Mitigations Available for PanelShock Vulnerabilities in Schneider Electric Magelis HMIs

One week after addressing a critical vulnerability in its industrial controller management software, Schneider Electric is in the midst of handling two more serious flaws in a number of its Magelis HMI products.
 HMI is short for human machine interface, a graphical visualization of an industrial process that also includes a panel through which operators manipulate and manage processes.

An attacker exploiting either of the vulnerabilities could crash an industrial process, and in a critical industry such as water or energy, the impact on lives could be substantial. The flaws, nicknamed PanelShock, were privately disclosed in April to Schneider Electric by an ICS and SCADA security startup called Critifence. CTO Eran Goldstein said in an advisory published Tuesday that the Magelis GTO, GTU, STO, STU, and XBT panels are affected by the vulnerabilities (CVE-2016-8367 and CVE-2016-8374).
 Schneider Electric has provided a number of temporary mitigations, but operators of the GTO Advanced Optimum panels and GTU Universal panel should not expect a patch until next March when product upgrades are scheduled to be available.

A request for comment from Schneider Electric was not returned in time for publication. “By exploiting PanelShock vulnerabilities, a malicious attacker can ‘freeze’ the panel remotely and disconnect the HMI panel device from the SCADA network and prevent the panel from communicating with PLCs and other devices, which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation,” Critifence said.

The vulnerabilities, Critifence said, are related to improper implementations of different HTTP request methods and a resource consumption management mechanism. Schneider Electric qualified that for an exploit to be successful, the Web Gate Server, which is off by default, must be enabled.
“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in its advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption.

 This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.” Schneider Electric recommends limiting exposure of the vulnerable HMIs to the Internet and disabling the Web Gate Server. Also, control system networks should be isolated from business networks and behind a firewall. If remote access is required, Schneider Electric recommends it be done through a VPN connection and that systems’ patching levels be current. Last week, a critical flaw was disclosed in Schneider Electric Unity Pro software that allows for remote code execution. ICS security company Indegy found the flaw in the Unity Pro PLC Simultor, and Schneider Electric had patched it on Oct. 14. Any Unity Pro component exposed to the Internet was vulnerable, and attackers could take advantage of a lack of authentication to access the controller and exploit the issue.

One week after addressing a critical vulnerability in its industrial controller management software, Schneider Electric is in the midst of handling two more serious flaws in a number of its Magelis HMI products. HMI is short for human machine interface, a graphical visualization of an industrial process that also includes a panel through which operators manipulate and manage processes. Related Posts Google Reveals Windows Kernel Zero Day Under Attack October 31, 2016 , 5:00 pm Major Vulnerability Found In Schneider Electric Unity Pro October 26, 2016 , 7:00 am Threatpost News Wrap, October 14, 2016 October 14, 2016 , 10:38 am An attacker exploiting either of the vulnerabilities could crash an industrial process, and in a critical industry such as water or energy, the impact on lives could be substantial. The flaws, nicknamed PanelShock, were privately disclosed in April to Schneider Electric by an ICS and SCADA security startup called Critifence. CTO Eran Goldstein said in an advisory published Tuesday that the Magelis GTO, GTU, STO, STU, and XBT panels are affected by the vulnerabilities (CVE-2016-8367 and CVE-2016-8374). Schneider Electric has provided a number of temporary mitigations, but operators of the GTO Advanced Optimum panels and GTU Universal panel should not expect a patch until next March when product upgrades are scheduled to be available. A request for comment from Schneider Electric was not returned in time for publication. “By exploiting PanelShock vulnerabilities, a malicious attacker can ‘freeze’ the panel remotely and disconnect the HMI panel device from the SCADA network and prevent the panel from communicating with PLCs and other devices, which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation,” Critifence said. The vulnerabilities, Critifence said, are related to improper implementations of different HTTP request methods and a resource consumption management mechanism. Schneider Electric qualified that for an exploit to be successful, the Web Gate Server, which is off by default, must be enabled. “The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in its advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.” Schneider Electric recommends limiting exposure of the vulnerable HMIs to the Internet and disabling the Web Gate Server. Also, control system networks should be isolated from business networks and behind a firewall. If remote access is required, Schneider Electric recommends it be done through a VPN connection and that systems’ patching levels be current. Last week, a critical flaw was disclosed in Schneider Electric Unity Pro software that allows for remote code execution. ICS security company Indegy found the flaw in the Unity Pro PLC Simultor, and Schneider Electric had patched it on Oct. 14. Any Unity Pro component exposed to the Internet was vulnerable, and attackers could take advantage of a lack of authentication to access the controller and exploit the issue.

