CERT advises users to ‘discontinue use’ of two Netgear routers due to major security flaw

December 10, 2016 – 7:32 PM

In a major setback for Netgear, it appears that at least two of its high-end routers may contain a severe security flaw according to an advisory issued by CERT.

The vulnerability itself is incredibly easy to leverage and simply relies upon accessing a specially crafted URL in the following format from the local network:

http://< router_IP >/cgi-bin/;COMMAND

The above will result in a command injection attack via the router’s web interface which will execute arbitrary commands with root privileges. Notably, the attack can be initiated remotely by an attacker who manages to fool a local user into clicking on a malicious URL hidden behind a shortened link. Otherwise, a nefarious user already on the local network can craft and visit a URL of their choice in order to achieve the same outcome.

So far, the two routers that have been confirmed to be susceptible to this vulnerability are:

  • Netgear R6400 with firmware version 1.0.1.6_1.0.4 (and possibly earlier)
  • Netgear R7000 with firmware version 1.0.7.2_1.1.93 (and possibly earlier)

While unconfirmed by CERT, one Reddit user indicated that their Netgear R8000 router was also affected by the flaw, which means that the list of impacted hardware may well expand over the coming days.

Source:
https://www.neowin.net/news/cert-advises-users-to-discontinue-use-of-two-netgear-routers-due-to-major-security-flaw

323,000 pieces of malware detected daily

December 8, 2016 – 5:37 AM

According to Kaspersky Lab, the number of new malware files detected by its products in 2016 increased to 323,000 per day. This is an increase of 13,000 from the amount in 2015, and a significant jump from the 70,000 files per day identified in 2011.

The number of cyberthreats appearing every day is now so big that it is impossible to process each one of them manually. That’s why automating the malware discovery and analysis process, in combination with human expertise, is the best approach when it comes to fighting modern cyber threats.

As a result, the Kaspersky Lab cloud malware database, includes discoveries by Astraea – a machine-learning based malware analysis system working inside the Kaspersky Lab infrastructure. Over a fifth of the malicious objects included in the cloud database were discovered and identified as malicious by Astraea. The database now carries a billion malicious objects, including viruses, Trojans, backdoors, ransomware, and advertisement applications and their components.

The percentage of malware discovered and added automatically to the Kaspersky Lab cloud database by Astraea has been growing steadily over the last five years: from 7.53 percent in 2012, to 40.5 percent in December 2016. The proportion is growing in line with the number of new malicious files discovered daily by Kaspersky Lab experts and detection systems. This has increased from 70,000 files per day in 2011 to 323,0001 per day in 2016.

Source:
https://www.helpnetsecurity.com/2016/12/08/malware-detected-daily/

Malicious online ads expose millions to possible hack

December 7, 2016 – 5:46 AM

Since October, millions of internet users have been exposed to malicious code served from the pixels in tainted banner ads meant to install Trojans and spyware, according to security firm ESET.

The attack campaign, called Stegano, has been spreading from malicious ads in a “number of reputable news websites,” ESET said in a Tuesday blog post. It’s been preying on Internet Explorer users by scanning for vulnerabilities in Adobe Flash and then exploiting them.

The attack is designed to infect victims with malware that can steal email password credentials through its keylogging and screenshot grabbing features, among others.

The attack is also hard to detect. To infect their victims, the hackers were essentially poisoning the pixels used in the tainted banner ads, ESET said in a separate post.

The hackers concealed their malicious coding in the parameters controlling the pixels’ transparency on the banner ad. This allowed their attack to go unnoticed by the legitimate advertising networks.

Victims will typically see a banner ad for a product called “Browser Defense” or “Broxu.” But in reality, the ad is also designed to run some Javascript that will secretly open a new browser window to a malicious website designed to exploit vulnerabilities in Flash that will help carry out the rest of the attack.

Source:
http://www.computerworld.com.au/article/611235/malicious-online-ads-expose-millions-possible-hack/?

Mozilla and Tor release urgent update for Firefox 0-day under active attack

November 30, 2016 – 9:15 PM

Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

“The security flaw responsible for this urgent release is already actively exploited on Windows systems,” a Tor official wrote in an advisory published Wednesday afternoon. “Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately.”

The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post that said the vulnerability has also been fixed in a just-released version of Firefox for mainstream users. On early Wednesday, Veditz said, his team received a copy of the attack code that exploited a previously unknown vulnerability in Firefox.

The attack executed code when targets loaded malicious JavaScript and code based on scalable animation vector graphics. The exploit used the capability to send the target’s IP and MAC address to an attacker-controlled server. The code in general resembles the types of so-called network investigative techniques used by law-enforcement agencies, and specifically one that the FBI used in 2013 to identify Tor-protected users who were trading child pornography.

Source:
http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-active-attack/

Major Linux security hole gapes open

November 16, 2016 – 5:51 AM

Sometimes Linux users can be smug about their system’s security. And sometimes a major hole that’s been hiding in Linux since about version 2.6 opens up and in you fall.

The security hole this time is with how almost all Linux distributions implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It’s in Cryptsetup default configuration file that the problem lies and it’s a nasty one. Known Linux distributions with this bug include Debian, Ubuntu, Fedora, Red Hat Enterpise Linux (RHEL), and SUSE Linux Enterprise Server (SLES).

As described in the security report, CVE-2016-4484, the hole allows attackers “to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

Now for the really embarrassing part. Want to know how to activate it? Boot the system and then hold down the enter key. Wait. After about a minute and a half, you’ll find yourself in a BusyBox root shell. You now control the horizontal, you now control the vertical, and whoever owns the system is not going to be happy with you.

Source:
http://www.zdnet.com/article/major-linux-security-hole-gapes-open/