(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Cisco IOS and IOS XE Software CVE-2016-6474 Authentication Bypass Vulnerability
Cisco AsyncOS CVE-2016-6469 Remote Denial of Service Vulnerability


A former IT specialist at Expedia has admitted he used his privileged position to access executives' e-mails in an insider stock-trading scheme that netted almost $330,000 in illegal profits, prosecutors said.

During the two-year span that Jonathan Ly, 28, of San Francisco, worked at the online travel service, he accessed e-mail accounts belonging to the company's chief financial officer, head of investor relations, and other high-ranking employees, prosecutors with the US attorney's office in Seattle alleged in a criminal complaint filed late last week. The correspondence included upcoming earnings reports, a draft of an upcoming press release announcing Justice Department approval of Expedia's acquisition of competitor Orbitz, and other stock-moving developments that weren't yet public. Ly used the information to buy Expedia stock at a low price and then sell it after the disclosures went public at a much higher price.

"Beginning in 2013, and continuing through October 2015, Ly secretly and fraudulently accessed the contents of Expedia executives' computer files and corporate e-mail accounts in order to obtain material, non-public, and proprietary information belonging to Expedia without the knowledge and permission of the executives or Expedia," the complaint alleged. "Ly fraudulently obtained the information in order to execute a series of well-timed and lucrative securities trades in Expedia options. As a result of his scheme, Ly obtained through his securities trades net profits in excess of $331,000."


QEMU '/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c' Denial of Service Vulnerability
Cisco AnyConnect Secure Mobility Client CVE-2016-9192 Local Privilege Escalation Vulnerability
Cisco ASR 5000 Series Aggregation Services Routers CVE-2016-6467 Denial of Service Vulnerability
Cisco Web Security Appliance CVE-2016-9212 Remote Security Bypass Vulnerability
libming 'parser.c' Heap Buffer Overflow Vulnerability
Apache CouchDB CVE-2016-8742 Local Privilege Escalation Vulnerability
QEMU 'ehci_init_transfer()' Function Denial of Service Vulnerability
QEMU 'hw/display/virtio-gpu.c' Denial of Service Vulnerability
LibTIFF CVE-2016-9539 Memory Corruption Vulnerability
LibTIFF CVE-2016-9538 Integer Overflow Vulnerability
LibTIFF CVE-2016-9534 Heap Buffer Overflow Vulnerability
RETIRED: LibTIFF Multiple Security Vulnerabilites
FFmpeg CVE-2016-9561 Denial of Service Vulnerability

When investigating events, like malware or spam hitting our systems, we often send notifications to the parties from which the malicious traffic originates. On the other hand, it isn't terribly unusual for us to receive malware notifications if some of the snippets of code we post match anti-virus patterns.

So I was not terribly surprised when I recently got an e-mail regarding one of my more interesting domains that I keep around for our web application security classes: xn--govindex-634g.biz. The e-mail claimed to come from an organization that calls itself Domaincops.net. As far as malicious e-mails go, I would consider this one of the better ones. Obviously, they harvested whois information. It would not be terribly odd to find a link in a message like that (we try to avoid them, but I have seen them used in abuse notifications for tracking). But with any link, it is better to be careful, so I pulled it in from my sacrificial machine / malware lab.

What I got was an RTF document called Abuse_report_HSQ393.doc. VirusTotal had some history for the file and identified it as a generic downloader exploiting an older vulnerability (CVE-2012-0158). It is kind of sad that this group wasted a pretty nice scheme with a plausible domain name and only had a 2012 vulnerability to deliver with it.
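As an added triage check (my example, not part of the diary), the script below flags the two things seen in this attachment: a file with a .doc name whose bytes are actually RTF, and an RTF that carries an embedded-object control word. The sample files are constructed, not the real attachment.

```python
import re

# Constructed samples: an RTF with an embedded object saved under a .doc name,
# a genuine legacy binary .doc (OLE2 header), and a plain RTF with no objects.
SAMPLE_FILES = {
    "Abuse_report_HSQ393.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "readme.rtf": b"{\\rtf1\\ansi Hello}",
}

# File signatures for the container formats Word will open.
MAGIC = {
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary .doc
    b"PK\x03\x04": "zip",                         # OOXML .docx
}

# RTF control words that introduce embedded OLE/ActiveX objects.
OBJECT_WORDS = re.compile(rb"\\objdata|\\objemb|\\objocx")


def sniff(data):
    """Return the container type based on leading bytes, not the extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name, data):
    """Compare claimed extension with real content and look for embedded objects."""
    kind = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower()
    findings = []
    if kind == "rtf" and ext != "rtf":
        findings.append("rtf-content-with-%s-extension" % ext)
    if kind == "rtf" and OBJECT_WORDS.search(data):
        findings.append("rtf-embedded-object")
    return {"name": name, "kind": kind, "findings": findings}


if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        print(triage(fname, blob))
```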

The first time I tried to download the file, the site was down (it was, however, protected by Cloudflare). A day or so later, the site was up again, and I finally was able to download my report. It is interesting that the e-mail was signed with DKIM (my mail server adds the [dkimok] flag to all e-mails that have a valid signature). This should make it less likely for e-mails like this to pass spam filters.

Currently, domaincops.net has been suspended by its registrar.

Johannes B. Ullrich, Ph.D.

CVE-2013-1306: MSIE 9 MSHTML CDisp­Node::Insert­Sibling­Node use-after-free details
ForeScout CounterACT SecureConnector Agent Multiple Insecure File Creation Vulnerabilities
[security bulletin] HPSBHF03674 rev.1 HPE Comware 5 and Comware 7 Network Products using SSL/TLS, Remote Disclosure of Information
Microsoft Remote Desktop Client for Mac Remote Code Execution