5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported an unauthorized access to their online customer accounts on the websites  Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP.

According to the public notice released on Jan. 29, 2016  by the company,  approximately 5,200 accounts has been affected. Information compromised includes Usernames, passwords, names, mailing addresses, phone numbers, last four digits of payment cards, and purchase histories.

No sensitive information like Social security number, date of birth, financial account number, or PIN number is visible through online accounts.

The  websites has been breached on or around Dec. 26, 2015, when an unauthorized individual gained access by using automated attacks to attempt various login and password combinations. As a result the hacker was able to make purchases on approximately 70 of these accounts.

Company's senior vice president Lindy Rawlinson,  said in a letter to the customers that the company's fraud team “has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase.”

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

However the company has requested its customers to change their passwords on all NMG websites and any other site that uses the same username password combination. 

Flaw in Westermo Industrial Switches puts customer devices at risk

U.S Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)revealed last week that Westermo Ethernet industrial switches uses secure sockets layer (SSL)private keys which are hardcoded and shared across devices.

The Sweden-based company, Westermo is a supplier of high quality data communications equipment designed for harsh industrial applications. The firm’s solutions are used across the world in sectors such as transport, water, energy supplies, mining and petrochemical.

ICS-CERT discovered that using same SSL keys can be used by malicious actors to intercept and decrypt communications via a man-in-the-middle (MitM) attack and leverage the information to gain unauthorized access to a vulnerable device.

Even an attacker with low skill can exploit this flaw if they manage to launch a successful MitM attack on devices running versions 4.18 and earlier of WeOS, the operating system that powers Westermo’s hardware platforms.

The attack can affect Falcon, Wolverine, Lynx, Viper and RedFox.

The company is working on fixing the flaw by including the automate function of changing the key which will be included in WeOS 4.19 but for now the vendor has released an update that will allow users to change the problematic certificate in the web interface of the affected devices.

Meanwhile, users have been advised to update WeOS to the latest version and upload a custom certificate by following the instructions.

The affected company has also warned its customers to avoid self-signed certificates and either completely disable web access to the devices or limit access to secure networks.

BlackEnergy malware behind power outrages in Ukraine

The advanced Persistent threat (APT) actor that has recently targeted Ukraine has started sending BlackEnergy malware using specially coded Word documents that have embedded macros in them.

BlackEnergy malware which is assumed to be handled by multiple groups, have adopted sophisticated tools and they have been targeting energy and ICS/SCADA companies from across the world. Recently they have been seen targeting Ukraine's critical infrastructure.

In December , BlackEnergy malware attack resulted in power failure in Ivano - Frankivsk region. Along with BlackEnergy malware on systems, investigators found killDisk plugin that has been designed to delete data and make system inoperable. Researchers believe that not only the malware but along with other plugins are responsible for power outrages.

Cys Centrum, an Ukrainian security firm reported that attackers used PowerPoint presentations to deliver the malware. Usually the threat actors embedded macros into Excel spreadsheets to send Trojan onto targeted system.

Recently it has been reported by the Kaspersky lab that the attackers used specially crafted Microsoft word documents, they simply attached malicious code to microsoft word documents and sent them via email to potential users.

The document was cleverly coded so that when it was uploaded for online scanner, very few security scanners flagged it as threat, so it easily went through security systems without fail.

when the document is opened by user, it warned them that macros have been disabled for security reasons and they have to enable them, and thus by enabling macros, an executable file "vba_macr.exe" is created and installed on the system.

Security firm SentinelOne even conclued that there might be role of internal actors in order to help BlackEnergy attackers, especially in operations aimed at SCADA systems .

“The only two options then to carry out the attack is – target a victim’s machine that was not patched, or get an internal employee to either accidentally or deliberately execute the infected Excel documents causing the malware to propagate inside the network. At this point it would be highly unlikely that organizations have not deployed the patch against CVE-2014-4114, thus the most likely conclusion is use of an internal actor,” SentinelOne said in its report.

Udi Shamir, Chief Security Officer at SentinelOne told SecurityWeek that a new attack targeting a Ukrainian power facility has been detected very recently, but they have not been able to know the complete details .

Magento releases update for fixing security vulnerabilities

Magento an e-commerce management platform, has released an update for a number of critical XSS vulnerabilities which includes patches for two critical issues.

