Highly advanced backdoor trojan cased high-profile targets for years

Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research.

Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

To remain stealthy, the malware is organized into five stages, each of which is encrypted except for the first one. Executing the first stage triggers a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on. Analyzing and understanding the malware requires researchers to acquire all five stages. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer's mouse, stealing passwords, monitoring network traffic, and recovering deleted files. Other modules appear to be tailored to specific targets. One such payload included code for monitoring the traffic of a Microsoft IIS server. Another sniffed the traffic of mobile telephone base station controllers.

#1337day WordPress wpDataTables 1.5.3 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day WordPress wpDataTables 1.5.3 shell Upload Exploit [webapps #exploits #0day #Exploit]

#1337day DukaPress 2.5.2 Path Traversal Vulnerability CVE-2014-8799 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day MyBB 1.8.2 – unset_globals() Function Bypass and Remote Code Execution Vulnerability [#0day #Exploit]

#1337day Supr Shopsystem 5.1.0 – Persistent UI Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Netgear Wireless Router WNR500 Local File Inclusion Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Privacyware Privatefirewall 7.0 Privilege Escalation Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

#1337day Liferay Portal 6.2 EE SP8 Cross Site Scripting Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day WordPress SP Client Document Manager 2.4.1 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

Has the PlayStation Network really been hacked? Should you change your password?

A smallish list of usernames and passwords allegedly stolen from the PlayStation Network (PSN), Windows Live and 2K Gaming Studio has been leaked by a trio of crackers. Real or hoax?

Privacy Groups Release ‘Detekt’ Tool to Spot Spyware

Privacy advocates have joined together to release a tool for identifying cyber espionage malware.

Target to judge: Banks’ losses in our card breach aren’t our problem

Target’s massive data breach, in which criminals were able to drop malware onto point-of-sale systems and compromise at least 40 million credit and debit cards, is now the subject of a federal lawsuit by banks who issued those cards. And Target is arguing in court today that those claims should be thrown out, Bloomberg reports—because the company claims it had no obligation to protect the banks from damages.

The suit has been brought by five banks—First Federal Savings, Village Bank, Umpqua Bank, Mutual Bank, and Louisiana's CSE Federal Credit Union. As a group, the banks claim losses from the breach exceeding $5 million. The lawsuit is playing out as representatives from financial organizations, including the US' two major credit union industry associations, are pressing Congress to take action to hold retailers more accountable for payment data breaches and to bring them under the same privacy standards as financial institutions with regard to financial data.

Major retailer data breaches over the past year, including the ones at Target and Home Depot, have caused banks and credit unions to have to reissue hundreds of millions of payment cards. The Home Depot breach, first reported in September, was revealed last week to have exposed 53 million customer e-mail addresses, as well as 56 million payment cards.

Using a password manager on Android? It may be wide open to sniffing attacks

In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled "Hey, You, Get Off of My Clipboard," they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.

Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it's likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through the Android clipboard, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.

"Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app," Clark wrote in an e-mail. "Instead, I got the strong impression from LastPass that everything was very secure, and I needn't worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous."

#1337day WordPress CM Download Manager 2.0.0 Code Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Advantech WebAccess 7.2 Stack-Based Buffer Overflow Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

#1337day Advantech EKI-6340 2.05 Command Injection Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

#1337day Advantech AdamView 4.3 Buffer Overflow Vulnerability CVE-2014-8386 [remote #exploits #Vulnerability #0day #Exploit]

Surveillance Cameras Next On The Insecure IoT List

Three buffer overflow vulnerabilities leave HikVision video recorders open to remote code execution.

Hackers blamed for unusual tweets from Jeremy Clarkson, Colombian FARC rebels

TV presenter Jeremy Clarkson and Colombian militia group FARC may not have much in common, but this week they were linked by headlines blaming hackers for potentially embarrassing Twitter messages.

How Splitting A Computer Into Multiple Realities Can Protect You From Hackers

Eight years ago, Polish hacker Joanna Rutkowska was experimenting with rootkits—tough-to-detect spyware that infects the deepest level of a computer's operating system—when she came up with a devious notion: What if, instead of putting spyware inside a victim's computer, you put the victim's computer inside the spyware? At the time, a technology known […]

The post How Splitting A Computer Into Multiple Realities Can Protect You From Hackers appeared first on WIRED.

#1337day Hikvision DVR RTSP Request Remote Code Execution Exploit [remote #exploits #0day #Exploit]

#1337day Faronics Deep Freeze Arbitrary Code Execution Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

#1337day Compaq/Hewlett Packard Glance 11.00 Privilege Escalation Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

#1337day Dolibarr ERP And CRM 3.5.3 SQL Injection Vulnerability CVE-2014-7137 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Joomla Simple Email Form 1.8.5 Cross Site Scripting Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

SSCC 174 – Who says law enforcement isn’t tackling cybercrime? [PODCAST]

Here's the latest episode of our weekly Chet Chat podcast, for your listening pleasure. From a carder ring that got busted to a spamming system that ran amok, let yourself be amused and educated at the same time...

Citadel attackers aim to steal victims’ master passwords

Cyber criminals have started targeting the password managers that protect an individual's most sensitive credentials by using a keylogger to steal the master password in certain cases, according to research from data-protection company IBM Trusteer.

The research found that a configuration file, which attackers use to tailor the Citadel trojan for specific campaigns, had been modified to start up a keylogger when the user opened either Password Safe or KeePass, two open-source password managers. While malware has previously targeted the credentials stored in the password managers included in popular Web browsers, third-party password managers have typically not been targeted.

While the current impact of the attack is low, the implication of the attackers' focus is that password managers will soon come under more widespread assault, Dana Tamir, director of enterprise security for IBM Trusteer, told Ars Technica.

The Rise Of The Resilient Mobile Botnet

New report on what researchers call one of the 'most sophisticated mobile botnets online' shows how profitable mobile malware has become.

Microsoft “tops up” Patch Tuesday, issues delayed fix for zero-day hole in logon security

Microsoft has issued a "top up" security bulletin for a fix that didn't quite make it into the November 2014 Patch Tuesday. The vulnerability can be used to turn any user into a domain administrator, and it's been exploited in the wild...

#1337day Snowfox CMS 1.0 Cross Site Request Forgery / Open Redirect Vulnerabilities [#0day #Exploit]

[webapps] – Snowfox CMS 1.0 – CSRF Add Admin Exploit

#1337day Paid Memberships Pro Path Traversal Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day D-Link DCS-2103 Directory Traversal Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

Unscheduled Windows update kills critical security bug under active attack

The "Security ID" and "Account Name" fields in this event log don't match even though they should. The bug allowed the user account "nonadmin" to elevate privileges to "TESTLAB\Administrator."

Microsoft has released an unscheduled update to patch a critical security hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication protocol allows attackers with credentials for low-level accounts to remotely hijack extremely sensitive Windows domain controllers that allocate privileges on large corporate or government networks. The privilege elevation bug is already being exploited in highly targeted attacks and gives hackers extraordinary control over vulnerable networks.

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain," Microsoft engineer Joe Bialek wrote in a blog post accompanying Thursday's patch. "An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update immediately."
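The caption above names the concrete artifact a defender can hunt for: a Windows logon event (Event ID 4624) whose Security ID resolves to one account while its Account Name says another. The script below is an added example, not code from Ars, Microsoft or any vendor tool; it parses 4624 records in the key/value layout Event Viewer renders and flags that mismatch. The SIDs, account names and event records in it are constructed for the example, and the SID-to-name table stands in for whatever identity source (AD export, SIEM asset table) a real deployment would use.

```python
"""Added example: flag 4624 logon records whose Security ID and Account Name
disagree, the MS14-068 artifact described in the screenshot caption.
All SIDs, names and events here are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory snapshot, SID -> sAMAccountName. In production build
# it from AD (Get-ADUser, ldapsearch) or the SIEM's identity table.
DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "nonadmin",
}

# Constructed 4624 records. Record 1 is a clean logon; record 2 reproduces the
# caption (SID resolves to Administrator, name says nonadmin); record 3 is the
# same logon as forwarded/exported events often carry it, with the raw SID.
SAMPLE_EVENTS = [
    "Event ID: 4624\nNew Logon:\n"
    "\tSecurity ID:\t\tTESTLAB\\nonadmin\n"
    "\tAccount Name:\t\tnonadmin\n"
    "\tAccount Domain:\t\tTESTLAB\n"
    "\tLogon ID:\t\t0x3E7A1\n",
    "Event ID: 4624\nNew Logon:\n"
    "\tSecurity ID:\t\tTESTLAB\\Administrator\n"
    "\tAccount Name:\t\tnonadmin\n"
    "\tAccount Domain:\t\tTESTLAB\n"
    "\tLogon ID:\t\t0x3F002\n",
    "Event ID: 4624\nNew Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-500\n"
    "\tAccount Name:\t\tnonadmin\n"
    "\tAccount Domain:\t\tTESTLAB\n"
    "\tLogon ID:\t\t0x40113\n",
]

FIELD_RE = re.compile(
    r"^\s*(Security ID|Account Name|Account Domain|Logon ID):\s*(.*?)\s*$",
    re.MULTILINE,
)
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class Finding:
    logon_id: str
    security_id: str
    account_name: str
    resolved_name: Optional[str]   # None when the SID is unknown to DIRECTORY


def parse_event(text: str) -> dict:
    """Return the Event ID plus the 'New Logon' fields of one rendered record.
    Only the section after 'New Logon:' is parsed, so the Subject block of a
    real record (which has its own Security ID / Account Name) is ignored."""
    match = re.search(r"Event ID:\s*(\d+)", text)
    _, _, new_logon = text.partition("New Logon:")
    fields = dict(FIELD_RE.findall(new_logon))
    fields["Event ID"] = match.group(1) if match else ""
    return fields


def account_for_sid(security_id: str, directory: dict) -> Optional[str]:
    """Map a rendered Security ID to an account name. Event Viewer shows
    DOMAIN\\name when it can resolve the SID; exported events often keep the
    raw S-1-5-... form, which is looked up in the directory snapshot."""
    if SID_RE.match(security_id):
        return directory.get(security_id)
    _domain, sep, name = security_id.rpartition("\\")
    return name if sep else security_id


def find_sid_mismatches(events, directory=DIRECTORY) -> list:
    """Return one Finding per 4624 record whose SID and Account Name disagree.
    Unresolvable SIDs are reported rather than skipped: an unknown SID logging
    on under a known name deserves review as much as a known mismatch."""
    findings = []
    for text in events:
        ev = parse_event(text)
        if ev.get("Event ID") != "4624":
            continue
        sid, name = ev.get("Security ID", ""), ev.get("Account Name", "")
        resolved = account_for_sid(sid, directory)
        if resolved is None or resolved.casefold() != name.casefold():
            findings.append(Finding(ev.get("Logon ID", ""), sid, name, resolved))
    return findings


if __name__ == "__main__":
    for f in find_sid_mismatches(SAMPLE_EVENTS):
        print(f"Logon {f.logon_id}: Security ID {f.security_id} resolves to "
              f"{f.resolved_name!r} but Account Name is {f.account_name!r}")
```

Run over the constructed records it reports logons 0x3F002 and 0x40113 and stays quiet on the clean one. Treat a hit as a lead, not a verdict: as the Microsoft quote above says, once a domain controller has been compromised this way the only high-certainty remediation is a rebuild, so the detection is there to tell you whether that conversation needs to start.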
