Saturday 19 December 2015

Message Header Analyzer (Microsoft & Google)

Spear-phishing attacks still happen and are still successful. According to Symantec: “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

Symantec researchers also explained that “BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,”.

Usually spear-phishing emails are used for untargeted attacks. Lately we saw spear-phishing attacks becoming more targeted. An example is the CEO fraud attacks. A cyber criminal sends an email that appears to be from an executive (usually from the CEO to the CFO) asking for a specific payment to be processed immediately. The payment may be in any currently or even BitCoin(s). 

There are a couple of tools online that you can use to check the email headers of incoming emails. The email headers allow you to check if a suspicious incoming email is actually a spoofed email as part of a spear-phishing attack campaign.

Friday 18 December 2015

FireEye critical vulnerability

Google's team in Project Zero discovered a critical vulnerability in FireEye NX, EX, AX and FX network security devices that run on security content version 427.334 or prior versions.
An attacker could exploit this vulnerability to gain persistent access and remotely exploit code. It is good to see that FireEye focused this time towards patching the security flaw and did not try to take legal action, like previously, for the vulnerabilities discovered by the German security firm ERNW). 

FireEye responded with a support alert stating that a patch was released through automated security content updates for all of the affected devices. FireEye is making the patch available for “out-of-contract customers” and the firm warned customers who perform manual security content updates, to “update immediately”.

The flaw discovered by Project Zero follows an earlier series of vulnerabilities discovered by the German security firm ERNW. FireEye filed an injunction against ERNW in September after learning that the firm was planning to release findings on vulnerabilities that it discovered in FireEye's operating system

It was proven that it was possible for an attacker to root the FireEye's network security device by simply tricking a victim into clicking on a link contained in an email. 

"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic

Juniper Networks published an advisory saying that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain unauthorized code that surreptitiously decrypts the VPN traffic by giving attackers administrative access. 


This system "backdoor" requires immediate patching! The vulnerability was discovered during a recent internal code review[1]. The "unauthorised code" in ScreenOS could allow a knowledgeable attacker to gain administrative access to NetScreen appliances and to decrypt VPN connections. 

Juniper Networks explained in a separate advisory that there are two separate vulnerabilities which are both described as “Unauthorised Code”.

The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited." [2]

This Github repository contains notes, binaries, and related information from the analysis of the CVE-2015-7755 & CVE-2015-7756 issues within Juniper ScreenOS. See a detailed analysis by Rapid7

Wednesday 16 December 2015

Joomla Critical 0day Remote Command Execution Vulnerability - Patch Now

A vulnerability that affects all versions of Joomla from 1.5.0 to 3.4.5 have just been released (CVE-2015-8562). 

The Joomla security team released a patch to address this critical remote command execution vulnerability that is already being exploited in the wild. 

Joomla is one of the most popular Content Management Systems (CMS), alongside Wordpress, Drupal and Magento. Joomla CMS is used to build web sites and online applications in conjunction with the many supported shopping cart, e-commerce and payment gateway extensions.  

Joomla users need to upgrade to version 3.4.6 immediately. For Joomla 3 and above, updating is a simple one-click process through the admin panel. For the unsupported versions 1.5.x - 2.5.x the users need to patch using the Joomla hotfixes.

Wednesday 9 December 2015

Combating cybercrime during the holidays. Advice for retailers and shoppers

Online shopping, especially during the holiday period, is a massively important trading platform for many businesses. For online retailers their ability to service high customer demand and ensure the availability of their website throughout this period is crucial to their success.
The shopping frenzy has already started, with the adoption of Black Friday and Cyber Monday in many countries adding additional pressure on high street, and online retailers. In the UK and Europe, this only increased further during the holiday week and the discounts the day after Christmas. With these periods being hugely busy on the high street, an increasing number of shoppers are moving to the Internet to hunt for their bargains.

During this overwhelming period of spending, online retailers and shoppers need to be wary since this also is a lucrative period for Cybercriminals. In this article, we have highlighted a few key steps retailers and shoppers can take to keep themselves safe from cybercrime during the holidays.