Spyware, viruses, & security forum: NEWS - August 30, 2012

Zero-day Java flaw exploited in targeted tax email malware attack

Experts at SophosLabs have discovered that cybercriminals have taken advantage of the critical zero-day flaw vulnerability in Java, sending out malicious emails which pretend to come from an accountancy firm announcing a rise in the tax rate.

Unsuspecting internet users who click on links contained inside the email - perhaps concerned that there has been a rise in the VAT rate - risk instantly infecting their computers.

SophosLabs discovered the email in one of its global network of spamtraps. The email purported to be from the Dutch branch of the accountancy firm BDO Stoy Hayward: [Screenshot]

Of course, the email doesn't really come from the accountancy firm. A closer look discovers that it has been sent from a hosting provider in the Netherlands:

Continued : http://nakedsecurity.sophos.com/2012/08/30/zero-day-java-flaw-exploited-tax-email/

Also from Sophos: How to turn off Java on your browser - and why you should do it now

"Admin and user accounts from websites breached and posted online"

A hacker gang claims to have leaked more than a million user accounts from some 100 websites worldwide, and its weapon of choice appears to mainly be good ol' SQL injection.

The GhostShell gang on Saturday posted online what it claims are accounts and records from various financial services, consulting firms, academia, law enforcement, and the CIA. "Team GhostShell's final form of protest this summer against the banks, politicians and for all the fallen hackers this year," the post said in part. "One million accounts/records leaked. We are also letting everyone know that more releases, collaborations with Anonymous and other, plus two more projects are still scheduled for this fall and winter. It's only the beginning."

Researchers at Imperva say the attackers appear to have employed mostly SQL injection, but also exploited weak passwords and vulnerable content management systems. The attackers used the popular SQLmap tool, and some of the hacked databases included more than 30,000 records.

Continued : http://www.darkreading.com/identity-and-access-management/167901114/security/attacks-breaches/240006425/ghostshell-haunts-websites-with-sql-injection.html

Also:
'Team GhostShell' hackers use SQL weakness to raid 100 websites
Hacktivists Continue To Own Systems Through SQL Injection

Boasting a new silent updater and an optimized memory management system, Mozilla pushed out Firefox 15 this week, the latest build of its flagship browser. Following similar steps taken by Adobe and Google with its Flash, Reader and Chrome products, Firefox's new updater will now perform updates in the background, saving users from those pesky, sometimes intrusive notifications.

Mozilla debuted a silent update mechanism for the browser in April when it released version 12 of Firefox. While that method allowed Firefox to update while the browser was running, installing that version, during its next restart, would take slightly longer. Firefox 15's background updates are different than silent updates in the sense that when an update is installed in the background, the browser will take the same amount of time to start up as it usually would.

Firefox's new memory management system should help prevent add-ons from hogging memory after a user has already closed a browser tab. The new mechanism apparently notices when extra versions of websites no longer need to be held onto and recaptures the leaked memory, according to Asa Dotzler, Mozilla's Product Manager for Firefox, in a blog post detailing the new system.

"Many users should experience greatly reduced memory consumption, particularly on long browsing sessions," wrote Nicholas Nethercote, a Firefox developer who previewed the functionality in a blog post last month.

Continued : https://threatpost.com/en_us/blogs/mozilla-releases-firefox-15-new-invisible-updater-083012

Firefox 15 related:
Firefox 15 arrives, supports compressed textures for impressive 3D gaming
Firefox and Thunderbird 15 fix several security vulnerabilities

From Citizen Lab:

Download PDF version

This post describes our work analyzing several samples which appear to be mobile variants of the FinFisher Toolkit, and ongoing scanning we are performing that has identified more apparent FinFisher command and control servers.
Introduction

Earlier this year, Bahraini Human Rights activists were targeted by an email campaign that delivered a sophisticated Trojan. In From Bahrain with Love: FinFisher's Spy Kit Exposed? we characterized the malware, and suggested that it appeared to be FinSpy, part of the FinFisher commercial surveillance toolkit. Vernon Silver concurrently reported our findings in Bloomberg, providing background on the attack and the analysis, and highlighting links to FinFisher's parent company, Gamma International.

After these initial reports, Rapid7, a Boston-based security company, produced a follow-up analysis that identified apparent FinFisher Command and Control (C&C) servers on five continents. After the release of the Rapid7 report, Gamma International representatives spoke with Bloomberg and The New York Times' Bits Blog, and denied that the servers found in 10 countries were instances of their products.

Continued : https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/

A mystery virus has infected the network of Qatar's natural gas pumper RasGas, prompting bosses to pull the plug on the biz's internet connection. Office systems have been unusable since the malware struck on 27 August, according to local reports.

In a fax to suppliers, the company reportedly said: "RasGas is presently experiencing technical issues with its office computer systems. We will inform you when our system is back up and running."

The RasGas website, rasgas.com, remains unreachable at the time of writing on Thursday afternoon. A spokesman for the firm told Arabian Oil and Gas that the malware outbreak was not affecting gas extraction and processing.

The virus infection follows a strikingly similar attack against Saudi Aramco on 15 August, which hit 30,000 workstations and forced the world's largest oil company to suspend access to its internal and remote networks for 10 days. Oil production activities were not affected by that outbreak either.

Continued : http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/

Also: Gas Giant RasGas Downed By Virus

.. enterprise networks

The first six months of 2012 saw continued increases of malicious infection activity and an intensified danger of email-based attacks as cybercriminals increasingly employed throw-away domains to infiltrate enterprise networks, according to a FireEye report.

Research shows that over 95 percent of companies are compromised by advanced malware and most are not aware of the attack.

Key findings include:

Explosive growth of advanced malware infections - Advanced malware that evades signature-based detection increased nearly 400 percent since 2011, to an average of 643 successful infections per week per company.

Intensified danger of email-based attacks - 56 percent growth in email-based attacks in 2Q 2012 versus 1Q 2012. Malicious links were more widely used than malicious attachments in the last two months of the second quarter of 2012.

Continued : http://www.net-security.org/malware_news.php?id=2246

Secunia announced the availability of the latest version of its Corporate Software Inspector product with new features to support additional operating platforms.

In Secunia CSI 6.0, the vulnerability scanner will now cover Red Hat Enterprise Linux in addition to Windows and Mac OS X, and has added the ability to scan for custom software throughout the environment. Updates can be created using the Secunia Package System and existing deployed solutions, the company noted.

SecuniaIn addition, there is a new level of integration with Microsoft Windows Server Update Services, Microsoft System Center Configuration Manager, Altiris Deployment Solution and other third-party configuration management tools. The integration will enable easy installation of third-party updates and make patching more straight-forward, the company said.

Continued : http://www.securityweek.com/secunia-updates-vulnerability-patch-management-tool

Also: Secunia launches Corporate Software Inspector 6.0