Cyber Security Institute


Thursday, August 15, 2013

Microsoft pulls faulty Exchange 2013 patch HOURS after release

Microsoft has pulled a security update for Exchange 2013 after problems emerged with the latest patch to the email server software just hours after its release. The critical MS13-061 security update for Exchange Server 2013 broke the message index service, preventing Exchange 2013 email users from searching their mailboxes. Specifically, after the installation of the security update, the Content Index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed.


Wednesday, June 26, 2013

Attackers sign malware using crypto certificate stolen from Opera Software

Hackers penetrated network servers belonging to Opera Software, stole at least one digital certificate, and then used it to distribute malware that incorrectly appeared to be published by the browser maker. “The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware,” Wednesday’s advisory stated. “It is possible that a few thousand Windows users, who were using Opera between 1.00 and 1.36 UTC on June 19, may automatically have received and installed the malicious software.”


Tuesday, May 07, 2013

Anonymous May 7 Target List Includes 12 Large Credit Unions

The OpUSA campaign, in which hackers affiliated with Anonymous planned to launch distributed denial-of-service attacks against government and financial institution websites on Tuesday, released a list of targeted institutions that includes 12 credit unions.



Thursday, May 02, 2013

Saudi Arabia is a top target for cyber attacks

Saudi Arabia is the most targeted country for cyber attacks in the Middle East, according to a new report.  The kingdom ranks second globally, while the UAE is the fifth most targeted in the Middle East according to Symantec’s Internet Security Threat Report 2013. The region’s sophisticated internet infrastructure, high internet and mobile penetration and growing economy make it an attractive target for cyber criminals keen to make easy money without too much hassle.



DHS: ‘OpUSA’ May Be More Bark Than Bite

The Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers is preparing to launch a cyber attack campaign next week, known as “OpUSA”, against websites of high-profile US government agencies, financial institutions, and commercial entities. A confidential alert, produced by DHS on May 1 and obtained by KrebsOnSecurity, predicts that the attacks “likely will result in limited disruptions and mostly consist of nuisance-level attacks against publicly accessible webpages and possibly data exploitation.”


Wednesday, May 01, 2013

Hackers hijack US government website to spread malware

The US Department of Labor’s website has been infiltrated by [Chinese] hackers, according to a report from security firm AlienVault. “During the last few hours we have identified that the US Department of Labor website has been hacked and it is serving malicious code,” an AlienVault researcher said. The attackers modified some files on the website so that when a user visits it, malicious code is loaded from a server under the attackers’ control. The firm has also detected a second function in the attack code, instructing it to target a patched vulnerability in Microsoft’s Internet Explorer.


Tuesday, April 30, 2013

DDoS used as cover fire for parallel attacks, $2.1 million unauthorized wire transfer

The Dell SecureWorks Counter Threat Unit(TM) research team’s 2012 Threatscape Review describes an interesting scenario in which a distributed denial-of-service attack served as cover fire for a parallel intrusion that drained up to $2.1 million from a bank account. The review analyzes the conditions in 2012 that created threat scenarios and discusses notable trends in software vulnerabilities, global-scale threats, distributed denial of service (DDoS) attacks, advanced persistent threats, and mobile threats.



Hackers hit thousands of websites with Apache backdoor attack

Security firm Eset has uncovered a malicious campaign that uses a backdoor planted in Apache web servers to herd web users to sites carrying Blackhole exploit packs. It will be difficult to assess the dangers and actions of a specific compromised system if only the backdoor binary is found and its active shared memory is not. Eset researcher Zwienenberg said the compromised servers are being used to drive web traffic to a number of malicious websites containing malware and exploits from the Blackhole exploit kit. The campaign has already compromised hundreds of Apache servers, meaning that thousands of websites could potentially have been affected.



Thursday, April 25, 2013

Recently patched Java flaw already targeted in mass attacks

The vulnerability, identified as CVE-2013-2423, was one of the 42 security issues fixed in Java 7 Update 21 that was released by Oracle last week, on April 16. The company gave the flaw’s impact a 4.3 out of 10 rating using the Common Vulnerability Scoring System (CVSS) and added that “this vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.”


Sunday, April 21, 2013

Hacking collective Anonymous calls for Internet blackout on April 22 to protest CISPA

Hacking collective Anonymous has called for an Internet blackout in protest of a bill, CISPA, which if signed into law, would make it legal for websites to give personal information to the US government without the user’s permission. Anonymous has called for an Internet protest on Monday, April 22, to protest the “illogical and terrorizing bill”, reports The Huffington Post. The plan doesn’t involve shutting down or attacking the Internet in any way, it just wants all websites to go dark in protest for 24 hours on Monday.


Wednesday, April 17, 2013

Java 7 Update 21 to fix bugs, change applet warning messages

Oracle will release a new version of Java on Tuesday that will include 42 security fixes and will make changes to how Web-based Java content will be presented inside browsers. Thirty-nine of the vulnerabilities patched by the new Java 7 Update 21 (7u21) can be exploited remotely without authentication, Oracle said in a pre-release announcement. In addition to security fixes, the new update will also make changes to how Java applets—Web-based Java applications—are handled and presented in Web browsers that have the Java plug-in enabled.


Friday, April 12, 2013

U.S. On Brink Of Major Cyber Attack From Another Nation - Perhaps North Korea

Philip Lieberman, author and CEO of security firm Lieberman Software, believes the United States is on the brink of suffering a major cyber attack from another nation state that will severely damage the country’s national infrastructure. The security expert has spoken out as the U.S. falls into its latest bout of international confrontation, with North Korea threatening to launch nuclear attacks on the United States and old foe South Korea. But far more likely than military engagement is the use of cyber weapons, and indeed, the North is already thought to have been behind crippling cyber attacks on the networks of South Korean banks and television stations last month, reported ITProPortal. The U.S. and the South have taken action to safeguard their digital infrastructures, last week signing a cyber alliance to increase the sharing of strategies and intelligence between the two nations, while President Obama has been busy bolstering the U.S. cyber arsenal and acquiring legal permission to launch cyber strikes this year.



Wide-scale attack against WordPress blogs reported

Unidentified hackers are said to have launched a large-scale attack against WordPress blogs, and any hosts using weak passwords are urged to update them immediately. Security firms have been tracking an escalating number of “brute force” attacks against WordPress installations, which try logins such as “admin” and then run through thousands of commonly used passwords to break in. Security firm Incapsula told security blog KrebsOnSecurity that infected sites are seeded with a backdoor that gives the attackers remote control of the site. “The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress,” the site reported.
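The password-guessing described above leaves a distinctive trace in a site's access log: many POST requests to /wp-login.php from one source in a short span, each answered with HTTP 200 (WordPress re-renders the login form on failure and redirects with 302 on success). The following is an added example, not code from the original article or from any of the firms it cites: it parses combined-format access log lines and flags sources whose failed login POSTs exceed a threshold inside a sliding window. The log lines, addresses and thresholds are constructed for illustration, and the 200-versus-302 rule is a heuristic about default WordPress behaviour, not a guarantee.

```javascript
// Added example: detect wp-login.php brute-force sources in combined-format access logs.
// Constructed sample data; 198.51.100.7, 192.0.2.9 and 203.0.113.5 are documentation addresses.
const SAMPLE_LOG = `
198.51.100.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
`;

// client, ident, user, [timestamp], "METHOD path proto", status
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse a CLF timestamp such as "12/Apr/2013:10:00:01 +0000" into epoch seconds (UTC).
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const local = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) / 1000;
  const offset = (sign === '+' ? 1 : -1) * (+tzh * 3600 + +tzm * 60);
  return local - offset;
}

function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: parseClfTime(m[2]), method: m[3], path: m[4], status: +m[5] };
}

// Return sources with at least `threshold` failed wp-login.php POSTs inside any `windowSeconds` span.
function findLoginBruteForce(logText, { threshold = 5, windowSeconds = 60 } = {}) {
  const failuresByIp = new Map();
  for (const raw of logText.split('\n')) {
    const e = parseLine(raw.trim());
    if (!e || e.time === null) continue;
    if (e.method !== 'POST' || !e.path.startsWith('/wp-login.php')) continue;
    // Heuristic: a failed login re-renders the form (200); a success redirects (302).
    if (e.status !== 200) continue;
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push(e.time);
  }
  const findings = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0;
    for (let end = 0; end < times.length; end++) {       // two-pointer sliding window
      while (times[end] - times[start] > windowSeconds) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) findings.push({ ip, attempts: times.length, peakInWindow: peak });
  }
  return findings.sort((a, b) => b.peakInWindow - a.peakInWindow);
}

console.log(findLoginBruteForce(SAMPLE_LOG));   // flags 198.51.100.7 only
```

Only the burst from 198.51.100.7 is reported; the two slow attempts from 192.0.2.9 stay below the threshold and the 302 from 203.0.113.5 is treated as a successful login. On a real server, feed the function the raw log text and review flagged sources before blocking, since shared NAT addresses can also produce many legitimate logins.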


Thursday, April 11, 2013

Small Banks: Prepping for DDoS Attacks

For tiny First Landmark Bank in Marietta, Ga., cybersecurity is a priority, even though smaller financial institutions have not yet been prime targets for recent distributed-denial-of-service attacks against banking institutions. Because the community bank’s leaders fear the institution could eventually be a target for a cyber-attack, they are taking a proactive approach to mitigate potential risks - an approach that others should emulate. Small banking institutions have to depend on third parties to keep them abreast of emerging fraud schemes and attack trends, such as DDoS. First Landmark Bank, which has only $182 million in assets, is working with its core processor, Fiserv, and third-party service providers, such as CSI, to ensure its online-banking channel is secure.   The bank is leaning on numerous vendors because relying solely on Fiserv alone would not meet its needs, says Leigh Pharr, senior vice president.


Monday, April 08, 2013

Security updates likely to keep admins busy in April

Microsoft is to release nine security bulletins next week as part of its monthly Patch Tuesday security updates, aimed mainly at critical vulnerabilities in Internet Explorer and Windows 7. There is also an out-of-cycle update for Java from Oracle this month. In addition to the Microsoft updates, security administrators should note that the PostgreSQL open source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899, allows an attacker to corrupt or delete database files without authentication, leading to data loss and denial of service.



Wednesday, April 03, 2013

Ars Technica: Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites

Tens of thousands of websites, some operated by The Los Angeles Times, Seagate, and other reputable companies, have recently come under the spell of “Darkleech,” a mysterious exploitation toolkit that exposes visitors to potent malware attacks. The ongoing attacks, estimated to have infected 20,000 websites in the past few weeks alone, are significant because of their success in targeting Apache, by far the Internet’s most popular Web server software. ... Vulnerabilities in Plesk, Cpanel, or other software used to administer websites are one possibility, but researchers aren’t ruling out password cracking, social engineering, or attacks that exploit unknown bugs in frequently used applications and OSes. Visitors using IP addresses belonging to security and hosting firms are passed over, as are people who have recently been attacked or who don’t arrive at the pages from specific search queries.


Tuesday, April 02, 2013


Two weeks ago, some 30,000 systems at South Korean banks and broadcasters were wiped out in a coordinated attack. It might have come from North Korea, but investigators are still chasing basic details. “We judge that there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services,” wrote U.S. Director of National Intelligence James Clapper. “Our critical infrastructures are all identifiable: they’ve been probed, and they’ve been mapped,” said Frank Cilluffo, Director of the Homeland Security Policy Institute at George Washington University, last week in testimony before the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. Last month security firm Mandiant fingered the Chinese People’s Liberation Army as brazenly running cyber operations out of a 12-story building in Shanghai, alleging that this “APT1” unit is one of dozens of hacking outfits run by the Chinese military. Iran is believed to be behind persistent denial-of-service attacks against Bank of America, JPMorgan Chase, Citi, and U.S. government sites during 2011 and 2012, as well as a destructive attack against Saudi Aramco and Qatar’s RasGas last year in which malware wiped out more than 30,000 workstations. Where denial-of-service and outright destructive attacks might be a digital form of sabre-rattling for some regimes, or make for great movie plots, cyber espionage is the bread and butter of much state-sponsored online action.


Friday, March 29, 2013

Critical denial-of-service flaw in BIND software puts DNS servers at risk


Wednesday, March 27, 2013

Java-based attacks remain at large, researchers say

A new Websense report suggests that approximately 94 percent of endpoints which run Oracle’s Java are vulnerable to at least one exploit, and we are ignoring updates at our own peril.  With so many vulnerabilities, keeping browsers up-to-date can become an issue — especially as Java has to be updated independently from our preferred browser, and a mobile, cross-browser workforce is difficult to manage securely.  Keeping this in mind, the security team used their Advanced Classification Engine (ACE) and ThreatSeeker Network to both detect and analyze in real-time which versions of Java are currently in use across “tens of millions” of endpoints. The researchers found that the latest version of Java, version 1.7.17, is only in use by a dismal five percent of users, and many versions are months or years out of date — just begging to be exploited.


Tuesday, March 26, 2013

Preparing major Israeli companies against Anonymous attacks on the 7th of April

What distinguishes this plan from previous attacks is that it really seems to be organized by Anonymous-affiliated groups from around the world in what looks like a joining of forces. It was reported that as part of this “operation,” details of some 600,000 users of Walla’s email service were exposed; in addition, according to then Finance Minister Yuval Steinitz, “Israel deflected 44 million cyber-attacks on government websites.” On Wednesday 20 March 2013, a cyber-attack crippled TV stations and banks in South Korea, some for a few hours, and some are still trying to recover from the attack. As many as 30,000 PCs at Shinhan Bank, Jeju Bank, Nonghyup Bank, the Munhwa Broadcasting Corporation, YTN and the Korea Broadcasting System (KBS) had their hard drives wiped when a virus was activated at 14.00 local time on Wednesday 20 March.


Monday, March 18, 2013

Malwarebytes uncovers AV-dodging ransomware in Java exploit kit

Security firm Malwarebytes has discovered new ransomware being spread by the Neutrino exploit kit, targeting Java with a fake Skype file. Malwarebytes security researchers Jerome Segura and Joshua Cannell reported discovering Neutrino on Monday, warning the ransomware can bypass all major antivirus products.


Internal-use SSL certificates pose security risk for upcoming domain extensions

The practice of issuing SSL certificates for internal domain names with unqualified extensions could endanger the privacy and integrity of HTTPS communications for upcoming generic top-level domains (gTLDs), according to a security advisory from the Internet Corporation for Assigned Names and Numbers (ICANN). The advisory was finalized by ICANN’s Security and Stability Advisory Committee (SSAC) last week and warns that existing SSL certificates which have been issued for non-public domain names like those used to identify servers inside private networks, could be used to hijack HTTPS traffic for real domain names as new gTLDs become operational.


Wednesday, March 13, 2013

Cyber attacks on banks resume, targeting Chase

A wave of bank cyber attacks has resumed, with many JPMorgan Chase & Co. customers unable to access their Internet banking accounts.


Monday, March 11, 2013

Australian central bank computers hacked

Computer networks at the Reserve Bank of Australia have been hacked, some reportedly by Chinese-developed malware searching for sensitive information, officials said Monday. The central bank revealed the attacks after investigations by The Australian Financial Review found multiple computers had been compromised by malicious software seeking intelligence. The newspaper said in one attack a Chinese-developed malware spy programme was searching in 2011 for information on sensitive G20 negotiations, where Beijing’s exchange rate and currency reserves were on the agenda.


Sunday, March 10, 2013

Canadian businesses are resigning themselves to being hacked: study - Canadian Business

Canadian businesses have set themselves up to be hacked, and a new study has found that some companies believe it is almost inevitable they will fall victim to a security breach. Telus and the Rotman School of Management at the University of Toronto say their annual study on IT security found a “pervasive sense of vulnerability” at many corporations. “Security managers are not very confident that they can identify whether a breach actually occurred or whether they’re actually in the midst of a current breach,” said Walid Hejazi, a professor of business economics at Rotman.


Wednesday, March 06, 2013

Cybercriminals Likely To Expand Use Of Browser Proxies

A technique for controlling a compromised system’s browser, widely used in Brazilian banking schemes, will likely become more widespread worldwide in the next few years, say security experts. The technique abuses a legitimate way to control where a browser sends its requests, known as proxy auto-configuration or PAC, to take over a victim’s browser and send traffic—say, requests to a bank—to an attacker-controlled server instead.  While the attackers still have to find a way to execute code on a victim’s system, once that is done, they can set a proxy for the browser, capture selected traffic, and re-route it invisibly.


Friday, March 01, 2013

Hackers use corporate attacks as staging grounds for other cyber assaults

Attackers have invaded corporate networks to steal sensitive data and use them as staging grounds to attack other corporate networks, and IT managers detecting these invaders may find yet another surprise: law enforcement lurking in their networks monitoring it all as part of a cyber-sting. “There may be law enforcement watching it,” said Charles Shugg, retired Brigadier General of the Air Force who once headed the U.S. Air Force Cyber Command, and spoke yesterday on a panel at the RSA Conference on the topic of how far IT managers can go to “hackback” against network attackers they happen to detect. But you might be stepping into something bigger than you know, because “an undercover agent may witness crimes taking place and not stop them in hopes of getting them,” said Shugg. It’s just another wrinkle in the world of cybercrime that’s invaded corporate networks, whether it be suspected Chinese spies stealing important intellectual property, remotely controlled botnets and cybercrooks from everywhere making off with what they can, or hacktivists out to score political points.


Blackhole Exploit Kit Run Adopts Controversial Java Flaw

A perfect example of this prediction is how the Blackhole Exploit Kit continuously attempts to circumvent the efforts made by the security industry. True enough, we recently received reports of a Blackhole Exploit Kit (BHEK) run that incorporated an exploit (detected by Trend Micro as JAVA_ARCAL.A) targeting the recently patched CVE-2013-0431. When users click the item number indicated in these messages, they are led through several redirecting sites until they arrive at the page hosting the encrypted BHEK code. In the testing we did, the BHEK code found certain versions of Adobe Reader, which prompted it to download and execute a malicious. This BHEK code also downloads and executes JAVA_ARCAL.A from a specific page after checking the Java version of the infected system. JAVA_ARCAL.A then downloads and executes TSPY_FAREIT.MEX by using command.exe in the PATH %user% in a specific URL. ... At the end of the infection chain, this BHEK code will access the malicious page below to lead users into thinking that they’re just redirected to a seemingly non-malicious website.


Monday, February 25, 2013

New Java 7 security flaws emerge as old one lands in crime kits

Less than a week after Oracle released its latest Java critical patch update, researchers have found two previously unknown security issues affecting Java 7. The issues are specific to Java SE 7 and affect Update 11 and Update 15 of the software, according to Security Explorations’ CEO Adam Gowdiak. Oracle only released Java SE 7 Update 15 last week, patching five additional CVEs on top of the fifty fixed in an unscheduled release on February 1 that addressed a zero-day flaw being exploited by attackers.