WEEKLY SECURITY BRIEF: July 14 2015

Posted on by

secmat1

WEEKLY SECURITY BRIEF: July 14 2015

UPDATES: Microsoft Patch Tuesday: Critical Updates for RDP and Explorer

There are urgent fixes required for Internet Explorer, as one more zero day is added to the growing pile of fallout from the Hacking Team hack. This flaw is being actively exploited by hackers, so IE users need to get the patch on ASAP. And there are equally urgent fixes to apply for RDP Remote Desktop Protocol, Office and Windows because of active exploits in play. Other fixes address issues of remote code exploitation and elevation of privilege.

THE BIG STORY: Get the Flash Outta Here!
flashOr better yet – how many zero days can you release in a week? Seriously, the time has come and the time is now to get rid of Adobe Flash Player. After Hacking Team got hacked a week ago Sunday, some of the spillage included several zero day vulnerabilities they had been sitting on. And while Flash seems to be a manufacturing plant of flaws that was no excuse. Hackers have been lying in wait for the good stuff to emerge. When it did, they were ready and jumped all over it. Exploits are booming. If we thought we had problems with folks clicking on stuff they shouldn’t before this, it’s going to be malware-palooza if Flash remains enabled. Mozilla was first to take direct response, and Firefox has blacklisted Flash Player. Who’s next?

Java Zero Day

Adding to all the fun is a zero day for Java, due to an unpatched flaw by Oracle. Note that this is the first Java exploit to be reported in almost 2 years. And users cannot downgrade to earlier versions which aren’t susceptible because of the way Oracle does things. A cybercrime group, out of Russia? Pawn Storm, has been using this nifty little flaw in their attacks on various nation-states and governments & armed forces. Yes, like in “War Games”. The recommendation by security experts is to disable java in browsers for now until it’s patched, especially given the triple-header of Flash zero days on hand.

Oh Windows XP Users … ripwinxp

With all this talk of zero days, folks still using Win XP have not been getting any security patches since April 2014. Just imagine. Today, support for Microsoft’s Malicious Software Removal Tool and updates officially ends. There will be no more. But there are still approximately 180 million users out there, which amounts to 12% of all Windows users. Be warned: an anti-virus product isn’t going to fix Windows vulnerabilities and flaws. If the saying holds true that you get what you pay for, then expect that you will pay for not upgrading to a patchable, safer version of Windows.
And let’s not forget Windows Server 2003. End of Life is also today.

https://grahamcluley.com/2015/07/anti-virus-updates/

The OpenSSL Patch or Much Ado about Nothing

Given all the advance hype leading to this mysterious flaw and its urgent patch, I am happy to report that this issue is not another HeartBleed or worse. Infact, only newer versions of OpenSSL are affected.
Apparently, any application that verifies certificates, including SSL and TLS, could be compromised by this problem: OpenSSL tried to find an alternative certificate chain if its first try to build a chain fails. If an error occurs during the implementation of this logic, an attacker would be able to cause certain checks to be bypassed on untrusted certificates. They would then be able to forge a trusted certificate and then set up Man in the Middle attacks. BUT this won’t have a widespread impact as most web browsers currently do not use OpenSSL and not affected. OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.

A New Threat in Corporate Espionage takes Wing

A corporate espionage group dubbed “Butterfly” has been raiding a varied selection of civilian firms for valuable intellectual property. Companies run the gamut from tech, legal, pharmaceuticals, commodities. Most are listed in the Fortune 200 and are publicly traded. Those attacked include multi-billion firms like Microsoft and Facebook.
What sets this group apart from other cybercrime gangs is that they are very well resourced, utilize customized malware tools and zero days, and are not going after credit card or customer data. They were first identified in 2013, then seemingly went undercover, but were actually operating without detection, hitting 49 companies in 20 countries. They track their prey to favoured online “watering holes” – sites visited frequently by people within the target company. Vigilance, anti-virus and intrusion detection systems are as this group is disciplined, and increasing their attacks.

TeslaCrypt/CryptoWall

TeslaCrypt is the newest variant of ransomware, having made its dubious debut in Feb 2015. It likes to target computer game files, like saves and profiles. And has become a chameleon, taking on new identities eg TeslaCrypt, AlphaCrypt and now pretending to be CryptoWall, with a variety of file extensions to match: .ecc, .ezz, exx.teslacrypt
The latest version differs in its enhanced encryption. Bad news for victims because at this time it is impossible to decrypt files hit by TeslaCrypt. And it now uses an HTML page and not a GUI. The methodology: a victim visits an infected website; malicious code uses vulnerabilities in the browser – plugins like Adobe Flash – to install target malware in the system. The best safeguard is backing up data daily, and stored away from systems that could become infected.
https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/?utm_source=dlvr.it&utm_medium=twitter

Thanks for reading! 

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s