January 2016, the first week round up

Over the first week of 2016, a handful of important cybersecurity news came in, including those directly and indirectly affecting businesses worldwide.

Over the first week of 2016, a handful of important cybersecurity news came in, including those directly and indirectly affecting businesses worldwide. Here’s a digest:

1. Ransomware as as service

Ransom32, probably the world’s first Ransomware-as-a-service operation, was announced. Available for download on a Tor hidden server to anyone with a Bitcoin address, the malware looks for and encrypts dozens of file types and asks for a ransom payable in digital currency; Ransom32’s creators get a 25% commission on every transaction. All communications are executed via Tor network.

What makes it especially dangerous is that it is packaged into a Chromium executable using NW.js. This platform is used to develop desktop JavaScript apps not only for Windows, but also Mac OS X and Linux, which in theory makes this ransomware cross-platform, although for now it is confined to Windows.

More information is available here.

2. Zerodium is buying exploits for Adobe Flash Player

The company Zerodium, known for buying out high-risk zero-day vulnerabilities for all major platforms and third-party application, has announced a large bug bounty program for Adobe Flash, promising up to $100K per exploit.

Adobe has recently rewritten Flash Player’s memory manager, laying the groundwork for widespread heap isolation, which is an important protection against some types of exploits. Now Zerodium wants to purchase (and then resell to Adobe) all exploits that can bypass heap isolation. $100K is paid for exploits with sandbox, $65K without one.

Adobe decided it’s time to call it quits on Flash, but since it is still an extremely popular tool among both individual users and businesses (and a widely-spread security issue as well) it still has to be updated.

For more info visit here.

3. Linode: double trouble

Cloud-based webhost Linode had to reset their customer passwords after a suspected breach. The breach came under a “smokescreen” of a potent DDoS attack which is ongoing since Christmas.

The password breach was announced after the company said three accounts were accessed without permission and it discovered two Linode.com user credentials on an “external machine”, which possibly implies that user credentials “could have been read from our database, either offline or on, at some point,” according to Linode’s advisory on the matter.

There was no evidence of further intrusion into the host or virtual machines so far.

Linode says its staff is working around the clock to resolve the problems with the service, while multiple Federal law enforcement authorities are also investigating and have cases open for the situation.

More on the incident.

4. More CMS worries: Drupal and WordPress

Cybersecurity researchers have announced a number of serious issues discovered in the popular content management system Drupal.

One of them has existed in the wild “in some form” for years: Drupal’s updates aren’t encrypted when they’re transferred, and CMS doesn’t verify the authenticity of the updates when they come across. To exploit the vulnerability an attacker would have to be on the same network and carry out a man-in-the-middle attack, researchers said. A fix is not available yet.

All these vulnerabilities can lead to code execution and the theft of database credentials via a man-in-the-middle attack. More details are available here.

WordPress developers, in turn, fixed a cross-site scripting (XSS) vulnerability and started pushing 4.4.1 update, encouraging users to install it ASAP. The XSS bug exists in all versions before 4.4 and if exploited, could allow a hacker to take control of an affected website, at least in theory. It’s unclear how dangerous the bug actually is, but developers don’t want to take any chances.

Beside this one, 4.4.1 fixed 51 more bugs.

Late in December it was reported that CMS Joomla had been attacked using 0day vulnerability (patched shortly before the announcement).

The major content management systems come under attack on a regular basis; their popularity make them a favorable target for criminals looking to spread their malware as far and wide as possible, and the popular sites with vulnerable CMS are making a great tool for it.

Tips