Category: Warnings

Within the digital attack space, crimeware kits — which can be purchase for as little as $200 — often come supplied with Java-based exploits.

Over 75 percent of browsers are using Java versions which are at least 6 months old, whereas nearly two-thirds are a year out of date, and 50 percent of Java versions in use are over two years behind the times in respect to Java vulnerabilities.

All in all, the researchers say that the vulnerable population of browsers is pegged at a staggering 93.77 percent.

Link: http://www.zdnet.com/java-based-attacks-remain-at-large-researchers-say-7000013131/?s_cid=e550

A cyber-attack on this scale on Israel would have serious consequences; therefore major companies are already preparing themselves for these cyber-attacks by using Bot-Trek™, initially as a test pilot.

On the example of the ISPs, it will provide tons of cyber intelligence information on infected machines within IP ranges including public and private sector, including Socks-, spam- and DDoS-bots IP-addresses and Data leaked from corporate domains or IP-ranges (e.g. corporate e-mail accounts, intranets, etc.).

Group-IB, one of the leading computer security companies, specializing in the investigation of computer crime, information security breaches, and computer forensics organized several pilot projects on Bot-Trek which will help to reduce the level of harmful and malware activities by proactive monitoring of ASN/BGP and 24/7/365 cyber intelligence. Group-IB CERT-GIB operates as the first private computer emergency response team in Russia and is internationally known for bringing down several of the biggest Botnet masters around the globe.

Previously, several largest botnets were found and blocked by Group-IB Bot-Trek system, such as Origami (4 000 000 infected PCs) in joint operation with Ministry of Interior of Russian Federation, Dragon, Grum, Virut together with SPAMHAUS, Australian CERT and CERT.pl , and many others. Last year Group-IB prevented theft from over 30,000 customers of various banks, and the number of identified and analyzed information is constantly growing.”, and more than “1.2 million infected PCs were found within the leading ISPs of different countries, which helped to stop malware, SPAM and DDOS activities”.

Link: http://i-hls.com/2013/03/preparing-major-israeli-companies-against-anonymous-attacks-on-the-7th-of-april/

That certificate is also valid for alternative non-publicly-recognizable domain names like qsauhub01, qsauhub01.sea.quiksilver.corp, qsauhub02, qsauhub02.sea.quiksilver.corp, and autodiscover.sea.quiksilver.corp. The .corp domain extension has been used internally on private corporate networks for a very long time, but is currently being considered for future public use as a new gTLD.

“If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon,” the SSAC said in the advisory.

In a test case, a researcher working with SSAC successfully applied for and obtained an internal-use certificate for www.site from a CA.

…The SSAC also searched SSL certificate data collected in 2010 by the Electronic Frontier Foundation’s SSL Observatory project and found 37,244 internal name certificates issued by 157 CAs. The SSL Observatory data is from 2010 and only contains publicly available certificates on the IPv4 (Internet Protocol version 4) network, like the Quiksilver one, that are valid for both public and non-public domain names, it said.

Link: http://www.computerworld.com/s/article/9237678/Internal_use_SSL_certificates_pose_security_risk_for_upcoming_domain_extensions?source=CTWNLE_nlt_pm_2013-03-18

“Malwarebytes identified a ransomware Trojan, part of the Urausy family, which was being spread by a new Exploit Kit dubbed Neutrino. This ransomware sample evaded AV detection for almost a day and uses several levels of encryption to hide its payload,” Segura told V3. “This practice is becoming more and more common these days as it makes detection by looking at traffic packets more difficult.”

The Neutrino attack pretends to be a legitimate Skype file to gain access to a user’s machine. It’s called this because the ransomware renames itself to “skype.dat” and is placed in the folder, along with a configuration file called “skype.ini,” said Cannell.

“The skype.dat ransomware has nothing to do with the legitimate Skype program that millions of people use for VoIP communication.”

At the end of 2012 security firm Symantec issued a report suggesting ransomware scams are now earning criminals as much as $33,000 a day.

Link: http://www.v3.co.uk/v3-uk/news/2255480/malwarebytes-uncovers-av-dodging-neutrino-exploit-kit-targeting-java

Chase was targeted by the latest in a series of denial-of-service attacks, which overwhelm websites with phony requests so that legitimate customers can’t get through.

A group identifying itself as Izz ad-Din al-Qassam Cyber Fighters has been attacking American banks off and on since September. The group, based in the Middle East, says the attacks are retaliation for a video, produced by amateur U.S. filmmakers, that mocks the prophet Muhammad.

In a pastebin.com post, the group threatened to attack U.S. banks on Tuesdays, Wednesdays and Thursdays “because of widespread and organized offends to Islamic spirituals and holy issues.”

The website sitedown.co, which allows Internet users to report crashes of corporate sites, recorded 213 reports of problems with Chase’s website in the 24 hours that ended at 7:40 p.m.

The site showed 917 reports of Chase outages over the last month, compared with 453 at AT&T, 415 at Netflix, 351 at Bank of America and 107 at Wells Fargo.

Link: http://www.latimes.com/business/money/la-fi-mo-bank-cyber-attacks-chase-20130312,0,1903959.story