A Week in Security (Apr 26 – May 02)

Last week, our researchers found naughty ads on a page that is supposedly family- or child-oriented.

Speaking of naughty, it was strike two for xHamster when we found more ads leading to exploits. Senior Security Researcher Jérôme Segura also briefed us on domain shadowing in a follow-up post.

We also expressed concerns over Google’s new extension for Chrome called Password Alert, found some iPhone 6 scams, and spotted a 419 scam that banked on the earthquake in Nepal.

Notable news stories and security-related happenings:

  • Critical HTTPS Bug May Open 25,000 iOS Apps to Eavesdropping Attacks. “Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that’s trivial for hackers to monitor or modify, even when it’s protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA).” (Source: Ars Technica)
  • Critical Persistent XSS 0day in WordPress. “If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the site’s code if the code runs when in a logged-in administrator browser.” (Source: Sucuri Blog)
  • Cyber general: US satellite networks hit by ‘millions’ of hacks. “The top cyber official for the Air Force says the service’s space and satellite networks are being constantly hacked by outside groups.” (Source: The Hill)
  • ‘Largest’ denial-of-service attack hit Asian datacenter this year. “Arbor Networks said the attack had traffic of up to 334 Gbps, accounting for tens of thousands of connections, targeting one Asian network operator.” (Source: ZDNet)
  • Conversation With a Tech Support Scammer. “When investigating an incident that involved domain redirection and a suspected tech support scam, I recorded my interactions with the individual posing as a help desk technician and researched the background of this scheme. It was an educational exchange, to say the least.” (Source: Lenny Zeltser Blog)
  • Authentication Vulnerabilities Identified in Projector Firmware. “The manufacturer of a popular projector found primarily in classrooms is neglecting to address several authentication bugs that exist in the device that could open it up to hacks.” (Source: ThreatPost)
  • Social engineering tricks open the door to macro-malware attacks – how can we close it? “Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.” (Source: Microsoft’s Malware Protection Center Blog)
  • Nepal Earthquake Disaster Email Scams. “US-CERT warns users of potential email scams citing the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after these types of natural disasters.” (Source: US-CERT)
  • Apple Bans Watch Apps from Apple Watch. “…But then we realised it’s about facing reality: people just don’t use watches to tell the time any more.” (Source: Sophos’ Naked Security Blog)
  • Unpatched, Vulnerable PDF Readers Leave Users Open to Attack. “The security of a PC is significantly affected by the number and type of applications installed on it, and the extent to which these programs are patched.” (Source: Help Net Security)
  • Dyre Banking Trojan Jumps Out of Sandbox. “The new strain of Dyre, also known as Dyreza, uses a fairly new technique to avoid detection that is one of many established ways to elude sandbox protections already in place.” (Source: ThreatPost)

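The AFNetworking item above describes the classic shape of a TLS client bug: the chain is checked back to a trusted CA, but nobody checks that the certificate was issued for the host the app meant to talk to, so any legitimately issued certificate passes. The following is an added example written for this roundup, not AFNetworking’s code and not from any of the sources quoted above. It models a server-trust evaluation in plain Python with constructed certificate records and a constructed trust store, and shows the difference between a policy that validates the domain name and one that does not (AFNetworking exposes this as a `validatesDomainName` switch on its security policy; the Python below is an illustration of the concept, not that API).

```python
"""Added example: why TLS server-trust evaluation must include a hostname check.

All certificates and the trust store below are constructed stand-ins for the
example; they are not real certificates or real issuers.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single leftmost '*' label.

    '*.example.com' matches 'api.example.com' but neither 'example.com' nor
    'a.b.example.com' (the wildcard covers exactly one label).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Prefer subjectAltName dNSName entries; fall back to the CN only if absent."""
    names = cert.get("subject_alt_names") or [cert.get("common_name", "")]
    return any(_name_matches(name, hostname) for name in names)


# Constructed trust store: issuers this client accepts as browser-style CAs.
TRUSTED_CAS = {"Example Root CA"}


def evaluate_server_trust(cert: dict, hostname: str, validates_domain_name: bool = True):
    """Return (accepted, reason) for a presented leaf certificate.

    validates_domain_name=False reproduces the vulnerable behaviour described
    in the article: a chain to a trusted CA is enough, whoever the cert is for.
    """
    if cert.get("issuer") not in TRUSTED_CAS:
        return False, "untrusted issuer"
    if not validates_domain_name:
        return True, "accepted without hostname check (vulnerable policy)"
    if not cert_matches_host(cert, hostname):
        return False, "certificate not issued for this host"
    return True, "accepted"


# Constructed sample certificates (no real keys or issuers involved).
SERVER_CERT = {
    "issuer": "Example Root CA",
    "common_name": "api.bank.example",
    "subject_alt_names": ["api.bank.example", "*.bank.example"],
}
OTHER_DOMAIN_CERT = {  # validly issued by the same CA, but for an unrelated name
    "issuer": "Example Root CA",
    "common_name": "shop.other.example",
    "subject_alt_names": ["shop.other.example"],
}
SELF_SIGNED_CERT = {
    "issuer": "Nobody In Particular",
    "common_name": "api.bank.example",
    "subject_alt_names": ["api.bank.example"],
}


if __name__ == "__main__":
    for label, cert, strict in [
        ("right host, strict", SERVER_CERT, True),
        ("other domain, strict", OTHER_DOMAIN_CERT, True),
        ("other domain, no name check", OTHER_DOMAIN_CERT, False),
        ("self-signed, no name check", SELF_SIGNED_CERT, False),
    ]:
        print(f"{label:30s} -> {evaluate_server_trust(cert, 'api.bank.example', strict)}")
```

The third case is the one the article warns about: with the name check disabled, a certificate that any trusted CA issued for an unrelated domain is accepted for `api.bank.example`, even though the CA check itself is working. A quick way to exercise this in a real app is to point it at a test server presenting a valid certificate for a different name and confirm the connection is refused.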
Safe surfing, everyone!

The Malwarebytes Labs Team