See more at: Mitigations Available for PanelShock Vulnerabilities in Schneider Electric Magelis HMIs https://wp.me/p3AjUX-vFA

How Hackers Could Steal Your Cellphone Pictures From Your IoT Crock-Pot

If you have an internet-connected home appliance, such as a crock-pot, a lightbulb, or a coffee maker, you can control it from the comfort of your smartphone. But a bug in the Android app that controls some of those devices made by a popular manufacturer also allowed hackers to steal all your cellphone photos and even track your movements.
Security researchers found that the Android app for internet-connected gizmos made by Belkin had a critical bug that let anyone who was on the same network hack the app and get access to the user’s cellphone. This gave them a chance to download all photos and track the user’s position, according to new research by Scott Tenaglia and Joe Tanen, from Invincea Labs.
The two researchers looked into the security of Belkin’s popular WeMo home-automation devices and found several issues, including one in WeMo’s Android app, which has between 100,000 and 500,000 downloads, according to stats on the Google Play app store. They also found one flaw in the devices’ themselves, which allowed hackers to take control of the device.
Belkin fixed the Android app’s vulnerability in August, and the company said that it’s releasing a firmware update to fix the devices’ flaw on Wednesday. (The update won’t be automatic, however, and owners will have to download and install it themselves.)
But these bugs, especially the one that allowed hackers to use a WeMo device to hack the user’s Android phone, are the umpteenth reminder that the devices that are part of the so-called Internet of Things are often riddled with security flaws. And even if users might not particularly care if their toasters or DVRs are part of an army of zombie computers that can take down websites, they probably will have a different opinion about their smart appliances if hackers can use them to get into their smartphones.

“The insecurity of my [Internet of Things device] now affects the security of another device I own, something that I probably care a lot more about.”

“The insecurity of my [Internet of Things device] now affects the security of another device I own, something that I probably care a lot more about than my IoT,” Tenaglia told Motherboard in a phone call.
The good news here is that Belkin answered quickly to these vulnerabilities, and attackers needed to be on the same network as the WeMo devices to attack them. That’s not a guarantee it can’t happen to anyone though. Tenaglia and Tanen posited a scenario where hackers get into an DVR or camera that has default credentials. At that point, they’re inside the network. They scan for WeMo devices, and from there, they hack the user’s Android phone.
The bad news is that the flaw in the WeMo device gave hackers full control of the gizmos, even more than the owners themselves. That way, the hackers could even disable the owners’ ability to remove malware and update firmware. At that point, according to the researchers, the only solution is tossing your IoT device.
There’s no evidence that these bugs were found and exploited by criminals against Belkin users, but once again, they are a reminder that in this day and age, our internet-connected crock-pot are a threat to our data—even to our phones.

Secret links between Trump and Russian bank’s servers uncovered

When a group of computer scientists went out to determine if the hackers were interfering with Donald Trump campaign, they found shocking results and revealed the world that Trump has maintained a private server for exclusive communication with a Russian bank.

However, the campaign has denied the report of having any relationship with Russia’s largest private commercial bank in Moscow, Alfa Bank and so has the bank.

Earlier also the presidential candidate who has lauded Russian president, Vladimir putin for his leadership has been accused with the same for spying over its rival, Hilary Clinton. Rumors of an internet connection between the bank and a web address linked to the Trump Organization have been circulating in Washington for a number of weeks.

The group of computer scientists who are nicknamed as Tea Leaves claimed that the servers of the organization were designed to communicate in 'secretive' way.

Earlier this year, the Russian hackers had infiltrated the servers of the Democratic National Committee, an attack persuasively detailed by the respected cybersecurity firm CrowdStrike.

Slate website which published the report had conducted an investigation into the means by which scientists uncovered this data and the extent to which it may be linked to the 2016 election. Currently, sufficient evidence does not exist to bring forth allegations. However, the evidence found is reasonable enough to trust.

