- Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day
- Android apps use the motion sensor to evade detection and deliver Anubis malware
- Oracle critical patch advisory addresses 284 flaws, 33 critical
- Twitter fixed a bug in its Android App that exposed Protected Tweets
- Attacks in the wild leverage flaw in ThinkPHP Framework
Posted: 18 Jan 2019 03:22 PM PST
Experts at Malwarebytes have reported that the code for the recently discovered Flash zero-day flaw was added to the Fallout Exploit kit.
Experts at Malwarebytes observed a new version of the Fallout Exploit kit that
The Fallout Exploit kit was discovered at the end of August by the threat analyst nao_sec, at the time it was used to distribute the
First detailed in September 2018, the toolkit was observed delivering malware families ranging from ransomware to backdoors, but also fingerprinting the browser profile to identify targets of interest.
The activity associated with the Fallout exploit kit was temporarily suspended in early January, likely to improve it, in the same period experts at Malwarebytes observed an increase in the RIG EK activity.
The Fallout EK was distributed mainly via malvertising chains, starting January 15 it was used to deliver the GandCrab ransomware.
“After a short hiatus in early January, the Fallout
“The revised Fallout EK boasts several new features, including integration of the most recent Flash Player exploit. Security researcher Kafeine identified that Fallout is now the second exploit kit to add CVE-2018-15982.”
One of the most important improvements for the Fallout Exploit kit is the exploit for a recently discovered Adobe Flash Player zero-day tracked as
The CVE-2018-15982 flaw is a critical
The flaw could be exploited by attackers to execute arbitrary code, Adobe addressed it with the release of Flash Player 18.104.22.168 for Windows, macOS, Linux, and Chrome OS.
The first exploit kit that integrated the code to trigger the CVE-2018-15982 flaw in
The new Fallout Exploit kit implements the support for HTTPS support, a new landing page format, and uses Powershell to run the final payload.
“The Base64 encoded Powershell command calls out the payload URL and loads it in its own way” continues the analysis. ”
The new development for the Fallout Exploit kit demonstrates the malware developers
This development is the proof that exploit kit developers are continuously improving their code to trigger the most recent flaws.
The post Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day appeared first on Security Affairs.
Posted: 18 Jan 2019 10:37 AM PST
Security experts from Trend Micro have recently spotted two Android apps that use the motion sensor to evade detection and spread the Anubis banking Trojan.
Malware authors continue to improve their malicious apps to avoid detection and infect the largest number of users.
Security experts from Trend Micro have recently spotted two Android apps in the Google Play Store, Currency Converter and BatterySaverMobi, that infected thousands of users with banking malware.
Currency Converter masquerade as a currency exchange app and
With this trick,
“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER
“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”
The infection process doesn’t start if the malware determines that the device and the user are still by analyzing the sensor data.
If the app discovers the sensor data it runs the malicious code and then attempts to trick the victims into downloading and installing the Anubis payload APK with a fake system update. masquerading it as a “stable version of Android.”
If the user accepts the bogus system update, the dropper uses requests and responses over legitimate services such as Twitter and Telegram downloads the Anubis banking Trojan from the C2 and install it.
“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” continues the analysis.
Experts pointed out the Anubis banking Trojan uses a built-in keylogger to steal credentials and it is also able to take screenshots of the users’ screen while inserting credentials into any banking app.
Experts observed infections in 93 different countries, the latest variant of the Anubis banking Trojan targets at least 377 variations of financial apps.
The banking Trojan is also able to access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.
Further details on the malware, including IoCs are reported in the analysis published by Trend Micro.
(SecurityAffairs – Anubis banking Trojan, motion sensor)
The post Android apps use the motion sensor to evade detection and deliver Anubis malware appeared first on Security Affairs.
Posted: 18 Jan 2019 05:15 AM PST
Oracle released the first critical patch advisory for 2019 that addresses a total of 284 vulnerabilities, 33 of them are rated "critical".
Let’s give a close look at some of the vulnerabilities fixed by this patch advisory.
The advisory fixed the CVE-2016-1000031 flaw, a remote code execution (RCE) bug in the Apache Commons FileUpload, disclosed in November last year. The Commons FileUpload library is the default file upload mechanism in Struts 2, the CVE-2016-1000031 was discovered two years ago by experts at Tenable.
The bug affected the OCA’s Diameter Signalling Router component and its Communications Services Gatekeeper. The flaw also affected the Financial
A vulnerability in the Apache Log4j tracked as CVE-2017-5645 impacted the Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the Fusion’s GoldenGate app adapters and SOA Suite, and also a Sun tape library component.
The CVE-2017-5645 flaw resides in the Codehaus versions of Groovy and affected OCA Unified Inventory Management.
The critical patch advisory for 2019 also fixed the CVE-2018-11776 vulnerability in the OCA’s Communications Policy Management Component, this issue was exploited in 2018 by threat actors to mine
Another bug fixed by Big Red affected the Oracle E-Business’ Performance Management component, it
“Easily exploitable vulnerability allows
“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data. “
Oracle addressed the CVE-2016-4000 flaw, Jython provided a vector for arbitrary code, it is used by Oracle Enterprise Manager platform, Banking Platform, and Utilities Network Management System.
The list is very long, it also includes patches for a DoS in the Derby
People interested in the full list could visit the following address:
The post Oracle critical patch advisory addresses 284 flaws, 33 critical appeared first on Security Affairs.
Posted: 18 Jan 2019 01:49 AM PST
A bug in the Twitter app for Android may have had exposed tweets, the social media platform revealed on Thursday.
The bug in the Android Twitter app affects the "Protect my Tweets" option from the account's "Privacy and safety" settings that allows viewing user’s posts only to approved followers.
People who used the
“We’ve become aware of an issue in Twitter for Android that disabled the “Protect your Tweets” setting if certain account changes were made.” reads the security advisory published by the
“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019.”
The vulnerability was introduced on November 3, 2014, and was fixed on January 14, 2019, users using the iOS app or the web version
Twitter has notified impacted users and has turned “Protect your Tweets” back on for them if it was disabled.
"We are providing this broader notice through the Twitter Help Center since we can't confirm every account that may have been impacted. We encourage you to review your privacy settings to ensure that your 'Protect your Tweets' setting reflects your preferences," continues the advisory.
In September 2018, the company announced that an issue in Twitter Account Activity API had exposed some users' direct messages (DMs) and protected tweets to wrong developers.
Twitter is considered one of the most powerful social media platforms, it was used in multiple cases by nation-state actors as a vector for disinformation and propaganda.
In December Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.
The post Twitter fixed a bug in its Android App that exposed Protected Tweets appeared first on Security Affairs.
Posted: 17 Jan 2019 11:58 PM PST
Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install
The post Attacks in the wild leverage flaw in ThinkPHP Framework appeared first on Security Affairs.
|You are subscribed to email updates from Security Affairs. |
To stop receiving these emails, you may unsubscribe now.
|Email delivery powered by Google|
|Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States|