“TDos” warning

The alert, a copy of which was obtained by KrebsOnSecurity, warns public safety answering points (PSAPs) and emergency communications centers and personnel about a recent spike in so-called “telephony denial-of-service” (TDoS) attacks:

“Information received from multiple jurisdictions indicates the possibility of attacks targeting the telephone systems of public sector entities. Dozens of such attacks have targeted the administrative PSAP lines (not the 911 emergency line). The perpetrators of the attack have launched high volume of calls against the target network, tying up the system from receiving legitimate calls. This type of attack is referred to as a TDoS or Telephony Denial of Service attack. These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications.”

According to the alert, these recent TDoS attacks are part of a bizarre extortion scheme that apparently starts with a phone call to an organization from an individual claiming to represent a collections company for payday loans. The caller usually has a strong accent of some sort and asks to speak with a current or former employee concerning an outstanding debt. Failing to get payment from an individual or organization, the perpetrator launches a TDoS attack. The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time.

Continue reading →

A Little Sunshine / Latest Warnings — 55 Comments
21
Mar 13

Privacy 101: Skype Leaks Your Location

The events of the past week reminded me of a privacy topic I’ve been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses.

A Skype resolver service in action.

The fact that Skype betrays its users’ online location information is hardly news. For example, The Wall Street Journal and other news outlets warned last year about research showing that it was possible to coax Skype into revealing the IP addresses of individual Skype users. But I believe most Skype users still have no clue about this basic privacy weakness.

What’s changed is that over the past year, a number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

A Skype IP resolver service in action.

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Many of these resolver services offer “blacklisting,” which for a fee will allow users to prevent other users from looking up the IP address attached to a specific Skype account, said Brandon Levene, an independent security researcher.

“It’s basically a protection scheme,” Levene said.

Continue reading →

Latest Warnings / Time to Patch — 38 Comments
4
Mar 13

Oracle Issues Emergency Java Update

Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software. This patch plugs a dangerous security hole in Java that attackers have been exploiting to break into systems.

Java 7 Update 17 and Java 6 Update 43 address a critical vulnerability (CVE-2013-1493) in Java that security experts warned last week was being used in targeted attacks against high-profile targets. Oracle had intended to quit shipping updates for Java 6 at the end of February, but apparently reversed course for the time being to help Java 6 users address this latest crisis.

I thought this was unusually speedy patch response for Oracle, that is until I read an Oracle blog post that accompanied the patch release. Oracle said that while reports of active exploitation against the vulnerability were recently received, this bug was originally reported to Oracle on Feb. 1, 2013, “unfortunately too late to be included in the Critical Patch Update that it released on Feb. 19.

“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” wrote Oracle’s Eric Maurice. “However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”

What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs. The previous Java update released on Feb. 19 came amid revelations by Apple, Facebook and Twitter that employees at these organizations and dozens of others were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines.

Continue reading →

Latest Warnings — 26 Comments
2
Mar 13

Evernote Forces Password Reset for 50M Users

Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.

In an email message sent to users today and posted on its blog, Evernote said digital intruders gained accessed to customer usernames, email addresses and encrypted passwords. The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.

“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted),” the company advised. “While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.”

If you use Evernote (heck, even if you don’t), now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site. Also, while password hashing and salting can be effective at preventing attackers from working out your password should a company that stores that information get breached, it is far from solid protection. Evernote didn’t say which scheme it was using to hash passwords, but the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye with today’s off-the-shelf hardware.

See this widely-read interview for more information on the ease with which most hashed passwords can be cracked today and what organizations might do differently to better secure their users’ information. This post has some tips on how to pick a strong password (e.g., some of the strongest passwords aren’t words at all but multi-word phrases). Finally, if you receive an email with a link in it telling you to click a link to reset your Evernote password — or any other password assigned to an online service you use — don’t click: Visit the site manually instead to avoid email phishing schemes.

Latest Warnings / The Coming Storm — 16 Comments
1
Mar 13

New Java 0-Day Attack Echoes Bit9 Breach

Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9.

The discovery of the Java zero-day is being co-credited to FireEye and CyberESI, two companies that specialize in tracking cyber espionage attacks. In its writeup, FireEye said multiple customers had been attacked using a newly-found flaw in the latest versions of Java — Java 6 Update 41, and Java 7 Update 15.

FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat. This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address 110.173.55.187. Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.

Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.

Continue reading →

Krebs on Security

In-depth security news and investigation

Latest Warnings