CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Breaches And Incidents’ Category

Apple.com Hit In Latest Mass Hack Attack

Tuesday, August 17th, 2010

A hack attack that can expose users to malware exploits has infected more than 1 million webpages, at least two of which belong to Apple.

The SQL injection attacks bombard the websites of legitimate companies with database commands that attempt to add hidden links that lead to malware exploits. While most of the sites that fell prey appear to belong to mom-and-pop operations, two of the infections hit pages Apple uses to promote iTunes podcasts. The malicious links appear to have been removed since Google last indexed the pages in early August.

In all, at least 538,000 pages have been compromised by the same attack. Attacks that bear similar fingerprints but point to different domains have claimed close to 500,000 more.

“These attacks have been ongoing and are changing pretty often,” said Mary Landesman, a senior researcher with ScanSafe, a Cisco-owned service that provides customers with real-time intelligence about malicious sites. “Interestingly, many of the sites compromised have been involved in repeated compromises over the past few months. It’s not clear whether these are the work of the same attackers or are competing attacks.”

SQL injection attacks succeed because web applications fail to properly filter search queries and other user-supplied input for malicious text. When that input is processed, the SQL commands embedded in it are passed to the website’s backend database, which then adds links to pages or coughs up sensitive information.

The attacks that hit Apple used highly encoded text strings to sneak past web-application filters. They are only the latest in a series of hack attacks to hit large numbers of websites.
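The two paragraphs above describe the defect and the reason filters alone fail against encoded payloads. The following added example (written for this page; it is not code from the article, Apple or any of the affected sites) shows a lookup built by string concatenation next to the same lookup using a bound parameter. The table, the `published` flag and the request value `TAUTOLOGY` are all constructed. Because the safe version validates the type and binds the value, the database never interprets the input as SQL, so no encoding trick gets past it.

```python
import sqlite3

# Constructed in-memory table standing in for a site's podcast listing
# (example data, not taken from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE podcasts (id INTEGER PRIMARY KEY, title TEXT, link TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO podcasts (id, title, link, published) VALUES (?, ?, ?, ?)",
        [
            (1, "Tech Talk", "https://podcasts.example/techtalk", 1),
            (2, "Daily News", "https://podcasts.example/news", 1),
            (3, "Unreleased Pilot", "https://podcasts.example/draft", 0),
        ],
    )
    return conn


def lookup_vulnerable(conn, podcast_id):
    """Defect: the request parameter is pasted into the SQL text, so it can carry SQL.
    In drivers that accept stacked statements the same flaw lets an attacker append
    an UPDATE that rewrites the stored links, which is what the mass attack did."""
    sql = ("SELECT id, title, link FROM podcasts WHERE id = " + podcast_id
           + " AND published = 1 ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, podcast_id):
    """Validate the type first, then bind the value with a placeholder.
    The input is handed to the engine as data and is never parsed as SQL."""
    try:
        pid = int(podcast_id)
    except ValueError:
        return []
    sql = "SELECT id, title, link FROM podcasts WHERE id = ? AND published = 1 ORDER BY id"
    return conn.execute(sql, (pid,)).fetchall()


# Constructed request parameter: '--' comments out the rest of the WHERE clause,
# so the unpublished row leaks along with everything else.
TAUTOLOGY = "0 OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY))  # all three rows
    print("safe:      ", lookup_safe(db, TAUTOLOGY))        # []
```

Worth noting for code review: `lookup_safe` rejects the input before the query is even built, and the `?` placeholder would protect it even if the `int()` check were removed. The check is there because an id that is not an integer is a bug worth logging, not just a query to neutralize.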

The exploits used this time around weren’t as effective as they might have been. According to Landesman, many of the iframes embedded in the websites contained HTML that couldn’t be rendered.

Credit: The Register

Facebook Bug Reveals Names And Photos For All 500 Million Users

Wednesday, August 11th, 2010

A bug in Facebook’s login system allows attackers to match unknown email addresses with users’ first and last names, even when they’ve configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”

Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.
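The bug described above is a classic account-enumeration flaw: the login page answers differently depending on whether the address exists. The following added example is not Facebook's code and not Agarwal's script; it is a constructed login handler (fixed salt, one user, PBKDF2) written for this page to show the leaky pattern beside the fix. `login_uniform` returns the same message for an unknown address and a wrong password, and always runs the hash comparison so that response time does not leak the answer either.

```python
import hashlib
import hmac

ITERATIONS = 50_000
# Constructed fixed salt for the example; real systems use a random salt per user.
SALT = b"constructed-example-salt"


def _hash(password, salt=SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: email -> (display name, password hash).
USERS = {
    "alice@example.com": ("Alice Example", _hash("correct horse")),
}
# Hash compared against when the address is unknown, so the work done is identical.
DUMMY_HASH = _hash("placeholder-never-matches")


def login_leaky(email, password):
    """Defect: the error text differs for unknown address vs. wrong password,
    and the real name is echoed back to anyone who guesses an address."""
    if email not in USERS:
        return {"ok": False, "error": "No account with that email"}
    name, pw_hash = USERS[email]
    if hmac.compare_digest(pw_hash, _hash(password)):
        return {"ok": True, "name": name}
    return {"ok": False, "error": f"Wrong password for {name}"}


def login_uniform(email, password):
    """One generic failure message, and the same hashing work on every path."""
    name, pw_hash = USERS.get(email, (None, DUMMY_HASH))
    matched = hmac.compare_digest(pw_hash, _hash(password))
    if matched and name is not None:
        return {"ok": True, "name": name}
    return {"ok": False, "error": "Incorrect email or password"}


def reveals_existence(login, known_email, unknown_email):
    """True if a wrong-password attempt tells a known address apart from an unknown one."""
    return login(known_email, "wrong") != login(unknown_email, "wrong")


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "leaks existence:",
              reveals_existence(fn, "alice@example.com", "nobody@example.com"))
```

The uniform message removes the oracle from the response body; the quote above about proxies is a reminder that rate limiting by source address is a weak second layer on its own, since the attacker simply spreads the requests over many addresses.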

Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users’ birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne’er-do-wells to invade the users’ privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.

Evidently, the name-to-email-address extraction bug has been overlooked. We wouldn’t be surprised to see this fixed in short order.

Credit: The Register

Compromised Web Servers Used As Botnet To Brute Force SSH

Wednesday, August 11th, 2010

There are strong indications that unidentified hackers are currently building a botnet, possibly by exploiting a vulnerability in outdated phpMyAdmin installations, and are using it to launch SSH brute force attacks.

Apparently more and more Web server owners are finding instances of an unauthorized script called dd_ssh running on their systems. The script is located in the /tmp/ directory, runs under the same account as Apache and is apparently being used to brute force SSH logins.

The SANS Internet Storm Center (ISC) confirms detecting a recent spike in the number of unique IP addresses that participate in SSH scanning.

Data gathered by its DShield monitoring system shows that the number of SSH scanning sources increased from around 1,300 per day at the beginning of August to over 5,000 at this moment.

According to some reports, attackers might be exploiting a vulnerability in older versions of phpMyAdmin in order to drop dd_ssh and another file called vm.c in the /tmp directory.

The vulnerability, which allows for remote code execution, is said to affect versions below 3.2.4 (Debian) and has apparently been patched back in April.
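Two indicators are named in the paragraphs above: a script running out of /tmp under the web server's account, and a jump in the number of distinct addresses attempting SSH logins. The following added example (written for this page, not tooling from SANS ISC, DShield or F5) checks both against constructed input: a short `auth.log` excerpt using documentation address ranges and a constructed `ps -eo user,pid,args` listing. The day labels, the 3x-baseline rule and the `www-data` account name are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (syslog format, documentation address ranges).
SAMPLE_LOG = """\
Aug  1 03:12:07 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Aug  1 03:12:09 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Aug  1 04:40:51 web1 sshd[2188]: Failed password for root from 198.51.100.7 port 51011 ssh2
Aug  9 01:02:03 web1 sshd[3301]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
Aug  9 01:02:05 web1 sshd[3302]: Failed password for invalid user test from 203.0.113.6 port 33002 ssh2
Aug  9 01:02:06 web1 sshd[3303]: Failed password for root from 203.0.113.7 port 33003 ssh2
Aug  9 01:02:08 web1 sshd[3304]: Failed password for invalid user guest from 198.51.100.7 port 33004 ssh2
Aug  9 01:02:09 web1 sshd[3305]: Accepted publickey for deploy from 192.0.2.50 port 5000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port"
)


def sources_per_day(log_text):
    """Map 'Mon DD' -> set of source addresses with failed SSH logins that day.
    Counting distinct sources (as DShield does) rather than raw attempts makes
    a botnet spread over many hosts stand out even when each host is quiet."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_day[f"{m['mon']} {int(m['day']):02d}"].add(m["ip"])
    return per_day


def spike_days(per_day, baseline, factor=3.0):
    """Days whose distinct-source count exceeds factor * baseline (assumed threshold)."""
    return sorted(day for day, ips in per_day.items() if len(ips) > factor * baseline)


# Constructed `ps -eo user,pid,args` output; the dd_ssh entry mirrors the article's description.
PS_SAMPLE = """\
USER       PID COMMAND
root         1 /sbin/init
www-data  4412 /usr/sbin/apache2 -k start
www-data  4590 /tmp/dd_ssh
postgres  2210 /usr/lib/postgresql/bin/postgres
"""


def suspicious_web_processes(ps_text, web_user="www-data",
                             tmp_prefixes=("/tmp/", "/var/tmp/", "/dev/shm/")):
    """Processes owned by the web server account whose executable lives in a temp directory."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts
        exe = cmd.split()[0]
        if user == web_user and exe.startswith(tmp_prefixes):
            hits.append((int(pid), exe))
    return hits


if __name__ == "__main__":
    per_day = sources_per_day(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, len(per_day[day]), "distinct sources")
    print("spike days:", spike_days(per_day, baseline=1))
    print("web-user processes in temp dirs:", suspicious_web_processes(PS_SAMPLE))
```

On a real host the `ps` text would come from `subprocess.run(["ps", "-eo", "user,pid,args"])` and the log from the file sshd writes to on that distribution; a process whose binary sits in a world-writable temp directory and runs as the web server account is a strong signal regardless of its name, because a legitimate deployment has no reason to execute from there.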

“I’ve found that many people who have been attacked have logs showing a flood of http requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin,” a networking and security enthusiast, who looked into the attacks, writes.

“These attacks may resemble a DDoS attack server side, but have an ulterior motive. Once they discover the version to be vulnerable, they inject the code,” he adds.

Even though the SSH brute force attacks have spiked this month, the dd_ssh script has been mentioned in various reports since June, like this one from networking appliances manufacturer F5 Networks.

Credit: Softpedia.com News

New Mass Injection Attack Adds Rogue Code To JS Files, Rackspace And Media Temple Affected

Monday, August 9th, 2010

Security researchers warn that a new mass injection attack is affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legitimate .js files used by the affected websites.

The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. “Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: ‘myads .name’, ‘adsnet .biz’, ‘toolbarcom .org’, ‘mybar .us’, ‘freead .name’,” the Web security expert notes.

What’s rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts. In fact, this is hardly the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.

Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on new lines in the tainted files. It’s actually prepended to the first line in the document, making automatic removal a bit harder, since removing the entire line would also break the legit code. According to Sinegubko, automatic cleaning scripts should not remove anything that follows “this.O=58441;var gr0=0;”.

The rogue JavaScript first performs a check to see if the visitor is a search engine crawler or a real user. The malicious payload will not be served to search engine bots. Real visitors will also only be targeted once, after which a cookie will be set in their browser preventing them from being attacked in the future. There’s obviously no point in trying to re-infect a user that’s already been infected or on whose computer the exploit failed.

The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code will calculate a URL and load the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations on each. That means 180 possible malicious URLs.

Websites hosted at both companies have been targeted in mass injection attacks before. However, their security staff haven’t found any particular vulnerability being exploited or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions. He suggests changing the permissions of static content files like .js, which hardly ever get modified, to 444 or even 400, if the Web app doesn’t need to change them either.
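The cleanup rule and the permissions advice above translate directly into a small script. The following added example is written for this page and is not Unmask Parasites code: it trims only the injected prefix from the first line of a .js file, assuming (as the article implies) that the marker string is the last statement of the injected snippet, then reports and fixes static files that still carry a write bit. The fixture it builds in a temporary directory is constructed, and the stand-in payload before the marker is a harmless placeholder, not the real obfuscated code.

```python
import os
import stat
import tempfile

# Marker the article reports; legitimate code follows it on the same line.
MARKER = "this.O=58441;var gr0=0;"


def clean_js_text(text, marker=MARKER):
    """Return (cleaned_text, was_injected). Only the prefix up to and including
    the marker on the first line is removed; the rest of that line is kept."""
    first, sep, rest = text.partition("\n")
    idx = first.find(marker)
    if idx < 0:
        return text, False
    return first[idx + len(marker):] + sep + rest, True


def writable_static_files(root, exts=(".js", ".css")):
    """Static files under root whose mode still grants a write bit to anyone."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                if stat.S_IMODE(os.stat(path).st_mode) & 0o222:
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def harden(root, exts=(".js", ".css"), mode=0o444):
    """Apply the 444 suggested in the article to every writable static file."""
    for rel in writable_static_files(root, exts):
        os.chmod(os.path.join(root, rel), mode)


# Constructed fixture: a placeholder in place of the obfuscated payload, then the marker,
# then the site's own first line.
INJECTED_PREFIX = "(function(){/* constructed stand-in for the payload */})();" + MARKER
LEGIT_FIRST_LINE = "var site = site || {};"
LEGIT_FILE = LEGIT_FIRST_LINE + "\nsite.ready = true;\n"


def run_demo():
    """Build the fixture, clean it, harden it, and return what happened at each step."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "js")
        os.makedirs(js_dir)
        with open(os.path.join(js_dir, "app.js"), "w") as f:
            f.write(INJECTED_PREFIX + LEGIT_FILE)
        with open(os.path.join(js_dir, "clean.js"), "w") as f:
            f.write(LEGIT_FILE)

        writable_before = writable_static_files(root)
        cleaned = []
        for rel in writable_before:
            path = os.path.join(root, rel)
            with open(path) as f:
                text, injected = clean_js_text(f.read())
            if injected:
                with open(path, "w") as f:
                    f.write(text)
                cleaned.append(rel)
        harden(root)
        with open(os.path.join(js_dir, "app.js")) as f:
            first_line = f.readline().rstrip("\n")
        return {
            "writable_before": writable_before,
            "cleaned": cleaned,
            "writable_after": writable_static_files(root),
            "app_js_first_line": first_line,
        }


if __name__ == "__main__":
    print(run_demo())
```

Read-only mode bits only help if the attacker is writing as the same account that owns the files; an attacker who has root, or who can change the mode back, is not stopped. Combined with a periodic hash check of the static tree, though, they turn a silent modification into a loud one.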

Credit: Softpedia.com News

Mass Injection At Media Temple Hosting Leads To Web Exploit Kit

Friday, August 6th, 2010

Security researchers from Websense warn that over one hundred websites hosted at Media Temple (mt) have been injected with rogue code that leads visitors to a potent Web exploitation kit. The toolkit targets a dozen vulnerabilities in older versions of Flash Player, Adobe Reader, Internet Explorer or Java Runtime.

The mass compromise was detected by Websense’s ThreatSeeker Network, and even though the affected websites are hosted at Media Temple, this does not imply any security problems with the hosting company’s servers or infrastructure. Similarly to other hosting providers, Media Temple has had its share of compromised websites under its roof in the past and this is because hackers systematically scan entire address spaces for vulnerable targets, before proceeding to infect them.

A large number of the websites compromised in this latest attack (46%) are running WordPress, but again, this does not suggest any unpatched vulnerability in the popular blogging platform. The Websense security researchers note that most likely the injections are the result of flaws in outdated third party software.

The rogue code added to the compromised websites is obfuscated JavaScript that generates one of many malicious URLs and directs users to it. “Using the algorithm [...], we generated 64 URLs […] and find there are 2 different scripts. One is very simple with an anti-bot trick so it won’t be crawled by search engines. […] The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix,” the Websense experts explain.

An exploit kit is a collection of exploits for vulnerabilities affecting various applications that are usually found on most people’s computers. At the moment, the Phoenix kit targets two flaws in Adobe Flash Player, five in Adobe Reader, three in Internet Explorer and two in the Java Runtime Environment, though these could change in the future.

In order to stay protected from such threats, users are advised to always keep their applications up to date and run a capable antivirus program on their computers. Free specialized programs like the Personal Software Inspector (PSI) from Secunia can monitor most programs installed on a computer and alert the owner as soon as any updates for them are available.

Credit: Softpedia.com News

Government .gov Domains DNS Hijacked, Point To Adult Content And Push Adware

Friday, July 16th, 2010

Security researchers warn that various domains in the .gov space had their DNS hijacked and are hosting pages that redirect users to adult websites. The hijacking seems to be part of a scheme to push FLVDirect adware.

Apparently, FLVDirect affiliates are abusing several government domains, including, but not limited to, yanceycountync.gov, uppersiouxcommunity-nsn.gov, woodfin-nc.gov, dumontnj.gov and emporia-kansas.gov to trick users into downloading and installing adware on their computers. The attackers have managed to create sub-domains of the form tubes-####.* (where # is a single digit) on all of the affected domains.

“It looks like their DNS has been hijacked and those sub domains point to servers that are not under their control,” researchers from Sunbelt Software, who analyzed the attack, write. Pages hosted on the rogue sub-domains are riddled with keywords and are being used in a black hat search engine optimization (BHSEO) campaign to poison search results for queries related to adult content. Such techniques are commonly employed by cyber crooks to infect unsuspecting users looking for information on current events with scareware.

Visiting any of the pages hosted on the rogue sub-domains redirects users to either a FLVDirect affiliate site promising hundreds of hours of adult videos for free or an adult dating community. FLVDirect is a well-known piece of adware, an application designed to display unsolicited ads once installed on a computer.

“Adware:Win32/FlvDirect is the detection for a file that installs the program ‘FlvDirect Media Player’. This program is usually bundled with another adware program detected as Adware:Win32/LoudMo. These installers contain an ID, which can be monitored; the more installers are deployed, the more an affiliate company is paid for deploying the installer,” Microsoft explains.

All the sub-domains appear to be hosted on a server responding to 66.49.238.80. This IP address belongs to a company called Canaca-com Inc, which sells Web hosting and VPS hosting services.

Credit: Softpedia.com News

TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages

Thursday, July 15th, 2010

A malvertising attack targeted TweetMeme.com users today after a rogue advertiser made its way onto the website. The malicious advertisements directed users to third-party websites displaying fake malware alerts with the purpose of convincing users to install scareware.

Malvertising (malicious advertising) is a type of attack where cyber crooks manage to insert rogue ads that lead users to malicious content into a legit website. The practice is commonly employed by scareware pushers to distribute their fake antivirus products.

According to StopMalvertising, a website dedicated to researching and stopping such attacks, TweetMeme users were targeted via malicious advertisements served by a rogue advertiser at y5-media.com. An investigation of the incident revealed that the threat distributed through these malvertisements was a fake antivirus called Security Threat Analysis.

The researchers explain that requests to y5-media.com bounce through two other websites before landing on the scareware domains. In order to fly under the radar the cyber crooks tried to make the attack as subtle as possible.

“Both domains perform various checks to see whether you’re a bot, a search engine, a proxy … as in those cases the redirect to the scareware will not happen,” the researchers explain. Also, if a user visits the malicious websites once, a cookie is added in his browser to prevent him from being targeted again.

The landing websites at www3.luckfind42td.in and www2.guardhere5.in, display the typical fake malware scans associated with scareware scams. When these scans are “done” the users are taken to another domain called www1.wareforyou10.in, which serves a file called packupdate107_302.exe for download. This is a program in the FakeAV family of malware, which currently has a very low AV detection rate.

Malvertisements can be very dangerous, because unlike black hat search optimization campaigns that poison search results with malicious links, they are a lot harder to detect and abuse the trust that users put into legit websites. Popular websites that were previously affected by similar attacks include the New York Times, Gizmodo and Digital Spy.

Credit: Softpedia.com News

The Pirate Bay Compromised, Hacker Swipes Details Of 4 Million Users

Thursday, July 8th, 2010

The Pirate Bay has been compromised by an Argentinean hacker who made off with usernames, email and internet addresses of more than four million people signed up to the BitTorrent tracker site.

KrebsOnSecurity.com reported yesterday that Ch Russo broke into TPB’s system and grabbed the info from the notorious website, which might amuse some pro-copyright groups.

Russo had considered selling the private data, but in the end decided to go public about TPB’s shaky security credentials. He accessed the information in the site’s user database by exploiting an SQL injection weakness.

“We wanted to tell people that their information may not be so well protected,” Russo said.

Meanwhile, it may be a coincidence, but The Pirate Bay is currently out of action and carries the following message:

“Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

At this moment the website appears to be offline.

Credit: The Register

YouTube Cross-site Scripting Flaw Abused By Hackers, Redirects Visitors To Fake Or Malicious Sites

Monday, July 5th, 2010

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.
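The flaw described above is a stored XSS in the comment renderer: whatever a commenter typed was written into the page as markup. The following added example is written for this page and is not YouTube's code; it shows a comment renderer that concatenates untrusted strings beside one that escapes text, escapes attribute values and only lets http(s) URLs through as links. The markup layout, the `safe_href` helper and the probe comment `PROBE_BODY` are constructed for the example.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author, url, body):
    """Defect: commenter-controlled strings go straight into the HTML, so a
    comment body containing a <script> tag runs in every other viewer's browser."""
    return f'<div class="comment"><a href="{url}">{author}</a>: {body}</div>'


def safe_href(url):
    """Allow only absolute http(s) links in the attribute; anything else
    (javascript:, data:, vbscript:, a bare path) becomes a dead link."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"


def render_comment_safe(author, url, body):
    """Same markup, with each value encoded for the context it lands in:
    text nodes get html.escape, the href gets scheme validation plus attribute escaping."""
    return (
        f'<div class="comment"><a href="{safe_href(url)}">{html.escape(author)}</a>: '
        f"{html.escape(body)}</div>"
    )


# Constructed comment using the classic probe payload seen in XSS reports.
PROBE_BODY = "<script>alert(1)</script>"


if __name__ == "__main__":
    print(render_comment_vulnerable("bob", "https://example.com", PROBE_BODY))
    print(render_comment_safe("bob", "javascript:alert(1)", PROBE_BODY))
```

Escaping is context-specific: `html.escape` is right for text nodes and quoted attributes, which is all this renderer has. A value that is inserted into an inline script, a style block or an unquoted attribute needs its own encoder, and a template engine that escapes by default (so the unsafe path has to be opted into) removes the chance of forgetting one call.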

Predictably enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Bieber to play North Korea in an upcoming tour.

In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely to be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

Credit: The Register

Lenovo Support Website Loads Malicious IFrame, Infects Visitors With Trojan

Tuesday, June 22nd, 2010

The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.

According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.

The IFrame points to an exploit kit hosted on a domain called volgo-marun.cn. After performing several checks to determine what vulnerable software they had installed on their computer, the visitors were served with exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash player.

“These exploit codes attempt to load file hxxp://volgo-marun.cn/pek/exe.exe which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain sicha-linna8.com,” Le Minh Hung, senior security researcher at Bkis, writes.

At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo.com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.

“Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including volgo-marun.cn/,” a detailed explanation of the Google warnings reads.

Even though the malicious .cn domain appears to be dead at the moment, it could return online at any time. Therefore, users are advised to steer clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.

Credit: Softpedia.com News