BF-SIRT Newsletter 2015-17

Welcome to the newsletter! This week you can read about how Cash register maker used same password – 166816 – non-stop since 1990, and multiple stories about APTs such as The CozyDuke APT.

In other news, you can find articles about how Taking Down Fraud Sites is Whac-a-Mole, and that Google shuts off NPAPI in Chrome.

Top 5 Security links
The CozyDuke APT
Pawn Storm cyberspies still at work, target NATO and the White House
Your city’s not smart if it’s vulnerable, says hacker
Russian APT group actively exploiting Flash, Windows 0-day flaws
Cash register maker used same password – 166816 – non-stop since 1990

Top 5 Business Intelligence links
Taking Down Fraud Sites is Whac-a-Mole
Iran Increasing Both Sophistication and Frequency of Cyber Attacks
Google Shuts Off NPAPI in Chrome
Netflix’s house of cards to be fortified with HTTPS appliance
Nork hackers no pantomime villains, but a hugely unpredictable menace

BF-SIRT Newsletter 2015-16

Head news this week is of course MS15-034, which we’ve also covered in our own blog. Those who still haven’t patched are advised to do so as soon as possible to avoid falling victim to this attack. There’s also been Patch Tuesday for April 2015 this month, with patches from Microsoft, Oracle and Adobe.

In other news, Majority of Orgs Anticipate Attacks, But One-Third Can’t Find Security Talent, and security companies have also started releasing their yearly threat reports; amongst them Verizon’s which states how Phishing, RAM scrapers and web app insecurity were the main sources of data breaches during 2014.

Top 5 Security links
MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH NOW
Don’t Be Fodder for China’s ‘Great Cannon’
Police operation disrupts Beebone botnet used for malware distribution
Coordinated Takedown Puts End to Simda Botnet
Russia pulls alleged ‘Svpeng’ kingpin

Top 5 Business Intelligence links
Majority of Orgs Anticipate Attacks, But One-Third Can’t Find Security Talent
FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia
Symantec 2015 Internet Security Threat Report
Verizon 2015 Data Breach Investigation Report
Microsoft MS15-034 (HTTP.sys DoS, Memory Disclosure and potential Remote Code Execution)
Patch Tuesday April 2015

Microsoft MS15-034 (HTTP.sys DoS, Memory Disclosure and potential Remote Code Execution)

As mentioned in our post for Patch Tuesday April 2015, MS15-034 now has a working exploit that causes a DoS on unpatched Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1 and Windows Server 2012 R2 systems if they run a service that uses IIS (or any other service using HTTP.sys) and have kernel caching turned on (which is the default).

This DoS is extremely simple to trigger (a single curl/wget request is enough) and will cause your server to BSOD.

Update: It seems this issue also allows information disclosure, Heartbleed-style. With small modifications to yesterday's published exploit one can disclose memory regions from a vulnerable server.
There have also been rumours that Exchange servers with autodiscovery turned on are vulnerable to DNS hijacking/corruption.

There are various ways to check whether you are vulnerable, but none of them is fool-proof, so we strongly advise you to simply apply the patch.

It is only a matter of time before a remote code execution exploit is released, which would let someone take control of your server, so do not wait to patch your systems.
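The post names two preconditions for the DoS: the update is not installed and HTTP.sys kernel caching is on (the default). The PowerShell below is an added example, not code from the BF-SIRT post or from Microsoft, that checks both on a local IIS host and, while the update is still outstanding, applies Microsoft's interim workaround of turning kernel caching off. It assumes the WebAdministration module that ships with IIS, an elevated session, and the placeholder <KB-ID-OF-MS15-034>, which must be replaced with the KB number from the Microsoft bulletin (the post does not state it).

```powershell
# Added example (not from the BF-SIRT post or Microsoft): check the two
# MS15-034 preconditions named above and apply the interim workaround.
# Assumes: WebAdministration module, elevated session, and that
# <KB-ID-OF-MS15-034> is replaced with the real KB number from the bulletin.
Import-Module WebAdministration

# 1. Is the bulletin's update installed? An empty result means unpatched.
$patched = Get-HotFix -Id '<KB-ID-OF-MS15-034>' -ErrorAction SilentlyContinue
"MS15-034 update installed: $([bool]$patched)"

# 2. Is kernel caching enabled server-wide? (True is the IIS default.)
$kernelCache = Get-WebConfigurationProperty -PSPath 'IIS:\' `
    -Filter 'system.webServer/caching' -Name 'enableKernelCache'
"Kernel caching enabled: $($kernelCache.Value)"

# 3. Unpatched with kernel caching on: disable kernel caching for now.
#    This only covers IIS; other services registered with HTTP.sys still
#    need the update itself.
if (-not $patched -and $kernelCache.Value) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
    "Kernel caching disabled server-wide; install the update, then re-enable it."
}
```

Disabling kernel caching costs throughput on busy sites, so treat it as a stop-gap and re-enable it once the update is installed and the host has been rebooted.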

Patch Tuesday April 2015

Another month, another patch Tuesday!

Microsoft released a large number of updates, some of which require special attention. One of them deals with an issue in HTTP.sys, which means many Internet-facing services may end up being exploited unless patched, as the vulnerability allows remote code execution. Many other issues are also covered, several of them remote code execution vulnerabilities as well. Because of this, we cannot stress strongly enough the need to apply these patches without delay.

Oracle has also released updates for its large software catalogue, which, for example, fix vulnerabilities in its Java and database software. You are strongly advised to check the link below to see whether any of the software you use is affected.

Adobe also released patches fixing critical issues that are currently being exploited in the wild. Fixes went out for Flash, ColdFusion and Flex. Make sure you keep your computers and servers up to date with these patches.

More information
Adobe Flash
Adobe ColdFusion
Adobe Flex

BF-SIRT Newsletter 2015-15

Welcome back from the Easter holidays! This week we cover stories such as how Silk Road investigators are being charged with stealing bitcoin, and how Islamist hackers took French broadcaster TV5Monde off air.

In other news, you can read how Hackers are selling Uber credentials on underground markets, and you can also read about what can happen with stolen data after a breach.

Top 5 Security links
Silk Road investigators charged with stealing bitcoin
Day FOUR of the GitHub web assault: Activists point fingers at ‘China’s global censorship’
Audit Concludes No Backdoors in TrueCrypt
Anonabox Analysis
Islamist hackers take French broadcaster TV5Monde off air

Top 5 Business Intelligence links
What happens to data after a breach?
Most top corporates still Heartbleeding over the Internet
Hackers Selling Uber Credentials on Underground Market
How the U.S. thinks Russians hacked the White House
Stuxnet Five Years Later: Did We Learn The Right Lesson?