The stored cross-site scripting (XSS) flaws allow the attackers to hijack Magento-based websites via administrator accounts. Which may result to the theft of sensitive customer data.

The first vulnerability affected almost every version of Magento from CE and below to EE and above. This  vulnerability could be exploited remotely by attackers. For exploiting this bug one needs an an email containing malicious Javascript code  which is sent through the CMS platform.

Magento doesn't check the content of the email properly and executes it in an admin content. After this the malicious code is able to steal an administrator session.

Cybersecurity firm Sucuri says:"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk."

The second bug was discovered within the comments sections of the Magento CMS.
As Magento does not filter the request properly, JavaScript code gets saved in the Magento database. When admin view the server-side, this code executes and  leads to the session hijacking.

Other than these two critical vulnerabilities Magento also fixes problems including RSS-based information leaks, weaknesses to brute-force attacks, a lack of form protection on the Admin Login page, and many more.

To protect websites from exploitation, apply for the latest patch bundle SUPEE-7405 as soon as possible.

Hack on cPanel exposes customer details

cPanel was hacked this weekend which exposed details of its customers,including their names, contact details, and encrypted passwords.

Though hacking did not affect payment information which was kept on a separate system.

The firm warned its customers with older passwords to change them,though the possibility of its exposure is less.

   “Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords,” said the company’s e-mail.

Though the breach is fairly minor but if attackers make use of exposed information, the customers may be badly impacted.

The company has been in control since 1997 and promises its customers to be most reliable company in web hosting industry. 

Phishing attack on Ukrainian electricity utilities systems

Recently Ukrainian electricity utilities systems were exposed to phishing attacks which let to power cut affecting almost 80,000 customers for six hours.

The current Phishing attacks were similar to that of BlackEnergy attacks that happened on 23rd december in the Prykarpattya Oblenergo and Kyiv Oblenergo causing huge Power cut leading to mass outrage.

Ukraine's nation security have doubted Kremlin for the attacks.

For the current phishing attack , computer systems were served with malicious Microsoft XLS files , which attempts to open and execute open source software GCat backdoor, software which is responsible for handling Ukrainian electricity utilities systems.

This technique has been used in other attacks as well. According to Robert Lipovsky, who is ESET threat man confirmed that in the attack Users on the system are urged to download macros, and then those macros downloads executables and run shell commands leading to total crash of software .

Some of the GC at backdoor functionality like making screenshots, keylogging or uploading files, were removed from the source code.

The macros were sent using gmail account, which makes malwares difficult to detect.

Lipovsky said they were not certain of role of Russia or other actor in the attacks.

Many researchers in Ukraine are working on forensics and systems security following BlackEnergy attacks.

New Linux Trojan spies on users by taking screenshots

(pc-google images)
In the last one week, Linux.Ekocms.1 trojan has become the latest threat that targets Linux PCs, soon after ransomware Linux.Encoder and the Linux XOR DDoS malware had showed a large number of issues and have created blotches in Linux's status as impermeable when it comes to malware infections.

According to Russia's top anti-virus company, Dr.Web, this trojan is a part of the spyware family that was specially designed in order to take screenshots of the user's desktop every 30 seconds. In most cases, the recorded screenshot files got saved to the same two folders, but in the absence of the folders, the trojan created its own  folder when needed.

People using Linux PC without an antivirus solution installed can diagnose for Linux.Ekocms themselves by searching the following two folders and seeing if they can find any screengrabs:
- $HOME/$DATA/.mozilla/firefox/profiled
- $HOME/$DATA/.dropbox/DropboxCache

The trojan saves all files in JPEG format with a title consisting of the timestamp of the screenshot. On facing an error while saving the screenshot, the trojan will instead use the BMP format for saving the screengrabs, which are then uploaded to an available remote server. Linux.Ekocms uploads these files to a C&C (command and control) server via a proxy IP at regular intervals. The server's IP address is hard-coded into the trojan's source code thus, all files are sent via an encrypted connection, therein third-party reverse engineers tools will have a tedious job to pick up on the trojan's operations.

The presence of an audio recording feature in its codebase, as claimed by Dr.Web experts remains dysfunctional as it was never active in the trojan's normal operation. The latest version, Linux.Ekocms is a powerful reconnaissance tool, that allows attackers to get a brief overview of the basic tools used on a daily basis by a Linux user and the websites visited.

