AplusWebMaster

SWI Friend
  • Content count
    10,612

About AplusWebMaster

  • Rank
    AplusWebMaster

Contact Methods

  • Website URL
    http://www.apluswebmaster.net/
  • ICQ
    0

Profile Information

  • Gender
    Male
  • Location
    USA
  • Interests
    ... The never-ending battle for Truth, Justice, and the American way.

Recent Profile Visitors

161,289 profile views
  1. FYI... Fake 'Secure Bank Comm' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/spoofed-canada-revenue-agency-important-secure-bank-communication-malspam-delivers-trickbot-banking-trojan/
     22 Feb 2017 - "An email with the subject of 'Important – Secure Bank Communication' coming from either Canada Revenue Agency <no-reply@ secure-gc .ca> or Canada Revenue Agency <no-reply@ securegcemail .ca> with a malicious word doc attachment delivers Trickbot banking Trojan...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/canada-revenue-agaency-secure-doc.png
     22 February 2017: SecureDoc.doc - Current Virus total detections 2/55[1] 2/55[2] Payload Security [1A] [2A] none of which are showing the download location of the actual Trickbot itself, although it is on Virus Total 20/58[3]. I am informed[4] the download location is www .TPSCI .COM/pngg/granionulos.png -or- http ://www .sungkrorsang .com/fileFTP/granionulos.png which of course is -not- an image file but a renamed .exe... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     1] https://www.virustotal.com/en/file/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a/analysis/1487783258/
     2] https://www.virustotal.com/en/file/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b/analysis/
     1A] https://www.hybrid-analysis.com/sample/fcd0eef7dec8141df9704da6fcf6543d6b18526ef2944b2a225b36883c7a0b4a?environmentId=100
     2A] https://www.hybrid-analysis.com/sample/bea79c0a9445e48019cb65c494d90a366ae9f4f45ea3a330beb39dbddecb072b?environmentId=100
     3] https://www.virustotal.com/en/file/8dbddb55d22bff09a5286e10edc104e67dec8c864bc06a797183e9b898423427/analysis/
     4] https://twitter.com/GossiTheDog/status/834453695299518464
     TPSCI .COM: 203.121.180.74: https://www.virustotal.com/en/ip-address/203.121.180.74/information/
     > https://www.virustotal.com/en/url/8d2abb870d46dd468b8c01246ce20f2266da858215f65b960ff1e1960a1ce0cb/analysis/
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/773bfa543ee80ce5ca0db5dda59ec2002f0de997b3d2975fb071e258e1fda633/analysis/
     ___
     Dropbox phish
     - https://myonlinesecurity.co.uk/you-have-2-new-documents-dropbox-phishing/
     22 Feb 2017 - "Another phishing email, this time spoofing -Dropbox- where you land on a page with lots of different email providers and the evil scum doing these phishes will pop up the appropriate one for you to enter all your details, pretending that you can now sign into dropbox using your email address. After giving the details you get sent to the genuine DropBox site:
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing_email.png
     The -link- goes to http ://www.pedraforte .net/js/index/klnkjfe/dropbox/dropbox/ (there might be other sites, there usually are with these scams) where you see a page looking like:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing.png
     Select -any- of the links and you get:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/dropbox_phishing1.png "
     pedraforte .net: 192.185.217.111: https://www.virustotal.com/en/ip-address/192.185.217.111/information/
     > https://www.virustotal.com/en/url/85c6b743832fca360807f9633efbab6f1ee415ab0ccafc0188e1d05ae6a5552e/analysis/
  2. FYI... Microsoft Security Bulletin MS17-005 - Critical Security Update for Adobe Flash Player (4010250)
     - https://technet.microsoft.com/en-us/library/security/MS17-005
     Feb 21, 2017 - "This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016..."
     - https://support.microsoft.com/en-us/help/4010250/ms17-005-security-update-for-adobe-flash-player-february-21-2017
     Last Review: Feb 21, 2017 - Rev: 28
     - https://isc.sans.edu/diary.html?storyid=22097
     2017-02-21 23:55:22 UTC
     - https://blogs.technet.microsoft.com/msrc/2017/02/21/adobe-flash-player-security-vulnerability-release/
     Feb 21, 2017
  3. FYI... - https://support.apple.com/en-us/HT201222
     Logic Pro X 10.3.1 - https://support.apple.com/en-us/HT207519
     Feb 21, 2017 - "Available for: OS X Yosemite v10.10 and later (64 bit)
     Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
     Description: A memory corruption issue was addressed through improved memory handling."
     - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2374
     ___
     - https://www.us-cert.gov/ncas/current-activity/2017/02/21/Apple-Releases-Security-Update
     Feb 21, 2017
  4. FYI... Rogue Chrome extension - tech support scam
     - https://blog.malwarebytes.com/threat-analysis/2017/02/rogue-chrome-extension-pushes-tech-support-scam/
     Feb 21, 2017 - "... Google Chrome... no surprise to see it being more and more targeted these days. In particular, less than reputable -ad- networks are contributing to the distribution of malicious Chrome extensions via very deceptive means... Google Chrome users are profiled based on the user-agent string they show whenever they visit a website. Rather than redirecting them to an exploit kit, they are often redirected to fake software updates, scams, or rogue browser extensions... Once installed, this extension ensures it stays in hiding by using a 1×1 pixel image as its logo... and by hooking chrome://extensions and chrome://settings such that any attempt to access those is automatically redirected to chrome://apps. That makes it much more difficult for the average user to see what extensions they have, let alone uninstalling one of them... wouldn’t be complete without a tech support scam which it seems one can’t avoid these days. If the user clicked on a new tab or typed a ‘forbidden’ keyword, the redirection chain would then deliver a -fake- Microsoft warning:
     > https://blog.malwarebytes.com/wp-content/uploads/2017/02/TSS1.png
     ... We detect and remove this one as Rogue.ForcedExtension.
     IOCs:
     Fake extension: pakistance .club: 104.27.185.37: https://www.virustotal.com/en/ip-address/104.27.185.37/information/ 104.27.184.37: https://www.virustotal.com/en/ip-address/104.27.184.37/information/ lfbmleejnobidmafhlihokngmlpbjfgo
     Backend server (ad fraud/malvertising): amserver .info: 104.31.70.128: https://www.virustotal.com/en/ip-address/104.31.70.128/information/ 104.31.71.128: https://www.virustotal.com/en/ip-address/104.31.71.128/information/ qma0.2dn .xyz: 173.208.199.163: https://www.virustotal.com/en/ip-address/173.208.199.163/information/
     Tech support scam: microsoft-official-warning .info: 66.23.230.31: https://www.virustotal.com/en/ip-address/66.23.230.31/information/
     ___
     Fake 'Western Union' SPAM - delivers java adwind
     - https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
     21 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     The java Adwind versions are exactly the same as Yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files, although named differently to yesterday’s versions, they are identical.
     2] https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png
     DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58* Payload Security**
     WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
     ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
     ** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
     *** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
     4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
     Contacted Hosts 83.243.41.200
     ___
     BoA 'Access Locked' - phish
     - https://myonlinesecurity.co.uk/bank-america-phishing-scam/
     21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is a FTP site which is very unusual...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Bank-of-America-Alert-Your-Online-Access-is-Temporarily-Locked.png
     The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm where you see a site looking like:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "
     121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
     > https://www.virustotal.com/en/url/317ec9b5c767caf2f0697361e99c2f8fe2254e7ee51abb1779a2954dd63e2497/analysis/
     ___
     'TurboTax' - phish
     - https://myonlinesecurity.co.uk/turbotax-important-notice-request-for-account-update-phishing/
     21 Feb 2017 - "Another phishing scam, this time TurboTax:
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-Important-Notice-Request-for-Account-Update.png
     The link goes to http ://whitesandscampground .com/images/www.turbotax.com/index.html where you see this page, asking for all the usual details to steal your identity as well as all your bank and credit card accounts and all your money:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/turbotax-phishing-page.png "
     whitesandscampground .com: 205.204.89.214: https://www.virustotal.com/en/ip-address/205.204.89.214/information/
     > https://www.virustotal.com/en/url/293b141852f722080d51e30d062d8f5703a1646296e460b0ede687cdb8fd26d6/analysis/
  5. FYI... Fake 'Urgent Compliance' SPAM - delivers java adwind
     - https://myonlinesecurity.co.uk/spoofed-xpressmoney-western-union-urgent-compliance-status-of-transfer-malspam-delivers-java-adwind/
     20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress money or Western Union, so they decided to have an email body with a Western Union Content but pretend to send from Xpress money. I am also getting some from Spoofed Western Union Addresses...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     ... The email looks like:
     From: elizabethst2 .mel@ xpressmoney .com
     Date: Mon 20/02/2017 00:47
     Subject: Urgent Compliance, Status of transfer
     Attachment: Details.zip
     Dear agent, Please kindly check the status of this transaction. The remitter demands for the payment record, because the beneficiary denied the payment that He didn’t receive this money. So Please kindly check this transaction if it was paid,please arrange us the receipt of transaction Regards, Senzo Dlamini Regional Ops Executive WesternUnion International ...
     20 February 2017: Urgent Compliance.jar - Current Virus total detections 6/58* Payload Security**.. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b/analysis/1487576150/
     ** https://www.hybrid-analysis.com/sample/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b?environmentId=100
     ___
     Fake 'Western Union' SPAM - delivers java adwind
     - https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
     20 Feb 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     ... the email contains a genuine PDF file with an-embedded-link that downloads the java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to: http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip which extracts to -2- java.jar files hoping that if one fails the second will get you. Although both are detected as Java Adwind on Virus Total, the Payload Security reports does show different behaviour for each file...
     New E-maual and updated payout procedures.jar (507kb) VirusTotal 6/58* | Payload Security**
     WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
     The email looks like:
     From: Western Union IT Dept. <wu.it-dept@ outlook .com>
     Date: Mon 20/02/2017 02:37
     Subject: WUPOS Agent Upgrade For All Branches.
     Attachment: Details.zip
     Dear All, Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union...
     The pdf looks like:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
     ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
     ** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
     *** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
     4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
     Contacted Hosts 83.243.41.200
     greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
     > https://www.virustotal.com/en/url/059494b4e1a329645378d93c797dbdebe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/
     ___
     Fake 'Secure Bank Documents' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-secure-bank-documents-malspam-delivers-trickbot-banking-trojan/
     20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png
     20 February 2017: BACs.doc - Current Virus total detections 7/55* I am informed about 2 known download locations for the Trickbot malware: www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png There probably are many more. VirusTotal 11/57*... The sending email Address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and Privacy protection. It is -not- a genuine Lloyds bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/2ba82eb83d32e55787f00b753be8d75b143e7a0984918010719a3ee0f0334743/analysis/1487606754/
     ** https://www.virustotal.com/en/file/6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683/analysis/1487607471/
     lloydsbanksecuredocs .com: 45.55.36.38 159.203.126.233 159.203.117.63 159.203.115.143 159.203.170.214
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/27e7a98cde7df7094f20d32db75dcfa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/
     pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/
  6. FYI... Fake 'Company Complaint' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/spoofed-companies-house-id-8d6ba737-775e8bdc-f95f16f3-1b460259-company-complaint-malspam-delivers-trickbot/
     16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/ID-8d6ba737-775e8bdc-f95f16f3-1b460259-Company-Complaint.png
     If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
     * https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-companies-house-complaint-secure-document.png
     16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current Virus total detections 4/55* Payload Security**.. Neither shows the download but it looks like the download location for the trickbot payload is http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe (VirusTotal 12/57***) (Payload Security[4])... As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details: canonical name: companieshousecomplaints .uk addresses: 104.130.246.14 23.253.233.18 104.130.246.9 .. 104.239.201.9 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2/analysis/1487245555/
     ** https://www.hybrid-analysis.com/sample/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2?environmentId=100
     *** https://www.virustotal.com/en/file/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665/analysis/1487246635/
     4] https://www.hybrid-analysis.com/sample/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665?environmentId=100
     Contacted Hosts 78.47.139.102 58.52.155.163 217.29.220.255 200.120.214.150 77.222.42.240
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/47ea3703624f7191b559848afef5f956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/
  7. FYI... PHP 7.1.2, 7.0.16 released
     - https://secure.php.net/
     17 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.1.2. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version..."
     ChangeLog - http://www.php.net/ChangeLog-7.php#7.1.2
     ___
     PHP 7.0.16
     - https://secure.php.net/
     16 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.0.16. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version..."
     ChangeLog - http://www.php.net/ChangeLog-7.php#7.0.16
     ___
     Downloads - http://www.php.net/downloads.php
     Windows: - http://windows.php.net/download/
  8. FYI... MS Patches delayed
     - https://isc.sans.edu/diary.html?storyid=22066
     Feb 14, 2017 - "Microsoft delayed the release of all bulletins* scheduled for today. Today was supposed to be the first month of Microsoft using its new update process, which meant that we would no longer see a bulletin summary, and patches would be released as monolithic updates vs. individually. It is possible that this change in process caused the delay... we do not know when Microsoft will release its February patches. There is still the unpatched SMB 3 DoS vulnerability... hoped to be addressed in this round..."
     * https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/
     Feb 14, 2017 - "... This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates..."
  9. FYI... Flash 24.0.0.221 released
     - https://helpx.adobe.com/security/products/flash-player/apsb17-04.html
     Feb 14, 2017
     CVE number: CVE-2017-2982, CVE-2017-2984, CVE-2017-2985, CVE-2017-2986, CVE-2017-2987, CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2992, CVE-2017-2993, CVE-2017-2994, CVE-2017-2995, CVE-2017-2996
     Platform: Windows, Macintosh, Linux and Chrome OS
     Summary: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system...
     Solution: ... Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 24.0.0.221 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.
     - Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 24.0.0.221 for Windows, Macintosh, Linux and Chrome OS.
     - Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 24.0.0.221.
     - Please visit the Flash Player Help page for assistance in installing Flash Player.
     [1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted...
     For I/E - some versions get 'Automatic' updates:
     - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe
     For Firefox and other Plugin-based browsers:
     - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe
     For Chrome:
     - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe
     Flash test site: https://www.adobe.com/software/flash/about/
     ___
     Adobe Digital Editions 4.5.4 released
     - https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html
     Feb 14, 2017
     CVE numbers: CVE-2017-2973, CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2977, CVE-2017-2978, CVE-2017-2979, CVE-2017-2980, CVE-2017-2981
     Platform: Windows, Macintosh and Android
     Summary: Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak... Customers using Adobe Digital Editions 4.5.3 can download the update from the Adobe Digital Editions download page*, or utilize the product’s update mechanism when prompted.
     * https://www.adobe.com/solutions/ebook/digital-editions/download.html
     For more information, please reference the release notes**."
     ** http://www.adobe.com/solutions/ebook/digital-editions/release-notes.html
     ___
     Adobe Campaign updates released
     - https://helpx.adobe.com/security/products/campaign/apsb17-06.html
     Feb 14, 2017
     CVE number: CVE-2017-2968, CVE-2017-2969
     Platform: Windows and Linux
     Summary: Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves a moderate security bypass affecting the Adobe Campaign client console. An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969)...
     Solution: Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version...
     Release Notes: https://docs.campaign.adobe.com/doc/AC6.1/en/RN.html#8757
     - Customers may refer to the FAQ* for instructions on downloading the latest build.
     * https://docs.campaign.adobe.com/doc/AC6.1/en/FAQ/FAQ.html#AdobeCampaignFAQ-PublishedinHelpX-WherecanIfindthelatestbuildand%2Forthelistofrelatedchanges(changelog)%3F
     For customers with Adobe Campaign 16.4 Build 8724 and earlier, please refer to the documentation page** for instructions to resolve CVE-2017-2968 by restricting uploads by file type.
     ** http://docs.campaign.adobe.com/doc/AC6.1/en/INS_Additional_configurations__Server_side_configurations.html#Limiting_uploadable_files
     Please refer to this documentation page*** for assistance in upgrading Adobe Campaign server, and this documentation page for assistance in upgrading the Client Console.
     *** https://docs.campaign.adobe.com/doc/AC6.1/en/INS_Installation_for_Windows__Installing_the_client_console.html
  10. FYI... Fake 'Xpress Money' SPAM - delivers java adwind
      - https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
      14 Feb 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
      1] https://myonlinesecurity.co.uk/?s=java+adwind
      ... The email looks like:
      From: elizabethst2.mel@ xpressmoney .com
      Date: Mon 13/02/2017 23:45
      Subject: Fwd: Reference: Xpress Money compliant report
      Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java.jar files)
      Dear Agent, The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked. Regards Nasir Usuman Regional Compliance Manager Pakistan & Afghanistan Global Compliance, Xpress Money ...
      14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current Virus total detections 8/57* Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
      * https://www.virustotal.com/en/file/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af/analysis/1487047920/
      ** https://www.hybrid-analysis.com/sample/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af?environmentId=100
      ___
      Fake 'Secure Message' SPAM - delivers malware
      - https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
      14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware... The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...
      rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/ 23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/
      The email looks like:
      From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
      Date: Tue 14/02/2017 17:13
      Subject: Secure Message
      Attachment: SecureMessage.doc
      Secure Message This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted. CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure...
      14 February 2017: SecureMessage.doc - Current Virus total detections 4/55* Payload Security**.. neither give any real indication what it downloads.. Update: Thanks to help from another researcher***.. It downloads http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...
      sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
      > https://www.virustotal.com/en/url/a1b3d6504fbe577145c86b7191d5d4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
      ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
      * https://www.virustotal.com/en/file/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/
      ** https://www.hybrid-analysis.com/sample/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa?environmentId=100
      ***
      4] https://www.virustotal.com/en/file/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/
      5] https://www.hybrid-analysis.com/sample/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
      Contacted Hosts 78.47.139.102 47.18.17.114 213.25.134.75 219.93.24.2 192.189.25.143
      ___
      Safeguard Account Update – phish
      - https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
      14 Feb 2017 - "Another Banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...
      Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png
      The link goes to http ://hsbc-verify .org.uk/ where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
      * https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
      ... registrars are not taking enough precautions and allowing dodgy domain names to be registered to non existent people..."
      hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
      > https://www.virustotal.com/en/url/7f9c17276c63fe0e02de98f7ac20f058e88c3b61e507ea81d7842c425d7952f2/analysis/
  11. FYI...
- https://support.apple.com/en-us/HT201222

GarageBand 10.1.6
- https://support.apple.com/en-us/HT207518
Feb 13, 2017 - "Available for: OS X Yosemite v10.10 and later
Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling."
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2374
___

- https://www.us-cert.gov/ncas/current-activity/2017/02/14/Apple-Releases-Security-Update
Feb 14, 2017
  12. FYI...

Fake 'Confidential documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/confidential-documents-spoofed-anz-bank-delivers-trickbot-banking-trojan/
9 Feb 2017 - "... An email with the subject of 'Confidential documents' pretending to come from random names @ anz .com with a malicious word doc attachment delivers Trickbot banking Trojan...
The email looks like:

From: Kathy.Hilton@ anz .com
Date: Thu 09/02/2017 01:45
Subject: Confidential documents
Attachment: ANZ_message00207.doc

Please review attached document.
Kathy.Hilton@ anz .com
Australia and New Zealand Bank
1800-575-892 office
1800-640-855 cell
Investments in securities and insurance products are: NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
CONFIDENTIAL NOTICE ...

9 February 2017: ANZ_message00207.doc - Current Virus total detections 6/54* Payload Security**. Neither show anything definite, but searching around gave me these links to VirusTotal reports from the same campaign:
> https://virustotal.com/en/file/03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461/analysis/
Behavioural information > TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
47.18.17.114: https://www.virustotal.com/en/ip-address/47.18.17.114/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
213.25.134.75: https://www.virustotal.com/en/ip-address/213.25.134.75/information/
> https://virustotal.com/en/file/8b90a15f656b86e0843c2b6ce93a2a70ae149b1c79c869c7bded2e3f569946a5/analysis/
> https://virustotal.com/en/file/0456c1052b86d6b7e36ca1246a7be81015762721a950fd56bb84c8bdafaf49d0/analysis/
Download sites appear to be:
- andiamoluggage .com/skin/frontend/holloway.png
- andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png
- andiamoluggage .com/skin/install/not16.png
All of which are NOT png (image files) but renamed .exe files... Thanks to @Techhelplist[1]...
1] https://twitter.com/Techhelplistcom/status/829468826676899840
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13/analysis/1486618849/
** https://www.hybrid-analysis.com/sample/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13?environmentId=100

andiamoluggage .com: 173.254.28.82: https://www.virustotal.com/en/ip-address/173.254.28.82/information/
> https://www.virustotal.com/en/url/e3a65811fdcaa954144fea3ea0bd1684f35155bf283c860df04a76deb17b9bd0/analysis/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-delivers-something-looking-like-zbot-malware/
9 Feb 2017 - "An email with the subject of 'Final payment request' pretending to come from MatthewPeters@ hmrc.gsi .gov.uk with a malicious word doc attachment delivers what looks like a Zbot variant...
The email looks like:

From: MatthewPeters@hmrc.gsi.gov.uk” <info@ nestpensions63 .top>
Date: Thu, 9 Feb 2017 13:24:00 +0100
Subject: Final payment request
Attachment: debt_93498438747.doc

Date of issue 09 February 2017
Reference K2135700006
Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you. We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe. As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money. For more information and how to pay us please see attached statement. We’ll continue to add interest to the original debt until you pay in full.
Debt Management ...

9 February 2017: debt_93498438747.doc - Current Virus total detections 7/53* Payload Security** shows a download from http ://jsmkitchensandbedrooms .co.uk/explo.exe (VirusTotal 4/57***) - Payload Security[4]...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f/analysis/1486645244/
** https://www.hybrid-analysis.com/sample/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f?environmentId=100
94.199.185.21
172.227.109.213
185.162.9.59
*** https://www.virustotal.com/en/file/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef/analysis/1486642865/
4] https://www.hybrid-analysis.com/sample/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef?environmentId=100
Contacted Hosts
104.85.50.185
178.77.110.129
185.162.9.59

jsmkitchensandbedrooms .co.uk: 94.199.185.21: https://www.virustotal.com/en/ip-address/94.199.185.21/information/
> https://www.virustotal.com/en/url/f4ca65a193fd7b79eef486bd40e2688049454facb77b9ec2ef2cbf48f001cd55/analysis/
___

MacDownloader malware targets defense industry
- https://blog.malwarebytes.com/threat-analysis/2017/02/macdownloader-malware-targeting-defense-industry/
Feb 9, 2017 - "... this -malware- appears to be the work of Iranian hackers and is targeting US defense contractors, such as Lockheed Martin, Sierra Nevada Corporation, Raytheon, and Boeing. The malware was first found on a -spearphishing- site, claiming to offer 'Special Programs and Courses' to interns at these companies. The site showed a 'broken video' using the common trick of claiming that Adobe Flash Player was outdated and offering a link to a 'Flash installer':
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-06-at-3.12.27-PM-600x472.png
To those who know better, this doesn’t really look much like an actual Adobe Flash Player installer, but many people won’t realize that. There are some other red flags as well, such as some odd phrasing and other errors in the text shown. The biggest red flag, though, is the name of the application shown in the menu bar next to the Apple menu. As can be seen from the screenshot above, it claims to be Bitdefender Adware Removal Tool. This is the first sign of a serious split personality issue in this malware, which can’t seem to decide whether it’s a Flash installer or an anti-adware program. Interestingly, if the user clicks the Close button here the malware quits without doing anything else. If the user chooses to proceed with the “update,” the malware will then show a rather odd window for what is supposed to be a Flash updater: a claim to have detected malware:
> https://blog.malwarebytes.com/wp-content/uploads/2017/02/MacDownloader-2-600x276.png
... there are some issues with phrasing and spacing in the text of this alert, not to mention the fact that a Flash updater should -not- be scanning your system like anti-virus software... This malware continues the recent malware trends on macOS. In the past year, nearly all true Mac malware (as opposed to adware) has been 1) lame and 2) targeted... This malware is no different, as it is being used to target US defense contractors via spearphishing, a technique in which links to specially-crafted malicious sites are sent to targeted individuals or groups via e-mail or other messaging services. The majority of Mac users will never see this malware and one would hope that most of those who do would not be fooled by the clumsy behavior. Still, it doesn’t take many to fall for the tricks employed by this malware to get access to sensitive accounts within an organization, which can be used to -pwn- the entire company."
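Several of the campaigns above (jerohnimo.png, holloway.png, not16.png) fetch a Windows executable under an image filename, so a useful detection is to compare what the URL claims with what the bytes actually are. The following is an added example, not code from the posts or the cited blogs; it generalises the .png case to a few image magic numbers, and the hostname example.invalid and all sample bytes are constructed here.

```python
# Added example (not from the original posts or the cited blogs): flag a download
# whose bytes are a Windows PE while its URL advertises an image. Sample bytes and
# the example.invalid host are constructed here.
import struct
from urllib.parse import urlsplit

# Magic numbers for the image formats the lure filenames claim to be.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpg": b"\xff\xd8\xff"}
EXECUTABLE_EXTS = {"exe", "dll", "scr"}

def is_pe(data: bytes) -> bool:
    """True for an MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A bogus e_lfanew past the end yields an empty slice, so this stays False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(data: bytes) -> str:
    """Return 'pe', an image type, or 'unknown' from the leading bytes alone."""
    if is_pe(data):
        return "pe"
    for kind, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def claimed_extension(url: str) -> str:
    """Extension the URL path advertises, lower-cased, or '' if there is none."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def masquerade_check(url: str, data: bytes) -> str:
    """'masquerade' when the body is a PE but the URL does not claim an executable."""
    kind = classify(data)
    if kind == "pe" and claimed_extension(url) not in EXECUTABLE_EXTS:
        return "masquerade"
    return kind

def fake_pe() -> bytes:
    """Constructed 68-byte stand-in: MZ stub, e_lfanew = 0x40, then the PE signature."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00"

if __name__ == "__main__":
    # Same filename shape as the lures quoted above; the host is a placeholder.
    for url, body in [("http://example.invalid/skin/frontend/holloway.png", fake_pe()),
                      ("http://example.invalid/logo.png", IMAGE_MAGIC["png"] + b"\0" * 16)]:
        print(masquerade_check(url, body), url)
```

Run against a proxy's downloaded bodies, a "masquerade" verdict on an image URL is the same signal the researchers above found by hand.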
  13. FYI...

BIND9 - CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
- https://kb.isc.org/article/AA-01453
2017-02-08
Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate.
CVE: CVE-2017-3135
Program Impacted: BIND
Versions affected: 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1
Severity: High, for servers with specific configurations
Exploitable: Remotely, but only affecting servers with specific configurations
Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer...
Impact: Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition. When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated. Only servers which are configured to simultaneously use both Response Policy Zones (RPZ) and DNS64 (a method for synthesizing AAAA records from A records) can be affected by this vulnerability.
CVSS Score: 7.5 ...
Workarounds: While it is possible to avoid the condition by removing either DNS64 or RPZ from the configuration, or by carefully restricting the contents of the policy zone, for an affected configuration the most practical and safest course of action is to upgrade to a version of BIND without this vulnerability.
Active exploits: No known active exploits...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads
BIND 9 version 9.9.9-P6
BIND 9 version 9.10.4-P6
BIND 9 version 9.11.0-P3
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
BIND 9 version 9.9.9-S8 ...
___

- http://www.securitytracker.com/id/1037801
CVE Reference: CVE-2017-3135
Feb 9 2017
Fix Available: Yes
Vendor Confirmed: Yes ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P6, 9.10.4-P6, 9.11.0-P3)...
___

- https://www.us-cert.gov/ncas/current-activity/2017/02/08/ISC-Releases-Security-Updates-BIND
Feb 8, 2017
  14. FYI...

Thunderbird 45.7.1 released
- https://www.mozilla.org/en-US/thunderbird/45.7.1/releasenotes/
Feb 7, 2017
Fixed: Crash when viewing certain IMAP messages (introduced in 45.7.0)
Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird
Download
- https://www.mozilla.org/en-US/thunderbird/all/
v45.7.1
  15. FYI...
- https://tools.cisco.com/security/center/publicationListing.x

Cisco AnyConnect Secure Mobility Client for Windows SBL Privileges Escalation Vuln
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect
8 Feb 2017 v1.0 High - "Summary: A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available...
Vulnerable Products: This vulnerability affects Cisco AnyConnect Secure Mobility Client for Windows when configured for SBL..."
- http://www.securitytracker.com/id/1037796
CVE Reference: CVE-2017-3813
Feb 8 2017
Fix Available: Yes
Vendor Confirmed: Yes ...
The vendor has assigned bug ID CSCvc43976 to this vulnerability.
Impact: A local user can obtain system privileges on the target system.
Solution: The vendor has issued a fix (4.3.05017, 4.4.00243)...
___

Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vuln
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa
8 Feb 2017 v1.1 High - "Summary: A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software could allow an authenticated, remote attacker to cause a heap overflow. The vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by sending a crafted URL to the affected system. An exploit could allow the remote attacker to cause a reload of the affected system or potentially execute code.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP connection is needed to perform the attack. The attacker needs to have valid credentials to log in to the Clientless SSL VPN portal.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available...
Vulnerable Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco ASA for Firepower 9300 Series
Cisco ASA for Firepower 4100 Series
Cisco ISA 3000 Industrial Security Appliance
Vulnerable Products: Cisco ASA Software is affected by this vulnerability if the Clientless SSL VPN portal is enabled...
- http://www.securitytracker.com/id/1037797
CVE Reference: CVE-2017-3807
Feb 8 2017
Fix Available: Yes
Vendor Confirmed: Yes ...
The vendor has assigned bug ID CSCvc23838 to this vulnerability.
Impact: A remote authenticated user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (9.1(7.13), 9.4(4), 9.6(2.10)). The vendor plans to issue a fix for 9.2 and 9.5 in April 2017..."