Hackin9
Webutler CMS 3.2 - Cross-Site Request Forgery
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Daily record for Tuesday, April 19
Grand Island Independent
Christifer P. Luna-Cardenas, 25, 212 North Lane, was charged with leaving accident-fail to furnish info-second offense and fourth-offense DUI, both on Sunday. Preliminary hearing set for 10:30 a.m. May 11. Jodi L. Hoffman, 46, De Pere, Wis., was ...

 

---
Johannes B. Ullrich, Ph.D.

 

I'm currently going through a phase of WordPress dPression. Either my users are exceptionally adept at finding hacked and subverted WordPress sites, or there are just so many of these sites out there. This week's particular fun seems to be happening on restaurant web sites. Inevitably, when checking out the origin of some crud, I discover a dPressing installation that shows signs of having been owned for months. The subverted sites currently lead to the Angler Exploit Kit (Angler EK), and are using Pseudo-Darkleech as their gate.

Pseudo-Darkleech is not the most fortunate name for malcode, but as far as I can tell, it was invented

ants-wer4u-org showed up for the first time on April 18, and has been in use since. "cerf volant" is French and means kite (literally, "flying stag"). I hope this was a random selection, because the only other option is that this particular malware miscreant is actually making fun of us. VirusTotal shows a couple of goodies that have been observed from this site.

In this diary, we'll do a step-by-step of the decoding, to show how it can be done, and more importantly, to show how massively convoluted the encoding used in current exploit kit gates has become. If, in a corporate setting, you are wondering why you get all the Angler EK (JS/Redirector) hits only on your workstation anti-virus, but not on your proxy content filter, this diary is for you. You'll see that it is becoming very hard (aka impossible) to detect such malcode without actually running it in a real browser. Sit back, and get some popcorn! :)

If you look at the first picture above, you'll notice there are two elements. One is an HTML DIV section named evs, filled with what looks like a garbage combination of numbers and letters. The other is a script section, but filled with what does not look like JavaScript at all.

For starters, let's ignore the evs and make sense of the script section first. The script is one long line, so the first step is to break it up into something readable:

$ cat script.js | perl -pe \n/g

This adds a line break to every

The result is still obfuscated, but now at least it looks like JavaScript: the string literals are written as hex escapes, for example hkgcz="\x63\x78\x63", which is simply the string "cxc". Replacing each \xNN escape with the corresponding character turns this into plain code.

Note how the decoded JavaScript references the evs DIV. It first applies replace(/[^\d ]/g, ''): everything that is not a space or a digit (\d) gets replaced with nothing, leaving only a sequence of numbers separated by spaces. Each of those numbers is then run through parseInt(a[i])^9, i.e. XORed with 9, and the result is used as a character code. The same decoding can be reproduced on the command line without running any of the malcode:

$ cat evs | perl -pe 's/(\d+)\s+/chr($1^9)/ge'
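As an added example (not code from the diary, and not the gate's own script), here are the two decoding steps above re-implemented in Node.js: the \xNN hex-escape cleanup for the script block, and the strip-non-digits-then-XOR-with-9 decode of the evs DIV. The function names, the encoder used to build test input, and the sample iframe payload are constructed for this example; only the transform itself comes from the diary.

```javascript
// Added example (not code from the ISC diary): a Node.js re-implementation
// of the two decoding steps the diary walks through by hand with perl.
// The names unescapeHex/decodeEvs/encodeEvs and the sample payload below
// are this example's own; only the technique (drop everything that is not
// a digit or a space, then XOR every number with 9) comes from the diary.

// Step 1 helper: the script block hides strings as hex escapes such as
// "\x63\x78\x63". Rewrite them to plain characters so the code is readable.
function unescapeHex(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Step 2: decode the evs DIV the way the gate's JavaScript does:
//   divText.replace(/[^\d ]/g, '')          -> keep only digits and spaces
//   String.fromCharCode(parseInt(n) ^ 9)    -> each number XOR 9 is one char
// This is the same transform as the diary's
//   perl -pe 's/(\d+)\s+/chr($1^9)/ge'
// The XOR constant is a parameter so a variant gate with a different key
// can be decoded with the same function.
function decodeEvs(divText, key = 9) {
  const digitsAndSpaces = divText.replace(/[^\d ]/g, '');
  return digitsAndSpaces
    .split(' ')
    .filter(tok => tok.length > 0)          // ignore runs of spaces
    .map(tok => String.fromCharCode(parseInt(tok, 10) ^ key))
    .join('');
}

// Encoder used only to build a constructed sample for testing: every char
// XOR key as a decimal number, padded with junk letters the way the real
// DIV content is. The junk never contains digits, so decodeEvs strips it.
function encodeEvs(plain, key = 9) {
  const junk = 'qwertzuiopasdfghjklyxcvbnm';
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const n = plain.charCodeAt(i) ^ key;
    out += junk[i % junk.length] + n + junk[(i * 7) % junk.length] + ' ';
  }
  return out;
}

// Constructed sample (not the real gate's payload): the kind of hidden
// redirector iframe such a DIV typically decodes to.
const samplePayload =
  '<iframe src="http://example.invalid/gate" width="1" height="1"></iframe>';
const sampleDiv = encodeEvs(samplePayload);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unescapeHex('hkgcz="\\x63\\x78\\x63";'));   // hkgcz="cxc";
  console.log(sampleDiv.slice(0, 48) + '...');             // digits and junk
  console.log(decodeEvs(sampleDiv));                       // the iframe again
}
```

Run it with node; the constructed sample round-trips through encodeEvs and decodeEvs. The point for a content filter is visible in sampleDiv: nothing in the transmitted bytes resembles an iframe or a URL until the XOR is applied, which is why a static signature on the proxy does not fire.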


Even more progress :). I'll finish the analysis in a second diary that I'll post later.

 

The Star Online

Agency working to beef up leadership in information security
The Star Online
CYBERSecurity Malaysia (CSM), an agency under the Science, Technology and Innovation Ministry, has successfully trained its top information security executives in the EC-Council's Certified Chief Information Security Officers (CCISO) programme.

 

Techworm

This slim PiPO KB2 folding keyboard is actually a Windows 10 PC
Techworm
About Us. Techworm is a Security News Platform that centers around Infosec, Hacking, Zero-days, Malware, Vulnerabilities, Cyber Crime, DDoS, Surveillance and Privacy Issues and to keep you Informed and Secure.

 

Tom's Guide

Mac Anti-Ransomware Tool Released, but Needs More Work
Tom's Guide
"Unless you've been living under an infosec rock, you're likely aware that ransomware is somewhat of a problem, to put it mildly," Wardle, a researcher with Silicon Valley security firm Synack, wrote in a blog post. "There are already claims that ...

 
Cisco Security Advisory: Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco Wireless LAN Controller HTTP Parsing Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco Wireless LAN Controller Denial of Service Vulnerability
 
Cisco Security Advisory: Multiple Cisco Products libSRTP Denial of Service Vulnerability
 

LockPath Included in Gartner's Market Guide for Corporate Compliance and Oversight Solutions
Marketwired (press release)
LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to ...

 
RCE via CSRF in phpMyFAQ
 


New research into the "Rowhammer" bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers.

The scenario is based on a finding that the Rowhammer vulnerability can be triggered by what's known as non-temporal code instructions. That opens vulnerable machines to several types of exploits that haven't been discussed in previous research papers. For instance, malicious Web applications could use non-temporal code to cause code to break out of browser security sandboxes and access sensitive parts of an operating system. Another example: attackers could take advantage of media players, file readers, file compression utilities, or other apps already installed on Rowhammer-susceptible machines and cause the apps to trigger the attacks.

As Ars has previously reported, Rowhammer exploits physical weaknesses in certain types of DDR memory chips to reverse the individual bits of data they store. By repeatedly accessing small regions of memory many times per second, code can change zeroes to ones and vice versa in adjacent regions. These changes occur even though the exploit code doesn't access, and doesn't have access rights to, the adjacent regions. The bug took on the name Rowhammer, because when the code figuratively clobbers one or more rows of memory cells, it causes bitflips in a neighboring cell.


 

WhiteHat Security Announces The Tenth Annual Top 10 Web Hacking Techniques For 2015
PR Newswire (press release)
"Within these thousands of pages are the newest, most creative ways to attack websites, browsers and their mobile equivalents. We created the Top 10 Web Hacks as a way to encourage information sharing within the InfoSec community, help IT professionals ...

 

Information Management

Growing Cyber Threats Forcing Many Firms to Rethink Defense Strategies
Information Management
In Amica's case, all vendors are required to provide documentation on security policies, network infrastructure diagrams and report findings from independent information security audits or assessments. "It's now essential for all of our third-party ...

 
shell.com vulnerable TLS
 
*.Shell.com Port 443 DROWN decryption attack
 

The Register

Top infosec students square off in inter-uni hackathon contest
The Register
Cambridge University is due to host a cybersecurity hacking competition between the top UK universities next Saturday (23 April). The hackathon (pdf), which is expected to involve students from 10 UK universities, follows a similar exercise between ...

 
PHPBack v1.3.0 SQL Injection
 
Internet Storm Center Infocon Status