Posts

Showing posts from June, 2017

This Week in Security News

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Petya Wreaks Havoc in the Wake of WannaCry

Hot on the heels of the global WannaCry outbreak in May, there’s been a wave of what looks like copycat malware sweeping the globe again. However, there may be more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques.

As Cities Get Smarter, So Should Their Security

Today, more urban centers than ever are implementing a range of advanced technological systems. These sensors and networks used in combination with citizens’ mobile devices create smarter cities with a multitude of capabilities.

Large-Scale Petya Ransom

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 26, 2017

The late 70s/early 80s American television show Three’s Company was one of my favorite shows growing up. The central theme of the show revolved around the lives of three roommates. Each episode usually involved a misunderstanding, then chaos would ensue. In the end, everything would turn out okay. Unfortunately, this week’s episode of “ransomware in the news” isn’t over – there are still misunderstandings about the latest attack named “Petya,” even on what to call it! This past Tuesday, a ransomware attack similar to WannaCry shut down computers all over the world. It was initially thought that this new attack was an updated version of Petya from 2016. Others said it was a whole new malware that had Petya characteristics. Even further, now there is speculation that it’s not ransomware at all – that its objective was to permanently destroy data. No extortion – just destruction – and no happy ending to this week’s episode. Trend Micro TippingPoint continues to actively review the sit

Petya Ransomware Lateral Movement Remote Code Execution

Petya is a malware that infects Windows computers, encrypting files and demanding ransom to decrypt the files. Once a network is infected the malware propagates laterally to further infect devices on the network. from Check Point Update Services Advisories http://ift.tt/2tpEJqK

The Law of Unintended Outbreak – Who Is at Risk from Petya?

Hot on the heels of the global WannaCry outbreak in May, yesterday saw a wave of what looked like copycat malware sweeping the globe again. However, on closer inspection there may be more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques from WannaCry. The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on Facebook). This island-hopping attack, starting with a smaller software vendor whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack, there has been collateral damage. The fact that the malware was set to wait five days before triggering on the 27th June, a day before a Ukrainian public hol

ZDI-17-451: (Pwn2Own) Microsoft Windows XPS Document Writer Uninitialized Memory Information Disclosure Vulnerability

This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2ufzRRx

ZDI-17-450: (Pwn2Own) Microsoft Windows WarpKMSubmitCommandVirtual Uninitialized Memory Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2ufDwi3

ZDI-17-449: Cisco Prime Collaboration Provisioning Logs Directory Improper Access Control Information Disclosure Vulnerability

This vulnerability allows disclosure of sensitive information on vulnerable installations of Cisco Prime Collaboration Provisioning. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2te3LZp

ZDI-17-448: Cisco Prime Collaboration Provisioning logconfigtracer Directory Traversal Arbitrary File Deletion Vulnerability

This vulnerability allows remote attackers to delete arbitrary files on vulnerable installations of Cisco Prime Collaboration Provisioning. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2tdIvCR

ZDI-17-447: Cisco Prime Collaboration Provisioning logconfigtracer Directory Traversal Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Cisco Prime Collaboration Provisioning. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2te3F3Z

ZDI-17-446: Cisco Prime Collaboration Provisioning licensestatus Directory Traversal Arbitrary File Deletion Vulnerability

This vulnerability allows remote attackers to delete arbitrary files on vulnerable installations of Cisco Prime Collaboration Provisioning. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2tdp25C

ZDI-17-445: Cisco Prime Collaboration Provisioning ScriptMgr Servlet Authentication Bypass Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco Prime Collaboration Provisioning. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2rUOb0Z

As Cities Get Smarter, So Should Their Security

Seamless Exploit Kits Traffic Distribution System

Seamless Traffic Distribution System (TDS) operates by silently redirecting the victim to a malicious web page, leading to infection by an exploit kit. Successful infection will allow the attacker to download additional malware to the target. from Check Point Update Services Advisories http://ift.tt/2tbtCR8

Microsoft Malware Protection Engine VFS API Remote Code Execution (CVE-2017-8558)

A memory corruption vulnerability has been reported in Microsoft Malware Protection Engine. A remote attacker can exploit this issue by enticing a target user to open a specially crafted file. A successful exploitation could lead to arbitrary code execution. from Check Point Update Services Advisories http://ift.tt/2u9C9S6

HPE Intelligent Management Center dbman FileTrans Arbitrary File Write (CVE-2017-5822)

An arbitrary file write vulnerability has been reported in the dbman component of HPE Intelligent Management Center. The vulnerability is due to lack of authentication on FileTrans commands, used to transfer files to the host running dbman. A remote, unauthenticated attacker can exploit the vulnerability by sending a maliciously crafted packet to the target server. from Check Point Update Services Advisories http://ift.tt/2sa2frp

