Skip to main content
March 16, 2016

Today's AppSec News: NY Times hit with malvertising, XSS in some VMware products

Major News Websites Hit by Malvertising Attacks

Major websites including the BBC, Newsweek, The New York Times and MSN ran malicious online advertisements on Sunday that attacked users’ computers, a campaign that one expert said was the largest seen in two years.

"Researchers at Trend Micro, Malwarebytes, and Trustwave each reported a spike in malicious traffic over the weekend that impacted thousands of websites. It isn't clear if the upticks were part of a larger coordinated effort. What is clear is that the person(s) driving the campaign knew what they were doing," reported CSO.

Tens of thousands of computers may have been exposed to the harmful ads on Sunday. IDG reports, "The advertisements connected with servers hosting the Angler exploit kit. The kit tries to find software vulnerabilities on a computer in order to deliver malware. A successful exploit could deliver ransomware, a type of malware that encrypts a computer’s files. Victims are asked to pay a ransom, usually in bitcoin, in order to get the decryption key and restore their systems."

VMware vRealizes that vRealize has XSS bugs on Linux

Several vRealize products have a pair of Cross-Site Scripting bugs that could compromise a user's workstation, meaning that both vRealize Business Advanced and Enterprise 8.x on Linux need a patch to version 8.2.5.

On the fix front, the list is long and addresses some things that look very irritating - “Virtual machine is deleted during re-provisioning when a datastore is moved from one SDRS cluster to another” - and others that are mere annoyances, such as an issue that meant “After you upgrade to vRealize Automation 7.0, duplicate catalogue items for the same business group appear in the catalogue,” reports The Register.

Malware Gang Steals Legitimate Certificates

Ars Technica reported this morning that one of the keys to a gang called Suckfly’s advanced hacking operation is having plenty of stolen code-signing certificates on hand to give its custom malware the appearance of legitimacy. The group has used at least nine separate signing certificates from nine different companies since 2014.

"After tracing the hacking group's traffic to IP addresses in Chengdu, China, Symantec researchers ultimately identified a much larger collection of custom-developed backdoors and hacking tools that were signed by nine different certificates from nine different companies. Curiously, all nine of the compromised companies are located within a few miles of each other in Seoul. While the physical proximity is suspicious, the researchers ultimately speculated it was coincidental."

The article continues, "Digitally signed certificates allow Suckfly exploits to work seamlessly without calling attention to themselves. One of the group's booby-trapped Web pages, for example, was able to exploit a 2014 vulnerability in a Microsoft Windows component known as Object Linking and Embedding when it was viewed with Internet Explorer."

Eric manages global public relations at Veracode. In this role, he manages all facets of the company’s PR efforts. He brings more than 13 years’ experience in the industry. Prior to Veracode, Eric ran public relations activities for CyberArk across the US, EMEA and APJ.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.