63,000 Social Security numbers compromised in UCF hack

The University of Central Florida (UCF) recently suffered a data breach: hackers stole the names and Social Security numbers of nearly 63,000 current and former UCF students and employees.

The FBI's Jacksonville office is investigating the case together with UCF Police and other agencies; it has sent notifications to all U.S. colleges "in an effort to identify other potential victims."

UCF first discovered the breach in January but did not announce it publicly until a month later.

The affected students include 600 current student-athletes, former student-athletes who last played in the 2014-15 season, student staff managers of the teams and people in other related positions. The rest are current UCF employees and others who worked at UCF as far back as the 1980s.

According to Von Welch, director of Indiana University's Center for Applied Cybersecurity Research, this case shows how frequently hackers steal data and that such attacks are the new reality for schools, governments and others.

"It's an extremely hard situation for folks like UCF to be in," Welch said. "They have the large databases … All it takes is one mistake for hackers to exploit. If you're anything less than perfect, these hacks can occur."

Joel Hartman, head of the university's information technology department, said the university is still unclear who is responsible for the attack, but the initial investigation suggests it was carried out by multiple individuals.

"All the information we have indicates there has been no attempt to use this information for identity theft or fraud or other financial means," Hartman said.

Those affected by the hack will be notified by letters that are expected to be mailed Friday.

The university has also launched a website to answer questions at www.ucf.edu/datasecurity.

Outpost24 researchers find major flaws in Sauter SCADA systems

Flaws in Sauter's moduWEB Vision SCADA product can be exploited by remote attackers to take full control of the product. The flaws were identified by researchers at the vulnerability management company Outpost24.

Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.

One of the flaws is that, although Sauter tells users to change the administrator account's password, the product ships with other default accounts that are not covered in the vendor's documentation, leaving them open to attackers.

Attackers can then reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.

Attackers do not need to crack the password hash to access the admin account; they can use the hash directly to authenticate to the system.

The researchers also found that some passwords are transmitted in clear text (CVE-2015-7915) when the password field is populated with the "keep me logged in" feature enabled; this feature is only enabled in newer versions of the SCADA system.

In addition, an attacker can leverage a persistent cross-site scripting vulnerability in the user and event management panels to elevate privileges and execute commands on behalf of an administrator.

Installations of the product are exposed to the internet and are easy to locate, because the product runs on a web server that returns distinctive header information.

The vendor has released firmware version 1.6.0 to address the issues, but Outpost24 says some of the vulnerabilities remain unfixed.

The vulnerabilities were reported to the company in April of last year.

5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported unauthorized access to online customer accounts on its Neiman Marcus, Bergdorf Goodman, Last Call and CUSP websites.

According to the public notice released by the company on Jan. 29, 2016, approximately 5,200 accounts were affected. The compromised information includes usernames, passwords, names, mailing addresses, phone numbers, the last four digits of payment cards, and purchase histories.

Sensitive information such as Social Security numbers, dates of birth, financial account numbers and PINs is not visible through the online accounts.

The websites were breached on or around Dec. 26, 2015, when an unauthorized individual gained access using automated attacks that tried various username and password combinations (credential stuffing). As a result, the attacker was able to make purchases on approximately 70 of these accounts.
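The automated login attempts described above leave a recognisable pattern in web server or authentication logs: one client address cycling through many different usernames with a low success rate. The following detector is an added example, not Neiman Marcus Group code; the log line format and the sample log are constructed for the illustration.

```python
"""Credential-stuffing detector over web login logs.

Added example, not Neiman Marcus Group code. The log format below is an
assumption chosen for the example:
    <ISO-8601 timestamp> src=<client ip> user=<username> result=<OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one client cycles through a stolen credential list
# (mostly failures, two hits), plus two ordinary users.
SAMPLE_LOG = """\
2015-12-26T03:14:00Z src=203.0.113.5 user=alice result=FAIL
2015-12-26T03:14:01Z src=203.0.113.5 user=bob result=FAIL
2015-12-26T03:14:02Z src=203.0.113.5 user=carol result=OK
2015-12-26T03:14:03Z src=203.0.113.5 user=dave result=FAIL
2015-12-26T03:14:04Z src=203.0.113.5 user=erin result=FAIL
2015-12-26T03:14:05Z src=203.0.113.5 user=frank result=FAIL
2015-12-26T03:14:06Z src=203.0.113.5 user=grace result=OK
2015-12-26T03:14:07Z src=203.0.113.5 user=heidi result=FAIL
2015-12-26T03:20:00Z src=198.51.100.7 user=alice result=FAIL
2015-12-26T03:20:30Z src=198.51.100.7 user=alice result=OK
2015-12-26T04:00:00Z src=192.0.2.9 user=ivan result=OK
"""


def parse_log(text):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["user"], m["result"])


def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames within `window`
    with a low success rate, and list the accounts they did get into."""
    by_src = defaultdict(list)
    for ts, src, user, result in parse_log(text):
        by_src[src].append((ts, user, result))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start < window]
            users = {u for _, u, _ in in_window}
            if len(users) < min_users:
                continue
            failures = sum(1 for _, _, r in in_window if r == "FAIL")
            success_rate = 1 - failures / len(in_window)
            if success_rate <= max_success_rate:
                findings[src] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Successful logins from a stuffing source: force a password reset.
                    "accounts_to_reset": sorted(u for _, u, r in in_window if r == "OK"),
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, finding)
```

The user who failed once and then succeeded from 198.51.100.7 is a normal typo, not an attack, which is why the rule keys on the number of distinct usernames per source rather than on failures alone. Accounts that saw a successful login from a flagged source are exactly the ones whose owners need the password-reset notice the company sent.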

The company's senior vice president, Lindy Rawlinson, said in a letter to customers that the company's fraud team "has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase."

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

The company has also asked its customers to change their passwords on all NMG websites and on any other site where they use the same username and password combination.

Flaw in Westermo Industrial Switches puts customer devices at risk

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed last week that Westermo Ethernet industrial switches use secure sockets layer (SSL) private keys that are hardcoded and shared across devices.

Westermo, a Sweden-based company, supplies high-quality data communications equipment designed for harsh industrial applications. The firm's solutions are used around the world in sectors such as transport, water, energy supply, mining and petrochemicals.

ICS-CERT warned that because the devices share the same SSL key, malicious actors can intercept and decrypt communications via a man-in-the-middle (MitM) attack and use the information to gain unauthorized access to a vulnerable device.

Even a low-skilled attacker can exploit this flaw if they manage to launch a successful MitM attack on devices running versions 4.18 and earlier of WeOS, the operating system that powers Westermo's hardware platforms.

The flaw affects the Falcon, Wolverine, Lynx, Viper and RedFox product families.

The company is working on a permanent fix, an automated key-change function that will ship in WeOS 4.19; for now it has released an update that lets users replace the problematic certificate through the web interface of the affected devices.

Meanwhile, users are advised to update WeOS to the latest version and upload a custom certificate by following the vendor's instructions.

Westermo has also advised its customers to avoid self-signed certificates and to either disable web access to the devices entirely or restrict it to secure networks.
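After rolling out per-device certificates as described above, an operator wants proof that no two switches still present the same certificate (and therefore the same private key). The check below is an added example, not Westermo or ICS-CERT code: it fingerprints each device's PEM certificate and reports any fingerprint shared by more than one device. The device names and certificate blobs are constructed placeholders.

```python
"""Flag devices that present the same TLS/SSL certificate (hence the same key).

Added example, not Westermo or ICS-CERT code. The PEM blobs below are
constructed stand-ins: ssl.PEM_cert_to_DER_cert() only strips the armour and
base64-decodes, so they need not be real X.509 certificates for this check.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def _fake_pem(payload: bytes) -> str:
    """Wrap bytes in PEM armour (constructed placeholder certificate)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed inventory: three switches still on the shared factory certificate,
# one already re-keyed with a custom certificate. Device names are made up.
DEVICE_CERTS = {
    "lynx-01": _fake_pem(b"shared factory-default certificate"),
    "lynx-02": _fake_pem(b"shared factory-default certificate"),
    "viper-01": _fake_pem(b"shared factory-default certificate"),
    "redfox-01": _fake_pem(b"custom certificate unique to redfox-01"),
}


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, the value `openssl x509 -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def find_shared_certificates(certs: dict) -> dict:
    """Group devices by certificate fingerprint; keep only groups with more than one device."""
    groups = defaultdict(list)
    for device, pem in certs.items():
        groups[fingerprint(pem)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


# Live use (not run here): pem = ssl.get_server_certificate((device_ip, 443))
# for each device in the inventory, then find_shared_certificates({...}).

if __name__ == "__main__":
    for fp, devices in find_shared_certificates(DEVICE_CERTS).items():
        print(f"shared certificate {fp[:16]}... on {', '.join(devices)}")
```

A shared fingerprint means the same public key and, for a factory-installed certificate, the same private key on every unit, so any one device's key lets the MitM described above decrypt traffic to all of them. Run the check again after the firmware update and only accept an empty result.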

BlackEnergy malware behind power outages in Ukraine

The advanced persistent threat (APT) actor that recently targeted Ukraine has started delivering the BlackEnergy malware via specially crafted Word documents with embedded macros.

The groups behind BlackEnergy, which is believed to be operated by multiple actors, have adopted sophisticated tools and have been targeting energy and ICS/SCADA companies around the world. Recently they have been seen targeting Ukraine's critical infrastructure.

In December, a BlackEnergy attack resulted in a power failure in the Ivano-Frankivsk region. Alongside BlackEnergy on the affected systems, investigators found the KillDisk plugin, which is designed to delete data and render systems inoperable. Researchers believe the outages were caused not by the malware alone but by the malware together with its plugins.

CyS Centrum, a Ukrainian security firm, reported that the attackers used PowerPoint presentations to deliver the malware. Usually the threat actors embedded macros in Excel spreadsheets to drop the Trojan onto targeted systems.

Kaspersky Lab recently reported that the attackers used specially crafted Microsoft Word documents: they embedded malicious code in the documents and emailed them to potential victims.

The document was crafted so that, when uploaded to an online scanning service, very few antivirus engines flagged it as a threat, so it passed through security systems easily.

When a user opens the document, it tells them that macros have been disabled for security reasons and must be enabled; once macros are enabled, an executable named "vba_macr.exe" is created and installed on the system.

Security firm SentinelOne even concluded that internal actors may have helped the BlackEnergy attackers, especially in operations aimed at SCADA systems.

“The only two options then to carry out the attack is – target a victim’s machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor,” SentinelOne said in its report.

Udi Shamir, Chief Security Officer at SentinelOne, told SecurityWeek that a new attack targeting a Ukrainian power facility had been detected very recently, but that full details were not yet known.

Magento releases update fixing security vulnerabilities

Magento, an e-commerce platform, has released a security update that, among a number of other fixes, patches two critical stored cross-site scripting (XSS) vulnerabilities.

The stored XSS flaws allow attackers to hijack Magento-based websites via administrator accounts, which may result in the theft of sensitive customer data.

The first vulnerability affects almost every version of Magento, Community Edition (CE) and Enterprise Edition (EE) alike, and can be exploited remotely. To exploit it, an attacker sends an email containing malicious JavaScript code through the CMS platform.

Magento does not properly sanitize the email content and renders it in an admin context, so the malicious code executes and can steal an administrator's session.

Cybersecurity firm Sucuri says: "The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."

The second bug was found in the comments section of the Magento CMS. Because Magento does not filter the request properly, JavaScript code is saved to the Magento database; when an administrator views it in the backend, the code executes and leads to session hijacking.
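Both stored XSS bugs described for Magento, and the persistent XSS in Sauter's user and event management panels above, have the same shape: user-supplied text is saved verbatim and later written into an administrator's HTML page without encoding. The following is an added example (not Magento, Sucuri or Sauter code) that shows the defective rendering next to the corrected one, with an in-memory comment store standing in for the database and a constructed hostile comment.

```python
"""Stored XSS: raw vs. escaped rendering of user-supplied text in an admin page.

Added example, not Magento or Sauter code. The comment store is an in-memory
list; the rendering functions stand in for the admin panel's templates.
"""
import html

# Constructed comment as a hostile user would submit it. It is stored as-is:
# the fix is output encoding at render time, not mangling the stored data.
HOSTILE_COMMENT = "Nice product! <script>alert('stored xss')</script>"

_comments = []


def save_comment(text: str) -> None:
    """Persist the comment unchanged (what the database layer does)."""
    _comments.append(text)


def render_admin_vulnerable() -> str:
    """Bug: interpolates stored text straight into the admin page's HTML."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in _comments) + "</ul>"


def render_admin_safe() -> str:
    """Fix: HTML-encode for the element-content context at output time."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in _comments
    ) + "</ul>"


def render_attribute_safe(value: str) -> str:
    """Attribute context: always quote the attribute and escape both quote characters."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def contains_script(rendered: str) -> bool:
    """Crude check used only to demonstrate the difference between the two renderers."""
    return "<script" in rendered.lower()


def demo() -> dict:
    _comments.clear()
    save_comment(HOSTILE_COMMENT)
    return {
        "vulnerable": contains_script(render_admin_vulnerable()),
        "safe": contains_script(render_admin_safe()),
    }


if __name__ == "__main__":
    print(demo())
```

Encoding at output rather than filtering at input is what makes the fix complete: the same stored string can be rendered safely in HTML, in an attribute or as JSON, each with its own encoder. Marking the admin session cookie HttpOnly limits what an injected script can read if one does slip through, and a WAF, as Sucuri notes, only narrows the exposure rather than removing it.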

Besides these two critical vulnerabilities, the update also fixes problems including RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page, and many more.

To protect websites from exploitation, apply the latest patch bundle, SUPEE-7405, as soon as possible.

Hack on cPanel exposes customer details

cPanel was hacked this weekend, exposing details of its customers, including their names, contact details and encrypted passwords.

The breach did not affect payment information, which is kept on a separate system.

The firm has warned customers with older passwords to change them, although the likelihood of those passwords being exposed is low.

"Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords," said the company's e-mail.

Although the breach is fairly minor, customers could be badly affected if attackers make use of the exposed information.

The company has been in business since 1997 and promises its customers that it is the most reliable company in the web hosting industry.

Phishing attack on Ukrainian electricity utility systems

Ukrainian electricity utility systems were recently hit by phishing attacks that led to a power cut affecting almost 80,000 customers for six hours.

The current phishing attacks are similar to the BlackEnergy attacks of 23 December against Prykarpattya Oblenergo and Kyiv Oblenergo, which caused a huge power cut and a mass outage.

Ukraine's national security services suspect the Kremlin of being behind the attacks.

In the current phishing attack, computer systems were served malicious Microsoft XLS files that attempt to drop and execute the open-source GCat backdoor on the systems used to run the Ukrainian electricity utilities.

This technique has been used in other attacks as well. ESET researcher Robert Lipovsky confirmed that in this attack users are urged to enable macros; the macros then download executables and run shell commands, ultimately crashing the software.

Some of the GCat backdoor's functionality, such as taking screenshots, keylogging and uploading files, was removed from the source code.

The macro documents were sent from a Gmail account, which makes the malware harder to detect.
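The BlackEnergy Word documents above and the XLS files in this attack share one delivery step: an Office attachment carrying a VBA project that the user is talked into enabling. A mail gateway can cut that step off before the "enable macros" prompt ever appears by refusing macro-bearing containers. The triage function below is an added example (not code from Kaspersky, ESET, CyS Centrum or SentinelOne): it fully classifies Office Open XML containers (.docx/.docm/.xlsm/.pptm, which are zip files), and only recognises legacy binary OLE files (.doc/.xls/.ppt) so they can be handed to a dedicated OLE parser. The sample attachments are constructed in memory.

```python
"""Triage Office attachments for embedded VBA before they reach a user.

Added example; not code from Kaspersky, ESET, CyS Centrum or SentinelOne.
Office Open XML (zip containers) is handled fully; legacy OLE files are only
recognised and routed to a separate OLE-stream scanner, out of scope here.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy compound-file header
MACRO_MARKERS = ("macroEnabled", "vnd.ms-office.vbaProject")


def classify_office_attachment(data: bytes) -> str:
    """Return 'vba-ooxml', 'clean-ooxml', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            # A VBA project is stored as <part>/vbaProject.bin inside the container.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "vba-ooxml"
            # Belt and braces: the content-types part also declares macro-enabled parts.
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if any(marker in ctypes for marker in MACRO_MARKERS):
                return "vba-ooxml"
            return "clean-ooxml"
    except zipfile.BadZipFile:
        return "not-office"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal, not-real Word container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed mailbox: what a mail-gateway hook would see.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": build_sample_ooxml(with_macro=True),
    "agenda.docx": build_sample_ooxml(with_macro=False),
    "report.xls": OLE_MAGIC + b"\x00" * 16,
    "notes.txt": b"plain text",
}

ACTIONS = {
    "vba-ooxml": "quarantine",
    "legacy-ole": "scan-ole-streams",
    "clean-ooxml": "allow",
    "not-office": "allow",
}


def triage(attachments: dict) -> dict:
    """Map filename -> gateway action based on the container's classification."""
    return {name: ACTIONS[classify_office_attachment(data)]
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, action in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {action}")
```

The classification deliberately ignores the file extension: a renamed .docm is still a zip with a vbaProject.bin inside. The online-scanner evasion mentioned for the BlackEnergy document does not help against this check, because it keys on the presence of a VBA project rather than on signatures of its contents.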

Lipovsky said ESET was not certain of the role of Russia or any other actor in the attacks.

Many researchers in Ukraine are working on forensics and systems security following the BlackEnergy attacks.

New Linux Trojan spies on users by taking screenshots

In the past week, the Linux.Ekocms.1 trojan has become the latest threat targeting Linux PCs, following the Linux.Encoder ransomware and the Linux XOR DDoS malware, which exposed a large number of issues and dented Linux's reputation as impermeable to malware infections.

According to Russia's top anti-virus company, Dr.Web, this trojan is spyware designed to take screenshots of the user's desktop every 30 seconds. The screenshots are saved to one of two folders; if those folders do not exist, the trojan creates them.

Linux users without an antivirus solution installed can check for Linux.Ekocms themselves by looking in the following two folders for screengrabs:
- $HOME/$DATA/.mozilla/firefox/profiled
- $HOME/$DATA/.dropbox/DropboxCache

The trojan saves all files in JPEG format, named with the timestamp of the screenshot. If it encounters an error while saving a JPEG, it falls back to BMP format. The screengrabs are then uploaded at regular intervals to a C&C (command and control) server via a proxy IP. The server's IP address is hard-coded in the trojan, and all files are sent over an encrypted connection, which makes it tedious for third-party reverse-engineering tools to pick up on the trojan's operations.
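The manual check described above (look in the two folders for timestamp-named JPEG or BMP files) is easy to script. The following is an added example, not Dr.Web code; the "$DATA" path segment is taken from the report as written, and because the report does not say what it expands to, it is left as a parameter that defaults to nothing (the folders directly under $HOME). The demonstration builds a throwaway home directory with one constructed drop file.

```python
"""Look for Linux.Ekocms screenshot drops in the two folders Dr.Web names.

Added example, not Dr.Web code. The "$DATA" segment from the report is a
parameter here (empty by default, i.e. the folders sit directly under $HOME)
because the report does not say what it expands to.
"""
import re
import tempfile
from pathlib import Path

SUSPECT_SUBDIRS = (
    Path(".mozilla/firefox/profiled"),   # "profiled" is not a standard Firefox directory name
    Path(".dropbox/DropboxCache"),
)
# Screenshots are named by timestamp and saved as JPEG, or BMP on error.
SCREENSHOT_NAME = re.compile(r"^\d{6,}\.(jpe?g|bmp)$", re.IGNORECASE)


def scan_for_ekocms(home, data=""):
    """Return timestamp-named image files found in the suspect folders under home/data."""
    base = Path(home) / data if data else Path(home)
    hits = []
    for sub in SUSPECT_SUBDIRS:
        folder = base / sub
        if folder.is_dir():
            hits.extend(p for p in folder.iterdir()
                        if p.is_file() and SCREENSHOT_NAME.match(p.name))
    return sorted(hits)


def demo():
    """Build a throwaway home directory with one constructed drop and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / ".dropbox" / "DropboxCache"
        cache.mkdir(parents=True)
        (cache / "1454000000.jpeg").write_bytes(b"\xff\xd8\xff")   # JPEG header bytes only
        (cache / "readme.txt").write_text("not a screenshot\n")
        profiles = Path(tmp) / ".mozilla" / "firefox"
        profiles.mkdir(parents=True)
        (profiles / "profiles.ini").write_text("[General]\n")     # legitimate Firefox file
        return [str(p.relative_to(tmp)) for p in scan_for_ekocms(tmp)]


if __name__ == "__main__":
    print(demo())   # real use: scan_for_ekocms(Path.home())
```

Both folder names are chosen to look like legitimate Firefox and Dropbox paths, which is why the scan keys on the timestamp file-naming pattern rather than on the folder alone; a hit is a reason to pull the process list and outbound connections next, not proof by itself.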

According to Dr.Web experts, the codebase also contains an audio recording feature, but it is non-functional and never active in the trojan's normal operation. Linux.Ekocms is a powerful reconnaissance tool that gives attackers a brief overview of the tools a Linux user relies on daily and the websites they visit.

Cyber Insurer sued after company loses $480K in CEO Fraud

A Texas-based engineering firm, Ameriforge Group Inc., better known as AFGlobal, is suing its cyber insurance provider, Federal Insurance Co., a division of insurance giant Chubb Group, for refusing to cover a $480,000 loss following an email scam that impersonated the firm's chief executive.

AFGlobal claims to have documents proving that scammers impersonating its CEO convinced the company's accountant to wire $480,000 to the Agricultural Bank of China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

After that demand was fulfilled, the email sender asked for an additional $18 million.

The firm expects a payout from its insurer for the incident, but the insurer is hoping the claim will simply go away.

CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves have stolen nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

In a separate case, the chief financial officer of one of New Zealand's largest learning institutions left her job after falling for an email "whaling" scam.

Bronwyn Koroheke, executive director of finance at Te Wananga o Aotearoa, transferred US$79,000 ($118,000) to an offshore bank account after receiving an email that appeared to come from her chief executive, Jim Mather, instructing her to send the money; the email was actually sent by China-based fraudsters running a whaling scam.

To counter such scams, the FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels such as telephone calls to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their websites or through social media.
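The two cases above have the same signature: a message whose display name is a known executive, whose actual sender address is outside the company, and whose text asks for a confidential, urgent payment. The function below is an added example, not AFGlobal's, Te Wananga o Aotearoa's or the FBI's code, that scores an inbound message on those three signals so that the accounts team can route it to the telephone verification the FBI recommends. The company domain and addresses are placeholders; "Gean Stalcup" is the CEO name given in the report; both messages are constructed.

```python
"""Flag inbound mail that impersonates an executive to request a payment.

Added example, not AFGlobal's or the FBI's code. The company domain,
executive list and both messages are constructed; "Gean Stalcup" is the CEO
name given in the report, the addresses are placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "afglobal.example"             # placeholder, not the real domain
EXECUTIVES = {"gean stalcup"}                    # display names worth protecting
PAYMENT_WORDS = ("wire", "transfer", "urgent", "confidential")

SAMPLE_FRAUD = """\
From: Gean Stalcup <gean.stalcup@mail-relay.example>
Reply-To: Gean Stalcup <gean.stalcup@mail-relay.example>
To: accounting@afglobal.example
Subject: Urgent wire transfer

Please process this wire today and keep it confidential until I am back.
"""

SAMPLE_LEGIT = """\
From: Gean Stalcup <gean.stalcup@afglobal.example>
To: accounting@afglobal.example
Subject: Board meeting notes

Attached are the notes from this morning.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_risk(raw_message: str, company_domain=COMPANY_DOMAIN,
                executives=EXECUTIVES) -> list:
    """Return the reasons a message should be held for out-of-band verification."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # Executive's name on the envelope, but the address is not ours.
    if name.strip().lower() in executives and _domain(addr) != company_domain:
        reasons.append("executive display name with external sender domain")
    # A Reply-To pointing elsewhere steers the conversation to the fraudster.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    # Payment and urgency wording in subject or body (single-part message assumed).
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in PAYMENT_WORDS):
        reasons.append("payment or urgency language")
    return reasons


if __name__ == "__main__":
    print("fraud:", sender_risk(SAMPLE_FRAUD))
    print("legit:", sender_risk(SAMPLE_LEGIT))
```

A non-empty result is a hold, not a rejection: the accountant phones the executive on a number already on file, which is the telephone verification channel the FBI guidance above calls for. The display-name check also covers the AFGlobal pattern in which the fraudster's Reply-To matches their own From address, so the second rule is there for the variant where a spoofed From is paired with an external Reply-To.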

Source: KrebsOnSecurity