by CIRT Team
Microsoft Windows Express Compressed Fonts CVE-2017-8691 Remote Code Execution Vulnerability
Description: Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacker to execute code remotely on a target system when the Windows font library fails to properly handle specially crafted embedded fonts, aka “Express Compressed Fonts Remote Code Execution Vulnerability.” Impact: An attacker can exploit this issue to execute arbitrary code in the context of an affected system. Failed exploit attempts...
Read More
by CIRT Team
Linux Kernel CVE-2017-1000379 Local Security Bypass Vulnerability
Description: The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected. Impact: Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Linux Kernel 4.11.5 is vulnerable; other versions may also be...
Read More
by CIRT Team
Linux kernel CVE-2017-12762 Local Buffer Overflow Vulnerability
Description: In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied into a local buffer of constant size using strcpy without a length check which can cause a buffer overflow. This affects the Linux kernel 4.9-stable tree, 4.12-stable tree, 3.18-stable tree, and 4.4-stable tree. Impact: Successful exploits may allow attackers to execute arbitrary code in context of the application. Failed exploits may result in denial-of-service conditions. Mitigation: Updates...
Read More
by CIRT Team
Active ransomware attack uses impersonation and embedded advanced threats [source: barracuda]
In the last 24 hours, the Barracuda advanced security team has observed about 20 million attempts at a ransomware attack through an email attachment “Payment_201708-6165.7z.” In this attack, the source of the email is a spoofed address, and the attachment name and number is included in the subject line and body of the message. The full subject line in this example is “Emailing: Payment_201708-6165” and...
Read More
by CIRT Team
RIG exploit kit distributes Princess ransomware [source: malwarebytes]
We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads. We had analyzed the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber’s onion page, the actual code was much different. A new payment page seemed to have...
Read More
by CIRT Team
Cobian RAT – A backdoored RAT [source: zscaler]
The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm...
Read More
by CIRT Team
Mining Adminers – Hackers Scan the Internet For DB Scripts [source: blog.sucuri]
Hackers are constantly scanning the internet for exploitable sites, which is why even small, new sites should be fully patched and protected. At the same time, it is not feasible to scan the whole internet with 330+ million domains and billions of web pages. Even Google can’t do it, but hackers are always getting better at reconnaissance. Despite these limitations, scanning just 1% of the internet allows...
Read More
by CIRT Team
Linux Kernel CVE-2017-7558 Multiple Local Information Disclosure Vulnerabilities
Description: A kernel data leak due to an out-of-bound read was found in Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since v4.7-rc1 upto v4.13 including. A data leak happens when these functions fill in sockaddr data structures used to export socket’s diagnostic information. As a result upto 100 bytes of the slab data could be leaked to a userspace. Impact: Local attackers can exploit...
Read More
by CIRT Team
NfSen CVE-2017-6972 Unspecified Security Bypass Vulnerability
Description: AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971. Impact: Remote attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. Mitigation: Updates are available. Please check specific vendor advisory for more information....
Read More
by CIRT Team
CVE-2017-7874: Linux Kernel 4.8.0 UDEV < 232 Local Privilege Escalation Vulnerability
Description: udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value. Impact: Local attackers may exploit this issue to execute arbitrary commands with elevated privileges. Mitigation:...
Read More