Closer observation revealed the server, registered to Trump Organization on Fifth Avenue, was communicating exclusively and covertly with Alfa Bank’s two servers.

The Trump Organization server was created in 2009 for marketing purposes but press secretary of campaign, Hope Hicks has said that the server “operated by a third-party has not been used since 2010. The current traffic on the server from Alphabank’s IP address is regular DNS server traffic – not email traffic.”

The scientists have claimed that Trump’s servers went dark after the reporters pounded the organisatin with questions.

Alfa Bank, helmed by Mikhail Fridman and Pyotyr Aven, does have dealings in the United States. LetterOne, one of the bank’s holding companies, invested $200 million in Uber this year and intends to commit $3 billion to United States health care. Alfa Bank has not involved itself in shady business; it has even received an award for “Corporate Citizenship.”

Denying all the reports and links with the campaign, Alfa Bank has said that the cybersecurity experts hired by the bank are investigating into the act and have doubts that the activity could have been caused by a spam attack.

The relationship between the Trump Organization and Alfa Bank also seems connected to or at least influenced by the election.

Tea Leaves encountered the server registered to the Trump Organization by scouring the domain name system (DNS). According to the DNS specialists two Alfa Bank servers accounted for 87% of the DNS lookups involving the Trump Organization server.

The DNS is a protocol that regulates communications on the internet. It is what allows internet users to type in the name of the website and to land on the appropriate page.

Trump has indicated that he favors Russia, from his disinclination to protect NATO allies from a Russian attack, to his campaign’s alleged demand that the GOP adjust its position on Ukraine so that it was more amenable to Russia. And Russia is suspected of hacking into Democratic National Committee emails, and into other voting systems in the U.S. Russian officials have even asked to be present at polling stations on November 8.

Though more evidence is awaited, this looks a grave matter

VolatilityBot – An Automated Memory Analyzer For Malware Samples And Memory Dumps

VolatilityBot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses, etc.

Motivation

Part of the work security researchers have to go through when they study new malware or wish to analyse suspicious executables is to extract the binary file and all the different injections and strings decrypted during the malware’s execution.
In the new version of VolatilityBot, a new feature is automated analysis of memory dumps, using heuristics and YARA/Clam AV Scanners (Clam scan coming soon). This feature is useful for memory analysis at scale. Usually, this initial process is done manually, either of a malware sample, or a memory dump and it can be lengthy and tedious.

Current features

Automated analysis of malware samples (Based on diff-ing between clean memory image and infected one )

• Extraction of injected code
• Dump of new processes
• Yara scan, static analysis, string extraction, etc. on all outputs

Automated heuristic analysis of memory dumps

• Detect anomallies using heuristics and dump the relevant code
• Yara scan, static analysis, string extraction, etc. on all outputs.

Prepare the VM (Currently only vmware)

Create a new virtual machine, with Windows XP up to windows 10 x64.
Make sure the machine has windows defender and FW disabled, and has a static IP
Install python 3.5
Create c:\temp folder, or change the destination folder in config
Copy the agent.py from Utils and launch it (you can execute it without the console using pythonw.exe)
Take a snapshot of the VM
repeat steps 1-6 for as many VMs as you want

Configuring the host

Edit the required parameters, as instructed in the conf/conf.py file
Execute db_builder.py – in order to create the database
Execute gi_builder.py – in order to build the golden images for all active VMs

Submit

Analyze a memory dump using heuristics, and dump output to folder
VolatilityBot.py  -m –dump -f /Users/Martin/Downloads/stuxnet.vmem
Submit an executable and analyze it using Volatility:
VolatilityBot.py  -f <Sample Path>
VolatilityBot.py  -D
Download Tool

Arizona Teen Arrested For Disrupting iPhone 911 Emergency Services

(PC-GOOGLE IMAGES)

An 18-year-old teenager from Arizona has been arrested after he disrupted the emergency 911 system for the Phoenix metro area and surrounding states this week with a malicious link shared on social media.

iPhone app developer MeetKumar Hiteshbhai Desai is accused of publishing Web links that caused iPhones to repeatedly dial 911.

