by CIRT Team
751 Domains Hijacked to Redirect Traffic to Exploit Kits [bleepingcomputer]
On July 7, French domain registrar Gandi lost control over 751 customer domains, whose DNS records were altered to send incoming traffic to websites hosting exploit kits. The rogue records were in place for only about forty minutes, between 12:50 UTC and 13:30 UTC, but because DNS changes propagate slowly, some of the domains kept redirecting user traffic until 18:02 UTC.
by CIRT Team
SMS Phishing induces victims to photograph their own token card [securityaffairs]
Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received an SMS message supposedly sent from his bank asking him to update his registration data through the given URL. Otherwise, he could have his account blocked. My friend doesn’t have any account at the bank in question and, even so, we know that those kinds of messages are hardly...
by CIRT Team
Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More [trendmicro]
The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device. There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities...
by CIRT Team
A deep dive into AWS S3 access controls – taking full control over your assets
Setting up access control for AWS S3 involves multiple levels, each with its own risk of misconfiguration. We go through the specifics of each level and identify the dangerous cases where weak ACLs create vulnerable configurations, affecting both the owner of the S3 bucket and the many companies that load third-party assets from it. We also show how to do it properly...
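As an added example, not code from the article above, here is a small offline checker for the two S3 access-control levels that most often go wrong: the bucket ACL (grants to the predefined AllUsers and AuthenticatedUsers groups) and the bucket policy (Allow statements whose Principal is "*"). The ACL and policy it inspects are constructed inline in the shape boto3's get_bucket_acl() and get_bucket_policy() return; no AWS call is made, and the bucket and owner identifiers are placeholders.

```python
"""Offline checker for the two S3 access-control levels most often misconfigured:
the bucket ACL and the bucket policy. Input dicts mirror the shape returned by
boto3's get_bucket_acl() and the JSON document from get_bucket_policy().
Added example; sample data below is constructed, not taken from a real account."""
import json

# Predefined groups that turn a grant into a public one.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# WRITE lets a stranger upload or delete objects; WRITE_ACP lets them rewrite the
# ACL and grant themselves FULL_CONTROL, i.e. take over the bucket outright.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def acl_findings(acl):
    """Return [(severity, message)] for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission", "")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            who = PUBLIC_GROUPS[grantee["URI"]]
            sev = "HIGH" if perm in WRITE_PERMS else "MEDIUM"
            findings.append((sev, f"ACL grants {perm} to {who}"))
    return findings


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """Return [(severity, message)] for Allow statements open to every principal.
    Statements with a Condition are still reported: conditions such as aws:Referer
    are trivially spoofed, so a human should review them rather than trust them."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            mutating = action in ("*", "s3:*") or action.startswith(("s3:Put", "s3:Delete"))
            sev = "HIGH" if mutating else "MEDIUM"
            note = " (conditioned; review the Condition block)" if "Condition" in stmt else ""
            findings.append((sev, f"policy allows {action} to any principal{note}"))
    return findings


# Constructed sample input: a bucket whose ACL gives everyone WRITE_ACP and every
# AWS account READ, plus a policy that makes all objects world-readable.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE_ACP"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::constructed-bucket/*"}
  ]
}""")


def audit(acl, policy):
    """Combined report, sorted so HIGH findings come first."""
    return sorted(acl_findings(acl) + policy_findings(policy), key=lambda f: f[0] != "HIGH")


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_ACL, SAMPLE_POLICY):
        print(f"[{sev}] {msg}")
```

The WRITE_ACP grant is the one to look for first: a bucket that is merely world-readable leaks data, but a bucket whose ACL any anonymous user may rewrite can be taken over completely, including the third-party scripts or assets other sites load from it.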
by CIRT Team
21-Year-Old Bug in Kerberos Protocol Gets Patch in Windows, Linux [bleepingcomputer]
Researchers contacted the projects that use the affected Kerberos code. Microsoft patched the vulnerability in its Kerberos implementation (CVE-2017-8495) in this week’s Patch Tuesday security update. Debian, FreeBSD, and Samba — projects using the Heimdal Kerberos implementation — have also released patches for the flaw, tracked as CVE-2017-11103.
by CIRT Team
The WPSetup Attack: New Campaign Targets Fresh WordPress Installs [wordfence]
At Wordfence, we track millions of attacks from a wide variety of sources every day. From this data we create a list of the worst-of-the-worst attackers and add those to our IP blacklist to protect our Premium customers. We also carefully monitor the activity that those known bad IP addresses engage in. In May and June, we saw our worst-of-the-worst IPs start using a new...
by CIRT Team
App Finds Computers Vulnerable to ETERNALBLUE Exploit [bleepingcomputer]
The Eternal Blues app has found more than 50,000 vulnerable computers around the world in the two weeks since the tool’s official release. Eternal Blues works by pinging computers in a network range and attempting to identify whether they are vulnerable to specially crafted SMB packets like the ones used by the ETERNALBLUE exploit. Eternal Blues only checks for specific responses, without exploiting the actual...
by CIRT Team
Microsoft’s July Patch Tuesday Fixes 55 Security Issues [bleepingcomputer]
Microsoft released updates on 12 July 2017 for the Windows 10 operating system as well as for other company products; the updates fix 55 security issues, ranging from remote code execution to simple spoofing.
by CIRT Team
NTLM Relay Attacks Still Causing Problems in 2017 [bleepingcomputer]
Microsoft’s July 2017 Patch Tuesday includes a fix for an issue with the NT LAN Manager (NTLM) Authentication Protocol that can be exploited to allow attackers to create admin accounts on a local network’s domain controller (DC).
by CIRT Team
Attack on Critical Infrastructure Leverages Template Injection [talosintelligence]
Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic Word document attachment phish. Typically, malicious Word documents sent as attachments to phishing emails themselves contain a script or macro that executes malicious code. In...
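As an added example, not code from the Talos write-up, here is a scanner for the mechanism remote template injection relies on: instead of a macro, the .docx carries an attachedTemplate relationship in word/_rels/settings.xml.rels whose Target is an external URL or UNC path, which Word fetches when the file is opened. The sample documents are built in memory and are constructed, not real lures; the template URL uses the reserved example.com and is a placeholder.

```python
"""Detect remote-template injection in a .docx: the document carries no macro, only a
relationship in word/_rels/settings.xml.rels whose attachedTemplate Target is an
external URL or UNC path that Word fetches when the file is opened.
Added example; the sample documents are built in memory and are constructed, not
real lures. The URL used below is a placeholder under the reserved example.com."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# http(s)://, file: and UNC (\\host\share) targets all reach outside the package.
EXTERNAL_TARGET = re.compile(r"^(https?://|file:|\\\\)", re.IGNORECASE)


def external_templates(docx_bytes):
    """Return [(rel_id, target)] for every attachedTemplate relationship that points
    outside the package. A clean document returns []."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if SETTINGS_RELS not in pkg.namelist():
            return hits
        root = ET.fromstring(pkg.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" or EXTERNAL_TARGET.match(target):
                hits.append((rel.get("Id"), target))
    return hits


def build_docx(template_target=None):
    """Build a minimal (not Word-valid, but structurally faithful) .docx package.
    With template_target set, it gets the same settings.xml.rels entry an
    injected document carries. Constructed sample, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/settings.xml", "<w:settings/>")
        if template_target:
            rels = (
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            pkg.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_docx()
    lure = build_docx("http://template.example.com/letterhead.dotx")  # constructed placeholder
    print("clean:", external_templates(clean))
    print("lure :", external_templates(lure))
```

Because the attachment itself contains no macro, macro-centric mail filters pass it; checking the package relationships for external targets catches it before Word ever reaches out to the attacker's server, and a UNC target is worth flagging on its own since it also leaks NTLM credentials to that host.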