
NEWS - January 15, 2013

Jan 15, 2013 2:34AM PST
"Unless it is absolutely necessary to run Java in web browsers, disable it" advises US Dept of Homeland Security

For anyone who is in any doubt, the US Department of Homeland Security's CERT team has spelled it out in black and white.

Well, when I selected the text in US-CERT's Java security advisory for the purposes of taking a screen-grab, it turned out white on blue... but you get the idea: [Screenshot]

"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

You know what? They're absolutely right.

Even if you have been super-diligent and installed the Java security patch released earlier this week for the serious security hole that allowed Java applets in your browser to do naughty stuff, you should still seriously consider whether it's sensible to have Java enabled in your browser at all.

If you can't avoid using a handful of websites that demand your browser supports Java, then why not have a different browser specifically for visiting those sites?

Continued : http://nakedsecurity.sophos.com/2013/01/15/disable-java-browsers-homeland-security/

Also: Homeland Security warns Java still poses risks after security fix - Updated

Java Exploit Linked to Red October Malware Campaign
Jan 15, 2013 2:35AM PST

Red October, the espionage campaign uncovered by Kaspersky Labs after five years of actively spying on diplomats, scientists, and governments worldwide, is using a Java exploit to infect its victims, bringing the exploit count to four in this campaign.

Seculert, an Israeli security company, said today it has investigated one of the command and control servers in the Red October infrastructure and found a website serving an exploit targeting CVE-2011-3544. The vulnerability is in Java 7 and Java 6 Update 27 and earlier. According to the CVE alert, the flaw allows remote untrusted Java Web Start applications and untrusted applets to execute malicious scripts. Oracle patched the vulnerability in October 2011.

Kaspersky Labs had previously identified three Red October exploits, all of them malicious Excel or Word documents attached to spear phishing emails. The company was alerted to the spear phishing campaign by an unidentified partner, which led them to Red October. Researchers found several hundred infections and initially identified the three exploits and upwards of 1,000 unique malware files in 30 different categories including reconnaissance, data collection, code execution, credential harvesting and more. The exploits targeted mobile devices, workstations and removable storage drives.

Continued : https://threatpost.com/en_us/blogs/java-exploit-linked-red-october-espionage-malware-campaign-011513

Related: Rocra Espionage Malware Campaign Uncovered After 5 Years of Activity

Also:
Java exploit used in Red October cyberespionage attacks
'Operation Red October' Used Java Exploit as Added Attack Weapon
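The two Java items in this thread give concrete version cut-offs: CVE-2013-0422 is closed by 7u11, and CVE-2011-3544 affects Java 7 and Java 6 Update 27 and earlier. As an added example (not from the posts, from US-CERT, Seculert or Oracle), here is a small Python checker that turns those cut-offs into an audit of `java -version` output. The host names and version strings are constructed sample data; the note that Java 6 is outside the CVE-2013-0422 range comes from Oracle's alert for that bug, not from this thread.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the posts above. The "Java 6 is not affected by
# CVE-2013-0422" part is from Oracle's alert, not from this thread.
VULNERABLE = {
    "CVE-2013-0422": lambda major, update: major == 7 and update < 11,
    "CVE-2011-3544": lambda major, update: (major == 6 and update <= 27)
                                            or (major == 7 and update == 0),
}

_LEGACY = re.compile(r'\b1\.([5-8])\.0(?:_(\d+))?')   # 1.7.0_10, 1.6.0_27-b07, 1.7.0
_SHORT = re.compile(r'\b([5-8])u(\d+)\b')              # 7u11, 6u27


def parse_java_version(text: str) -> Tuple[int, int]:
    """Extract (major, update) from `java -version` output or an Oracle-style 'XuYY' tag."""
    m = _LEGACY.search(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)   # no "_NN" suffix means the GA release
    m = _SHORT.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def vulnerable_to(major: int, update: int) -> Dict[str, bool]:
    """Map each CVE from the thread to whether this JRE release falls in its affected range."""
    return {cve: check(major, update) for cve, check in VULNERABLE.items()}


def audit(hosts: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, 'XuYY', [open CVEs]) for every host whose JRE is still exposed."""
    findings = []
    for host, output in hosts.items():
        major, update = parse_java_version(output)
        open_cves = sorted(cve for cve, hit in vulnerable_to(major, update).items() if hit)
        if open_cves:
            findings.append((host, f"{major}u{update}", open_cves))
    return findings


# Constructed sample `java -version` output (it goes to stderr), not captured from real hosts.
SAMPLE_HOSTS = {
    "desk-01": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    "desk-02": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)',
    "lab-03":  'java version "1.6.0_27"\nJava(TM) SE Runtime Environment (build 1.6.0_27-b07)',
    "lab-04":  'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)',
}

if __name__ == "__main__":
    for host, version, cves in audit(SAMPLE_HOSTS):
        print(f"{host}: Java {version} still affected by {', '.join(cves)}")
```

Feed it the stderr of `java -version` collected from each machine; a host that is clean on both checks is not printed. Note that passing the checks says nothing about the browser plug-in being disabled, which is the separate step US-CERT asks for.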
Cisco-Powered Linksys Routers Vulnerable to Remote Ownage
Jan 15, 2013 3:24AM PST

From Bitdefender's "HotForSecurity" Blog:

A serious flaw in the Linksys routers could allow an attacker to seize root privileges on the device, according to a blog post by pen-testing specialist DefenseCode.

As shown in a video, successful exploitation of a Cisco Linksys WRT54GL model gives the attacker root access on the locally installed Linux-based firmware. DefenseCode claims the vulnerability resides in the latest Linksys firmware (4.30.14), but older versions are also vulnerable.

"Months ago, we've contacted Cisco about a remote preauth (root access) vulnerability in default installation of their Linksys routers that we've discovered," the team wrote. "They said that this vulnerability was already fixed in latest firmware release...Well, not this particular vulnerability, since the latest official Linksys firmware - 4.30.14, and all previous versions are still vulnerable."

Once logged into the router with root privileges, an attacker can do nearly anything, including snoop on network traffic as it passes from LAN to WAN, discover the network topology or, even more, change the DNS settings to redirect websites that the user trusts to phishing pages.

Continued : http://www.hotforsecurity.com/blog/cisco-powered-linksys-routers-vulnerable-to-remote-ownage-5044.html

Also:
Dangerous remote Linksys 0-day root exploit discovered
DefenseCode turns up Linksys zero-day
Experts Identify Zero-Day Vulnerability in Cisco's Linksys Routers - Video
Automated YouTube account generator offered to cyber crooks
Jan 15, 2013 3:24AM PST

You're a spammer / malware peddler / phisher, and want to register hundreds of bogus accounts on a popular online service such as YouTube in order to lead users to your wares. But, you don't want to create them manually yourself because that would take simply too much of your precious time - so what do you do?

According to Dancho Danchev, there's an elegant solution out there, just waiting to be bought and implemented: a software tool that uses API keys offered by CAPTCHA-solving services to automate the account registration process: [Screenshot]

Apparently, the bot can create up to 30 accounts at the same time, upload videos, log activities and more.

"What's particularly interesting about this tool is the fact that every automatically created bogus account starts following another automatically created bogus account, leading to a self-serving, potentially fraudulent segment of fake users who will inevitably start commenting and liking each other's videos in an attempt to artificially increase their popularity, thereby undermining YouTube's reputation-based system," shares Danchev.

Continued : http://www.net-security.org/malware_news.php?id=2377
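The self-following behaviour Danchev describes is also a detection signal: accounts registered minutes apart that immediately follow one another form a cluster that genuine sign-ups almost never produce. As an added example, not from the post and not Danchev's or YouTube's code, here is a Python routine that groups accounts joined by a follow edge and created within a short window of each other, then flags groups whose follows point mostly inward. The account names, timestamps and follow list are constructed sample data; the thresholds are assumptions to tune per platform.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


def _find(parent: Dict[str, str], x: str) -> str:
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def find_registration_rings(
    accounts: Dict[str, datetime],
    follows: Iterable[Tuple[str, str]],
    max_creation_gap_s: float = 600.0,   # assumed: bulk-registered accounts land within 10 min
    min_size: int = 3,
    min_inward_ratio: float = 0.8,       # assumed: >= 80% of the group's follows stay inside it
) -> List[List[str]]:
    """Group accounts that are linked by a follow edge *and* were created within
    max_creation_gap_s of each other, then report groups of at least min_size whose
    outgoing follows stay mostly inside the group. Two strangers who sign up in the
    same minute rarely follow each other, so the time-coupled follow edge is the
    discriminating feature; popular channels are not pulled in because their creation
    time is far from the bots'."""
    follows = list(follows)
    parent = {name: name for name in accounts}
    for src, dst in follows:
        if src in accounts and dst in accounts and \
           abs((accounts[src] - accounts[dst]).total_seconds()) <= max_creation_gap_s:
            parent[_find(parent, src)] = _find(parent, dst)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in accounts:
        groups[_find(parent, name)].add(name)

    rings = []
    for members in groups.values():
        if len(members) < min_size:
            continue
        outgoing = [(s, d) for s, d in follows if s in members]
        inward = sum(1 for _, d in outgoing if d in members)
        if outgoing and inward / len(outgoing) >= min_inward_ratio:
            rings.append(sorted(members))
    return sorted(rings)


# Constructed sample data, not taken from YouTube or from Danchev's post.
def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

SAMPLE_ACCOUNTS = {
    "bot_a": _t("2013-01-15 03:00:00"),
    "bot_b": _t("2013-01-15 03:00:40"),
    "bot_c": _t("2013-01-15 03:01:10"),
    "bot_d": _t("2013-01-15 03:01:55"),
    "bot_e": _t("2013-01-15 03:02:30"),
    "alice": _t("2011-06-02 18:12:09"),
    "bob":   _t("2012-11-20 09:45:31"),
    "carol": _t("2013-01-15 03:01:30"),   # genuine sign-up during the same minutes
}
SAMPLE_FOLLOWS = [
    ("bot_a", "bot_b"), ("bot_b", "bot_c"), ("bot_c", "bot_d"),
    ("bot_d", "bot_e"), ("bot_e", "bot_a"),   # each bot follows the next one
    ("bot_a", "alice"),                       # one outward follow to look organic
    ("alice", "bob"), ("bob", "alice"), ("carol", "alice"),
]

if __name__ == "__main__":
    for ring in find_registration_rings(SAMPLE_ACCOUNTS, SAMPLE_FOLLOWS):
        print("suspected bulk-registered ring:", ", ".join(ring))
```

On the sample data only the five bots are reported; carol signed up in the same window but has no follow edge into the ring, and alice and bob are years older, so neither is grouped with it. Tightening `min_inward_ratio` to 0.9 drops the ring because one bot follows an outside account.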
Spam Volumes: Past & Present, Global & Local
Jan 15, 2013 3:24AM PST

Last week, National Public Radio aired a story on my Pharma Wars series, which chronicles an epic battle between men who ran two competing cybercrime empires that used spam to pimp online pharmacy sites. As I was working with the NPR reporter on the story, I was struck by how much spam has decreased over the past couple of years.

Below is a graphic that's based on spam data collected by Symantec's MessageLabs. It shows that global spam volumes fell and spiked fairly regularly, from highs of 6 trillion messages sent per month to just below 1 trillion. I produced this graph based on Symantec's raw spam data. [Screenshot]

Some of the points on the graph where spam volumes fall precipitously roughly coincide with major disruptive events, such as the disconnection of rogue ISPs McColo Corp. and 3FN, as well as targeted takedowns against major spam botnets, including Bredolab, Rustock and Grum. Obviously, this graph shows a correlation to those events, not a direct causation; there may well have been other events than those mentioned that caused decreases in junk email volumes worldwide. Nevertheless, it is clear that the closure of the SpamIt affiliate program in the fall of 2010 marked the beginning of a steep and steady decline of spam volumes that persists to this day.

Continued : http://krebsonsecurity.com/2013/01/spam-volumes-past-present-global-local/
Adobe Patches Four ColdFusion Flaws Exploited in Wild
Jan 15, 2013 5:13AM PST

Adobe delivered a security hotfix for its ColdFusion application server today, repairing a host of vulnerabilities being exploited in the wild.

The company had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until today's hotfix was released.

Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0, while the other two do not impact version 10; the hotfix is for Windows, Mac OS X and UNIX.

"This hotfix addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server," Adobe said in its advisory.

The hotfix repairs two authentication bypass vulnerabilities (CVE-2013-0625 and CVE-2013-0632), a directory traversal (CVE-2013-0629) and a data leakage vulnerability (CVE-2013-0631).

"Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set," Adobe said in its advisory. All of the vulnerabilities were given Adobe's most critical rating.

Continued : https://threatpost.com/en_us/blogs/adobe-patches-four-coldfusion-flaws-exploited-wild-011513
'Police Ransomware' Becomes Java 0-Day-Borne
Jan 15, 2013 5:13AM PST

The recently discovered vulnerability disclosed on Thursday has finally been patched by Oracle, but exploitation in the wild continues on computers that have not been updated yet. With exploitation code included in the world's most frequently used exploit packs, such as BlackHole, Nuclear Pack and the Cool Exploit Kit, cyber-criminals have started to take advantage of the huge pool of vulnerable computers by planting ransomware.

Bitdefender has identified multiple campaigns that use the CVE-2013-0422 bug in Java to infect client machines with the notorious IcePol (also known as Reveton). Once the computer is successfully infected, the user is denied access to the desktop until payment of a ransom, which the criminals call a 'fine'.

Most of these attacks are directed from servers in the UK, Canada and the US, but, since the Reveton ransomware is localized in multiple languages depending on the IP address of the infected computer, victims are spread across the world. All it takes is a vulnerable version of Java. [Screenshot]

Continued : http://www.hotforsecurity.com/blog/police-ransomware-becomes-java-0-day-borne-5032.html