Security Advisories

IT Security Advisories provided by Security I Trust

A critical vulnerability has been identified in the Linux GNU C Library (glibc), a core component of most Linux distributions. The vulnerability, named GHOST (CVE-2015-0235), was discovered by Qualys. The flaw is a buffer overflow in glibc's "gethostbyname" family of functions that can be triggered both locally and remotely.
It is unclear whether attackers were aware of, or exploiting, this vulnerability before it was found, but now that it is common knowledge we can expect many attackers to attempt to use it to exploit systems.

Video provided by Qualys on this security vulnerability.

CVE:
CVE-2015-0235

RISK:
This security hole could allow attackers to execute malicious code on servers and remotely gain control of Linux systems.
A flaw in a component used by most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email.

Impact:
GHOST is considered critical because attackers could exploit it to silently gain complete control of a targeted Linux system without any prior knowledge of system credentials (i.e. administrative passwords).

To execute exploit code an attacker first needs to gain access to a vulnerable system. So if your Linux server is otherwise secure, with no existing vulnerabilities, and you do not allow unauthorised files to be opened or executed on the system, then the risk of impact is low.

Some of the affected Linux distributions:

  • Debian 7 (wheezy)
  • Red Hat Enterprise Linux 6 & 7
  • CentOS 6 & 7
  • Ubuntu 12.04

Best Course Of Action:
The way to mitigate the risk is to apply the patch from your Linux vendor.

Detection:

To identify the version of glibc on your Linux system, run this command:
# ldd --version

To identify which running programs on your system are using glibc, run the following command:
# lsof | grep libc | awk '{print $1}' | sort | uniq
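
As an added example (not from the advisory or from Qualys), the following Python script parses the first line of `ldd --version` output and reports whether the upstream glibc version number falls inside the range GHOST affects: glibc 2.2 up to but not including 2.18, the release in which upstream fixed the bug. The sample outputs it checks are constructed, and the `assess_local_system` helper runs the advisory's `ldd --version` command on the host it is executed on.

```python
"""Check glibc version strings against the range affected by GHOST (CVE-2015-0235).

Added example, not from the advisory or Qualys. Assumption: the first line of
`ldd --version` ends with the glibc version number, as the advisory's command shows.
"""
import re
import subprocess
from typing import Optional, Tuple

# Upstream glibc 2.2 .. 2.17 contain the bug; 2.18 and later do not.
FIRST_AFFECTED = (2, 2)
FIRST_FIXED = (2, 18)

# Constructed sample outputs in the shape `ldd --version` prints on several distributions
SAMPLE_OUTPUTS = {
    "centos6": "ldd (GNU libc) 2.12\nCopyright (C) 2010 Free Software Foundation, Inc.\n",
    "ubuntu12": "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15\n",
    "fedora21": "ldd (GNU libc) 2.20\n",
}

# The version is the last dotted number on the first line, so distribution text such as
# "(Ubuntu EGLIBC 2.15-0ubuntu10.10)" earlier on the line does not confuse the parser.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\s*$")


def parse_glibc_version(ldd_output: str) -> Tuple[int, int]:
    """Return (major, minor) from the first line of `ldd --version` output."""
    lines = ldd_output.strip().splitlines()
    match = _VERSION_RE.search(lines[0]) if lines else None
    if not match:
        raise ValueError(f"no glibc version found in: {ldd_output!r}")
    return int(match.group(1)), int(match.group(2))


def upstream_in_ghost_range(version: Tuple[int, int]) -> bool:
    """True when the upstream version number satisfies 2.2 <= version < 2.18."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(ldd_output: str) -> str:
    """Classify ldd output: 'check-vendor-patch' (in range) or 'not-affected-upstream'."""
    if upstream_in_ghost_range(parse_glibc_version(ldd_output)):
        return "check-vendor-patch"
    return "not-affected-upstream"


def assess_local_system() -> Optional[str]:
    """Run the advisory's `ldd --version` on this host; None if ldd is missing or not glibc."""
    try:
        result = subprocess.run(["ldd", "--version"], capture_output=True, text=True, check=False)
    except (FileNotFoundError, OSError):
        return None
    if not result.stdout:
        return None
    try:
        return assess(result.stdout)
    except ValueError:          # e.g. a musl-based system, whose ldd prints no glibc version
        return None


if __name__ == "__main__":
    for name, output in SAMPLE_OUTPUTS.items():
        print(f"{name:9s} glibc {parse_glibc_version(output)} -> {assess(output)}")
    print("this host:", assess_local_system())
```

A version inside the range is a prompt to check, not a verdict: Red Hat, CentOS, Debian and Ubuntu backport fixes without changing the upstream version number, so confirm against the vendor's package changelog (for example `rpm -q --changelog glibc | grep CVE-2015-0235` on Red Hat/CentOS), and remember that a patched library only takes effect once the processes listed by the `lsof` command above have been restarted.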

More info can be found on the Qualys blog.

A zero-day vulnerability affecting all Microsoft-supported versions of the Windows operating system, including Windows Server, has been identified. We are also seeing reports from iSIGHT identifying a cyber espionage campaign already in progress to compromise exposed systems.

The vulnerability is identified as CVE-2014-4114 and is also known as Sandworm. It was reportedly discovered in the wild in connection with a cyber espionage campaign that iSIGHT Partners has attributed to Russia. The zero-day vulnerability is reported to have been used in early September to infect victims with malicious attachments, primarily PowerPoint files. Although the attackers used PowerPoint as their attack vector.

The vulnerability exists in the OLE package manager in Microsoft Windows and Windows Server. The OLE packager (packager.dll) is able to download and execute external files such as INF files, allowing the attacker to execute commands.
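
The advisory's description of the OLE packager fetching external files suggests a triage check a defender can run on an attachment before it is opened: list every OLE relationship in the Office package that points outside the document. The script below is an added example, not from the advisory, iSIGHT or Microsoft; it relies only on the public OOXML packaging layout (a `_rels/*.rels` file per part, with `TargetMode="External"` marking off-package targets) and builds a constructed sample presentation in memory with a placeholder target, since the page carries no real sample.

```python
"""Triage an Office OOXML package (for example a .pptx) for OLE objects that point outside it.

Added example, not from the advisory, iSIGHT or Microsoft. It relies on the public OOXML
packaging layout: every part's relationships live in a _rels/*.rels file, and a relationship
with TargetMode="External" names a resource outside the package. The advisory's point is that
the OLE packager will fetch and run external files, so an OLE relationship with an external
target is the thing to look for before an attachment is opened. The sample document below is
constructed in memory, and its target hostname is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LAYOUT_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"

# Constructed placeholder, not a real host or share
PLACEHOLDER_TARGET = r"\\placeholder-host\share\object.bin"


def find_external_ole_links(pkg: zipfile.ZipFile) -> List[Tuple[str, str]]:
    """Return (rels part, Target) for every OLE relationship marked TargetMode="External"."""
    findings = []
    for name in sorted(pkg.namelist()):
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(pkg.read(name))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                findings.append((name, rel.get("Target", "")))
    return findings


def embedded_ole_parts(pkg: zipfile.ZipFile) -> List[str]:
    """Return the OLE binaries stored inside the package (e.g. ppt/embeddings/oleObject1.bin)."""
    return sorted(n for n in pkg.namelist() if "/embeddings/" in n and n.endswith(".bin"))


def triage(data: bytes) -> Dict[str, object]:
    """Open a package from bytes and report external OLE links and embedded OLE parts."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        return {
            "external_ole_links": find_external_ole_links(pkg),
            "embedded_ole_parts": embedded_ole_parts(pkg),
        }


def build_sample_pptx(external_target: str) -> bytes:
    """Construct a minimal pptx-shaped zip: one slide with an internal layout relationship,
    one embedded OLE binary, and one OLE relationship that points to external_target."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{LAYOUT_REL_TYPE}" Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" Target="{external_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<sld xmlns="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        # First four bytes of the OLE compound-file signature, then padding (constructed)
        z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


SAMPLE_PPTX = build_sample_pptx(PLACEHOLDER_TARGET)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PPTX).items():
        print(f"{key}: {value}")
```

An embedded OLE part on its own is ordinary (pasted spreadsheets and charts produce them); it is the combination of an OLE relationship with an external target that warrants holding the attachment until the vendor update is in place.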

Risk Level

The risk level appears high, because if one group could design a worm to exploit the hole, then someone else will try to recode the worm and make it widespread.

Impact: we are only at the early stage of trying to understand what we are looking at, but if the vulnerability allows a file to be downloaded and executed then the potential impact is extremely high.

http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/

iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign: http://www.isightpartners.com/2014/10/cve-2014-4114/

http://www.theregister.co.uk/2014/10/14/isight_microsoft_announce_windows_and_windows_server_0day/

Russian Hackers Target EU, NATO

Shellshock bash code injection vulnerability: what do you need to do, and what is the risk?

Report from SANS ISC

Bash Code Injection (Shellshock) Vulnerability (CVE-2014-6271)

CentOS Bash vulnerability announced on 2014/09/24: how to fix it

How to fix the bash code injection flaw on CentOS/Red Hat 6.x servers

HackerKast Shellshock- September 25, 2014 – WhiteHat Security

A number of UK, US and Australian iPad and iPhone users are experiencing problems with their Apple devices. A message reading something like the following is popping up on their screens:

iPhones and iPads under attack

Device hacked by Oleg Pliss. For unlock device…

In order to unlock the device Mr Pliss is asking for the modest sum of $100/€50. Although the mechanism used to hack these accounts is still unclear, it seems the attackers got hold of the victims' iCloud login credentials and locked their devices remotely. It is speculated that the attackers obtained these credentials from another data breach and simply guessed that Apple users would reuse the same details.

If you haven't become a victim of this attack:

  1. Enable 2FA (two-factor authentication) right now for your iCloud account. This will prevent someone holding your iCloud login details from accessing it. Instructions on how to enable 2FA can be found on Apple's support site: http://support.apple.com/kb/HT5570
  2. Change your iCloud password as a preventive measure, especially if you are using the same password for different sites. Instructions on how to do this can be found on Apple's support site: http://support.apple.com/kb/PH2617
  3. Don't pay the ransom.

Steps to take if you have become a victim:

  1. If the attackers have set a passcode on your device, instructions on how to bypass the lock can be found on Apple's support site: http://support.apple.com/kb/ht1212 However, this requires resetting the device, which erases all information that is not backed up.
  2. If you cannot recover control of your device, you may need to contact Apple's customer support. The phone numbers are here: http://support.apple.com/kb/he57

This attack is believed to have originated from a phishing email in which users were told their "Apple ID has been Disabled for Security Reasons!", which was actually a trick to steal their Apple login details.

Cyber criminals are running a Skype-based campaign aimed at spreading malicious software. We have seen reports of many users receiving messages that appear to come from friends in their Skype contact lists. These messages are part of a social engineering attack against Skype users.

Read More: http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/

Due to a security flaw in the Samsung Galaxy S3, your phone's data can be wiped just by browsing web pages (on a compromised website). Attackers have become aware of this flaw and are placing hidden code in web pages that triggers the remote wipe feature of the phone without the permission of, or any input from, the phone's user. This code is presently circulating online through websites, but it is also possible that attackers will adapt the code to a text message distribution method, a QR code or an NFC tag.

Other reports on the internet say that more codes built into Samsung devices have been uncovered that could be used in other attacks, such as killing the phone's SIM card. Beyond these claims we have not yet seen any evidence of such code.

It is also believed that this code may trigger a factory reset on the Galaxy S2 and other Samsung devices that use Samsung's "TouchWiz" interface.

How to protect yourself from this issue:
Back up your smartphone's content, and check regularly on the Samsung website to see if they have released an update to fix your phone.
The only way to guard against the attacks is to switch off "service loading" in settings, and disable QR code and NFC apps.
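
The hidden code the advisory describes reaches the phone as a `tel:` URI in a link, frame or redirect whose "number" is a dialer (MMI/USSD) string, which the phone hands straight to its dialer; the advisory itself does not name the mechanism, but that is how the 2012 reports worked. The scanner below is an added example, not from the advisory or Samsung: it parses HTML and reports every `tel:` target carrying the MMI characters `*` or `#`, so a web filter or mail gateway can hold such pages for review. The sample HTML is constructed, and the only dial string in it is the harmless IMEI-display code `*#06#`, not the reset codes quoted later in this advisory.

```python
"""Flag web content that would hand a dialer (MMI/USSD) string to a phone's dialer.

Added example, not from the advisory or Samsung. A tel: URI in a link, frame or
meta-refresh is passed to the phone's dialer; a dial string containing * and # is an
MMI code, and the advisory's reset codes have exactly that shape. This scanner reports
every tel: target containing * or #. The sample HTML is constructed, and its only dial
string is the harmless IMEI-display code *#06#.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import unquote

MMI_CHARS = frozenset("*#")

# Constructed sample page: one ordinary phone link, a zero-size frame and a meta refresh
SAMPLE_HTML = """
<html><body>
<a href="tel:+353-1-555-0100">Call our office</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2A%2306%23">
</body></html>
"""


def dial_string(tel_target: str) -> str:
    """URL-decode the part of a tel: target after the scheme ('tel:*%2306%23' -> '*#06#')."""
    return unquote(tel_target[len("tel:"):])


def is_mmi_code(tel_target: str) -> bool:
    """True if the decoded dial string contains the MMI characters * or #."""
    return any(ch in MMI_CHARS for ch in dial_string(tel_target))


class TelTargetCollector(HTMLParser):
    """Collect (tag, tel: target) for every attribute value or meta-refresh URL using tel:."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            value = value.strip()
            if tag == "meta" and name == "content":
                # meta refresh carries its destination as content="0; url=tel:..."
                value = value.partition("url=")[2].strip()
            if value.lower().startswith("tel:"):
                self.targets.append((tag, value))


def find_mmi_dialer_links(html: str) -> List[Tuple[str, str]]:
    """Return (tag, decoded dial string) for each tel: target that carries an MMI code."""
    collector = TelTargetCollector()
    collector.feed(html)
    return [(tag, dial_string(t)) for tag, t in collector.targets if is_mmi_code(t)]


if __name__ == "__main__":
    for tag, code in find_mmi_dialer_links(SAMPLE_HTML):
        print(f"<{tag}> would hand dial string {code!r} to the dialer")
```

The ordinary `tel:+353...` link is left alone, so the check does not break click-to-call on legitimate sites; the decoding step matters because the characters are usually percent-encoded (`%23` for `#`) in the page source.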

How to test your phone
You can test your phone by entering either of the two codes provided here:

*2767*688#
or
*2767*2878#

Please make a BACKUP of all the data on your phone before using these codes, because if your phone is vulnerable the code will wipe all data on your phone and reset it to factory defaults.

Devices from other Android manufacturers appear to be unaffected.

Internet SCAM

An internet scam targeting Bank of Ireland 365 customers has been detected. The attackers are sending emails to Irish email addresses with a message saying that your account has been temporarily limited. The emails are designed to look as if they have come from Bank of Ireland 365 online banking. The emails we have received have not come from Bank of Ireland, and the link in the email does not take you to a Bank of Ireland server. This is a social engineering attack by cybercriminals to steal your banking login details.

If you have already fallen victim to this attack change your banking login details immediately.

--------------------------------------------------------------------

From: 365 Online [mailto:no-reply@365online.ie]
Sent: Friday, March 09, 2012 12:45 PM
To: niall@securityitrust.com
Subject: Your account has been temporarily limited. ID: 201203WJS2

Bank of Ireland 365 internet scam

Dear Customer,

Your account has been temporarily limited.
To remove the limitation from your account
please confirm your credit card details on file.

For confirmation, please click the link below:

Sign In to 365online account – (link to a fake website designed to look like 365 Online).

We apologise for any inconvenience caused.
Thank you.

--------------------------------------------------------------------
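
The quoted message shows the two tells a mail filter can check automatically: the From: header claims the bank's domain, while the "Sign In" link points somewhere else. The script below is an added example, not from the advisory or Bank of Ireland; it parses a constructed message modelled on the one above, using a placeholder hostname for the fake site because the real link is not reproduced on the page, and flags every link whose host is neither the sender's claimed domain nor a subdomain of it.

```python
"""Compare the links in an e-mail with the domain its From: header claims.

Added example, not from the advisory or Bank of Ireland. The message is constructed to
match the shape of the one quoted in the advisory, with a placeholder hostname for the
fake site because the real link is not reproduced on the page.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: 365 Online <no-reply@365online.ie>
To: customer@example.com
Subject: Your account has been temporarily limited. ID: 201203WJS2
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account has been temporarily limited. To remove the limitation from your account
please confirm your credit card details on file. For confirmation, please click the link below:</p>
<p><a href="http://365online-login.placeholder-phish.example/signin">Sign In to 365online account</a></p>
<p>We apologise for any inconvenience caused. Thank you.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect {"href", "text"} for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def sender_domain(msg) -> str:
    """Domain part of the From: address, lower-cased ('365online.ie' for the sample)."""
    address = email.utils.parseaddr(str(msg["From"]))[1]
    return address.rsplit("@", 1)[-1].lower()


def host_matches_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it, never a mere substring."""
    return host == domain or host.endswith("." + domain)


def analyse(raw: str) -> Dict[str, object]:
    """Parse a message and list the links whose host does not belong to the claimed sender domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    extractor = LinkExtractor()
    extractor.feed(body)
    suspicious = []
    for link in extractor.links:
        host = (urlparse(link["href"]).hostname or "").lower()
        if not host_matches_domain(host, domain):
            suspicious.append({"text": link["text"], "host": host})
    return {"claimed_domain": domain, "links": extractor.links, "suspicious": suspicious}


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("From: claims", report["claimed_domain"])
    for item in report["suspicious"]:
        print(f"link {item['text']!r} goes to {item['host']}, not {report['claimed_domain']}")
```

Because the From: header is trivially forged, the domain it claims is only the reference point for the comparison; the link mismatch is the signal, and the SPF or DKIM results on the received message tell you whether the claimed domain authorised the sending server at all.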