by CIRT Team
SynAck Ransomware Sees Huge Spike in Activity [source: bleepingcomputer]
Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to victims who sought assistance in the Bleeping Computer ransomware support forums and from submissions to the ID-Ransomware service. This particular ransomware strain — named SynAck or Syn Ack — was first spotted on August 3 and experts quickly determined that they were looking at a...
Read More
by CIRT Team
Dragonfly: Western energy sector targeted by sophisticated attack group [source: symantec]
The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations. The group behind these attacks is known as Dragonfly. The group has been in operation since at least 2011 but has re-emerged over the past two years from a quiet period following exposure by Symantec and a...
Read More
by CIRT Team
A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs [source: trendmicro]
Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications. We saw a similar—albeit a lot simpler and less creative—attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host...
Read More
by CIRT Team
Malspam pushing Locky ransomware tries HoeflerText notifications [source: sans.edu]
During past two weeks or so, we’ve seen plenty of botnet-based malicious spam (malspam) pushing Locky ransomware. In recent days, I’ve noticed multiple waves of malspam every weekday. It gets a bit boring after a while, but as 2017-08-31 came to a close, I noticed a different technique from this malspam. Today’s malspam had links to fake Dropbox pages. If you viewed the pages in...
Read More
by CIRT Team
Sudo CVE-2017-1000368 Incomplete Fix Local Privilege Escalation Vulnerability
Description: Todd Miller’s sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution. Impact: Local attackers could exploit this issue to run arbitrary commands with root privileges. This issue is fixed in sudo 1.8.20p2. NOTE: This issue is the result of an incomplete fix for the issue described in BID 98745...
Read More
by CIRT Team
Apache Struts CVE-2017-9805 Remote Code Execution Vulnerability
Description: The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads. Impact: Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Apache Struts 2.5 through 2.5.12...
Read More
by CIRT Team
CVE-2017-6768: Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability
Description: A vulnerability in the build procedure for certain executable system files installed at boot time on Cisco Application Policy Infrastructure Controller (APIC) devices could allow an authenticated, local attacker to gain root-level privileges. The vulnerability is due to a custom executable system file that was built to use relative search paths for libraries without properly validating the library to be loaded. Impact: An attacker...
Read More
by CIRT Team
CVE-2017-6767: Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability
Description: A vulnerability in Cisco Application Policy Infrastructure Controller (APIC) could allow an authenticated, remote attacker to gain higher privileges than the account is assigned. The attacker will be granted the privileges of the last user to log in, regardless of whether those privileges are higher or lower than what should have been granted. The attacker cannot gain root-level privileges. The vulnerability is due to...
Read More
by CIRT Team
CVE-2017-6780: Cisco IoT Field Network Director Memory Exhaustion Denial of Service Vulnerability
Description: A vulnerability in the TCP throttling process for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to cause the system to consume additional memory, eventually forcing the device to restart. Impact: An attacker could exploit this vulnerability by sending a high rate of TCP packets to a specific group of open listening ports on a targeted device. An exploit could...
Read More
by CIRT Team
Symantec Messaging Gateway CVE-2017-6326 Remote Code Execution Vulnerability
Description: The Symantec Messaging Gateway can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. Impact: Attackers can exploit this issue to execute arbitrary code on the affected system.Versions prior to Symantec Messaging Gateway 10.6.3-266 are vulnerable. Mitigation: Updates are available. Please check...
Read More