Per authorities, Desai created a JavaScript exploit, which he shared with his friends on Twitter and other websites. The link shared by Desai saw users who clicked on it have their iPhones automatically and repeatedly dial 911. The volume of the calls allegedly put the responders and authorities "in immediate danger of losing services to their switches". Authorities said apart from Arizona, agencies in California and Texas were also affected.

An official press release from the Maricopa County's Sheriff's Office said: "The Surprise Police Department received the over (100) hang up 911 phone calls within a matter of minutes due to this cyber-attack and were in immediate danger of losing service to their switches. The Peoria Police Department and the Maricopa County Sheriff's Office also received a large volume of these repeated 911 hang up calls and had the potential danger of losing service throughout Maricopa County.” 

"Sheriff's Detectives were able to identify 'Meet' as the suspect behind the 911 disruption and was taken into custody and transported him to the Major Crimes Division for questioning late last night. Meet explained to Sheriff's detectives that he was interested in programs, bugs, and viruses which he could manipulate and change to later inform Apple about how to fix their bug issues for further iOS updates. He claimed that Apple would pay for information about bugs and viruses and provide that particular programmer with credit for the discovery."

Critical Flaws in MySQL Give Hackers Root Access to Server (Exploits Released)

Over a month ago we reported about two critical zero-day vulnerabilities in the world's 2nd most popular database management software MySQL:

• MySQL Remote Root Code Execution (CVE-2016-6662)
• Privilege Escalation (CVE-2016-6663)

At that time, Polish security researcher Dawid Golunski of Legal Hackers who discovered these vulnerabilities published technical details and proof-of-concept exploit code for the first bug only and promised to release details of the second bug (CVE-2016-6663) later.

On Tuesday, Golunski has released proof-of-concept (POC) exploits for two vulnerabilities:

One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663), and another is a new root privilege escalation bug (CVE-2016-6664) that could allow an attacker to take full control over the database.

Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier, as well as MySQL forks — Percona Server and MariaDB.

Privilege Escalation/Race Condition Bug (CVE-2016-6663)

The more severe of the two is the race condition bug (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate their privileges and execute arbitrary code as the database system user (i.e. 'mysql').

Once exploited, an attacker could successfully gain access to all databases within the affected database server.

Root Privilege Escalation (CVE-2016-6664)

Another critical flaw in MySQL database is a root privilege escalation bug that could allow attackers with 'MySQL system user' privilege to further escalate their privileges to root user, allowing them to fully compromise the system.

The issue actually stems from unsafe file handling of error logs and other files, which comes under MySQL system user privileges, allowing it to be replaced with an arbitrary system file, which opens the door to root privileges.

What's more troublesome? An attacker with a low-privileged account can also achieve root privilege by first exploiting the Privilege Escalation flaw (CVE-2016-6663) to become 'MySQL system user' and thus allow attackers to fully compromise the targeted server.

All these vulnerabilities could be exploited in shared hosting environments where users are assigned access to separate databases. By exploiting the flaws, they could gain access to all databases.

Golunski has published the proof-of-concept exploit code (Exploit 1, Exploit 2) for both the flaws and will soon upload videos.

MySQL has fixed the vulnerabilities and all of the patches ultimately found their way into Oracle's quarterly Critical Patch Update last month.

Administrators are strongly advised to apply patches as soon as possible in order to avoid hackers seeking to exploit the vulnerabilities.

If you are unable to immediately apply patches, then as a temporary mitigation you can also disable symbolic link support within your database server configuration to this setting — my.cnf to symbolic-links = 0 — in an attempt to protect yourself against cyber attacks

Hundreds Of Operations Canceled After Malware Hacks Hospitals Systems

Computer viruses do not discriminate.

They are not just hacking your email and online banking accounts anymore.

Computer viruses do not distinguish between a personal computer or a hospital machine delivering therapy to patients — and the results could prove deadly.

Cyber attacks on hospitals have emerged as a significant cyber security risk in 2016, which not only threaten highly sensitive information but also potentially harm the very lives of those being protected.

In the latest incident, hundreds of planned operations, outpatient appointments, and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS) network on Sunday.

In a bright-red alert warning labeled "Major incident" on its website, the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) said its systems in Scunthorpe and Grimsby were infected with a virus on October 30.

The incident forced the trust to shut down all the major systems within its shared IT network in order to "isolate and destroy" the virus and cancel surgeries.

