(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Hackers are exploiting a serious zero-day vulnerability in the latest version of Apple's OS X so they can perform drive-by attacks that install malware without requiring victims to enter system passwords, researchers said.

As Ars reported last week, the privilege-escalation bug stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that lets attackers open or create files with root privileges that can reside anywhere in the OS X file system. It was disclosed last week by security researcher Stefan Esser.

On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file. In a blog post, Malwarebytes researchers wrote:



Earlier this year, security engineer Trammell Hudson developed and showed off a proof-of-concept firmware called Thunderstrike. The malware could hitch a ride on Thunderbolt-connected accessories that used Option ROMs and infect any Mac it was connected to at boot. The infected Mac could then pass the malware to other accessories, which could infect other computers.

Apple (mostly) patched this exploit in OS X version 10.10.2 back in January, but Wired reports that Hudson and LegbaCore security researcher Xeno Kovah have developed a sequel.

Dubbed "Thunderstrike 2," the new proof-of-concept attack still spreads primarily through infected Thunderbolt accessories. But where the original Thunderstrike required a malicious user to have physical access to your computer to work—something sometimes referred to as an "evil maid" attack, though an evil butler could probably do the same job—the new one can be spread remotely. The malware can be delivered "via a phishing e-mail and malicious Web site," and once downloaded it can infect connected accessories that use Option ROM (Apple's Thunderbolt-to-gigabit-Ethernet accessory is a commonly cited example). Once the accessory is infected, the malware can spread to any Mac that you plug the accessory into.



Hackers have started exploiting an extremely severe vulnerability in a widely used software utility, touching off concerns that the in-the-wild attacks could affect the stability of the Internet.

The attacks are exploiting a denial-of-service bug in all versions of Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers. As Ars reported last week, the flaw can be exploited with a single command to crash authoritative and recursive domain name system servers and in theory could allow a single person to take down large swaths of the Internet. There's no practical workaround, although some website firewalls can block many exploits. The only way administrators can ensure they don't fall victim is to install a recently published patch.

"Because of its severity we've been actively monitoring to see when the exploit would be live," Daniel Cid, founder and CTO of security firm Sucuri, wrote in a blog post published Sunday. "We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down, it also means your e-mail, HTTP, and all other services will be unavailable."



I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an Invalid Method (error 501) as the web server only sees the banner provided by the SSH client, and of course cannot respond.

For example: - - [03/Aug/2015:08:31:55 +0000] SSH-2.0-libssh2_1.4.3 501 303 - -

This IP address in this example is for now the most prolific source of these scans:

inetnum: -        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN

With very frequent scans for SSH servers, users often move them to an alternative port. I am not aware of a common configuration moving them to port 8080, but it is certainly possible that this has become somewhat a common escape port.

Please let us know if you have any details to fill in. Any other sources for these scans? Any reason why someone would use port 8080 for an ssh server? If you use an alternative port, a more random one would certainly be better, in particular if the port is not in default port lists (like the one used by nmap).

As usual, hiding your SSH server on an off-port is good. But you certainly should still use keys, not passwords, to authenticate and follow other best practices in configuring and maintaining your SSH server.

Johannes B. Ullrich, Ph.D.
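To pull these probes out of a web server log the way the diary describes (an SSH identification string appearing as the request line, answered with a 501), here is an added example in Python; it is not from the ISC diary, and the log lines, source IPs and counts in it are constructed for illustration. It assumes the combined log format with an optionally quoted request field.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); the source IPs are
# documentation addresses and the counts are made up. Two hosts send SSH client
# banners to the HTTP listener; normal requests and one genuine 501 are negatives.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Aug/2015:08:31:55 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
198.51.100.2 - - [03/Aug/2015:08:32:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Aug/2015:08:33:10 +0000] "SSH-2.0-libssh2_1.4.3" 501 303 "-" "-"
192.0.2.9 - - [03/Aug/2015:08:34:44 +0000] "SSH-2.0-OpenSSH_6.6" 501 303 "-" "-"
198.51.100.2 - - [03/Aug/2015:08:35:12 +0000] "PATCH /api HTTP/1.1" 501 303 "-" "curl/7.40"
this line is not an access-log entry
"""

# The request field is normally quoted, but some log configurations (and the
# diary's own sample line) leave it bare, so the quotes are optional here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"?(?P<request>[^"]*?)"? (?P<status>\d{3}) (?P<size>\S+)'
)
# RFC 4253 identification string: SSH-protoversion-softwareversion [comments]
SSH_BANNER_RE = re.compile(r"^SSH-\d+\.\d+-\S+")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ssh_banner_probe(entry):
    """An SSH client talking to an HTTP listener: the server sees the client's
    identification string as the request line and answers 501 (not implemented)."""
    return entry["status"] == "501" and SSH_BANNER_RE.match(entry["request"]) is not None

def find_ssh_probes(log_text):
    """Parsed entries that look like SSH scans hitting the web server."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e and is_ssh_banner_probe(e)]

def probe_sources(log_text):
    """(ip, count) pairs for SSH probes, most prolific source first."""
    return Counter(e["ip"] for e in find_ssh_probes(log_text)).most_common()

def client_software(log_text):
    """Which SSH client implementations the scanners announced, e.g. libssh2_1.4.3."""
    return sorted({e["request"].split("-", 2)[2] for e in find_ssh_probes(log_text)})
```

Run it over a real access log and feed the output of probe_sources into your blocklist or SIEM; a plain 501 without an SSH banner (the PATCH line above) is deliberately left alone.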
