Latest Hacking News

5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported unauthorized access to online customer accounts on its websites Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP.

According to the public notice released by the company on Jan. 29, 2016, approximately 5,200 accounts have been affected. The compromised information includes usernames, passwords, names, mailing addresses, phone numbers, the last four digits of payment cards, and purchase histories.

No sensitive information such as Social Security numbers, dates of birth, financial account numbers, or PINs is visible through the online accounts.

The websites were breached on or around Dec. 26, 2015, when an unauthorized individual gained access by using automated attacks to try various username and password combinations. As a result, the attacker was able to make purchases on approximately 70 of these accounts.

The company's senior vice president, Lindy Rawlinson, said in a letter to customers that the company's fraud team "has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase."

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

The company has also asked its customers to change their passwords on all NMG websites and on any other site where they use the same username and password combination.
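The Neiman Marcus incident is a textbook credential-stuffing pattern: one source tries many different accounts, fails on most of them, and succeeds on the few where the customer reused a leaked password. The following added example (not from the report or from NMG) shows how a defender can flag that pattern in authentication logs. The log lines and their format (`<ISO timestamp> <source IP> LOGIN <username> <FAIL|SUCCESS>`) are constructed for the example, and the thresholds are assumptions to tune per site.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example; the log format and thresholds below are assumptions,
and SAMPLE_LOG is constructed test data, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays many accounts (two hits), one
# legitimate user mistypes a password twice, one normal login.
SAMPLE_LOG = """\
2015-12-26T02:00:01 203.0.113.7 LOGIN alice FAIL
2015-12-26T02:00:02 203.0.113.7 LOGIN bob FAIL
2015-12-26T02:00:03 203.0.113.7 LOGIN carol FAIL
2015-12-26T02:00:04 203.0.113.7 LOGIN dave SUCCESS
2015-12-26T02:00:05 203.0.113.7 LOGIN erin FAIL
2015-12-26T02:00:06 203.0.113.7 LOGIN frank FAIL
2015-12-26T02:00:07 203.0.113.7 LOGIN grace FAIL
2015-12-26T02:00:08 203.0.113.7 LOGIN heidi FAIL
2015-12-26T02:00:09 203.0.113.7 LOGIN ivan FAIL
2015-12-26T02:00:10 203.0.113.7 LOGIN judy FAIL
2015-12-26T02:00:11 203.0.113.7 LOGIN mallory FAIL
2015-12-26T02:00:12 203.0.113.7 LOGIN oscar SUCCESS
2015-12-26T02:03:00 198.51.100.2 LOGIN alice FAIL
2015-12-26T02:03:20 198.51.100.2 LOGIN alice FAIL
2015-12-26T02:03:40 198.51.100.2 LOGIN alice SUCCESS
2015-12-26T09:15:00 192.0.2.44 LOGIN bob SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _verb, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=10, min_users=8):
    """Return {ip: stats} for sources that, inside any sliding window,
    produced at least min_failures failed logins spread over at least
    min_users distinct accounts.  That shape (many accounts, roughly one
    try each) separates stuffing from a single user mistyping a password.
    Every successful login from a flagged source is listed so the
    account owners can be forced to reset and their orders reviewed.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e[3] == "FAIL"]
            if len(fails) >= min_failures and len({e[2] for e in fails}) >= min_users:
                all_fails = [e for e in evs if e[3] == "FAIL"]
                findings[ip] = {
                    "failures": len(all_fails),
                    "distinct_users": len({e[2] for e in all_fails}),
                    "successes": sorted({e[2] for e in evs if e[3] == "SUCCESS"}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The legitimate user on 198.51.100.2 is not flagged because all of their failures hit one account; the spraying source is, and the two accounts it logged into successfully are exactly the ones that would need a forced password reset and a purchase review.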

Flaw in Westermo Industrial Switches puts customer devices at risk

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed last week that Westermo industrial Ethernet switches use Secure Sockets Layer (SSL) private keys that are hardcoded and shared across devices.

Westermo, a Sweden-based company, supplies data communications equipment designed for harsh industrial environments. Its products are used worldwide in sectors such as transport, water, energy supply, mining and petrochemicals.

ICS-CERT warned that the shared SSL keys could be used by malicious actors to intercept and decrypt communications via a man-in-the-middle (MitM) attack, and that the information obtained could then be leveraged to gain unauthorized access to a vulnerable device.

Even a low-skilled attacker could exploit this flaw if they manage to establish a MitM position against devices running WeOS versions 4.18 and earlier, the operating system that powers Westermo's hardware platforms.

The affected products include the Falcon, Wolverine, Lynx, Viper and RedFox switches.

The company is addressing the flaw with an automated key-change function that will ship in WeOS 4.19. In the meantime, the vendor has released an update that lets users replace the problematic certificate through the web interface of the affected devices.

Users have been advised to update WeOS to the latest version and to upload a custom certificate by following the vendor's instructions.

The vendor has also warned its customers to avoid self-signed certificates and to either disable web access to the devices entirely or restrict it to secure networks.

BlackEnergy malware behind power outages in Ukraine

The advanced persistent threat (APT) actor that has recently targeted Ukraine has started delivering the BlackEnergy malware through specially crafted Word documents that contain embedded macros.

BlackEnergy, which is believed to be operated by multiple groups, has acquired sophisticated tooling, and its operators have been targeting energy and ICS/SCADA companies across the world. Recently they have been seen targeting Ukraine's critical infrastructure.

In December, a BlackEnergy attack resulted in a power failure in the Ivano-Frankivsk region. Alongside BlackEnergy on the affected systems, investigators found the KillDisk plugin, which is designed to delete data and render systems inoperable. Researchers believe the outages were caused not by the malware alone but by the malware in combination with such plugins.

CyS Centrum, a Ukrainian security firm, reported that the attackers used PowerPoint presentations to deliver the malware. Previously, the threat actors typically embedded macros in Excel spreadsheets to drop the Trojan onto targeted systems.

Kaspersky Lab recently reported that the attackers used specially crafted Microsoft Word documents: malicious code was attached to the documents, which were then emailed to potential victims.

The document was crafted so that, when it was uploaded to an online scanning service, very few security products flagged it as a threat, so it passed through security systems undetected.

When a user opens the document, it displays a message that macros have been disabled for security reasons and must be enabled. Once the user enables macros, an executable file named "vba_macr.exe" is created and run on the system.
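Because the infection described above only proceeds once a macro-enabled document reaches a user, a mail gateway or file-drop scanner that recognises such documents before delivery is a practical control. The following added example (not from Kaspersky's report or any vendor) classifies an attachment by inspecting the OOXML package for a VBA project part; the packages it builds are constructed in memory as sample data, and the `vbaProject.bin` content in them is a placeholder, not real VBA storage.

```python
"""Classify Office attachments by whether they carry a VBA macro project.

Added example; build_ooxml() constructs minimal sample packages so the
check can run offline.  Real OOXML files carry the same markers: a
word/vbaProject.bin part and an Override for its content type.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML package (sample data for this example)."""
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        content_types.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types.append("</Types>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "\n".join(content_types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the compiled VBA storage.
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return one of 'macro', 'clean', 'legacy-ole2' or 'not-office'.

    'legacy-ole2' means a binary Office format that this check cannot
    inspect without an OLE parser; a gateway should treat it as
    unverified rather than clean.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return "not-office"
        ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        if VBA_CONTENT_TYPE in ctypes or has_vba_part:
            return "macro"
    return "clean"


if __name__ == "__main__":
    for label, blob in (("macro doc", build_ooxml(True)),
                        ("plain doc", build_ooxml(False))):
        print(label, "->", classify_attachment(blob))
```

A sensible gateway policy built on this is to quarantine or strip anything classified `macro` or `legacy-ole2` from external senders, so the "enable macros to view" lure never reaches the user in the first place.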

Security firm SentinelOne even concluded that insiders may have assisted the BlackEnergy attackers, especially in operations aimed at SCADA systems.

"The only two options then to carry out the attack are – target a victim's machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor," SentinelOne said in its report.

Udi Shamir, Chief Security Officer at SentinelOne, told SecurityWeek that a new attack targeting a Ukrainian power facility had been detected very recently, but that full details were not yet known.

Magento releases update for fixing security vulnerabilities

Magento, an e-commerce platform, has released an update that fixes a number of vulnerabilities, including two critical stored cross-site scripting (XSS) issues.

The stored XSS flaws allow attackers to hijack Magento-based websites by taking over administrator accounts, which may result in the theft of sensitive customer data.

The first vulnerability affects almost every version of Magento, in both the Community Edition (CE) and the Enterprise Edition (EE). It can be exploited remotely: the attacker submits an email containing malicious JavaScript through the CMS platform.

Magento does not properly validate the content of the email and renders it in an administrator's context, where the malicious code is able to steal the administrator's session.

Cybersecurity firm Sucuri says: "The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."

The second bug was discovered in the comments section of the Magento CMS. Because Magento does not filter the request properly, the JavaScript code is saved to the Magento database. When an administrator later views the stored content in the back end, the code executes and leads to session hijacking.
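Both Magento bugs share one root cause: attacker-supplied text (an email address, a comment) is stored and later written straight into an administrator's HTML page without contextual output encoding. Magento itself is PHP; the added example below illustrates the same defect and its fix in Python for readability, and it is not Magento's code. The stored rows and the `render_unsafe`/`render_safe` functions are constructed for the example; the payloads are inert markers chosen only so the difference shows up in a parser.

```python
"""Stored XSS: unencoded rendering beside the hardened version.

Added example, not Magento code.  STORED_COMMENTS stands in for rows an
unfiltered form saved to the database; render_unsafe() is the defective
pattern, render_safe() applies contextual output encoding.
"""
import html
from html.parser import HTMLParser

# Constructed rows: one ordinary comment, one carrying an attribute
# break-out in the author field and a script tag in the body.
STORED_COMMENTS = [
    {"author": "regular user", "body": "Great product!"},
    {"author": '" onmouseover="alert(1)', "body": "<script>alert('xss')</script>"},
]


def render_unsafe(comment):
    # Vulnerable: stored strings are interpolated directly into markup,
    # so anything saved in the database becomes live HTML for the admin.
    return f'<div class="comment" data-author="{comment["author"]}">{comment["body"]}</div>'


def render_safe(comment):
    # Hardened: html.escape() encodes < > &, and with quote=True (the
    # default) also " and ', so the author value cannot close its
    # attribute and the body cannot introduce a tag.
    return '<div class="comment" data-author="{}">{}</div>'.format(
        html.escape(comment["author"], quote=True),
        html.escape(comment["body"]),
    )


class ActiveContentFinder(HTMLParser):
    """Record script tags and on* event-handler attributes the browser would see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
        if tag == "script":
            self.findings.append("script tag")


def active_content(rendered):
    """Return a list of script/event-handler findings in rendered HTML."""
    parser = ActiveContentFinder()
    parser.feed(rendered)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for c in STORED_COMMENTS:
        print("unsafe:", active_content(render_unsafe(c)))
        print("safe:  ", active_content(render_safe(c)))
```

Running the parser over both renderings of the second row shows the point: the unsafe version yields an `onmouseover` handler and a `script` element, the encoded version yields nothing, while an ordinary comment renders identically either way. The same reasoning applies to any field an admin panel displays, which is why escaping belongs in the template layer rather than in ad-hoc checks on individual inputs.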

Besides these two critical vulnerabilities, the update also fixes RSS-based information leaks, weaknesses that made brute-force attacks easier, a lack of form protection on the admin login page, and more.

To protect websites from exploitation, apply the latest patch bundle, SUPEE-7405, as soon as possible.
