Our weekly application security news roundup for March 28 to April 1 2016 features “Google dorking,” another healthcare institution malware victim, new Android vulnerability, and details on Petya ransomware. Read on for details on the following headlines:
- Investigators suspect “Google dorking” in Iranian hackers’ attempt to attack a New York dam,
- Healthcare institution MedStar is a victim of a malware attack,
- Truecaller for Android vulnerability put personal data of 100 million users at risk,
- Multiple XSS vulnerabilities spotted in Zen Cart,
- Researchers publish black market prices for widely used cyberattack tools,
- Details emerge on "Petya" ransomware,
- Malware detected in Cisco and Snort software,
- An iOS exploit is discovered by Check Point,
- A bug in Trend Micro’s software left a remote debugging server running on customer machines,
- A report shows recent proliferation of Android malware
"Google dorking" was employed by Iranian cyber attackers
The Wall Street Journal today is taking a look at an advanced search method called "Google dorking" that may have played into an Iranian hacking group's attempts to attack a New York state dam in 2013. This involved using an advanced Google search to pinpoint weaknesses in the dam located in Rye Brook, NY.
A cybersecurity consultant quoted in the article points out that white hats often use this method non-maliciously in order to identify network weak spots. Last week's discovery of the 2013 incident continues to be a cause of concern for those closely following cyberattackers’ growing interest in targeting U.S. critical infrastructure.
Also covered in Slate.
Medstar shut down by malware
Medstar, a non-profit healthcare institution that runs 10 hospitals in the D.C.-area, has been hit by a malware attack that has blocked access to its internal network, leading the affected hospitals to revert to paper transactions temporarily. In a statement, Medstar said no patient data had been compromised.
While the nature of the attack hasn't been publicized yet, a report from Computerworld was among those that speculated on a connection to recent ransomware attacks against hospitals in California and Kentucky. USA Today and others report an FBI investigation has been launched.
Truecaller for Android vulnerability put personal data of 100 million users at risk
More than 100,000 Android users are at significant risk of losing sensitive data due to a severe vulnerability that has been found in Truecaller for Android by Cheetah Mobile.
Truecaller explained in a rundown on its website that the app uses devices' IMEI numbers as the only way to identity users, which means that anyone with access to the IMEI of a device will be able to get Truecaller users' personal information and mess with their app settings to expose them to phishing attacks. The flaw put phone numbers, home addresses and gender information at risk of falling into the hands of hackers, reports The Inquirer.
Researchers spot multiple XSS vulnerabilities in Zen Cart
Trustwave researchers have discovered multiple Cross-Site Scripting (XSS) vulnerabilities in the administration section of the online store management platform Zen Cart.
The price of popular cyberattack tools
Dark Reading has published a slideshow listing average black market prices of widely used cyberattack tools. Among those included are botnet booter rentals ($60/day or $400/week), compromised website access ($3-25), exploit kits ($600-1800/month) and healthcare data ($4,700 for a bundle of 10 Medicare numbers).
The figures are drawn from recent reports and research carried out by Trend Micro
McAfee and Dell SecureWorks.
Researchers learning more about Petya ransomware
A new advanced form of crypto-ransomware dubbed Petya has been targeting German companies via infected Dropbox links. Threatpost explains that the function of Petya is a "radical departure" from other strains of ransomware because it encrypts the master file table of the affected computer, rather than files, network shares or backups. Once delivered, Petya demands $400 in Bitcoin to decrypt the file table.
A report in Computerworld expands on this: "The new Petya ransomware overwrites the master boot record (MBR) of the affected PCs, leaving their operating systems in an unbootable state." Trend Micro was one of the first to catch wind of Petya, and has provided info on its company blog.
Exploit affects Cisco and Snort security software
A new exploit given the title CVE-2016-1345 leaves two types of security software—Cisco's Firepower firewall and the open source intrusion prevention solution Snort—susceptible to malware. The official advisory explains: "A crafted HTTP request can bypass malicious file detection, or could block policies configured on the system." More information can be found in The Register.
New iOS exploit detailed by Check Point
Check Point Software shared details on a newly discovered iOS exploit from the Black Hat Asia conference. They claim they have found an issue in the iOS MDM interface that allows devices to be taken over by an attacker. Check Point has named the exploit "SideStepper."
Ars Technica explains the mechanics of an attack made possible by the exploit: "By sending a link to a victim's device, someone could take control of the MDM software on the phone and push potentially malicious applications to the device as well as perform other configuration changes as a remote administrator." Although iOS 9 incorporated more measures that prevent apps with untrusted certificates to run on devices, MDM systems remain a loophole since iOS automatically trusts any app run through them.
Patch out for 'ridiculous' Trend Micro command execution vuln
A bug in Trend Micro’s software accidentally left a remote debugging server running on customer machines, leaving Password Manager, Maximum Security and Premium Security all at risk.
Trend Micro issued a patch for the flaw on Wednesday, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to Trend. In a statement, Trend Micro explained its handling of the bug, which it points out affects only its consumer security software and not its enterprise technology, reports The Register.
Report says Android malware doubled in 2015
A Trend Micro report issued this week says that the number of cases of Android malware doubled in 2015. It states that in Q4 2015 alone, 10.6 million Android malware attacks were detected. These figures are accompanied by an overview of Android security over the past year, noting that the MediaPlayer component was especially susceptible to attack due to Stagefright and related incidents.