Posts in advisory

A new type of malware found on the wild called SmallB

Sceptive has found a new brand of malware called SmallB during an incident investigation. After initial analysis, we have detected C&C servers for the malware but could not find any major clue about whereabouts or origins of the attackers. Due to our contact with service providers and financial corporations and banks that malware targeted, we observed that C&C servers went down immediately without a trace.

Main targets are mostly Eastern European and Turkish financial institutions including stock brokerage firms and commercial banks. SmallB injects various methods into login pages to pass over two-factor-authentication to retrieve confidential information and access to account pages.

It is spotted that attackers was using zero-day exploits such as CVE-2015-3113 and CVE-2016-1001 for Adobe Flash Player and CVE-2016-0034 for Silverlight on server-side to install SmallB to the victims. Also it uses RDP protocol attacks to transfer itself from one victim to another. And copies itself to shared folders and other drives to get incidentally run by other victims.

read more

Unpatched Atlassian products still reign over a critical security flaw

Atlassian released a security advisory nearly 8 months ago and released patches for a very critical vulnerability contained nearly all web based products.

Description of vulnerability was not sufficent for potential black hats but given patches leaked all the details they need. Any average level attacker would understand components of the issue when patches downloaded and compared with previous releases. But some advanced capabilities required to figure out how and where to attack.

And here we tell a little bit more about the attack to make users aware of the threat.

read more

CVE-2014-3518 JBoss EAP/AS 5: Remote code execution

Overview

JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of Java 2 Enterprise Edition (J2EE) that is used for implementing Java applications and other Web-based applications and software.

JBoss AS is released through Lesser General Public License. The JBoss.org community provides free support for this application server.

We have discovered that default installations of JBoss AS 5.x products prone to remote code execution attacks.

read more

Memcached < 1.4.17 SASL authentication bypass

Overview

We have approved that configurations of memcached prior to 1.4.17 suffers authentication bypassing on SASL configurations.

Description

When SASL enabled in memcached prior to 1.4.17 with

./configure --enable-sasl

and memcached daemon started with -S parameter memcached configures itself to authenticate over saslauthd.

Due to coding failure in memcached.c on second try with wrong password memcached fails authentication but still runs as authenticated which you can see detailed logs down below.

read more