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

Some patients, including major trauma patients and high-risk women in labor, were diverted to neighbouring hospitals.

Although the majority of systems are now back and working, the NHS Trust has not provided any specific information about the sort of virus or malware or if it managed to breach any defense.

The incident took place after the U.S. and Canada issued a joint cyber alert, warning hospitals and other organizations against a surge in extortion attacks that infect computers with Ransomware that encrypts data and demand money for it to be unlocked.

Although it is unclear at the moment, the virus could likely be a ransomware that has previously targeted hospitals and healthcare facilities.

Life Threatening Cyber-Attacks

With the rise in Ransomware threat, we have seen an enormous growth in the malware businesses.
The countless transactions of Bitcoins into the dark web have energized the Ransomware authors to distribute and adopt new infection methods for the higher successful rate.

Today, Ransomware have been a soft target for both Corporates as well as Hospitals.

Since earlier this year, over a dozen hospitals have been targeted by ransomware, enforcing them to pay the ransom amount as per the demand by freezing the central medical systems.

Technological advancement in the medical arena has digitalized patients data in the form of Electronic Medical Record (EMR) in order to save them into the hospital's central database.

Since the delay in patients treatment by temporary locking down their details could even result in the patient's death, the attackers seek 100 percent guarantee ransom by infecting hospitals with Ransomware.

Due to this reason, in most of the cases, hospitals generally agrees to pay the ransom amount to the attackers.

Earlier this year, the Los Angeles-based Presbyterian Medical Center paid $17,000 in Bitcoins to cyber crooks in order to restore access to its electronic medical systems, after a ransomware virus hit the hospital.

Also back in April, the MedStar Health chain that runs a number of hospitals in the Baltimore and Washington area, was attacked with Samsam ransomware (or Samas) that encrypted sensitive data at the hospitals.

Someone is Using Mirai Botnet to Shut Down Internet for an Entire Country

Someone is trying to take down the whole Internet of a country by launching massive distributed denial-of-service (DDoS) attacks using a botnet of insecure IoT devices infected by the Mirai malware.

It all started early October when a cybercriminal publically released the source code of Mirai – a piece of nasty IoT malware designed to scan for insecure IoT devices and enslaves them into a botnet network, which is then used to launch DDoS attacks.

Just two weeks ago, the Mirai IoT Botnet caused vast internet outage by launching massive DDoS attacks against DNS provider Dyn, and later it turns out that just 100,000 infected-IoT devices participated in the attacks.

Experts believe that the future DDoS attack could reach 10 Tbps, which is enough to take down the whole Internet in any nation state.

One such incident is happening from past one week where hackers are trying to take down the entire Internet of Liberia, a small African country, using another Mirai IoT botnet known as Botnet 14.

Security researcher Kevin Beaumont has noticed that Botnet 14 has begun launching DDoS attacks against the networks of "Lonestar Cell MTN ", the telecommunication company which provides the Internet to entire Liberia via a single entry point from undersea fiber cable.

"From monitoring, we can see websites hosted in country going offline during the attacks — Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack," Beaumont said in a blog post published today.

According to Beaumont, transit providers confirm that the attacks were over 500 Gbps in size, but last for a short period. This volume of traffic indicates that the "Shadows Kill" Botnet, as the researcher called it, is "owned by the actor which attacked Dyn."

Why Taking Down Liberia's Internet Is easy?

Over a decade of civil war in Liberia destroyed the country's telecommunications infrastructure, and at that time a very small portion of citizens in Liberia had access to the internet via satellite communication.

However, some progress were made later in 2011 when a 17,000 km Africa Coast to Europe (ACE) submarine fiber-optic cable was deployed from France to Cape Town, via the west coast of Africa.

The ACE fiber cable, at depths close to 6,000 meters below sea level, eventually provides broadband connectivity to more 23 countries in Europe and Africa.

What's shocking? The total capacity of this cable is just 5.12 Tbps, which is shared between all of the 23 countries.

Since massive DDoS attack against DynDNS used a Mirai botnet of just 100,000 hacked IoT devices to close down the Internet for millions of users, one can imagine the capability of more than 1 Million hacked IoT devices, which is currently in control of the Mirai malware and enough to severely impact systems in any nation state.