Mozilla Firefox WebGL Integer Overflow (CVE-2017-5459)

A memory corruption vulnerability exists in WebGL components of Mozilla Firefox. The vulnerability is due to an integer overflow in Intersect function while calculating destination frame buffer width and height. A remote attacker could exploit this vulnerability by enticing a user to open a maliciously crafted web page. from Check Point Update Services Advisories http://ift.tt/2sTDVXR

OpenLDAP ldapsearch pagesize Double Free Denial of Service (CVE-2017-9287)

A double free vulnerability exists in the ldapsearch function of OpenLDAP. The vulnerability is due to improper handling of ldapsearch queries with a pagesize of 0. A remote attacker can exploit this vulnerability by sending a crafted query to the target OpenLDAP server. from Check Point Update Services Advisories http://ift.tt/2t9GlEW

Digium Asterisk chan_skinny SCCP packet Denial of Service

A denial of service vulnerability exists in Digium Asterisk. The vulnerability is due to a processing flaw in the chan_skinny SCCP packet processing module. A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted SCCP packet to a vulnerable Asterisk server. from Check Point Update Services Advisories http://ift.tt/2tIUp5n

OpenVPN P_CONTROL Denial of Service (CVE-2017-7478)

A denial-of-service vulnerability exists in OpenVPN. This vulnerability is due to an assertion in OpenVPN server that can be reached during the processing of a malicious packet. A remote, unauthenticated attacker can exploit this vulnerability to cause the OpenVPN server program to terminate, resulting in a denial-of-service condition. from Check Point Update Services Advisories http://ift.tt/2t9U922

ISC BIND DNS64 and RPZ Query Processing Denial of Service (CVE-2017-3135)

A denial-of-service vulnerability exists in ISC BIND. The vulnerability is due to a defect that can cause the named service to exit with an assertion failure or crash due to a NULL pointer dereference while processing a query and running a specific configuration. A remote, unauthenticated attacker could exploit this vulnerability by sending a query to an affected server running the affected configuration. from Check Point Update Services Advisories http://ift.tt/2t9xLWw

Quest Privilege Manager pmmasterd Buffer Overflow (CVE-2017-6553)

A buffer overflow vulnerability exists in Quest One Identity Privilege Manager. The vulnerability is due to improper handling of requests. A remote, unauthenticated attacker could exploit this vulnerability to run arbitrary code with elevated privileges. from Check Point Update Services Advisories http://ift.tt/2tIPNMq

Trend Micro SafeSync for Enterprise deviceTool.pm get_nic_device SQL Injection

An SQL injection vulnerability exists in Trend Micro SafeSync's deviceTool.pm Perl module. The vulnerability is due to insufficient validation of the user-supplied role or role parameter when sending a query to get the information about a SafeSync nic device. A remote, authenticated attacker could exploit this vulnerability by sending an HTTP request with a malicious SQL query to the target server. from Check Point Update Services Advisories http://ift.tt/2t9qqGw

AlienVault USM and OSSIM fqdn get_fqdn Command Injection

A command injection vulnerability exists in AlienVault USM and OSSIM. The vulnerability is due to a failure to sanitize input on requests to get_fqdn function. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the vulnerable application. from Check Point Update Services Advisories http://ift.tt/2tIPMIm

Mantis MantisBT Bug Tracker adm_config_report.php move_attachments_page.php XSS (CVE-2017-7309)

Three cross-site scripting vulnerabilities exist in Mantis Bug Tracker (MantisBT). These vulnerabilities are due to insufficient input validation of the action, type and config_option HTTP parameters by adm_config_report.php and move_attachments_page.php. A remote attacker could exploit these vulnerabilities by enticing a target user to click on a specially crafted URL in an entry on the server. from Check Point Update Services Advisories http://ift.tt/2t9iMfr

Trend Micro SafeSync for Enterprise deviceTool.pm get_device_info SQL Injection

An SQL injection vulnerability exists in the Trend Micro SafeSync for Enterprise deviceTool.pm page. The vulnerability is due to insufficient validation of the user-supplied role or device_id parameter when sending a query to get the information about a SafeSync storage device. A remote, authenticated attacker could exploit this vulnerability by sending an HTTP request with a malicious SQL query to the target server. from Check Point Update Services Advisories http://ift.tt/2tINOHU

IBM Informix Dynamic Server index.php testconn Heap Buffer Overflow (CVE-2017-1092)

A heap buffer overflow exists in IBM's Informix Dynamic Server and Informix Open Admin Tool. The vulnerability is due to an input validation error when processing requests sent to index.php. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request. from Check Point Update Services Advisories http://ift.tt/2t9OcCr

