The FBI has made an appeal to organizations victimized by DDoS attacks to share details and characteristics of those incidents.
Three critical SQL injection vulnerabilities in Oracle’s popular E-Business Suite make up a part of 250 bugs patched for the company’s quarterly Critical Patch Update,
Hacking ATM is now easier than ever before.
Usually, hackers exploit hardware and software vulnerabilities to hack ATMs and force them to spit out cash, but now anyone can simply buy a malware to steal millions in cash from ATMs.
Hackers are selling ready-made ATM malware on an underground hacking forum that anybody can simply buy for around $5000, researchers at Kaspersky Lab discovered after spotting a forum post advertising the malware, dubbed Cutlet Maker.
The forum post provides a brief description and a detailed manual for the malware toolkit designed to target various ATMs models with the help of a vendor API, without interacting with ATM users and their data.
Therefore, this malware does not affect bank customers directly; instead, it is intended to trick the bank ATMs from a specific vendor to release cash without authorisation.
The manual also mentions an infamous piece of ATM malware, dubbed Tyupkin, which was first analysed in 2014 by Kaspersky Lab and used by an international cybercrime gang to conduct Jackpotting attack and make Millions by infecting ATMs across Europe and beyond.
The list of crimeware contains in the toolkit includes:
- Cutlet Maker—ATM malware which is the primary element of the toolkit
- Stimulator—an application to gather cash cassette statuses of a targeted ATM
- c0decalc—a simple terminal-based application to generate a password for the malware.
According to Kaspersky researchers, the functionality of the Cutlet Maker malware suggests that two people are supposed to be involved in the ATM money theft—the roles are called “drop” and “drop master.”
“Access to the dispense mechanism of CUTLET MAKER is password protected. Though there could be just one person with the c0decalc application needed to generate a password,” the researchers say.
“Either network or physical access to an ATM is required to enter the code in the application text area and also to interact with the user interface.”
In order to operate, the application needs a special library, which is part of a proprietary ATM API and controls the cash dispenser unit—this shows how cyber “criminals are using legitimate proprietary libraries and a small piece of code to dispense money from an ATM.”
The price of this ATM malware toolkit was $5000 at the time of Kaspersky’s research.
The advertisement of this Cutlet Maker ATM malware was initially published on the AlphaBay Darknet marketplace, which was recently taken down by the FBI.
Powered by WPeMatico
Hyatt said its payment systems have been breached, exposing credit card data from 41 hotels in 11 countries between March and July this year.
Researchers uncover a misconfigured Elasticsearch database, exposing data tied to NFL players and their agents.
During the Virus Bulletin closing keynote, Brian Honan urged the security industry to share more, victim-shame less and work harder to establish trust.
The Apache Tomcat team has recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorised attacker to execute malicious code on affected servers remotely.
Apache Tomcat, developed by the Apache Software Foundation (ASF), is an open source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a “pure Java” HTTP web server environment for Java concept to run in.
Unlike Apache Struts2 vulnerabilities, which have recently been exploited to breach the systems of American credit reporting agency Equifax, Apache Tomcat flaws are less likely to be exploited.
The critical Remote Code Execution (RCE) vulnerability (CVE-2017-12617) discovered in Apache Tomcat is due to insufficient validation of user-supplied input by the affected software.
Only systems with HTTP PUTs enabled (via setting the “read-only” initialization parameter of the Default servlet to “false”) are affected.
“Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configured with the parameter readonly set to false or the WebDAV servlet is enabled with the parameter readonly set to false,” says Peter Stöckli of Alphabot Security.
Exploiting this vulnerability requires an attacker to upload a maliciously crafted Java Server Page (JSP) file to a targeted server running an affected version of Apache Tomcat, and the code contained in the JSP file would be executed by the server when the file is requested.
To upload the maliciously crafted JSP, the attacker just needs to send an HTTP PUT request to the vulnerable server, as mentioned in the proof-of-concept (PoC) exploit code published by Peter on the Apache mailing list.
The exploit would eventually allow the attacker to execute malicious code on the targeted server.
“Since this feature is typically not wanted, the most publicly exposed system will not have readonly set to false and are thus not affected,” Peter explains.
This RCE vulnerability, marked as “important,” impacts all Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81, and has been addressed with the release of Tomcat versions 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82.
A similar security issue (CVE-2017-12615) discovered in Tomcat 7 on Windows was patched by the Apache Tomcat developers on September 19 with the release of version 7.0.81.
Administrators are strongly recommended to apply the software updates as soon as possible and are advised to allow only trusted users to have network access as well as monitor affected systems.
The researchers have not detected any incident of the exploitation of one of these Apache Tomcat vulnerabilities in the wild.
Powered by WPeMatico
Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug during today’s Virus Bulletin 2017 keynote.
A domain name system server implementation is at risk of remote code execution, information exposure and denial-of-service attacks after a seven vulnerability were disclosed by Google and patched by the maintainers of Dnsmasq.