ANCHOR CYBER FEED

Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser...

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here . Of all the common applications in most organizations, email is perhaps the most basic and essential. Any systems administrator knows that if email goes down they will hear about it very quickly! Email is also the very most common route for systems intrusions to begin in the modern enterprise. The most common example is "phishing" or "spear phishing" messages that lead to malware infections; the difference between the two is that general "phishing" is aimed at a broad audience (think of fishing with a tuna net) and spear phishing is aimed at one target or a small group of targets (think of fishing with, well, a spear). The malware can be anything from "ransomware" that tries to encrypt your files and hold them for ransom to a remote access trojan (RAT) that silently gives a hacker a...

Vulnerability in Key Unix/Linux System Library Potentially Puts Millions of Computers at Risk Last Tuesday, Google's engineering team released details on a vulnerability they had found and had been working on in cooperation with Red Hat. The vulnerability is in a ubiquitous Unix/Linux system library, in the function that handles DNS lookups. A malicious DNS server could potentially send replies in response to DNS requests that would run arbitrary code to run on the requesting machine. See our blog post from last week for full details: http://www.anchortechnologies.com/blog/vulnerability-in-dns-affects-wide-range-of-systems VMWare Issues New Patch to Replace One from Last Fall That Didn't Quite Fix the Problem VMWare issued a patch last October for CVE-2015-2342, a very serious issue in vCenter running on Windows. Last Friday VMWare issued a replacement for that patch, explaining in the new advisory that the original patch "did not address the issue." The vu...

This is a complex one. Google announced on Tuesday their discovery of a serious vulnerability in the function ("getaddrinfo") used by the GNU C library ("glibc") on Unix/Linux systems to do DNS lookups. The bug had actually been reported by other researchers back in July of last year, but the potentially serious way in which it could be exploited was not known until now. Google states that exploiting the vulnerability is "not trivial," but that a successful exploitation could enable an attacker to gain complete control of a vulnerable system. Given that the majority of servers on the Internet are Unix/Linux-based, as are modern Mac computers, Apple i-devices, and Android devices, a serious vulnerability in glibc affects a massive range of computer systems and mobile devices [update -- Apple iOS, Mac OS X, and Android all use different C libraries, not glibc, and are likely not affected]. Patches have started to be released by some vendors, but it may be ...

Major Vulnerability in Cisco ASA Firewalls Announced; Patch Available Cisco announced last Wednesday a major vulnerability that had been discovered in their ASA firewall platform. The flaw is found in the VPN service (specifically the IKE protocol for VPN authentication and setup) on the firewalls, and appears to affect every current version of the firewall. The flaw potentially allows an attacker to gain complete control of the firewall, and is already being actively exploited via the Internet. Cisco has an update available to fix the issue, and anyone running a Cisco firewall is urged to update as soon as possible. If it is not possible to update the firewall software immediately, disabling the VPN services on the firewall would appear to render the firewall invulnerable in the meantime. See Anchor's blog post from earlier this week for more details: http://www.anchortechnologies.com/blog/very-serious-cisco-asa-firewall-vuln-patch-asap Microsoft Issues Twelve Security Bu...

Cisco announced on Wednesday afternoon a very serious, newly-discovered vulnerability that affects their entire ASA firewall line. The vulnerability is triggered by specifically-crafted packets directed at the VPN service running on the firewall, specifically the IKE (Internet Key Exchange) protocol (usually running on UDP port 500). The attacker can embed commands within the exploit packets to potentially run arbitrary code on the system and gain total control of the firewall. Alternatively, exploit attempts could cause the firewall to shut down and restart. http://www.pcworld.com/article/3032497/critical-vpn-key-exchange-flaw-exposes-cisco-security-appliances-to-remote-hacking.html This vulnerability, CVE-2016-1287, has a CVSS (Common Vulnerability Scoring System) rating of 10.0, the highest possibly rating. Also, SANS' Internet Storm Center states that there is significant active scanning already taking place by hackers in an effort exploit vulnerable Cisco firewalls. If y...

Multiple Critical Vulnerabilities in Malwarebytes Disclosed; Still no Patch Available Last week Google's Project Zero disclosed several serious vulnerabilities in Malwarebytes' anti-malware software. Project Zero researcher Tavis Ormandy informed Malwarebytes of the issues back in November, and Malwarebytes says they were able to fix several of the reported bugs in the intervening months. They say that they should have a patch for the remainder in the next 3-4 weeks. Malwarebytes is advising customers to enable the "self-protection" setting on their software to mitigate the reported vulnerabilities. http://www.scmagazine.com/malwarebytes-says-sorry-for-multiple-av-bugs-still-unpatched/article/470738/ http://tps//blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/ https://code.google.com/p/google-security-research/issues/detail?id=714 Oracle Announces Java Browser Plugin to be Discontinued Oracle has announced plans to d...