ZDI-17-444: Cisco WebEx Network Recording Player ARF File Memory Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tYhgt3

ZDI-17-443: Cisco WebEx Network Recording Player ARF File Memory Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tYuSV5

ZDI-17-442: Cisco WebEx Network Recording Player ARF File CImageList Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tYuRjZ

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 19, 2017

Yesterday I celebrated my 29th birthday (again) and it was great to celebrate with friends, family, and coworkers. They say age is just a number, and I truly believe that. Unfortunately, we live in a world where laws require us to count numbers so that it can be determined if we can vote, drink, rent a car, and even retire from the workforce. In our cyber security world, we love to count. In the world of the Zero Day Initiative (ZDI), the number of vulnerabilities disclosed so far in 2017 is just a number, but it’s a really big number! Last year, the ZDI publicly disclosed a record 690 vulnerabilities covering almost 50 vendors. As of the publishing of this blog, the number currently stands at 441! Is this the year we hit 1,000? Only time will tell. In the meantime, I invite you to take a sneak peek into the inner workings of the ZDI by reading Dustin Childs’ blog: The Inside Scoop on the World’s Leading Bug Bounty Program.

Adobe Security Updates

This week’s Digital Vaccine (D

This Week in Security News

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Erebus Resurfaces as Linux Ransomware

On June 10, South Korean web hosting company NAYANA was hit by Erebus ransomware (detected by Trend Micro as RANSOM_ELFEREBUS.A), infecting 153 Linux servers and over 3,400 business websites the company hosts.

AdGholas Malvertising Campaign Employs Astrum Exploit Kit

At the end of April this year, we found Astrum exploit kit employing Diffie-Hellman key exchange to prevent monitoring tools and researchers from replaying their traffic. As AdGholas started to push the exploit, we saw another evolution: Astrum using HTTPS to further obscure their malicious traffic.

The World’s Leading Bug

ZDI-17-441: Apple Safari Node Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2rHZIQY

Good Man Exploit Kits Traffic Distribution System

Good Man Traffic Distribution System (TDS) operates by silently redirecting the victim to a malicious web page, leading to infection by an exploit kit. Successful infection will allow the attacker to download additional malware to the target. from Check Point Update Services Advisories http://ift.tt/2sV2fuL

Pseudo DarkLeech Exploit Kits Traffic Distribution System

Pseudo DarkLeech Traffic Distribution System (TDS) operates by silently redirecting the victim to a malicious web page, leading to infection by an exploit kit. Successful infection will allow the attacker to download additional malware to the target. from Check Point Update Services Advisories http://ift.tt/2tSV6IC

RoughTED Exploit Kits Traffic Distribution System

RoughTED Traffic Distribution System (TDS) operates by silently redirecting the victim to a malicious web page, leading to infection by an exploit kit. Successful infection will allow the attacker to download additional malware to the target. from Check Point Update Services Advisories http://ift.tt/2sV1IsB

The Inside Scoop on the World’s Leading Bug Bounty Program

Within the security researcher community, the Zero Day Initiative (ZDI) program is a well-known entity, representing the world’s largest vendor-agnostic bug bounty program. Customers of the TippingPoint Intrusion Prevention Systems (IPS) and Threat Protection Systems (TPS) know the ZDI as the group that buys 0-days so they have protections before the affected vendor releases a patch. Outside of those communities, there may be misconceptions about what happens behind the scenes when dealing with so many bugs. At a high level, here’s how the program works. An independent researcher finds an otherwise unknown vulnerability (e.g. 0-day) in a piece of software and reports that to the ZDI. The researcher can be from just about anywhere – we have worked with more than 3,000 different researchers from 80+ countries. Being vendor-agnostic means the software can be just about anything, too. In 2016, the ZDI purchased 0-days impacting 49 different vendors, including large vendors like Micro

Bringing Data Center Security to Cloud Speed

Last week, while visiting the product management team for Deep Security, I asked about their latest release. They surprised me by saying the big news is that there IS a release. Confused, I asked them to elaborate… You see, when you develop software, you’re faced with many choices, one of which is deciding whether to offer software that a customer can run, or a SaaS version and release new features instantly, as they become available to all users. SaaS has become a very popular option for software developers these days because the speed of adoption is very fast. However, what happens when an organization needs your service, but compliance, regulation or company policy dictates that the data and software need to live within their own data center? For any number of reasons, they can’t adopt a SaaS offering. Well, then you must turn to software deployment models that traditionally mean major releases every year or two followed by minor releases. With Deep Security, we recognized tha