Cyber Insurer sued after company loses $480K in CEO Fraud

A Texas-based engineering firm, Ameriforge Group Inc. or popularly known as AFGlobal is suing its cyber insurance provider, Federal Insurance Co., a division of insurance giant Chubb Group for refusing to cover a $ 480,000 loss following an email scam that impersonated the firm’s chief executive.

AFGlobal claims of having the papers to prove that scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $ 480,000 to Agricultural Bank of China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

After the demand was fulfilled, the email sender then asked for an additional $ 18 million.

The firm expects some payout from its insurer for this incident but the insurer expects all this to go away.

CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves have stolen nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

The chief financial officer of one of New Zealand’s largest learning institutions had left her job after falling for an email “whaling” scam.

The executive director of finance at Te Wananga o Aotearoa, Bronwyn Koroheke, transferred $US 79,000 ($118,000) to an offshore bank account after receiving an email which appeared to be from her chief executive Jim Mather telling her to send the money which was actually sent from Chinese-based fraudsters running a whaling scam.

In such a scenario, the FBI has urged businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels such as telephone calls to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.

Source: KrebsOnSecurity

SSH backdoor discovered in Fortinet FortiOS firewalls

Within a month's span since Juniper Network found an unauthorised backdoor in their Netscreen firewall, researchers from all over the globe have been working hard and have found similar faulty codes in Juniper's top competitor Fortinet.

This code comprises of a certain "challenge and response" authentication routine in order to log in to the server with an enabled secure shell (SSH) protocol. A hard-coded password for FGTAbc11*xy+Qqz27 was extracted by researchers after reviewing it when it was exploited and the code was later posted online on Saturday. On Tuesday, a researcher claimed that by using the exploited code, one can gain access to a server running Fortinet's FortiOS software.

According to Ralf-Philipp Weinmann, a security researcher who contributed in unraveling the innerworkings of the Juniper vulnerability, took to Twitter on Tuesday and has been continuously referring to the custom SSH authentication as a "backdoor." In one of his posts, he confirmed that he was able to make the backdoor work as reported for older versions of FortiOS.

According to the exploited code, the undisclosed authentication worked from versions 4.3, up to 5.0.7. If the days stand undisputed, the surreptitious access method would active in FortiOS versions as well in the current 2013 and 2014 time frame and possibly earlier. The vulnerability was eventually patched, but still, researchers are unable to locate a security advisory that could disclose the alternative authentication method or the hard-coded password. While one researcher started that the exploit no longer works in version 5.2.3, the release is still suspicious as it contained the same hard-coded string.

"So a lot of parts of this auth mechanism are still in the later firmware," said the researcher, who requested to be anonymous. The most recent version of FortiOS 5.4.0, was released this month.

IT security firm Trustwave sued for Failing to Stop Data Breach

IT security firm Trustwave has been accused of failing to properly investigate the card breach suffered by the Las Vegas-based casino operator Affinity Gaming in 2013.

Affinity Gaming filed a complaint in the district court of Nevada in December alleged Trustwave of misrepresenting themselves and failed to perform the adequate investigation, identify the breach, and falsely misinform them about the correction of the breach.

In December 2013, Affinity Gaming suffered a security breach that penetrated their payment card systems. They called Trustwave to investigate the matter.

According to the complaint filed “Trustwave informed the company that the malware was removed from its systems and that the breach was contained.”

After Trustwave completed its investigation, Affinity Gaming called Ernst & Young to conduct penetration testing. While penetration testing testers identified suspicious activity associated with a piece of malware.

Now Affinity Gaming  called FireEye-owned forensic specialist Mandiant  for further investigation.

The complaint was filed based on the latest investigation done by Mandiant.

“Trustwave had failed to diagnose that the data breach actually was the result of unidentified outside persons or organizations who were able to compromise Affinity’s data through Affinity Gaming’s Virtual Private Network (VPN), and that the ‘backdoor’ these persons/organizations had created — which Trustwave had speculated may have existed but concluded was ‘inert’ — was very real and accessible,” reads the complaint.

“Mandiant also determined that the unauthorized access and renewed data breach occurred on a continuous basis both before and after Trustwave claimed that the data breach had been contained,” it continues.

Affinity is looking for damages in excess of $100,000 / €92,000.