The recently observed Trojan, Sathurbot, offers a fascinating insight into the various parts of the malware spreading ecosystem. The bot compromises websites – primarily those running WordPress – and uses this to spread malware to end-users. Once it infects the end-users, it then uses them to hack more websites, and then uses the newly compromised sites to spread more malware, use for attacks, as malware C&C servers or SEO spam.

The entire process starts by compromising a site. Once this site is compromised, it serves torrent files, masquerading as legitimate torrents. These torrents appear well seeded and show up on Bing or Google searches. Users trust these torrents and use them to download the movies or software that the torrents seem to offer. The downloaded files convince the user into running them by masquerading as legitimate software and infect the user’s computer. Once the malware has launched, the bot then connects to its C&C servers and uses this to update itself. The C&C server can also push other malware executables to the infected system to perform further tasks.

[Read more…]

This month’s roundup has stories of newly found vulnerabilities – and their immediate impact. One of these vulnerabilities is the Apache Struts 2 vulnerability, that was used almost immediately to hack Canadian government sites. We also see a directory traversal vulnerability in a very unusual location, a number of breaches – some due to improperly secured API’s and two reports – one from Google and the other from IBM – that show that website attacks and data breaches are growing over the last year.

Google Says Number of Hacked Sites Grew by 32% in 2016

The past year was a difficult one for security as the number of hacked sites rose by 32% compared to the previous year, shows Google’s State of Website Security Report for 2016. 

Patch Unlikely for Widely Publicized Flaw in Microsoft IIS 6.0

A zero-day vulnerability in Microsoft’s IIS 6.0 Web server software remains unfixed even after two Chinese researchers recently posted a proof-of-concept exploit for it, Threatpost reports. Microsoft recommends “that customers upgrade to our latest operating systems and benefit from robust, modern protection.”

Content-Type: Malicious – New Apache Struts2 0-day Under Attack

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution…

StatsCan hacked after government sites made vulnerable: officials

…The problem was identified last Wednesday at around 10:30 p.m., Glowacki said. It was flagged in the frequent communications the government receives from online security partners around the world about potential threats. This time it was through widely used website design software, Apache Struts 2, which was identified as a gateway to potential hackers and needed to be updated, the officials explained…

A Hackable Dishwasher Is Connecting Hospitals to the Internet of S***

…Jens Regel, a security consultant, found a “web server directory traversal” bug in the Miele PG 8528 when he was prodding a network for vulnerabilities during a consulting gig, what’s known in the industry as a penetration test or “pentest.” That kind of vulnerability allows an unauthorized attacker to gain access to the file system of the server to which the machine connects to…

How anyone could have used Uber to ride for free!

This post is about an interesting bug on Uber which could have been used to ride for free anywhere in the world. Attackers could have misused this by taking unlimited free rides from their uber account…

McDonalds India is leaking 2.2 million users data

The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links…

…An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.

Hackers Breached Department of Labor Job Seekers Portal

Hackers have breached America’s Job Link Alliance (AJLA), a job portal offered by the Department of Labor (DOL), and stolen personal details from an undisclosed number of job seekers…

..According to AJLA officials, hackers registered an account on the job portal and then used a vulnerability in the AJLA source code to extract data from other users…

…AJLA said the vulnerability the attacker used was introduced in its codebase in October 2016 but was patched March 14, two days after the initial attack. Investigators didn’t find evidence it was exploited in the past…

IBM Security Report: 4 Billion Records Leaked in 2016, 10K New Vulnerabilities

According to IBM’s 2017 X-Force Threat Intelligence Index, on top of the 4 billion records that ended up on the Internet last year, there were also 10,000 software vulnerabilities documented, which is the highest single-year number in the 20 years it has published its report…

..Another trend noticed by IBM regards targeted attacks on unstructured data. If in past years data breaches focused on various structured information sets, such as credit card data, passwords, personal health information and so on, 2016 saw a shift. In fact, hundreds of gigabytes of email archives, documents, intellectual property and source code were targeted by criminals and exposed along with all the other data that we’ve become “accustomed” to…

Barracuda Web Application Firewall

Barracuda Web Application Firewall gives your DevOps and application security teams comprehensive security that is easy to deploy and manage. Physical, virtual, and in the cloud—Barracuda Web Application Firewall eliminates application vulnerabilities and protects your web applications against application DDoS, SQL Injection, Cross-Site Scripting, and other advanced attacks.  Click here to request a free 30-day trial.

Barracuda Cloud Ready initiative

Migrating to the cloud can be a complex process. While the cloud can simplify your IT and make it easier to scale your business, moving sensitive business data to the cloud carries new security risks. In addition, you still need to secure your on-premises infrastructure.

Barracuda’s new “Cloud Ready” initiative is intended to eliminate obstacles and help you move to the cloud faster, more cost-effectively, and with greater confidence. When you purchase an on-premises physical or virtual Barracuda NextGen Firewall or Web Application Firewall, you will receive a 90-day license for the same solution in both Amazon Web Services (AWS) and Microsoft Azure at no extra cost.  Visit our Cloud Ready site here for more information.

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.

This month has brought us hacks from the world over – including a breach at Yahoo, which is possibly linked to a state-sponsored hacker, an XSS Bug in Steam, and reports of a Russian hacker who has sold access details to over 60 universities and Govt agencies, all harvested using SQLi. The WordPress vulnerability that was fixed last month has now been used to deface over a million sites and counting, and a Mirai successor may be on the rise.

Yahoo Warns Users Of Forged Cookies In Third Breach

Yahoo is sending messages to some users alerting them to the use of forged cookies to access their data in a third breach of customer accounts in 2015-2016, CNBC reports. Some of these hacks are attributed to a “state-sponsored actor” also involved with the 2014 Yahoo breach in which 500 million accounts were compromised.

[Read more…]

On January 26, WordPress released a security update (4.7.2) to fix a set of vulnerabilities on its platform, including an SQLi and XSS vulnerability. They recommended that this version be installed immediately for security reasons. What they did not disclose was that a serious vulnerability existed in their REST API endpoint, which was introduced in the 4.7 version; however, this was fixed in version 4.7.2.

WordPress released a blog post on February 1 that revealed the endpoint vulnerability. The announcement was initially delayed because they needed to inform security companies about the vulnerability, as well as help them build rules to block these attacks. This would prevent the numerous attacks that typically follow a disclosure. Kudos to the WordPress team for taking immediate action on a serious issue.

[Read more…]