The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Thursday, 12 May 2016
Adobe Readies Patch for Flash Player Zero-Day Exploit Found in Attacker Toolkits
From The Media
Adobe is working to patch a zero-day vulnerability in Flash Player that is actively being exploited by attackers. The zero-day, CVE-2016-4117, affects Windows, Mac, Linux and Chrome operating systems and could allegedly allow an attacker to crash and take control of a compromised system. A patch for the vulnerability will not be available until 12 May.
Read the Story: ZDNet
iSIGHT Partners Analyst Comment
As FireEye is responsible for disclosing CVE-2016-4117 to Adobe, we are able to confirm that the vulnerability is being actively exploited in the wild for malicious activity. However, we have been asked to withhold further details until Adobe’s patch is released. That said, since this vulnerability is being actively exploited, we highly recommend prioritizing the forthcoming patch, which may be installed automatically depending on the browser used.
Related iSIGHT Partners Reports
16-00007356 (Adobe Flash Player Vulnerability CVE-2016-4117), 11 May 2016
16-00004486 (Adobe Flash Player Zero-Day Vulnerability CVE-2016-1019 Confirmed to Be Exploited by Magnitude and Nuclear Exploit Kits), 7 April 2016
15-00014638 (Survey of Vulnerabilities Exploited in Major Exploit Kits, 2014-2015), 15 March 2016
Security Bug SAP Patched Years Ago Draws U.S. Government Alert
From The Media
An SAP vulnerability patched six years ago can still allow attackers remote control over old SAP systems. The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) recently advised SAP customers of the security alert and issued guidance on how to patch their systems. SAP issued a fix for the flaw six years ago, but the fix was known to disable customized software used by many SAP customers.
Read the Story: Reuters
iSIGHT Partners Analyst Comment
US-CERT’s advisory was based on research conducted by Onapsis, a company that provides SAP security solutions. While we believe the claim that many SAP systems remain vulnerable, portions of Onapsis’s official release are unclear. Specifically, it is not clear how, or whether, Onapsis confirmed exploitation at the 36 organizations.
Related iSIGHT Partners Reports
16-00001650 (Hacktivist Actors Post Obsolete Data from SAP Joint Enterprise Petronect), 8 Feb. 2016
16-00007260 (Weekly Vulnerability Exploitation Report), 10 May 2016
Wendy’s: Breach Affected 5 Percent of Restaurants
From The Media
The investigation into the recent Wendy’s breach has revealed that fewer than 300 of the 5,500 franchised North American restaurants had malicious software on their point-of-sale systems. Wendy’s reported that the malware was installed through compromised third-party vendor credentials. According to Wendy’s, the investigation is still ongoing; however, the malware has been removed from the affected systems.
Read the Story: Krebs On Security
iSIGHT Partners Analyst Comment
It is common for malicious actors to compromise third parties as a stepping stone to their actual targets. Third-party vendors often have authorized remote access to restricted areas of enterprise networks, so infecting a vendor can be easier than targeting the ultimate victim directly. For example, according to open sources, the late 2013 POS malware campaign affecting major retailer Target was allegedly enabled by the compromise of a Pennsylvania-based heating, ventilation and air conditioning (HVAC) vendor.
Related iSIGHT Partners Reports
16-00003820 (Overview of Point-of-Sale Malware: Continuous and Sustained Development, Use in Ongoing Campaigns Expected to Continue), 22 April 2016
16-00005610 (A Shotgun Approach: Targeting Hotels, Restaurants and Point of Sale Providers), 27 April 2016
15-00013604 (Cyber Criminal Targeted Intrusions as a Threat to Financial Institutions), 30 Dec. 2015
Congress Blocks Yahoo Mail over Its Failure to Filter Phishing Attempts
From The Media
The U.S. House of Representatives IT support team advised all House staff that it had noticed an increase in attempted ransomware attacks through web-based e-mail services such as Yahoo Mail. In response to the increased level of attacks, the House’s IT team blocked access to Yahoo Mail. Specific incidents targeting House staff appeared to come from known senders, making identification more difficult.
Read the Story: The Next Web
iSIGHT Partners Analyst Comment
We are uncertain whether Yahoo’s phishing filtering is uniquely poor, but insecure e-mail practices and providers may enable actors to circumvent network defenses. At this point, we have no evidence to suggest that adversaries are especially targeting Yahoo services or that they are exploiting a systemic weakness in the service.
Related iSIGHT Partners Reports
15-00007278 (Notable Developments in Cyber Crime Tools During June 2015), 29 July 2015
15-00003212 (Proposed Computer Fraud and Abuse Act (CFAA) Amendments Aim to Bolster Counter Cyber Crime Efforts; Could Hamper Security Research), 20 April 2015
A Quarter of Businesses Run Outdated Internet Explorer Browsers
From The Media
According to Duo’s 2016 Trusted Access Report, one in four devices at businesses is running an outdated version of Internet Explorer. Duo further noted that half of the devices in use across business networks are still running Windows XP. Additionally, the report details that, of the devices scanned, only 40 percent of all Flash installs were up to date.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
Adversaries regularly develop and re-use exploits for vulnerabilities that already have patches available, simply because targeting slow-to-patch individuals and organizations remains an effective distribution strategy. As such, users running outdated software, especially Internet Explorer and Flash, expose themselves and their organizations to unnecessary risk.
Related iSIGHT Partners Reports
15-00014258 (Overview of Exploit Kits and the Exploit Kit Market), 11 Jan. 2016
Intel-1024599 (Limited Support to Continue for Windows XP After April 2014 End-of-Life), 27 Jan. 2014