AplusWebMaster

SWI Friend
  • Content count

    10,609
  • Joined

  • Last visited

About AplusWebMaster

  • Rank
    AplusWebMaster
  • Birthday

Contact Methods

  • Website URL
    http://www.apluswebmaster.net/
  • ICQ
    0

Profile Information

  • Gender
    Male
  • Location
    USA
  • Interests
    ... The never-ending battle for Truth, Justice, and the American way.
  1. FYI... Fake 'Western Union' SPAM - delivers Java Adwind
     - https://myonlinesecurity.co.uk/more-spoofed-western-union-malspam-continues-to-deliver-java-adwind/
     21 Feb 2017 - "... -fake- financial themed emails containing Java Adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]. We have been seeing these sorts of emails almost every day...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     The Java Adwind versions are exactly the same as yesterday’s versions detailed HERE[2]. The zip once again contains -2- different sized and named java files; although named differently to yesterday’s versions, they are identical.
     2] https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Western-Union-rtra-rules.png
     DETAILS OF PROHIBITED INDIVIDUALS SCREENED FOR THIS TRANSACTION AND MTCN.jar (507kb) VirusTotal 8/58* | Payload Security**
     WESTERN UNION RTRA RULES AND REFUND IN FULL..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
     ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
     ** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
     *** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
     4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
     Contacted Hosts: 83.243.41.200
     ___
     BoA 'Access Locked' - phish
     - https://myonlinesecurity.co.uk/bank-america-phishing-scam/
     21 Feb 2017 - "A slightly different phishing scam for a change. The phishing site is an FTP site, which is very unusual...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/Bank-of-America-Alert-Your-Online-Access-is-Temporarily-Locked.png
     The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm where you see a site looking like:
     > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/BofA_FTP_signon.png "
     121.170.178.35: https://www.virustotal.com/en/ip-address/121.170.178.35/information/
     > https://www.virustotal.com/en/url/317ec9b5c767caf2f0697361e99c2f8fe2254e7ee51abb1779a2954dd63e2497/analysis/
  2. FYI... Fake 'Urgent Compliance' SPAM - delivers Java Adwind
     - https://myonlinesecurity.co.uk/spoofed-xpressmoney-western-union-urgent-compliance-status-of-transfer-malspam-delivers-java-adwind/
     20 Feb 2017 - "... previously mentioned many of these HERE[1]... a slightly different subject and email content to previous ones. They can’t seem to decide if it should be Xpress Money or Western Union, so they decided to have an email body with Western Union content but pretend to send from Xpress Money. I am also getting some from spoofed Western Union addresses...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     ... The email looks like:
     From: elizabethst2 .mel@ xpressmoney .com
     Date: Mon 20/02/2017 00:47
     Subject: Urgent Compliance, Status of transfer
     Attachment: Details.zip
     Dear agent, Please kindly check the status of this transaction. The remitter demands for the payment record, because the beneficiary denied the payment that He didn’t receive this money. So Please kindly check this transaction if it was paid,please arrange us the receipt of transaction Regards, Senzo Dlamini Regional Ops Executive WesternUnion International
     ... 20 February 2017: Urgent Compliance.jar - Current VirusTotal detections 6/58* Payload Security**..
     The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b/analysis/1487576150/
     ** https://www.hybrid-analysis.com/sample/f766da864a8dfd5574d80c137e00ab698164fd444ba8ce18bc538dbc76a26f1b?environmentId=100
     ___
     Fake 'Western Union' SPAM - delivers Java Adwind
     - https://myonlinesecurity.co.uk/spoofed-western-union-it-dept-wupos-agent-upgrade-delivers-java-adwind/
     20 Feb 2017 - "... -fake- financial themed emails containing Java Adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     ... the email contains a genuine PDF file with an-embedded-link that downloads the Java Adwind zip. The zip contains -2- different sized and named java files. The link in the pdf goes to: http ://www.greavy .com/wp-includes/certificates/CERTIFICATE%20DETAILS%20AND%20WUPOS%20UPDATE%20MANUAL.zip which extracts to -2- java .jar files, hoping that if one fails the second will get you. Although both are detected as Java Adwind on VirusTotal, the Payload Security reports do show different behaviour for each file...
     New E-maual and updated payout procedures.jar (507kb) VirusTotal 6/58* | Payload Security**
     WU certificate and agent updated branch details..jar (333kb) VirusTotal 8/57*** | Payload Security[4]
     The email looks like:
     From: Western Union IT Dept. <wu.it-dept@ outlook .com>
     Date: Mon 20/02/2017 02:37
     Subject: WUPOS Agent Upgrade For All Branches.
     Attachment: Details.zip
     Dear All, Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union...
     The pdf looks like: > https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/wupos-update.png
     ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2/analysis/1487577130/
     ** https://www.hybrid-analysis.com/sample/7700eb067c966f5b6015ebd4e4945e00c224c01efaf1f77604f1a06996f678a2?environmentId=100
     *** https://www.virustotal.com/en/file/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303/analysis/1487577144/
     4] https://www.hybrid-analysis.com/sample/6a56eeb1172b8b895a53ed47691239dae93d19fc1f140a120a0464beacdae303?environmentId=100
     Contacted Hosts: 83.243.41.200
     greavy .com: 180.240.134.105: https://www.virustotal.com/en/ip-address/180.240.134.105/information/
     > https://www.virustotal.com/en/url/059494b4e1a329645378d93c797dbdebe5e5c428f155f8c6bf9d69b3e3aa83b4/analysis/
     ___
     Fake 'Secure Bank Documents' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/spoofed-lloyds-bank-important-secure-bank-documents-malspam-delivers-trickbot-banking-trojan/
     20 Feb 2017 - "... an email with the subject of 'Important – Secure Bank Documents'... pretending to come from Lloyds Bank <no-reply@ lloydsbanksecuredocs .com> delivers Trickbot banking Trojan...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/lloyds-bank-secure-documents.png
     20 February 2017: BACs.doc - Current VirusTotal detections 7/55*
     I am informed about 2 known download locations for the Trickbot malware: www .sungkrorsang .com/hostelfrost.png and wp .pilbauer .com/wp-content/uploads/lordsofsteel.png There probably are many more. VirusTotal 11/57**...
     The sending email address lloydsbanksecuredocs .com was registered by criminals -today- using Godaddy and privacy protection. It is -not- a genuine Lloyds Bank web site or web address.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/2ba82eb83d32e55787f00b753be8d75b143e7a0984918010719a3ee0f0334743/analysis/1487606754/
     ** https://www.virustotal.com/en/file/6356ed6ca05c8f87f1ae34aa1f3c4a119c5b6e811b00cb996ba688cc6695f683/analysis/1487607471/
     lloydsbanksecuredocs .com: 45.55.36.38 159.203.126.233 159.203.117.63 159.203.115.143 159.203.170.214
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/27e7a98cde7df7094f20d32db75dcfa5d9625fa9e2a73bcf2e89e9fe32184e02/analysis/
     pilbauer .com: 178.217.244.53: https://www.virustotal.com/en/ip-address/178.217.244.53/information/
  3. FYI... Fake 'Company Complaint' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/spoofed-companies-house-id-8d6ba737-775e8bdc-f95f16f3-1b460259-company-complaint-malspam-delivers-trickbot/
     16 Feb 2017 - "An email with the subject of 'ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint' pretending to come from Companies House <no-reply@ companieshousecomplaints .uk> with a malicious word doc attachment delivers Trickbot...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/ID-8d6ba737-775e8bdc-f95f16f3-1b460259-Company-Complaint.png
     If you open the word doc you see a screen looking like this*. DO NOT enable macros or content or enable editing, you -will- be infected:
     * https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/spoofed-companies-house-complaint-secure-document.png
     16 February 2017: 8d6ba737-775e8bdc-f95f16f3-1b460259.doc - Current VirusTotal detections 4/55* Payload Security**..
     Neither shows the download, but it looks like the download location for the Trickbot payload is http ://www.sungkrorsang .com/hustonweare.png which is -not- an image file but a renamed .exe (VirusTotal 12/57***) (Payload Security[4])...
     As usual the domain sending these was registered by criminals today 16 February 2017 using Godaddy, with what are certain to be -fake- details:
     canonical name: companieshousecomplaints .uk
     addresses: 104.130.246.14 23.253.233.18 104.130.246.9 .. 104.239.201.9
     ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2/analysis/1487245555/
     ** https://www.hybrid-analysis.com/sample/d93ffc25e757c4d7dcec4573427d3e13609e963c1b491b06cb9513980c97ccc2?environmentId=100
     *** https://www.virustotal.com/en/file/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665/analysis/1487246635/
     4] https://www.hybrid-analysis.com/sample/1107257bb6b724ca634f31088235a0919f8c18808f424a317f87d03aa9b1f665?environmentId=100
     Contacted Hosts: 78.47.139.102 58.52.155.163 217.29.220.255 200.120.214.150 77.222.42.240
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/47ea3703624f7191b559848afef5f956cbd563ed86ba13c0ede6b3c956b0bb92/analysis/
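The Trickbot and Adwind posts above quote their indicators defanged (a space before the dot, after the "@" and inside the scheme) and repeatedly note that the payload is a renamed .exe served under a .png name. The Python below is an added example written for this page, not code from myonlinesecurity.co.uk or from the forum poster: it refangs indicators written in that style, pulls out URLs, email addresses, IPv4 addresses and SHA-256 hashes, and checks a file's leading magic bytes against what its extension claims. The sample text is constructed in the style of the posts, reusing indicator values quoted above; the MZ-prefixed payload bytes are constructed too.

```python
"""Refang and extract the indicators quoted in these posts, and sanity-check a
fetched payload's magic bytes against its file extension.

Added example for this page; not code from myonlinesecurity.co.uk or the poster."""
import re
from ipaddress import ip_address

# The posts defang by inserting spaces: "http ://www.sungkrorsang .com/x.png",
# "no-reply@ companieshousecomplaints .uk", "ftp ://121.170.178.35 /License/logon.htm".
_SCHEME = re.compile(r'\b(https?|ftp)\s*:\s*//', re.I)
_HOST_PATH = re.compile(r'((?:https?|ftp)://[^\s/]+)\s+(?=/)')
_AT = re.compile(r'@\s+(?=[A-Za-z0-9])')
_DOT = re.compile(r'(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z]{2,})')

_URL = re.compile(r'(?:https?|ftp)://[^\s"<>]+')
_EMAIL = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
_IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')   # version strings like 24.0.0.221 also match
_SHA256 = re.compile(r'\b[A-Fa-f0-9]{64}\b')


def refang(text):
    """Undo the space-based defanging used in the posts; leaves other text alone."""
    text = _SCHEME.sub(lambda m: m.group(1).lower() + '://', text)
    text = _HOST_PATH.sub(r'\1', text)
    text = _AT.sub('@', text)
    return _DOT.sub('.', text)


def _uniq(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def _is_ipv4(s):
    try:
        ip_address(s)
        return True
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return False


def extract_iocs(text):
    """Return de-duplicated, refanged indicators in order of first appearance."""
    clean = refang(text)
    return {
        'urls': _uniq(_URL.findall(clean)),
        'emails': _uniq(_EMAIL.findall(clean)),
        'ipv4': _uniq(ip for ip in _IPV4.findall(clean) if _is_ipv4(ip)),
        'sha256': _uniq(h.lower() for h in _SHA256.findall(clean)),
    }


# What the campaigns actually deliver versus what the extension claims.
_MAGIC = (
    (b'MZ', 'pe'),                                  # Windows executable: the "renamed .exe" served as .png
    (b'\x89PNG\r\n\x1a\n', 'png'),
    (b'PK\x03\x04', 'zip'),                         # .zip, Adwind .jar and .docx are all zip containers
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'ole'),   # legacy .doc carrying VBA macros
)
_EXPECTED = {'png': 'png', 'exe': 'pe', 'dll': 'pe', 'zip': 'zip',
             'jar': 'zip', 'docx': 'zip', 'doc': 'ole'}


def sniff(data):
    """Classify content by leading magic bytes."""
    for sig, kind in _MAGIC:
        if data.startswith(sig):
            return kind
    return 'unknown'


def extension_lies(filename, data):
    """True when the bytes are not what the extension advertises (e.g. MZ header in a .png)."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    expected = _EXPECTED.get(ext)
    return expected is not None and sniff(data) != expected


# Constructed sample text in the style of the posts; the values are indicators quoted above.
SAMPLE_POST = """\
From: Companies House <no-reply@ companieshousecomplaints .uk>
download location for the payload is http ://www.sungkrorsang .com/hustonweare.png
The link-in-the-email goes to: ftp ://121.170.178.35 /License/logon.htm
Contacted Hosts 78.47.139.102 58.52.155.163
VirusTotal: D93FFC25E757C4D7DCEC4573427D3E13609E963C1B491B06CB9513980C97CCC2
"""

if __name__ == '__main__':
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, values)
    # Constructed stand-in for a payload fetched from one of the .png URLs above.
    fake_png = b'MZ\x90\x00\x03\x00\x00\x00' + b'\x00' * 56
    print('hustonweare.png is really', sniff(fake_png),
          '-> extension lies:', extension_lies('hustonweare.png', fake_png))
```

The magic-byte check is deliberately narrow: it only reports a mismatch for extensions it knows, so an unfamiliar extension is not flagged as suspicious by accident, and an MZ header behind a .png name is caught even when the web server sent an image/png content type.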
  4. FYI... PHP 7.1.2, 7.0.16 released
     - https://secure.php.net/
     17 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.1.2. Several bugs have been fixed. All PHP 7.1 users are encouraged to upgrade to this version..."
     ChangeLog - http://www.php.net/ChangeLog-7.php#7.1.2
     ___
     PHP 7.0.16 - https://secure.php.net/
     16 Feb 2017 - "The PHP development team announces the immediate availability of PHP 7.0.16. Several bugs have been fixed. All PHP 7.0 users are encouraged to upgrade to this version..."
     ChangeLog - http://www.php.net/ChangeLog-7.php#7.0.16
     ___
     Downloads - http://www.php.net/downloads.php
     Windows: - http://windows.php.net/download/
  5. FYI... MS patches delayed
     - https://isc.sans.edu/diary.html?storyid=22066
     Feb 14, 2017 - "Microsoft delayed the release of all bulletins* scheduled for today. Today was supposed to be the first month of Microsoft using its new update process, which meant that we would no longer see a bulletin summary, and patches would be released as monolithic updates vs. individually. It is possible that this change in process caused the delay... we do not know when Microsoft will release its February patches. There is still the unpatched SMB 3 DoS vulnerability... hoped to be addressed in this round..."
     * https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/
     Feb 14, 2017 - "... This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates..."
  6. FYI... Flash 24.0.0.221 released
     - https://helpx.adobe.com/security/products/flash-player/apsb17-04.html
     Feb 14, 2017
     CVE numbers: CVE-2017-2982, CVE-2017-2984, CVE-2017-2985, CVE-2017-2986, CVE-2017-2987, CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2992, CVE-2017-2993, CVE-2017-2994, CVE-2017-2995, CVE-2017-2996
     Platform: Windows, Macintosh, Linux and Chrome OS
     Summary: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system...
     Solution: ... Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 24.0.0.221 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.
     - Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 24.0.0.221 for Windows, Macintosh, Linux and Chrome OS.
     - Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 24.0.0.221.
     - Please visit the Flash Player Help page for assistance in installing Flash Player.
     [1] Users of Flash Player 11.2.x or later for Windows, or Flash Player 11.3.x or later for Macintosh, who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted...
     For I/E - some versions get 'Automatic' updates: - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ax.exe
     For Firefox and other plugin-based browsers: - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player.exe
     For Chrome: - https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe
     Flash test site: https://www.adobe.com/software/flash/about/
     ___
     Adobe Digital Editions 4.5.4 released
     - https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html
     Feb 14, 2017
     CVE numbers: CVE-2017-2973, CVE-2017-2974, CVE-2017-2975, CVE-2017-2976, CVE-2017-2977, CVE-2017-2978, CVE-2017-2979, CVE-2017-2980, CVE-2017-2981
     Platform: Windows, Macintosh and Android
     Summary: Adobe has released a security update for Adobe Digital Editions for Windows, Macintosh and Android. This update resolves a critical heap buffer overflow vulnerability that could lead to code execution and important buffer overflow vulnerabilities that could lead to a memory leak...
     Customers using Adobe Digital Editions 4.5.3 can download the update from the Adobe Digital Editions download page*, or utilize the product’s update mechanism when prompted.
     * https://www.adobe.com/solutions/ebook/digital-editions/download.html
     For more information, please reference the release notes**."
     ** http://www.adobe.com/solutions/ebook/digital-editions/release-notes.html
     ___
     Adobe Campaign updates released
     - https://helpx.adobe.com/security/products/campaign/apsb17-06.html
     Feb 14, 2017
     CVE numbers: CVE-2017-2968, CVE-2017-2969
     Platform: Windows and Linux
     Summary: Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves a moderate security bypass affecting the Adobe Campaign client console. An authenticated user with access to the client console could upload and execute a malicious file, potentially resulting in read and write access to the system (CVE-2017-2968). This update also resolves a moderate input validation issue that could be used in cross-site scripting attacks (CVE-2017-2969)...
     Solution: Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version...
     Release Notes: https://docs.campaign.adobe.com/doc/AC6.1/en/RN.html#8757
     - Customers may refer to the FAQ* for instructions on downloading the latest build.
     * https://docs.campaign.adobe.com/doc/AC6.1/en/FAQ/FAQ.html#AdobeCampaignFAQ-PublishedinHelpX-WherecanIfindthelatestbuildand%2Forthelistofrelatedchanges(changelog)%3F
     For customers with Adobe Campaign 16.4 Build 8724 and earlier, please refer to the documentation page** for instructions to resolve CVE-2017-2968 by restricting uploads by file type.
     ** http://docs.campaign.adobe.com/doc/AC6.1/en/INS_Additional_configurations__Server_side_configurations.html#Limiting_uploadable_files
     Please refer to this documentation page*** for assistance in upgrading Adobe Campaign server, and this documentation page for assistance in upgrading the Client Console.
     *** https://docs.campaign.adobe.com/doc/AC6.1/en/INS_Installation_for_Windows__Installing_the_client_console.html
  7. FYI... Fake 'Xpress Money' SPAM - delivers Java Adwind
     - https://myonlinesecurity.co.uk/spoofed-xpress-money-compliant-report-malspam-delivers-java-adwind/
     14 Feb 2017 - "... fake financial themed emails containing Java Adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]...
     1] https://myonlinesecurity.co.uk/?s=java+adwind
     ... The email looks like:
     From: elizabethst2.mel@ xpressmoney .com
     Date: Mon 13/02/2017 23:45
     Subject: Fwd: Reference: Xpress Money compliant report
     Attachment: XPRESS MONEY UPTHRONI DATA.zip (contains 2 identical although differently named java .jar files)
     Dear Agent, The attached Compliant report was issued yesterday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked. Regards Nasir Usuman Regional Compliance Manager Pakistan & Afghanistan Global Compliance, Xpress Money
     ... 14 February 2017: XPRESS MONEY REFERENCES FOLLOW UP.jar.jar (287 kb) - Current VirusTotal detections 8/57* Payload Security**...
     The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af/analysis/1487047920/
     ** https://www.hybrid-analysis.com/sample/fdc45122dd010da0b460acd822b0fcf7bfedbc62ffad3c67a91a639c100825af?environmentId=100
     ___
     Fake 'Secure Message' SPAM - delivers malware
     - https://myonlinesecurity.co.uk/rbc-royal-bank-secure-message-malspam-delivers-malware/
     14 Feb 2017 - "An email with the subject of 'Secure Message' pretending to come from RBC Royal Bank but actually coming from a -fake- domain imitating the RBC <service@ rbcroyalbanksecuremessage .com> with a malicious word doc attachment delivers an unknown malware... The domain in the email address rbcroyalbanksecuremessage .com was registered today by criminals using privacy protection by Godaddy and hosted on Rackspace...
     rbcroyalbanksecuremessage .com: 104.130.159.40: https://www.virustotal.com/en/ip-address/104.130.159.40/information/
     23.253.233.16: https://www.virustotal.com/en/ip-address/23.253.233.16/information/
     The email looks like:
     From: RBC Royal Bank <service@rbcroyalbanksecuremessage .com>
     Date: Tue 14/02/2017 17:13
     Subject: Secure Message
     Attachment: SecureMessage.doc
     Secure Message This is an automated message send by Royal Bank Secure Messaging Server. To ensure both you and the RBC Royal Bank comply with current legislation, this message has been encrypted. Please check attached documents for more information. Note: You should not store confidential information unless it is encrypted. CONFIDENTIALITY NOTICE:The contents of this email message and any attachments are intended solely for the addressee(s)and may contain confidential and/or privileged information and may be legally protected from disclosure...
     14 February 2017: SecureMessage.doc - Current VirusTotal detections 4/55* Payload Security**.. neither gives any real indication what it downloads..
     Update: Thanks to help from another researcher***.. It downloads http ://sungkrorsang .com/jerohnimo.png which of course is -not- a png (image file) but a renamed .exe that the macro will rename & autorun. VirusTotal 10/59[4] | Payload Security[5]...
     sungkrorsang .com: 61.19.252.134: https://www.virustotal.com/en/ip-address/61.19.252.134/information/
     > https://www.virustotal.com/en/url/a1b3d6504fbe577145c86b7191d5d4bd9a0486ba2c1d36145c37d4c4ff101b8e/analysis/
     ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa/analysis/1487094048/
     ** https://www.hybrid-analysis.com/sample/e144c16fa6397a2e73fdc69c65c754a3d8d955b4a04ed4aacd7e93fbe59fcfaa?environmentId=100
     ***
     4] https://www.virustotal.com/en/file/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3/analysis/1487095755/
     5] https://www.hybrid-analysis.com/sample/b8d2aea697f53294e4102643ab9424fb0684f2b0a0b3b45a7d76cf7d9a42e0e3?environmentId=100
     Contacted Hosts: 78.47.139.102 47.18.17.114 213.25.134.75 219.93.24.2 192.189.25.143
     ___
     Safeguard Account Update – phish
     - https://myonlinesecurity.co.uk/hsbc-safeguard-account-update-phishing/
     14 Feb 2017 - "Another banking phish. This time HSBC. What makes this “slightly” more believable is the url the phishing email leads to http ://hsbc-verify .org.uk/ - which is a very plausible web address...
     Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc-safeguard-phishing-email.png
     The link goes to http ://hsbc-verify .org.uk/ where you see a webpage like this*, which leads to a typical set of phishing pages asking for all your bank, credit card and personal details, so they can empty your bank and credit card accounts and take over your identity completely:
     * https://myonlinesecurity.co.uk/wp-content/uploads/2017/02/hsbc_verify.png
     ... registrars are not taking enough precautions and are allowing dodgy domain names to be registered to non-existent people..."
     hsbc-verify .org.uk: 91.218.247.93: https://www.virustotal.com/en/ip-address/91.218.247.93/information/
     > https://www.virustotal.com/en/url/7f9c17276c63fe0e02de98f7ac20f058e88c3b61e507ea81d7842c425d7952f2/analysis/
  8. FYI... - https://support.apple.com/en-us/HT201222
     GarageBand 10.1.6 - https://support.apple.com/en-us/HT207518
     Feb 13, 2017 - "Available for: OS X Yosemite v10.10 and later
     Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution
     Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2374 ..."
     ___
     - https://www.us-cert.gov/ncas/current-activity/2017/02/14/Apple-Releases-Security-Update
     Feb 14, 2017
  9. FYI... Fake 'Confidential documents' SPAM - delivers Trickbot
     - https://myonlinesecurity.co.uk/confidential-documents-spoofed-anz-bank-delivers-trickbot-banking-trojan/
     9 Feb 2017 - "... An email with the subject of 'Confidential documents' pretending to come from random names @ anz .com with a malicious word doc attachment delivers Trickbot banking Trojan...
     The email looks like:
     From: Kathy.Hilton@ anz .com
     Date: Thu 09/02/2017 01:45
     Subject: Confidential documents
     Attachment: ANZ_message00207.doc
     Please review attached document. Kathy.Hilton@ anz .com Australia and New Zealand Bank 1800-575-892 office 1800-640-855 cell Investments in securities and insurance products are: NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE CONFIDENTIAL NOTICE
     ... 9 February 2017: ANZ_message00207.doc - Current VirusTotal detections 6/54* Payload Security**.
     Neither shows anything definite, but searching around gave me these links to VirusTotal reports from the same campaign:
     > https://virustotal.com/en/file/03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461/analysis/
     Behavioural information > TCP connections:
     78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
     47.18.17.114: https://www.virustotal.com/en/ip-address/47.18.17.114/information/
     13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
     213.25.134.75: https://www.virustotal.com/en/ip-address/213.25.134.75/information/
     > https://virustotal.com/en/file/8b90a15f656b86e0843c2b6ce93a2a70ae149b1c79c869c7bded2e3f569946a5/analysis/
     > https://virustotal.com/en/file/0456c1052b86d6b7e36ca1246a7be81015762721a950fd56bb84c8bdafaf49d0/analysis/
     Download sites appear to be:
     - andiamoluggage .com/skin/frontend/holloway.png
     - andiamoluggage .com/skin/frontend/fortis/ahjakacbakawda.png
     - andiamoluggage .com/skin/install/not16.png
     All of which are NOT png (image files) but renamed .exe files... Thanks to @Techhelplist[1]...
     1] https://twitter.com/Techhelplistcom/status/829468826676899840
     ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13/analysis/1486618849/
     ** https://www.hybrid-analysis.com/sample/a4927bc6bb5771a0f9c4e8c30be70a39504511813f1c1ac1f855e556d96fee13?environmentId=100
     andiamoluggage .com: 173.254.28.82: https://www.virustotal.com/en/ip-address/173.254.28.82/information/
     > https://www.virustotal.com/en/url/e3a65811fdcaa954144fea3ea0bd1684f35155bf283c860df04a76deb17b9bd0/analysis/
     ___
     Fake 'Final payment' SPAM - delivers malware
     - https://myonlinesecurity.co.uk/spoofed-hmrc-final-payment-request-delivers-something-looking-like-zbot-malware/
     9 Feb 2017 - "An email with the subject of 'Final payment request' pretending to come from MatthewPeters@ hmrc.gsi .gov.uk with a malicious word doc attachment delivers what looks like a Zbot variant...
     The email looks like:
     From: “MatthewPeters@hmrc.gsi.gov.uk” <info@ nestpensions63 .top>
     Date: Thu, 9 Feb 2017 13:24:00 +0100
     Subject: Final payment request
     Attachment: debt_93498438747.doc
     Date of issue 09 February 2017 Reference K2135700006 Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you. We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe. As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money. For more information and how to pay us please see attached statement. We’ll continue to add interest to the original debt until you pay in full. Debt Management
     ... 9 February 2017: debt_93498438747.doc - Current VirusTotal detections 7/53* Payload Security** shows a download from http ://jsmkitchensandbedrooms .co.uk/explo.exe (VirusTotal 4/57***) - Payload Security[4]...
     DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
     * https://www.virustotal.com/en/file/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f/analysis/1486645244/
     ** https://www.hybrid-analysis.com/sample/a14e7835032ae95be99ed102fbdd54d639e69427185f2d652f0e041ce766ff4f?environmentId=100
     94.199.185.21 172.227.109.213 185.162.9.59
     *** https://www.virustotal.com/en/file/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef/analysis/1486642865/
     4] https://www.hybrid-analysis.com/sample/ca0e68593feffec57994bd02c6a84abd51375fe092f6a04e57e2d69d7e00c5ef?environmentId=100
     Contacted Hosts: 104.85.50.185 178.77.110.129 185.162.9.59
     jsmkitchensandbedrooms .co.uk: 94.199.185.21: https://www.virustotal.com/en/ip-address/94.199.185.21/information/
     > https://www.virustotal.com/en/url/f4ca65a193fd7b79eef486bd40e2688049454facb77b9ec2ef2cbf48f001cd55/analysis/
     ___
     MacDownloader malware targets defense industry
     - https://blog.malwarebytes.com/threat-analysis/2017/02/macdownloader-malware-targeting-defense-industry/
     Feb 9, 2017 - "... this -malware- appears to be the work of Iranian hackers and is targeting US defense contractors, such as Lockheed Martin, Sierra Nevada Corporation, Raytheon, and Boeing. The malware was first found on a -spearphishing- site, claiming to offer 'Special Programs and Courses' to interns at these companies. The site showed a 'broken video' using the common trick of claiming that Adobe Flash Player was outdated and offering a link to a 'Flash installer':
     > https://blog.malwarebytes.com/wp-content/uploads/2017/02/Screen-Shot-2017-02-06-at-3.12.27-PM-600x472.png
     To those who know better, this doesn’t really look much like an actual Adobe Flash Player installer, but many people won’t realize that. There are some other red flags as well, such as some odd phrasing and other errors in the text shown. The biggest red flag, though, is the name of the application shown in the menu bar next to the Apple menu. As can be seen from the screenshot above, it claims to be Bitdefender Adware Removal Tool. This is the first sign of a serious split personality issue in this malware, which can’t seem to decide whether it’s a Flash installer or an anti-adware program. Interestingly, if the user clicks the Close button here the malware quits without doing anything else. If the user chooses to proceed with the “update,” the malware will then show a rather odd window for what is supposed to be a Flash updater: a claim to have detected malware:
     > https://blog.malwarebytes.com/wp-content/uploads/2017/02/MacDownloader-2-600x276.png
     ... there are some issues with phrasing and spacing in the text of this alert, not to mention the fact that a Flash updater should -not- be scanning your system like anti-virus software... This malware continues the recent malware trends on macOS. In the past year, nearly all true Mac malware (as opposed to adware) has been 1) lame and 2) targeted... This malware is no different, as it is being used to target US defense contractors via spearphishing, a technique in which links to specially-crafted malicious sites are sent to targeted individuals or groups via e-mail or other messaging services. The majority of Mac users will never see this malware and one would hope that most of those who do would not be fooled by the clumsy behavior. Still, it doesn’t take many to fall for the tricks employed by this malware to get access to sensitive accounts within an organization, which can be used to -pwn- the entire company."
  10. FYI... BIND9 - CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
- https://kb.isc.org/article/AA-01453
2017-02-08
Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read; in either case named will terminate.
CVE: CVE-2017-3135
Program Impacted: BIND
Versions affected: 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1
Severity: High, for servers with specific configurations
Exploitable: Remotely, but only affecting servers with specific configurations
Description: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer...
Impact: Servers utilizing both DNS64 and RPZ are potentially susceptible to encountering this condition. When this condition occurs, it will result in either an INSIST assertion failure (and subsequent abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read leads to a segmentation fault (SEGFAULT), which causes the process to be terminated. Only servers which are configured to simultaneously use both Response Policy Zones (RPZ) and DNS64 (a method for synthesizing AAAA records from A records) can be affected by this vulnerability.
CVSS Score: 7.5 ...
Workarounds: While it is possible to avoid the condition by removing either DNS64 or RPZ from the configuration, or by carefully restricting the contents of the policy zone, for an affected configuration the most practical and safest course of action is to upgrade to a version of BIND without this vulnerability.
Active exploits: No known active exploits...
Solution: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from:
- http://www.isc.org/downloads
BIND 9 version 9.9.9-P6
BIND 9 version 9.10.4-P6
BIND 9 version 9.11.0-P3
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.
BIND 9 version 9.9.9-S8 ...
___
- http://www.securitytracker.com/id/1037801
CVE Reference: CVE-2017-3135
Feb 9 2017
Fix Available: Yes  Vendor Confirmed: Yes ...
Impact: A remote user can cause the target service to crash.
Solution: The vendor has issued a fix (9.9.9-P6, 9.10.4-P6, 9.11.0-P3)...
___
- https://www.us-cert.gov/ncas/current-activity/2017/02/08/ISC-Releases-Security-Updates-BIND
Feb 8, 2017
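An added example, not from the ISC advisory or from this forum post: a small Python audit that applies the two conditions the advisory states, an affected version and a configuration that enables both dns64 and response-policy, to a version string (as printed by `named -v`) and the text of a named.conf. The affected ranges are the ones listed above; the sample configuration, the prefix 64:ff9b::/96 and the zone name rpz.example are constructed for the example.

```python
import re

# Affected ranges from the ISC advisory for CVE-2017-3135, keyed by branch:
# "main" = regular releases (9.x.y, -Pn, betas), "S" = Supported Preview (-Sn).
AFFECTED = [
    ("S",    "9.9.3-S1", "9.9.9-S7"),
    ("main", "9.9.3",    "9.9.9-P5"),
    ("main", "9.9.10b1", "9.9.10b1"),
    ("main", "9.10.0",   "9.10.4-P5"),
    ("main", "9.10.5b1", "9.10.5b1"),
    ("main", "9.11.0",   "9.11.0-P2"),
    ("main", "9.11.1b1", "9.11.1b1"),
]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:b(\d+))?(?:-([PS])(\d+))?$")

def version_key(ver):
    """Map a BIND version string to (branch, sortable tuple).
    Betas (9.9.10b1) sort before the release; -Pn / -Sn sort after it."""
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % ver)
    maj, mnr, pat, beta, branch, level = m.groups()
    is_release = 0 if beta else 1
    key = (int(maj), int(mnr), int(pat), is_release, int(beta or 0), int(level or 0))
    return ("S" if branch == "S" else "main"), key

def version_affected(ver):
    """True if the version falls inside one of the advisory's ranges (same branch only)."""
    branch, key = version_key(ver)
    for rng_branch, low, high in AFFECTED:
        if rng_branch == branch and version_key(low)[1] <= key <= version_key(high)[1]:
            return True
    return False

def uses_dns64_and_rpz(named_conf):
    """Conservative check: a dns64 block and a response-policy block both appear
    anywhere in the comment-stripped configuration (view scoping is not resolved)."""
    text = re.sub(r"/\*.*?\*/", " ", named_conf, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    has_dns64 = re.search(r"\bdns64\s+\S+\s*\{", text) is not None
    has_rpz = re.search(r"\bresponse-policy\s*\{", text) is not None
    return has_dns64 and has_rpz

def at_risk(ver, named_conf):
    """Both advisory conditions must hold for the crash condition to be reachable."""
    return version_affected(ver) and uses_dns64_and_rpz(named_conf)

# Constructed sample configuration (not from the advisory) that combines both features.
SAMPLE_CONF = """
options {
    dns64 64:ff9b::/96 { clients { any; }; };   // synthesize AAAA from A
    response-policy { zone "rpz.example"; };    # constructed RPZ zone name
};
"""
```

Running `at_risk("9.10.4-P5", SAMPLE_CONF)` returns True, while the same configuration on 9.10.4-P6 returns False, matching the advisory's fixed releases.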
  11. FYI... Thunderbird 45.7.1 released
- https://www.mozilla.org/en-US/thunderbird/45.7.1/releasenotes/
Feb 7, 2017
Fixed: Crash when viewing certain IMAP messages (introduced in 45.7.0)
Automated Updates: https://support.mozilla.org/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird
Download - https://www.mozilla.org/en-US/thunderbird/all/ v45.7.1
  12. FYI...
- https://tools.cisco.com/security/center/publicationListing.x
Cisco AnyConnect Secure Mobility Client for Windows SBL Privileges Escalation Vuln
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect
8 Feb 2017 v1.0 High - "Summary: A vulnerability in the Start Before Logon (SBL) module of Cisco AnyConnect Secure Mobility Client Software for Windows could allow an unauthenticated, local attacker to open Internet Explorer with the privileges of the SYSTEM user. The vulnerability is due to insufficient implementation of the access controls. An attacker could exploit this vulnerability by opening the Internet Explorer browser. An exploit could allow the attacker to use Internet Explorer with the privileges of the SYSTEM user. This may allow the attacker to execute privileged commands on the targeted system. Cisco has released software updates that address this vulnerability. Workarounds that address this vulnerability are not available...
Vulnerable Products: This vulnerability affects Cisco AnyConnect Secure Mobility Client for Windows when configured for SBL..."
- http://www.securitytracker.com/id/1037796
CVE Reference: CVE-2017-3813
Feb 8 2017
Fix Available: Yes  Vendor Confirmed: Yes ... The vendor has assigned bug ID CSCvc43976 to this vulnerability.
Impact: A local user can obtain system privileges on the target system.
Solution: The vendor has issued a fix (4.3.05017, 4.4.00243)...
___
Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vuln
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-asa
8 Feb 2017 v1.1 High - "Summary: A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software could allow an authenticated, remote attacker to cause a heap overflow. The vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by sending a crafted URL to the affected system. An exploit could allow the remote attacker to cause a reload of the affected system or potentially execute code.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 or IPv6 traffic. A valid TCP connection is needed to perform the attack. The attacker needs to have valid credentials to log in to the Clientless SSL VPN portal. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available...
Vulnerable Cisco ASA Software running on the following products may be affected by this vulnerability:
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco ASA for Firepower 9300 Series
Cisco ASA for Firepower 4100 Series
Cisco ISA 3000 Industrial Security Appliance
Vulnerable Products: Cisco ASA Software is affected by this vulnerability if the Clientless SSL VPN portal is enabled...
- http://www.securitytracker.com/id/1037797
CVE Reference: CVE-2017-3807
Feb 8 2017
Fix Available: Yes  Vendor Confirmed: Yes ... The vendor has assigned bug ID CSCvc23838 to this vulnerability.
Impact: A remote authenticated user can execute arbitrary code on the target system.
Solution: The vendor has issued a fix (9.1(7.13), 9.4(4), 9.6(2.10)). The vendor plans to issue a fix for 9.2 and 9.5 in April 2017..."
  13. FYI... February 2017 Non-Security Office Update Release
- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/02/07/february-2017-non-security-office-update-release/
Feb 7, 2017 - "Listed below are the non-security updates we released on the Download Center and Microsoft Update yesterday. See the linked KB articles for more information.
Office 2013
Update for Skype for Business 2015: http://support.microsoft.com/KB/3161988
Update for Microsoft Office 2013: http://support.microsoft.com/KB/3115489
Update for Microsoft Office 2013: http://support.microsoft.com/KB/3141491
Update for Microsoft Office 2013: http://support.microsoft.com/KB/3127966
Update for Microsoft OneNote 2013: http://support.microsoft.com/KB/3141494
Update for Microsoft Office 2013: http://support.microsoft.com/KB/3127972
Update for Microsoft Outlook 2013: http://support.microsoft.com/KB/3141495
Update for Microsoft PowerPoint 2013: http://support.microsoft.com/KB/3141461
Update for Microsoft Project 2013: http://support.microsoft.com/KB/3141499
Update for Microsoft Visio 2013: http://support.microsoft.com/KB/3141492
Office 2016
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141504
Update for Skype for Business 2016: http://support.microsoft.com/KB/3141501
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3114389
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141508
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3127991
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141510
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141513
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141505
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3128048
Update for Microsoft OneNote 2016: http://support.microsoft.com/KB/3141512
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3128052
Update for Microsoft Outlook 2016: http://support.microsoft.com/KB/3141511
Update for Microsoft PowerPoint 2016: http://support.microsoft.com/KB/3128051
Update for Microsoft Project 2016: http://support.microsoft.com/KB/3141514
Update for Microsoft Office 2016: http://support.microsoft.com/KB/3141509
Update for Microsoft Visio 2016: http://support.microsoft.com/KB/3141500 "
  14. FYI... Fake sex lure SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/get-laid-tonight-sex-lure-malspam-delivers-ransomware/
7 Feb 2017 - "The sex lures in an email always work. Curiosity is just too much for some recipients... an email with the subject of 'get laid tonight' pretending to come from Alice Olsen <Alice.Olsen@ mail .com> with a very enticingly named zip attachment 'ourSexPhoto.zip' containing an .exe file with a definite sexy or pornographic lure 'byAliceforyouOurSexPhotosiwantyou .exe'...
One of the emails looks like:
From: Alice Olsen <Alice.Olsen@ mail .com>
Date: Mon 06/02/2017 22:42
Subject: get laid tonight
Attachment: ourSexPhoto.zip
Iam Thinking Of You ! My photos after our party
7 February 2017: ourSexPhoto.zip: Extracts to: byAliceforyouOurSexPhotosiwantyou.exe
Current Virus total detections 8/56*. Payload Security**... VT is differing between Sage ransomware and generic malware detections. Payload Security is inconclusive. Returns from Anti-Virus submissions vary between Generic Ransomware and Yakes Trojan... we can pretty much assume it is -ransomware- but there is some doubt which one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca/analysis/1486431675/
** https://www.hybrid-analysis.com/sample/3428e9fb2d250ff24621f948f061f0ed12fba0a210ada1e38b83c8af5a09f0ca?environmentId=100
___
Fake 'Your order Canceled' SPAM - delivers sage ransomware
- https://myonlinesecurity.co.uk/your-order-canceled-fraud-malspam-delivers-sage-ransomware/
7 Feb 2017 - "... an email with the subject of 'Your order Canceled. fraud' pretending to come from Security Service <security-service@ mail .com> with a zip attachment containing an .exe file. The bad spelling should be enough to alert recipients... 'looks like a new version of Sage with updated decryption and what to do instructions... Drops a vbs file that gives -audio- alerts telling you that your files are encrypted: “Attention! Attention! This is not a test! All you documents, data bases and other important files were encrypted and Windows can not restore them without special software.User action is required as soon as possible to recover the file” It also changes Bcdedit to prevent system recovery and of course deletes all shadow copies...
One of the emails looks like:
From: Security Service <security-service@ mail .com>
Date: Tue 07/02/2017 18:19
Subject: Your order Canceled. fraud
Attachment:
Your order has been canceled. Your credit card is invalid. For an explanation of the reason you have 3 days. By discharging is distributed 3 days, your card will be blocked. All the details in the attached documents.
7 February 2017: Your.orderCanceled.fraud.zip Extracts to: Your.order10988322.Canceled. fraud.2017-01-15.exe
Current Virus total detections 9/57*. Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d/analysis/1486490294/
** https://www.hybrid-analysis.com/sample/f042302d6de8e5e5cefb53820e950ecbd5f4113d565afde543a9524059b71d8d?environmentId=100
Contacted Hosts 91.214.114.197
  15. FYI... MDB updates ...
- http://www.malwaredomains.com/?p=4084
Feb 6, 2017 - "Our list is currently at 17,534 malicious domains. Thanks to everyone who has submitted domains to our list. If your domain is no longer malicious, please contact us at malwar1edomain3s@gm2ail.c9om for removal (remove all numbers). Mirror 1 is fully operational again..."
___
Malware Domains - Subscribe in AdblockPlus:
> https://adblockplus.org/en/subscriptions#type_other