There has been a lot of ingenuity poured into creating crypto-ransomware, the money-making malware that has become the scourge of hospitals, businesses, and home users over the past year. But none of that ingenuity applies to Ranscam, a new ransom malware reported by Cisco's Talos Security Intelligence and Research Group.

Ranscam is a purely amateur attempt to cash in on the crypto-ransomware trend: it demands payment for "encrypted" files that were in fact simply deleted by a batch command. "Once it executes, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."

Talos discovered the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address. The victim is instructed:

OpenSSL CVE-2016-2176 Information Disclosure Vulnerability
Apache Tomcat CVE-2015-5174 Directory Traversal Vulnerability
OpenSSL CVE-2016-0797 Multiple Integer Overflow Vulnerabilities
OpenSSL CVE-2016-0705 Denial of Service Vulnerability


A campaign that targeted a European energy company wielded malware that's so sneaky and advanced it almost certainly is the work of a wealthy nation, researchers said Tuesday.

The malware contains about 280 kilobytes of densely packed code that, like a ninja warrior, cleverly and stealthily evades a large number of security defenses. It looks for and avoids a long list of computer names belonging to sandboxes and honeypots. It painstakingly dismantles antivirus products one process at a time until it is finally safe to uninstall them. It takes special care when running inside organizations that use facial recognition, fingerprint scanners, and other advanced access control systems. And it locks away key parts of its code in encrypted containers to prevent them from being discovered and analyzed.

Once the malware has gained administrative control of a computer, it uses its lofty perch to survey the connected network, report its findings to its operators, and await further instructions. From then on, attackers have a network backdoor that allows them to install other types of malware, either for more detailed espionage or potentially sabotage. Researchers from security firm SentinelOne found the malware circulating in an underground forum and say it has already infected an unnamed energy company in Europe.


Easy Forms for MailChimp Local File Inclusion vulnerability
WP Fastest Cache Member Local File Inclusion vulnerability

As usual for the second Tuesday of the month, Microsoft today released its monthly security updates. Microsoft released a total of 11 bulletins: six are rated critical, and the remaining five are rated important.

One of the bulletins (MS16-093) affects Adobe's Flash Player and is a copy of Adobe's advisory.

None of the bulletins stands out as special. No bulletin addresses a vulnerability for which exploits have been observed, but two bulletins cover vulnerabilities that were already publicly known:

%%cve:2016-3287%%, a vulnerability in Secure Boot.
%%cve:2016-3272%%, an information disclosure vulnerability in the Windows kernel.

I don't consider either vulnerability very serious.

As far as prioritizing the patches goes, I would as usual attend to the Internet Explorer, Edge, Flash and Office patches first.

The print spooler issue is interesting. An attacker could use the vulnerability to install arbitrary print drivers, which of course leads to arbitrary code execution. As a workaround, Microsoft suggests restricting the printers your users are allowed to print to. This sounds like a good control, and this vulnerability is a good occasion to make sure your printer configurations are sufficiently restricted.

For a full list of Bulletins, see our summary here. If you prefer a more structured view, you can also retrieve the bulletin data via our API here.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Cross-Site Scripting vulnerability in Profile Builder WordPress Plugin
Cross-Site Scripting vulnerability in Master Slider WordPress Plugin
Cross-Site Scripting vulnerability in Email Users WordPress Plugin
[RCESEC-2016-004][CVE-2016-5005] Apache Archiva 1.3.9 admin/addProxyConnector_commit.action connector.sourceRepoId Persistent Cross-Site Scripting
[RCESEC-2016-003][CVE-2016-4469] Apache Archiva 1.3.9 Multiple Cross-Site Request Forgeries
[security bulletin] HPSBHF03608 rev.1 - HPE iMC PLAT and other Network Products using Apache Java Commons Collection (ACC), Remote Execution of Arbitrary Code
Persistent Cross-Site Scripting in WordPress Activity Log plugin
cURL/libcURL NTLM Connection CVE-2016-0755 Remote Security Bypass Vulnerability
OpenSSL Padding Oracle Incomplete Fix Information Disclosure Vulnerability
OpenSSL CVE-2016-2106 Integer Overflow Vulnerability
OpenSSL CVE-2016-2105 Buffer Overflow Vulnerability