Hackin9
ESA-2016-012: EMC Documentum xCP - User Information Disclosure Vulnerability
 

George W. Bush stands next to a Frenchified cardboard version of himself. (credit: The Smoking Gun)

A year and a half after he was indicted, a Romanian man who broke into the e-mail of a family member of two former presidents is set to be extradited to the United States.

Romania's top court approved the temporary extradition of Marcel Lehel Lazăr, also known as "Guccifer" and "Micul Fum," according to a report by IDG News. Lazăr allegedly broke into the e-mail account of an unnamed family member of the former presidents George H. W. Bush and George W. Bush, intercepting images including family photos and self-portraits painted by George W. Bush. The hack exposed other deeply personal information about the family, including family e-mails planning a possible funeral for the older former president, written when he was hospitalized in late 2012.

The Romanian suspect, a former cab driver, will face charges of wire fraud, unauthorized access to a protected computer, aggravated identity theft, cyberstalking, and obstruction of justice. He has been charged in the Eastern District of Virginia. The Romanian court decision allows him to be extradited for up to 18 months to face the charges.


 

Storage device manufacturer Seagate's executives informed employees last week that their income tax data had been shared with an unknown outside party as the result of a targeted phishing attack. On March 1, a Seagate employee sent the data to an outside e-mail address after receiving an e-mail purportedly from Seagate's CEO Stephen Luczo requesting 2015 W-2 data for current and former Seagate employees. The employee, believing the request to be real, forwarded the W-2 reporting data—exposing US employees of Seagate to potential tax fraud and identity theft.

Security reporter Brian Krebs reported the breach after learning of it from a Seagate employee who had been given written notification of the breach. The Seagate breach comes less than a week after Snapchat employees' data was leaked in the same way. Last week, the New York Post broke news that Mansueto Ventures (the publishers of Inc. Magazine and Fast Company) also had payroll data stolen.

Seagate's spokesperson Eric DeRitis confirmed the incident to Krebs. "On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former US-based employees was sent to an unauthorized third party in response to the phishing e-mail scam," DeRitis said. "The information was sent by an employee who believed the phishing e-mail was a legitimate internal company request." DeRitis told Krebs that "several thousand" employees were affected and that the company is working with federal law enforcement; employees will receive two years of credit protection from the company.


 
Re: Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
 

I'm operating several catch-all mailboxes that help me to collect interesting emails. Besides the classic spam messages which try to sell me colored pills and promise me millions of revenue, I'm also receiving a lot of malicious documents. For a few weeks, I have been seeing a huge peak of emails.

Most of them are the same and belong to the massive waves of campaigns that try to hit as many victims as possible. Even though we have seen an increase in JScript files (.js) for a while, VBA macros in OLE documents remain a classic. The very first macros tended to download a malicious executable from a compromised third-party website via Microsoft.XMLHTTP; some attackers now embed the payload directly in the Office document. I already wrote a diary about the analysis of such a document. With this technique, the victim does not phone home to the wild Internet, so computers without network connectivity can also be infected.

The file that I received was called walmart_code.doc and its original VT score was 5/54 (yesterday, it reached 23/54).

# file walmart_code.doc
walmart_code.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Mar 2 10:50:00 2016, Last Saved Time/Date: Thu Mar 3 13:49:00 2016, Number of Pages: 1, Number of Words: 6, Number of Characters: 36, Security: 0

# oledump.py walmart_code.doc
  1:       114 \x01CompObj
  2:       284 \x05DocumentSummaryInformation
  3:       404 \x05SummaryInformation
  4:      8706 1Table
  5:     17276 Data
  6:       482 Macros/PROJECT
  7:        65 Macros/PROJECTwm
  8: M    1645 Macros/VBA/Module1
  9: M    4408 Macros/VBA/ThisDocument
 10:      3054 Macros/VBA/_VBA_PROJECT
 11:       565 Macros/VBA/dir
 12:    158418 ObjectPool/_1518536137/\x01Ole10Native
 13:         6 ObjectPool/_1518536137/\x03ObjInfo
 14:      4142 WordDocument

We have two macros (the "M" streams) that contain the malicious code. They are simple, and the strings are not obfuscated with high-level techniques: every character is produced by Chr() from a small arithmetic expression. The function used is:

Public Function WejndHw(vbhs As Integer)
    WejndHw = Chr(vbhs)
End Function

and it is called like this (the fragment is reproduced as extracted, the last line being truncated in the original; WejndHw(40 + 6) is Chr(46), a dot, and the decoded values "x" and ".exe" were noted inline by the original and are kept as comments):

fdda = 7 - 8
RTQCDW = WejndHw(40 + 6)
RREW = RTQCDW + WejndHw(8 + 94 + fdaa)
RREW = RREW + WejndHw(10 + 81 + 10)                              ' x  .exe
UUIIW = RTQCDW + WejndHw(-6 + 110 + 10) + WejndHw(4 + 110 + 2) + f

The interesting stream is number 12, by far the biggest one (158418 bytes): an \x01Ole10Native stream is the Packager format used for files embedded into an Office document. Dumping it to 12.tmp and looking at its beginning tells us what we need:

- First 4 bytes: ce 6a 02 00, the little-endian size of everything that follows (0x26ace = 158414, i.e. the stream size minus these 4 bytes).
- Next 2 bytes: 02 00, the flags.
- From the 7th byte: NUL-terminated strings giving the label and the original path of the embedded file (C:\Aaaa\exe\idd2.exe), then the length and the path of the temporary copy on the author's machine (C:\Users\M\AppData\Local\Temp\idd2.exe, which leaks the user name), and finally the size of the embedded data followed by the data itself. The "MZ" header at offset 0x50 (80) and the DOS stub text show that the embedded object is a PE executable.

# hexdump -C 12.tmp
00000000  ce 6a 02 00 02 00 20 00  43 3a 5c 41 61 61 61 5c  |.j.... .C:\Aaaa\|
00000010  65 78 65 5c 69 64 64 32  2e 65 78 65 00 00 00 03  |exe\idd2.exe....|
00000020  00 27 00 00 00 43 3a 5c  55 73 65 72 73 5c 4d 5c  |....C:\Users\M\|
00000030  41 70 70 44 61 74 61 5c  4c 6f 63 61 6c 5c 54 65  |AppData\Local\Te|
00000040  6d 70 5c 69 64 64 32 2e  65 78 65 00 00 6a 02 00  |mp\idd2.exe..j..|
00000050  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000060  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 f8 00 00 00  |................|
00000090  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
000000a0  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
000000b0  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
000000c0  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

The executable can be carved by cutting the stream at offset 80:

# oledump.py -s 12 -d walmart_code.doc | cut-bytes.py 80: > 12.exe
# file 12.exe
12.exe: PE32 executable (GUI) Intel 80386 system file, for MS Windows
# md5sum 12.exe

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
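The carving step above cuts at a fixed offset (80) that only holds for these particular path lengths. The following is an added example, not code from the diary nor from oledump, oletools or cut-bytes.py: it parses the Ole10Native layout described above (size, flags, label, source path, temp path, data) and so finds the embedded file wherever it starts. The sample stream is constructed inline: the label and the two paths are those visible in the diary's hexdump, and the 158 KB executable is replaced by a short MZ stub. The helper that reads a real document assumes the olefile module is installed.

```python
"""Carve the embedded file out of a Packager (\\x01Ole10Native) stream.

Added example, not code from the ISC diary or from oledump/oletools.
Layout, as read from the diary's hexdump:
  dword   size of everything that follows
  word    flags (0x0002 in the sample)
  cstring label
  cstring original path of the embedded file
  dword   unknown (00 00 03 00 in the sample)
  dword   length of the temp path, NUL included
  bytes   temp path
  dword   length of the embedded data
  bytes   the embedded data
"""
import struct
from dataclasses import dataclass


@dataclass
class Ole10Native:
    total_size: int     # dword at offset 0: number of bytes that follow it
    flags: int          # word at offset 4
    label: str          # first NUL-terminated string (offset 6)
    src_path: str       # original path of the embedded file
    temp_path: str      # path of the temp copy on the author's machine
    data_offset: int    # where the embedded file starts in the stream
    data: bytes         # the embedded file itself


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string; return (text, offset after the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    if total_size + 4 != len(stream):
        raise ValueError("size field does not match the stream length")
    off = 6
    label, off = _cstring(stream, off)
    src_path, off = _cstring(stream, off)
    off += 4                                   # unknown dword
    (tmp_len,) = struct.unpack_from("<I", stream, off)
    off += 4
    temp_path = stream[off:off + tmp_len].split(b"\x00", 1)[0].decode("latin-1")
    off += tmp_len
    (data_len,) = struct.unpack_from("<I", stream, off)
    off += 4
    data = stream[off:off + data_len]
    if len(data) != data_len:
        raise ValueError("embedded data is truncated")
    return Ole10Native(total_size, flags, label, src_path, temp_path, off, data)


def build_ole10native(label, src_path, temp_path, data, flags=0x0002) -> bytes:
    """Assemble a stream in the same layout; used here only to construct the sample."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", flags)
            + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + b"\x00\x00\x03\x00"
            + struct.pack("<I", len(tmp)) + tmp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


def classify(data: bytes) -> str:
    """Cheap first look at the carved payload (MZ = PE, as in the diary's dump)."""
    return "PE executable (MZ)" if data[:2] == b"MZ" else "unknown"


# Constructed sample, not the real 158418-byte stream: a fake DOS header stub.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE_STREAM = build_ole10native(
    " ",                                        # label: a single space (offset 6 in the hexdump)
    r"C:\Aaaa\exe\idd2.exe",                    # original path on the author's machine
    r"C:\Users\M\AppData\Local\Temp\idd2.exe",  # temp copy, leaks the user name "M"
    FAKE_PE,
)


def carve_from_doc(path: str, stream_name: str = "\x01Ole10Native"):
    """Real-file helper (assumes the olefile module is installed): return the
    parsed Packager object(s) found anywhere in an OLE document."""
    import olefile
    ole = olefile.OleFileIO(path)
    return [parse_ole10native(ole.openstream(entry).read())
            for entry in ole.listdir() if entry[-1] == stream_name]


if __name__ == "__main__":
    obj = parse_ole10native(SAMPLE_STREAM)
    print(f"label={obj.label!r} src={obj.src_path} temp={obj.temp_path}")
    print(f"data at offset {obj.data_offset}, {len(obj.data)} bytes: {classify(obj.data)}")
```

With the diary's paths the header is exactly 80 bytes long, which is why cut-bytes.py 80: worked; a sample with a longer label or temp path would have shifted the payload, and the size check also catches a stream that was truncated when it was dumped.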

 

The more popular a tool, a platform or an environment is, the more it will be targeted. Those who still think that they are safe with their OSX environment are wrong. Manuel wrote a diary two months ago about a ransomware written in JavaScript (which could affect different environments). Yesterday, a native malware for OSX was detected and analyzed by Palo Alto Networks. It is called KeRanger and is spread via a malicious installation package of Transmission, a popular BitTorrent client. The malicious file was available for download on the official Transmission website, which suggests that it

Once installed, the ransomware waits three days before activating itself. It communicates with its C2 via Tor. The ransom is 1 BTC (~$400). Note that the binary is signed with a legitimate developer certificate and that it also attempts to encrypt Time Machine backups (which are very popular and used by most OSX users!).

24a8f01cfdc4228b4fc9bb87fedf6eb7

Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
 
Multiple vulnerabilities in Wordpress plugin SP Projects & Document Manager
 
[SECURITY] [DSA 3508-1] jasper security update
 
Internet Storm Center Infocon Status