Recent visitors to Plenty of Fish (pof.com), an online dating website with over 3 million daily active users, had their browsers redirected to exploits that installed malware.

The attack was launched through a malicious advertisement that was distributed through a third-party ad network, researchers from security firm Malwarebytes said in a blog post Thursday.

Microsoft has pushed an emergency patch to remediate a zero-day vulnerability in Internet Explorer that is actively being exploited in-the-wild.

Today, August 18th, 2015, Microsoft released an emergency patch after being notified of a critical vulnerability in all supported versions of Internet Explorer. All versions of Microsoft Internet Explorer from IE7 to IE11 are affected by this zero-day vulnerability.

The vulnerability, referenced by CVE as CVE-2015-2502 and by Microsoft as MS15-093, has been described by Brian Krebs as a "browse-and-get-owned" vulnerability. In other words, this zero-day is exploited in "drive-by" fashion: simply browsing a malicious web page is enough to infect a user running a vulnerable version of IE; no other user interaction is required.

A vulnerability of this criticality, with a delivery mechanism that requires no more than a single click or redirect, is capable of causing a very large amount of damage.

The Zero-Day Flaw Is Actively Being Exploited In the Wild

According to Qualys CTO Wolfgang Kandek, this vulnerability is currently being exploited in the wild. The delivery mechanisms threat actors use to exploit it, and the methods they use to increase its damaging potential, can be inferred from past vulnerability disclosures; Qualys has stated that attackers are using the following methods to achieve these two goals:

Malvertising
Compromise and Infection of Once-Legitimate Websites (i.e. vulnerable WordPress sites)
Deployment of Dedicated Attack Websites & Utilizing Blackhat SEO Tactics to Boost Site Traffic
Phishing Methods Delivering URLs to the Malicious Webpage to Target Users

As we have observed in the past with the somewhat recent release of several zero-day vulnerabilities in popular software (e.g. Adobe Flash Player), it is only a matter of time before exploit kit integration begins. We should expect to see this vulnerability integrated in top exploit kits very soon; I would be surprised if some of the top players do not integrate this vulnerability into their arsenal within the next 24 hours.

Additionally, even if you do not use Microsoft Internet Explorer, it is recommended that you update the version of IE installed on your (Windows) device.

"Windows users should install the patch whether or not they use IE as their main browser, as IE components can be invoked from a variety of applications, such as Microsoft Office." – Brian Krebs
Note: Windows 10's Edge browser is not affected by this vulnerability.

Where to Retrieve the Emergency Patch

The emergency patch can be downloaded and installed both via Windows Update and from Microsoft's website.

By exploiting a flaw in the SS7 protocol, hackers can access every conversation and text message mobile users send, from anywhere in the world.
Hackers can spy on any mobile phone user wherever they are.

Channel Nine's 60 Minutes has revealed the existence of a security hole in modern telecommunication systems that could be exploited by cyber criminals to listen in on phone conversations and read text messages.

The program explained that German hackers, who are based in Berlin, were able to intercept data and geo-track every mobile user by exploiting a flaw in the SS7 signalling system.

SS7 is a set of protocols that has been used in telecommunications since the late 1970s, enabling smooth transport of data without any breaches.

The security issue in the SS7 signalling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data about a user's device from cell phone towers and share it with other carriers; this means that by exploiting SS7, a carrier is able to discover the position of its customer wherever he is.

"The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network." reports The Washington Post.

Several techniques are known in the hacking community that hackers and snoopers can use to eavesdrop on and intercept phone calls or text messages. In December 2014, German researchers brought the matter to public attention at the Chaos Communication Congress, since a great many problems can emerge from it.

Mobile carriers spend large amounts of money expanding their networks and securing communications with 3G and high-end encryption. To quote Tobias Engel, one of the German researchers mentioned above,

"It's like you secure the front door of the house, but the back door is wide open".
One of the major incidents registered by NKRZI (which is the National Commission for the State Regulation of Communications and Informatization in Ukraine) involved Russian addresses back in April 2014.

The experts noticed that many Ukrainian mobile phone subscribers had been affected by suspicious SS7 packets that possibly originated in Russia. As a result, the subscribers' address details and everything stored on each phone were intercepted. MTS Ukraine evidently participated in the interception, in relation to MTS Russia.

As a direct consequence of security breaches related to the SS7 telecommunication protocols, the most prominent threat is none other than surveillance conducted between different countries.

The system is used by major Australian providers, which means that Australians' data could be exposed to hackers: names, addresses, bank account details and medical data could be stolen through a security vulnerability that gives hackers access to their mobile devices.

"Everything about our lives is contained in the palm of our hand," reporter Ross Coulthart said. "Your sensitive, private data is opened for anyone to see. You could be bugged, tracked and hacked from anywhere in the world. It's long been the dirty little secret of international espionage. What it means is that your smartphone is an open book."

In the TV show, Mr Coulthart was speaking from Germany with the Independent senator Nick Xenophon, who was at Parliament House in Canberra at the time of the phone call.

With the support of the German hacker Luca Melette, Mr Coulthart demonstrated how to track his interlocutor by exploiting the SS7 security issue.


"What if I could tell you, senator, that it's possible to listen in to any mobile phone from anywhere in the world – would you believe me?" Mr Coulthart asked Mr Xenophon while Melette was listening to the conversation.

"I find it very hard to believe." replied the incredulous Mr Xenophon.

Mr Coulthart then asked the senator for consent to record the phone call.

"But if you reckon they can pull it off, I give my consent but I find this incredibly hard to believe." responded Mr Xenophon.

The reporter also told Mr Xenophon in advance that the hackers could intercept his text messages, but once again the skeptical senator immediately sent the following text message:

"Hi Ross, I don't believe you!! Nick."

The senator was shocked by the live demo provided by the reporter and the hacker.

"This is actually quite shocking because this affects every Australian," Mr Xenophon said. "It means anyone with a mobile phone can be hacked, can be bugged – it's just chilling. This is the end of anyone's privacy as we know it. This is not about spies or terrorists and pollies – this is about every Australian that is vulnerable because their phones can be hacked."

The attack scenario is worrying and opens the door to mass surveillance; months ago the American Civil Liberties Union (ACLU) also warned people about possible abuse of such vulnerabilities by intelligence agencies and law enforcement.

"Don't use the telephone service provided by the phone company for voice. The voice channel they offer is not secure," principal technologist Christopher Soghoian told Gizmodo. "If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel."

Unfortunately, the vulnerabilities in the SS7 protocol will remain present even as cellular carriers upgrade to advanced 3G technology to prevent eavesdropping.

The Turkish security researcher Utku Sen has published the first open source ransomware, for educational purposes, that anyone can use.

Ransomware is now open source and available on GitHub. Ransomware is one of the most dangerous cyber threats for end users; in recent months the number of ransomware samples in the wild has increased as never before. The criminal underground has used ransomware to grow its business, and security experts have also discovered, in one case, the adoption of a malware-as-a-service model that gives everybody the opportunity to build their own ransomware campaign.

However, it is not easy for ordinary people to take a look at the source code of ransomware, but now the Turkish researcher utkusen has published on GitHub the first open source ransomware, for educational purposes.

Utku Sen has unleashed his ransomware: "Hidden Tear" is available on GitHub and is fully functional. It uses AES encryption to encrypt files and displays a warning telling users to pay up to get their data back.


utkusen warns, "While this may be helpful for some, there are significant risks. The Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware!"

The features of Hidden Tear are:

Uses the AES algorithm to encrypt files.
Sends the encryption key to a server.
Encrypted files can be decrypted in the decrypter program with the encryption key.
Creates a text file on the Desktop with a given message.
Small file size (12 KB).
Not detected by antivirus programs (15/08/2015).

Note: At this point, I am not sure that "Hidden Tear" is not detected by AV programs.

This ransomware is not as advanced as other threats such as CryptoWall or CryptoLocker, but it does its job for educational purposes.

According to two former employees, the Russian antivirus firm Kaspersky faked malware to harm competitors by causing false positives in their products.
Two former employees, who requested anonymity, revealed that Kaspersky Lab tried to trick antivirus solutions of its competitors into flagging more false positives.

Two anonymous former Kaspersky Lab employees told Reuters a disconcerting story about the popular Russian security firm. According to the employees, the antivirus solutions of Kaspersky's competitors ended up flagging benign files as malware, disabling or deleting important documents belonging to their customers.

Among the targeted security firms, according to the two former employees, there are AVG Technologies, Avast Software, and Microsoft.

Kaspersky Lab denied the claims.

"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and their legality is at least questionable." is the official reply of Kaspersky Lab.
According to the sources, the attacks were ordered by Eugene Kaspersky in person, to retaliate against smaller antivirus solutions that were gaining market share by aping Kaspersky software.

"Eugene considered this stealing," said one of the former employees. "It was decided to provide some problems" for rivals, "It is not only damaging for a competing company but also damaging for users' computers."
According to Reuters, executives at major security firms, including Microsoft, AVG and Avast, have previously reported that unknown parties tried to induce false positives in recent years, but they have not commented on the recent revelations.

According to the former employees, Kaspersky dedicated a team to the sabotage operations that reverse-engineered antivirus solutions of the competitors in order to deceive them.

The employees said Kaspersky Lab manipulated files in order to cause false positives in competitors' antivirus solution for more than 10 years, with the peak period between 2009 and 2013.

How to sabotage the rivals?

One of the techniques adopted by Kaspersky consists of injecting malicious code into an important piece of software commonly found on PCs, so that the file appears infected. Kaspersky engineers then sent the "doctored file" anonymously to the VirusTotal online service.

When rivals' antivirus systems examined the doctored file it would be flagged as potentially malicious.
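To show why a detection lifted from a doctored sample also hits the clean program it was built from, and the goodware check that prevents it, here is an added Python illustration (not from the article, Reuters or any vendor); the "clean" file, the injected blob and the goodware corpus are all constructed.

```python
# Added illustration, not from the article or any vendor: a byte signature
# lifted from a "doctored" sample will also hit the clean program it was
# built from; testing candidates against a goodware corpus prevents that.
CHUNK = 16

# Constructed stand-in for a widely deployed benign program file.
CLEAN_FILE = (b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode."
              + b"\x00" * 40 + b"Copyright (c) Example Corp. All rights reserved."
              + b"\x00" * 32)

# Constructed doctored copy: CLEAN_FILE with a suspicious-looking blob spliced
# in; every other byte is identical to the clean original.
INJECTED = b"<<constructed suspicious blob: not real malware>>"
DOCTORED_FILE = CLEAN_FILE[:80] + INJECTED + CLEAN_FILE[80:]

# Constructed goodware corpus that a vendor would vet new signatures against.
GOODWARE_CORPUS = {"example_corp_tool.exe": CLEAN_FILE,
                   "other_tool.exe": b"MZ" + b"\x90" * 64 + b"hello\x00" * 8}


def naive_signature(sample):
    """Lazy approach: sign the first CHUNK bytes of whatever was submitted."""
    return sample[:CHUNK]


def candidate_signatures(sample, chunk=CHUNK):
    """Yield every aligned chunk of the sample as a possible byte signature."""
    for i in range(0, len(sample) - chunk + 1, chunk):
        yield sample[i:i + chunk]


def hits_goodware(signature, corpus):
    """True if the signature would fire on any known-clean file."""
    return any(signature in data for data in corpus.values())


def vetted_signature(sample, corpus):
    """First chunk found nowhere in the goodware corpus, or None if every
    chunk also occurs in clean software (the sample is then not worth signing)."""
    for sig in candidate_signatures(sample):
        if not hits_goodware(sig, corpus):
            return sig
    return None


def matches(signature, data):
    return signature is not None and signature in data


if __name__ == "__main__":
    lazy = naive_signature(DOCTORED_FILE)
    print("lazy signature flags the clean original:", matches(lazy, CLEAN_FILE))
    good = vetted_signature(DOCTORED_FILE, GOODWARE_CORPUS)
    print("vetted signature:", good)
    print("vetted signature flags the clean original:", matches(good, CLEAN_FILE))
```

The lazy signature fires on the untouched clean file, which is exactly the false positive the sources describe; the vetted one only matches the injected region.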

Kaspersky denied the unfair practice, telling Reuters that it had itself been the victim of a similar attack in November 2012,

"when an "unknown third party" manipulated Kaspersky into misclassifying files from Tencent (0700.HK), Mail.ru (MAILRq.L) and the Steam gaming platform as malicious," Reuters reports.

According to the former employees, Microsoft was targeted by Kaspersky because rival antivirus firms follow its lead in malware classification.

Kaspersky confirmed that it has improved its algorithms to defend against false virus samples; regarding the case, it said it believed no antivirus company would conduct such attacks "as it would have a very bad effect on the whole industry."

The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) has published a total of six advisories to warn organizations about a series of Supervisory Control and Data Acquisition (SCADA) system vulnerabilities disclosed by a researcher at the recent DEFCON conference in Las Vegas.

Elastica researcher Aditya K. Sood revealed on August 8 the existence of several vulnerabilities affecting SCADA systems, particularly human machine interfaces (HMI).

Sood has identified remote and local file inclusion, weak password hashing, insecure authentication, hardcoded credentials, weak crypto, cross-site request forgery (CSRF) and other types of vulnerabilities affecting web-based HMIs from companies such as Rockwell Automation, Siemens, Schneider Electric, KACO, Prisma and Moxa.

ICS-CERT has published two advisories for flaws affecting the web interfaces of Rockwell Automation 1766-L32BWAA/1766-L32BXBA and 1769-L18ER/A LOGIX5318ER programmable logic controllers (PLC) used for automation in industrial processes. According to the agency, Rockwell Automation 1769-L18ER/A and LOGIX5318ER devices are affected by a remotely exploitable cross-site scripting (XSS) vulnerability, while 1766-L32BWAA and 1766-L32BXBA controllers are affected by a remotely exploitable remote file inclusion flaw.

"Rockwell Automation is aware of these issues and we are in direct contact with ICS-CERT on these vulnerabilities. Our incident response teams are engaged and are actively determining our plans for remediation," a Rockwell Automation spokesperson told SecurityWeek.

An advisory has also been published for KACO HMI products. The code of the client designed to allow users to control the HMI reportedly includes hardcoded passwords.

Sood also claims to have identified hardcoded credentials and local/remote file inclusion vulnerabilities in Schneider Electric Modicon M340 PLC Station P34 CPU modules. The security bugs can be exploited for remote code execution, directory traversal, and denial-of-service (DoS).

In the case of Prisma, the researcher reported discovering that the passwords used for accessing web products are not properly protected (i.e. they are present on a web page accessible to remote users). Furthermore, a CSRF vulnerability allows a remote, unauthenticated attacker to update the configuration of affected devices.

The Moxa ioLogik E2210 Ethernet Micro RTU controller, a PC-based data acquisition and control device, is plagued by three vulnerabilities that make it easier for an attacker to gain unauthorized access to the product.

Sood did not give affected vendors the opportunity to patch the vulnerabilities before their existence was disclosed. The researcher and ICS-CERT are currently working with vendors on confirming and addressing the security holes. Sood says his DEFCON slides will not be published until the companies get a chance to release patches.

ICS-CERT has issued alerts for the vulnerabilities in an effort to provide early notice and mitigations for reducing the risks associated with these weaknesses. ICS-CERT's recommendations include minimizing network exposure for control systems, using a VPN when remote access is required, and placing control system networks and devices behind firewalls.

A new version of OpenSSH is available: OpenSSH 7.0 fixes four security flaws and several other bugs. Update it!

The new OpenSSH 7.0 fixes a use-after-free vulnerability and three other flaws, two of which only affect Portable OpenSSH.

One of the vulnerabilities patched in version 7.0, a circumvention of MaxAuthTries using keyboard-interactive authentication, is an issue with the way OpenSSH handles some authentication requests.

"By specifying a long, repeating keyboard-interactive "devices" string, an attacker could request the same authentication method be tried thousands of times in a single pass. The LoginGraceTime timeout in sshd(8) and any authentication failure delays implemented by the authentication mechanism itself were still applied," states the release notes.

One of the bugs in Portable OpenSSH is a use-after-free that could be exploited by attackers for remote code execution.

"Fixed a use-after-free bug related to PAM support that was reachable by attackers who could compromise the pre-authentication process for remote code execution," continues the advisory.

The other vulnerability that affects only Portable OpenSSH could also be exploited for remote code execution.

"Fixed a privilege separation weakness related to PAM support. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate other users," the advisory says.

The maintainers of the OpenSSH project also announced that the next version of the software, OpenSSH 7.1, will deprecate several old cipher suites and cryptographic algorithms because they are no longer secure.

The list of changes includes:

Refusing all RSA keys smaller than 1024 bits (the current minimum is 768 bits)
Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
MD5-based HMAC algorithms will be disabled by default.
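An added Python audit (not from the OpenSSH project or the article) that checks an sshd_config for the ciphers and MACs the 7.1 release will disable and for keyboard-interactive authentication, the method the MaxAuthTries bypass abused; the full legacy algorithm names beyond those in the release notes and the two sample configs are assumptions and constructed, respectively.

```python
# Added example, not OpenSSH project code: audit an sshd_config for the
# algorithms OpenSSH 7.1 will disable by default and for the authentication
# method the MaxAuthTries bypass (fixed in 7.0) abused.

# Names from the release notes plus OpenSSH's algorithm lists (the rijndael
# alias and the MD5 MAC variants are assumed; confirm with `ssh -Q cipher`
# and `ssh -Q mac` on the host).
LEGACY_CIPHERS = {"blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                  "arcfour256", "rijndael-cbc@lysator.liu.se"}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-md5-etm@openssh.com",
               "hmac-md5-96-etm@openssh.com"}


def parse_sshd_config(text):
    """Map lower-cased directive -> value for the global section.
    First occurrence wins (as in sshd); lines after a Match block are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def _algorithm_findings(conf, directive, legacy, what):
    """Findings for one algorithm directive (Ciphers or MACs)."""
    if directive.lower() not in conf:
        return ["no %s directive set: the pre-7.1 default list includes %s"
                % (directive, what)]
    bad = sorted(set(conf[directive.lower()].split(",")) & legacy)
    return ["%s enabled: %s" % (what, ",".join(bad))] if bad else []


def audit_sshd_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_sshd_config(text)
    findings = _algorithm_findings(conf, "Ciphers", LEGACY_CIPHERS, "legacy ciphers")
    findings += _algorithm_findings(conf, "MACs", LEGACY_MACS, "MD5 MACs")
    # keyboard-interactive (challenge/response) auth is on unless set to "no";
    # it is the method the 7.0 MaxAuthTries fix concerns.
    if conf.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("keyboard-interactive authentication enabled: "
                        "upgrade to 7.0+ or disable it if unused")
    return findings


# Constructed sample configs (not from any real host).
WEAK_CONFIG = """\
Port 22
Ciphers aes128-ctr,blowfish-cbc,arcfour,rijndael-cbc@lysator.liu.se
MACs hmac-sha1,hmac-md5
ChallengeResponseAuthentication yes
MaxAuthTries 6
"""
HARDENED_CONFIG = """\
Ciphers aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```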