This is extremely worrying because, with this capacity, not just Liberia, an attacker could disrupt the Internet services in all 23 countries in Europe and Africa, which relies on the ACE fiber cable for their internet connectivity.

The root cause? More insecure, vulnerable IoT devices, more Mirai bots.

So, in order to protect yourself, you need to be more vigilant about the security of your smart devices because they are dumber than one can ever be.

Shadow Brokers Revelas List of Servers Hacked by NSA, Contains DATA of 300+ Domains

A hacker group Shadow Brokers were known for their revelation of the hacking tools used by NSA. After being quite for some time, they are now back in news once again and gives NSA a Halloween surprise and it’s very scarier than before.
The new leak contains a list of more than 300 IP addresses and more than 300 domain names the Equation Group may have compromised. According to a Hacker House analysis, the affected hosts appear to be spread around the world. “However, the top 10 impacted countries are China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy & Russia,” Hacker House reports. “The top three, China, Japan and Korea, make up a substantial number of the attacked hosts.”

Top 3 Targeted Countries — China, Japan, and Korea

The data dump [Download / File Password: payus] that experts believe contains 306 domain names, and 352 IP addresses belong to at least 49 countries. As many as 32 domains of the total were run by educational institutes in China and Taiwan.
A few target domains were based in Russia, and at least nine domains include .gov websites.
The top 10 targeted countries include China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
The latest dump has been signed by the same key as the first Shadow Brokers’ dump of NSA exploits, though there is a lot to be done to validate the contents of the leaked data dump fully.
“USSA elections is coming! 60% of Amerikansky never voting,” the group @shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.gk2jg3j6f” target=”_blank” rel=”external nofollow” title=”wrote” class=”wp-links-icon”>wrote. “TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016. If peoples is not being hackers, then #disruptelection2016, #disruptcorruption2016. Maybe peoples not be going to work, be finding local polling places and protesting, blocking , disrupting , smashing equipment, tearing up ballots?”

▼Advertisements

Targeted Systems — Solaris, Unix, Linux and FreeBSD

Security researcher Mustafa Al-Bassam, an ex-member of Lulzsec and the Anonymous hacking collective, said the NSA likely compromised all the servers between 2000 and 2010.
“So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard,” Al-Bassam added.

Universal hijack hole turns DIY Wix blogs into botnets

Millions of do-it-yourself websites built with the Wix web maker were at risk of hijack thanks to a brief zero day DOM-based cross-site scripting vulnerability.
Wix boasts some 87 million users, among them two million paying subscribers.
Contrast Security researcher Matt Austin (@mattaustin) dug up the flaw he rates as severe, and attempted to get Wix to patch it under quiet private disclosure since October.
He says he heard nothing back from the web firm other than an initial receipt of the disclosure on 14 October after three subsequent update requests.
Checks appear to confirm the holes have been quietly shuttered after Austin's public disclosure. Wix has been contacted for comment.
"Wix.com has a severe DOM cross-site scripting vulnerability that allows an attacker complete control over any website hosted at Wix," Austin says in his disclosure.
"Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website.
"Administrator control of a wix.com site could be used to widely distribute malware, create a dynamic, distributed, browser-based botnet, mine cryptocurrency, and otherwise generally control the content of the site as well as the users who use it."
More attack scenarios awaited attackers who either found the flaw before Austin or spotted his disclosure before Wix could patch it.
Austin says attackers could have:

• Changed content of a hosted website for targeted users;
• Challenged the user for their Wix username and password;
• Challenged the user for their Facebook or Twitter username and password;
• Attempted to trick users of the website into downloading malware and executing it;
• Generated ad revenue by inserting ads into website pages;
• Spoofed bank web pages and attempted to have users log in;
• Make it difficult or impossible to find and delete the infection, and,
• Create new website administrator accounts.

Austin supplied then working proof-of-concept links showing the DOM cross-site scripting in action against Wix template sites.
He also provided five steps required for attackers to spin the vulnerability into a worm to hit scores of sites.
The public disclosure, while made sooner than the fastest industry standard 30 day bug fix window, should serve as a reminder to all businesses with an online presence to have a process in place to handle vulnerability disclosures. This should preferably include a nominated staffer to handle the disclosures, along with security@* email address which is visible on the business website.
Researchers should be offered regular patch updates and lawyers kept firmly at bay