IC3 Issues Internet Crime Report for 2016

Original release date: June 21, 2017

The Internet Crime Complaint Center (IC3) has released its 2016 Internet Crime Report, describing the numbers and types of cyber crimes reported to IC3. Business Email Compromise (BEC), ransomware attacks, tech support fraud, and extortion are all common schemes affecting people in the U.S. and around the world. US-CERT encourages users to review the 2016 Internet Crime Report for details and refer to the US-CERT Security Publication on Ransomware for information on defending against this particular threat. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/2sCwXqb

Drupal Releases Security Updates

Original release date: June 21, 2017

Drupal has released an advisory to address several vulnerabilities in Drupal versions 7.x and 8.x. A remote attacker could exploit one of these vulnerabilities to take control of an affected system. US-CERT encourages users and administrators to review Drupal's Security Advisory and upgrade to version 7.56 or 8.3.4. This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/2tuvpP0

Cisco Releases Security Updates

Original release date: June 21, 2017

Cisco has released updates to address several vulnerabilities affecting multiple products. A remote attacker could exploit one of these vulnerabilities to take control of a system. US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

Prime Infrastructure and Evolved Programmable Network Manager XML Injection Vulnerability (cisco-sa-20170621-piepnm1)
Virtualized Packet Core-Distributed Instance Denial of Service Vulnerability (cisco-sa-20170621-vpc)
WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities (cisco-sa-20170621-wnrp)

This product is provided subject to this Notification and this Privacy & Use policy. from US-CERT: The United States Computer Emergency Readiness Team http://ift.tt/2sRm8CZ

ZDI-17-440: (0Day) Lepide LepideAuditor Suite Malicious Server Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Lepide LepideAuditor Suite. Authentication is not required to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2tu0Lp6

ZDI-17-439: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddTabShapeEmptyPage Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tu4XVN

ZDI-17-438: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddStringUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tuqmyj

ZDI-17-437: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddIntUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tu5dEi

ZDI-17-436: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddFloatUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tueJaf

ZDI-17-435: (0Day) UCanCode E-XD++ Visualization Enterprise Suite TKGIS RemoveShape Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2ttYWbP

ZDI-17-434: (0Day) UCanCode E-XD++ Visualization Enterprise Suite TKGIS FindPortFromIndex Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2ttZmyC

ZDI-17-433: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddDoubleUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tu1G8M

ZDI-17-432: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddDateUserProperty AddDefaultPort Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2ttLoNt

ZDI-17-431: (0Day) UCanCode E-XD++ Visualization Enterprise Suite UCCDRAW AddColorUserProperty Untrusted Pointer Dereference Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of UCanCode E-XD++ Visualization Enterprise Suite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2tucl3C

ZDI-17-412: Apple Safari Element Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. from ZDI: Published Advisories http://ift.tt/2rRuawj

Tradition and Technology: Trend Micro Takes to the Water for Dragon Boat Challenge

At Trend Micro, we’re used to fighting it out against a constant barrage of cyber threats facing our customers. But we don’t just want to be number one in cybersecurity: we’re also highly competitive elsewhere. As a company proud of our East Asian links we’re keen Dragon Boat racers, and guess what? Dragon Boat season is now officially in full swing: not just in traditional countries like Taiwan, but also around the world. That’s why Trend Micro will be blending technology with tradition when we take on all comers at the long-running Ottawa Dragon Boat festival later this month, following our battling performance at a similar event in Taipei at the end of May.

A tragic tale

The Dragon Boat Festival has many different Chinese names associated with it, but most commemorate the same event: the suicide of poet and minister Qu Yuan back in 278 BC. Qu’s protests at the corrupt Chu government of the day led him to be stripped of his title as minister, and subsequent banishment. Aft

ZDI-17-402: (Pwn2Own) Microsoft Windows NtUserLinkDpiCursor Use-After-Free Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. from ZDI: Published Advisories http://ift.tt/2slnq8z

Ransomware & Advanced Attacks: Servers are Different

Ransomware and other advanced attacks are the scourge of the modern IT security team. If allowed to gain access to your IT environment, these attacks could shut down the organization, denying access to mission-critical applications and data for potentially days, or even indefinitely. The result? The disruption of service delivery, lost productivity and a hefty hit to reputation and profits. While traditionally thought of as an endpoint issue – 93 percent of phishing emails are now ransomware – the reality is that ransomware and other advanced attacks are also focused on your servers. The combination of instantly available infrastructure via the public cloud and the increasing velocity of application delivery to create competitive advantage has made servers an important target for cybercriminals. Servers are different than a traditional endpoint: the applications and operating systems that run enterprise workloads in the data center, in the cloud, and in containers can be extrem

SB17-170: Vulnerability Summary for the Week of June 12, 2017

Original release date: June 19, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity