Information Security News
Richard Porter --- ISC Handler on Duty. (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The FBI and its counterparts in Europe, Brazil, and elsewhere have arrested more than 60 people suspected of carrying out hacking crimes associated with a secretive online forum known as Darkode, according to media reports.
Darkode, according to a post published in April 2013 by KrebsOnSecurity, has long acted as an online bazaar for criminals looking to buy and sell drive-by exploits, spam services, ransomware programs, botnet tools, and other illicit products and services. According to news organizations located in Brazil, the site has been under investigation since March by agents with the FBI, Europol, Brazil's Federal Police, and law enforcement agencies in other countries. The operation has resulted in 62 arrests in 18 countries, including Germany, the UK, Romania, Bosnia, Serbia, India, Sweden, Denmark, and Colombia, according to the reports.
Microsoft has killed at least two security bugs linked to the compromised malware developer Hacking Team, including a critical remote-code execution hole that worked against people using the latest version of Internet Explorer on Windows 7 and 8 machines.
The IE vulnerability was discovered in an e-mail a security researcher sent to Hacking Team executives, according to a blog post published Tuesday by researchers from security firm Vectra Networks. In the message, a security researcher offered to sell proof-of-concept attack code exploiting the vulnerability, which was significant because it worked against what is widely regarded as Microsoft's most secure versions of Windows and IE.
"Are you by any chance interested in a PoC (DEP violation) last update to IE11, running on Win7 and Win 8.1?" the researcher wrote, according to the Vectra Networks blog post. "Let me know."
Overview of the July 2015 Microsoft patches and their status.
| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) |
|---|---|---|---|---|---|
| MS15-058 | Remote Code Execution Vulnerabilities in SQL Server (this bulletin was supposed to be part of the June 2015 Patch Tuesday, but got delayed until today) | | | | |
| MS15-065 | Internet Explorer Rollup Patch (Replaces MS15-056) | KB 3076321 | CVE-2015-2398 has been publicly disclosed. | Severity: Critical | |
| MS15-066 | Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS15-019) | | | | |
| MS15-067 | Remote Code Execution Vulnerability in RDP (Replaces MS15-030) | | | | |
| MS15-068 | Remote Code Execution Vulnerabilities in Hyper-V | | | | |
| MS15-069 | Remote Code Execution Vulnerabilities in Windows: Windows and Windows Media Device Manager | KB 3072631 | Unauthorized DLL loading is an ongoing issue. | Severity: Important | |
| MS15-070 | Remote Code Execution Vulnerabilities in Office (Replaces MS13-084, MS15-022, MS15-033, MS15-046): Microsoft Office (including Mac and SharePoint) | KB 3072620 | CVE-2015-2424 has been used in exploits. | Severity: Important | |
| MS15-071 | Spoofing Vulnerability in Netlogon (Replaces MS15-027) | | | | |
| MS15-072 | Elevation of Privilege Vulnerability in Windows Graphics Component (Replaces MS15-035) | | | | |
| MS15-073 | Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-061) | | | | |
| MS15-074 | Elevation of Privilege Vulnerability in Windows Installer Service (Replaces MS49-049) | | | | |
| MS15-075 | Elevation of Privilege Vulnerability in OLE (Replaces MS13-070) | | | | |
| MS15-076 | Elevation of Privilege in Windows RPC (Replaces MS15-055) | | | | |
| MS15-077 | Elevation of Privilege Vulnerability in ATM Font Driver (ATMFD.DLL) (Replaces MS15-021) | KB 3077657 | Exploits detected. | Severity: Important | |
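For the bulletins in the table that carry a KB number, a quick way to check a Windows host is to query installed hotfixes. The script below is an added example, not part of the ISC diary; the KB numbers and notes come from the table above, and the bulletin-to-KB mapping is only for readability.

```powershell
# Added example (not from the ISC diary): report whether the July 2015
# bulletins above that list a KB number are installed on this machine.
# Run in an elevated PowerShell session.
$Bulletins = @(
    @{ Bulletin = 'MS15-065'; KB = 'KB3076321'; Note = 'IE rollup; CVE-2015-2398 publicly disclosed' },
    @{ Bulletin = 'MS15-069'; KB = 'KB3072631'; Note = 'Windows / Media Device Manager DLL loading' },
    @{ Bulletin = 'MS15-070'; KB = 'KB3072620'; Note = 'Office; CVE-2015-2424 used in exploits' },
    @{ Bulletin = 'MS15-077'; KB = 'KB3077657'; Note = 'ATMFD.DLL; exploits detected' }
)

# Get-HotFix reads Win32_QuickFixEngineering, which covers operating system
# updates only. Office updates (MS15-070) are not reliably listed there, so a
# MISSING result for KB3072620 should be confirmed through the Office update
# channel rather than treated as final.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($b in $Bulletins) {
    $state = if ($installed -contains $b.KB) { 'installed' } else { 'MISSING' }
    [pscustomobject]@{
        Bulletin = $b.Bulletin
        KB       = $b.KB
        State    = $state
        Note     = $b.Note
    }
}
```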
Adobe Systems has issued an emergency update for its Flash media player to patch two critical zero-day vulnerabilities that allow attackers to surreptitiously install malware on end-user computers.
The previously unknown vulnerabilities were unearthed in the 400-gigabyte data dump hackers published nine days ago after rooting the servers of Hacking Team, the Italy-based company that sold spyware and exploits to governments around the world. As previously reported, Hacking Team was itself hacked by unknown individuals, who then published e-mails, sales invoices, and marketing material that appeared to contradict long-standing assurances from company executives that they operated ethically and didn't do business with repressive governments.
The two Flash vulnerabilities unearthed this past weekend are in addition to a third one found earlier in the Hacking Team dump, which Adobe patched last week, a few days after it was discovered. All three critical vulnerabilities were present in Flash versions for Windows, Mac OS X, and Linux. At least one of them was potent enough to pierce the vaunted Google Chrome security sandbox, most likely because it was combined with a separate privilege-escalation exploit for Windows.
In a warm-up to Patch Tuesday, it looks like we have new versions of Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the patched vulnerabilities are public, you may want to expedite patching and review your Flash Player and browser configuration.
The latest (patched) versions are (thanks Dave!):
- Flash Player 184.108.40.206
- Flash Player ESR 220.127.116.115
- Reader 10.1.15
- Reader 11.0.12
- Shockwave Player 18.104.22.168
You can get the latest version here: https://get.adobe.com/flashplayer/
Also note that many browsers now allow you to disable Flash by default. You can re-enable it for sites that require Flash. Here is a nice page that will explain how to have your browser ask for permission before running plugins:
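As an added example (not from the diary), the following script sets the machine-wide Chrome policy on Windows so plugins such as Flash are click-to-play rather than auto-running; it assumes Chrome is installed and is run from an elevated PowerShell session.

```powershell
# Added example (not from the ISC diary): make Chrome ask before running
# plugins such as Flash by setting the DefaultPluginsSetting policy.
# Value 3 = click to play (1 = always allow, 2 = block all).
# Requires an elevated session; Chrome applies the policy on next start.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Create the policy key if no Chrome policies have been set yet.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Write the DWORD policy value, overwriting any previous setting.
New-ItemProperty -Path $policyKey -Name 'DefaultPluginsSetting' `
    -PropertyType DWord -Value 3 -Force | Out-Null

# Verify by reading the value back and reporting what Chrome will see.
$current = (Get-ItemProperty -Path $policyKey).DefaultPluginsSetting
if ($current -eq 3) {
    'Chrome plugins set to click-to-play (DefaultPluginsSetting=3)'
} else {
    "Unexpected DefaultPluginsSetting value: $current"
}
```

The applied value can also be confirmed inside the browser at chrome://policy, which lists the policy name and its source.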
by Sebastian Anthony
There's some drama going down in the Flash camp. Yesterday, because of two unpatched Hacking Team zero-day vulnerabilities, Mozilla blacklisted Adobe Flash Player 22.214.171.124, meaning Flash was disabled by default in Firefox. This morning, just a few moments ago, Adobe rushed out version 126.96.36.199, plugging the two vulnerabilities.
Meanwhile, over at Facebook, the company's new chief security officer called for Adobe to "announce an end-of-life date for Flash," so that we can finally "disentangle the dependencies and upgrade the whole ecosystem."
And if two Web giants weren't enough, Google recently announced that the next stable version of Chrome would "intelligently" block auto-playing Flash elements.
by Cyrus Farivar
Turns out, going after someone’s Bitcoin transactions is much easier than you might think. After all, as the saying goes, once you’re pwned, you’re pwned.
After Hacking Team, the Italian spyware vendor, was hacked earlier this month, and 400GB of its internal data was released, Ars reviewed many internal e-mails from the company. These documents clearly illustrate how simply Hacking Team's "Money Module" worked, and they provide a small glimpse into which customers were particularly interested in it.
In general, the Italian spyware company sold (and hopes to continue to sell) software that allowed targets to be surreptitiously surveilled as they used computers or smartphones, and its clientele included law enforcement agencies worldwide. Back in January 2014, Hacking Team internally announced a new feature as part of its version 9.2 upgrade to its Remote Control System suite, and the new iteration would include a way to "track cryptocurrencies, such as BitCoin [sic], and all the related information."