- Reddit locked Down accounts due to alleged security breach
- CISCO addresses DoS bugs in CISCO ESA products
- Alleged Iran-linked APT groups behind global DNS Hijacking campaign
- Three security bugs found in the popular Linux suite systemd
- Ironic turn … Kaspersky Labs helped NSA to catch alleged data thief
Posted: 10 Jan 2019 10:18 PM PST
The social media platform Reddit has notified users that some of them have been locked out of their accounts after detecting suspicious activity.
Reddit locked down a large number of user accounts as a security precaution after detecting suspicious activity on them.
“If you are here because you've been locked out of your account in the last day or so, you're in the right place and we want to help you get your account back in working order.” reads a post published by one of the Reddit admins.
"A large group of accounts
Reddit appears to rule out a breach of its own systems; it attributes the lockdowns to users choosing simple passwords and reusing them across multiple services, which exposes the accounts to credential stuffing once another site is breached.
Some users commenting on the post reject this explanation, saying they were locked out despite using strong passwords that they had never reused on other sites. If confirmed, that would point to a compromise on Reddit's side rather than to password reuse.
“I don’t have any other sites or addresses associated with my Reddit account, so I can safely rule out that possibility. This was a breach on Reddit’s part or someone managed to bruteforce my unique credentials, including strong password. I’m leaning toward the former.” wrote a Reddit user.
Some users reported that their accounts were locked down although the activity page shows they were the only ones accessing them.
Other users instead reported that someone accessed their accounts from multiple locations worldwide.
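The two signals the users describe above, one source hitting many accounts with reused passwords and one account logged into from several countries in a short window, are exactly what an authentication-log triage job looks for. The following is an added example and not Reddit's own detection logic; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Triage of authentication logs for credential stuffing and multi-country logins.
Added example; the log format, thresholds and sample lines are constructed
and are not Reddit's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp user src_ip country result"
SAMPLE_LOG = """\
2019-01-09T21:00:01Z alice 203.0.113.7 US fail
2019-01-09T21:00:02Z bob 203.0.113.7 US fail
2019-01-09T21:00:03Z carol 203.0.113.7 US fail
2019-01-09T21:00:04Z dave 203.0.113.7 US success
2019-01-09T21:00:05Z erin 203.0.113.7 US fail
2019-01-09T21:00:06Z frank 203.0.113.7 US fail
2019-01-09T21:05:00Z dave 198.51.100.9 BR success
2019-01-09T21:40:00Z dave 192.0.2.44 RU success
2019-01-09T22:00:00Z alice 198.51.100.20 US success
2019-01-09T23:00:00Z alice 198.51.100.21 US success
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country,
            "ok": result == "success",
        })
    return events


def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """IPs that tried at least min_accounts distinct usernames within window.
    Success or failure does not matter: stuffing sprays one list of leaked
    credentials across many accounts, and most attempts fail."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def multi_country_accounts(events, min_countries=2, window=timedelta(hours=1)):
    """Accounts with successful logins from >= min_countries countries within window.
    Returns {user: sorted list of countries seen in the offending windows}."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            countries = {e["country"] for e in evs[start:end + 1]}
            if len(countries) >= min_countries:
                flagged[user] = flagged.get(user, set()) | countries
    return {u: sorted(c) for u, c in flagged.items()}


def triage(text):
    """Combine both detections and list the accounts worth locking."""
    events = parse_log(text)
    ips = stuffing_sources(events)
    accounts = multi_country_accounts(events)
    # Accounts a stuffing source actually got into are the ones to lock.
    hit = {e["user"] for e in events if e["ip"] in ips and e["ok"]}
    return {"stuffing_ips": sorted(ips),
            "multi_country": accounts,
            "lock_candidates": sorted(hit | set(accounts))}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Note that a geographic check alone generates false positives for travellers and VPN users; the stronger signal is an account that both appears in a stuffing source's success list and then shows logins from new countries, which is why the lock list is built from the union of the two detections rather than either one alone.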
The users that were locked out from their accounts were asked to reset their passwords to restore their accounts.
"Over the next few hours, affected accounts will be allowed to reset their passwords to be unlocked and restored. This will take the form of either
“It may be a little while before you receive your notice, but please be patient. There's no need to file additional support tickets or send messages to the admins at this time. If you haven't seen any update by tomorrow, contact us at that time via the Help Center. "
"We're sorry for the unpleasant surprise and are working to get you all back to
In August 2018, Reddit warned users of a security breach: an attacker broke into the platform's systems and accessed user data.
The attacker obtained email addresses and a 2007 backup database containing hashed passwords managed by the platform.
The breach was discovered on June 19, 2018. According to Reddit, between June 14 and 18, 2018, the attacker compromised the accounts of several employees with the company's cloud and source code hosting providers.
(SecurityAffairs – Reddit, data breach)
The post Reddit locked Down accounts due to alleged security breach appeared first on Security Affairs.
Posted: 10 Jan 2019 12:55 PM PST
Cisco addressed two DoS vulnerabilities in Cisco ESA products that can be exploited by a remote, unauthenticated attacker.
Cisco fixed two denial-of-service (DoS) flaws in Email Security Appliance (ESA) products that can be exploited by a
The first flaw, tracked as CVE-2018-15453, is rated critical. It is a memory corruption bug caused by improper input validation of emails signed with Secure/Multipurpose Internet Mail Extensions (S/MIME). An attacker can send a specially crafted S/MIME email to a vulnerable ESA and cause the appliance to reload, resulting in a DoS condition.
“A vulnerability in the Secure/Multipurpose Internet Mail Extensions (S/MIME) Decryption and Verification or S/MIME Public Key Harvesting features of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause an affected device to corrupt system memory.” reads the security advisory published by Cisco.
“A successful exploit could cause the filtering process to unexpectedly reload, resulting in a denial of service (DoS) condition on the device. “
Experts pointed out that the DoS condition is persistent: after the filtering process restarts it picks up the same malicious email from the queue and crashes again.
Restoring an affected Cisco ESA therefore requires manual intervention.
“A successful exploit could allow the attacker to cause a permanent DoS condition. This vulnerability may require manual intervention to recover the ESA. ” continues the advisory.
“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), both virtual and hardware appliances, if the software is configured for S/MIME Decryption and Verification or S/MIME Public Key Harvesting.”
The second DoS flaw in Cisco
An attacker can exploit the flaw to drive CPU utilization to 100 percent by sending an email that contains a large number of whitelisted URLs.
“A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to cause the CPU utilization to increase to 100 percent, causing a denial of service (DoS) condition on an affected device.” reads the security advisory.
“The vulnerability is due to improper filtering of email messages that contain references to whitelisted URLs. An attacker could exploit this vulnerability by sending a malicious email message that contains a large number of whitelisted URLs.”
Both Cisco ESA vulnerabilities were discovered internally by Cisco, and the good news is that there is no evidence of malicious exploitation.
“This vulnerability affects all software versions prior to the first fixed release of Cisco AsyncOS Software for Cisco ESAs, both virtual and hardware, if the URL Filtering as Global Setting feature is enabled and a URL whitelist is in use. By default, the URL Filtering as Global Setting feature is disabled. ” states the advisory.
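Both advisories describe a message class that a gateway ahead of the ESA can recognise before the appliance's own filters touch it: S/MIME signed or enveloped mail for the first flaw, and mail stuffed with an unusual number of whitelisted URLs for the second. The following pre-filter is an added example, not Cisco's filtering logic or fix; the thresholds, the whitelist and the sample messages are constructed, and upgrading AsyncOS remains the actual remediation.

```python
"""Pre-filter that flags S/MIME mail and URL-flood mail before it reaches a
vulnerable appliance. Added example; not Cisco's code. The whitelist,
threshold and sample messages below are constructed for illustration."""
import re
from email import policy
from email.parser import BytesParser

URL_RE = re.compile(rb"https?://[^\s<>\"']+", re.I)
SMIME_TYPES = {
    "application/pkcs7-mime", "application/x-pkcs7-mime",
    "application/pkcs7-signature", "application/x-pkcs7-signature",
}

# Constructed: hosts the (hypothetical) ESA URL whitelist trusts.
WHITELIST = {"www.example.com", "cdn.example.net"}

# Constructed S/MIME signed-data message (the base64 body is a placeholder, not a real signature).
SAMPLE_SMIME = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: signed\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIB\r\n"
)


def flood_message(n):
    """Constructed plain-text message referencing n whitelisted URLs."""
    body = "\r\n".join(f"see http://www.example.com/item/{i}" for i in range(n))
    return (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: links\r\n"
            b"Content-Type: text/plain\r\n\r\n" + body.encode())


def smime_parts(msg):
    """Content types of every S/MIME body part found while walking the MIME tree."""
    return [p.get_content_type() for p in msg.walk() if p.get_content_type() in SMIME_TYPES]


def url_count(raw, whitelist):
    """(total URL references, references whose host is whitelisted)."""
    urls = URL_RE.findall(raw)
    hosts = [re.sub(rb"^https?://", b"", u, flags=re.I).split(b"/")[0].lower() for u in urls]
    wl = sum(1 for h in hosts if h.decode(errors="replace") in whitelist)
    return len(urls), wl


def triage(raw, whitelist, max_whitelisted=200):
    """Return a verdict dict; 'flags' lists the reasons the message should be held."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    smime = smime_parts(msg)
    if smime:
        flags.append("smime")          # hold until the ESA is patched, or route around the S/MIME feature
    total, wl = url_count(raw, whitelist)
    if wl >= max_whitelisted:
        flags.append("url_flood")      # cheap to check here; expensive for the appliance's filter
    return {"smime_parts": smime, "urls": total, "whitelisted_urls": wl, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE_SMIME, WHITELIST))
    print(triage(flood_message(500), WHITELIST))
```

The URL count is done on the raw bytes on purpose: it does not decode attachments or parse HTML, so it stays O(message size) and cannot itself become the expensive step. Quarantining S/MIME mail is a blunt interim control that only makes sense for the short window before the fixed AsyncOS release is installed.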
(SecurityAffairs – DoS, CISCO ESA)
Posted: 10 Jan 2019 06:48 AM PST
Security experts uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspect Iranian APT groups are behind it.
Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs
“FireEye's Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications
“While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. “
Experts monitored the activities of threat actors between January 2017 and January 2019.
Working with victims, the security firm collected evidence that links the campaign to Iran, tactics, techniques
FireEye researchers tracked access from Iranian IPs to machines used to intercept, record and forward network traffic. The same IPs were previously associated with cyber attacks conducted by Iranian cyberspies.
The attackers do not appear to be financially motivated: they targeted several Middle Eastern governments whose data would be of interest to Iran.
It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale.
“While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale.” continues the analysis published by FireEye.
“The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways. “
Attackers used three different ways to manipulate DNS records to enable victim compromises.
In the first technique, the attackers log into a DNS provider's administration interface with compromised credentials and change the victim's DNS A records so that email traffic is routed to attacker-controlled infrastructure.
In the second technique, the attackers compromise the victim's domain registrar account and change the domain's NS records, taking over name resolution for the entire domain.
In both cases, the
“The Let's Encrypt Certificate allows the browsers to establish a connection without any certificate errors as Let’s Encrypt Authority X3 is trusted.” continue the researchers.
With these techniques, attackers are able to harvest
The third attack technique involved a DNS redirector and previously altered A and NS records to redirect victim’s traffic to infrastructure controlled by the attackers.
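All three techniques leave the same evidence: authoritative answers for the victim's A, MX or NS records that no longer match what the organization itself configured. A periodic drift check against a known-good baseline is the practical detection, and the following is an added example rather than FireEye's tooling; the baseline, the "observed" answers and the expected netblock are constructed. In production the observed answers come from querying an independent resolver and the authoritative servers, not from a dict.

```python
"""DNS record drift check for hijacked A/MX/NS records.
Added example, not FireEye's code; baseline, observed answers and the
expected netblock are constructed for illustration."""
import ipaddress

# Constructed: where this organization's mail and web hosts really live,
# and the name servers the registrar account is supposed to delegate to.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
EXPECTED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}

BASELINE = {
    ("mail.example.com.", "A"): {"203.0.113.25"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): set(EXPECTED_NS),
    ("webmail.example.com.", "A"): {"203.0.113.30"},
}

# Constructed observation: the mail host now resolves to attacker space and
# the delegation was changed at the registrar (techniques one and two above).
OBSERVED = {
    ("mail.example.com.", "A"): {"198.51.100.77"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
    ("webmail.example.com.", "A"): {"203.0.113.30"},
}


def _outside_expected(addrs):
    """Addresses that fall outside every netblock we own."""
    return [a for a in addrs
            if not any(ipaddress.ip_address(a) in n for n in EXPECTED_NETS)]


def check_drift(baseline, observed):
    """Compare observed answers with the baseline.
    Returns a list of (severity, name, rtype, detail) tuples."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        old = baseline.get(key, set())
        new = observed.get(key, set())
        if old != new:
            # NS and MX changes redirect a whole domain or all of its mail.
            sev = "high" if rtype in ("NS", "MX") else "medium"
            alerts.append((sev, name, rtype, f"changed {sorted(old)} -> {sorted(new)}"))
        if rtype == "A":
            bad = _outside_expected(new)
            if bad:
                alerts.append(("high", name, rtype, f"points outside expected netblocks: {bad}"))
        if rtype == "NS" and new and not new <= EXPECTED_NS:
            alerts.append(("critical", name, rtype,
                           f"delegation to unknown servers: {sorted(new - EXPECTED_NS)}"))
    return alerts


if __name__ == "__main__":
    for sev, name, rtype, detail in check_drift(BASELINE, OBSERVED):
        print(f"[{sev}] {name} {rtype}: {detail}")
```

Two practical notes on the design: the check compares against an organization-owned baseline rather than against yesterday's answer, so an attacker who changes a record slowly still trips it; and an unexpected NS delegation is graded above an A record change because, once the delegation moves, every record under the domain (including the DNS-validated certificate issuance the researchers describe) is under the attacker's control.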
FireEye says it's still trying to determine the exact attack vector for the DNS record modifications, but believes multiple techniques, including phishing, may have been used.
It is currently not possible to pin a single intrusion vector to each record change; the experts believe the attackers employed multiple techniques to gain an initial foothold in the victims’ infrastructure.
“Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account.” concludes FireEye.
"This DNS hijacking, and the scale at which it has been
(SecurityAffairs – Iran, DNS hijacking)
Posted: 10 Jan 2019 03:51 AM PST
Experts disclosed three flaws in the
(SecurityAffairs – Linux, hacking)
Posted: 10 Jan 2019 01:29 AM PST
Kaspersky has long been accused of supporting Russian intelligence; in an ironic turn, sources now reveal that it helped the NSA catch an alleged NSA data thief.
The company has always denied any involvement in operations conducted by Russian intelligence and recently opened its Transparency Center in Zurich to assure customers of the integrity and trustworthiness of its products.
The latest revelation shows the company in a very different light.
We have long discussed the hack of the NSA-linked Equation Group carried out by “The Shadow Brokers,” who attempted to sell the stolen hacking tools and exploits and leaked part of them online.
In August 2016, the FBI arrested former NSA contractor Harold Thomas Martin over a massive theft of secret data.
At the time of the arrest, Martin was working for Booz Allen Hamilton Holding Corp.
The US DoJ charged Harold Thomas Martin (51) with theft of secret documents and highly classified government material. According to the court complaint, the stolen data include source code developed by the NSA for its hacking campaigns against foreign governments.
According to the Politico website, sources informed of the events reported that Kaspersky learned about Martin after he sent strange Twitter messages to two researchers of the firm in 2016, minutes before The Shadow Brokers began leaking the NSA dump online.
“The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency's stolen code for the price of $1 million Bitcoin. ” reported the Politico website.
“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999’ to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports.
A first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with Kaspersky Lab CEO Eugene Kaspersky.
Kaspersky reported the messages to the NSA, which identified Martin; the FBI arrested him shortly afterwards.
“According to the sources who spoke with POLITICO, Kaspersky gave the NSA all five Twitter messages as well as evidence of the sender’s real identity.” continues the Politico. “Then, according to the redacted court document, the FBI used the evidence to obtain search warrants for Martin’s Twitter account and Maryland home and property. The document doesn't indicate how the FBI learned of the Twitter messages or Martin's identity. “
In short, Kaspersky Lab helped the NSA catch an alleged NSA data thief, exposing a massive breach that U.S. authorities had not detected on their own.
(SecurityAffairs – Kaspersky Lab, intelligence)
|You are subscribed to email updates from Security Affairs. |