New White House petition seeks to legitimize DDoS attacks

This week, a petition was filed on the White House's "We the People" website asking that distributed denial of service (DDoS) attacks be recognized as a legitimate form of protest.

“It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any ‘occupy’ protest,” the petition states.

“Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time. As part of this petition, those who have been jailed for DDoS should be immediately released and have anything regarding a DDoS that is on their ‘records’ cleared.”


Java Zero-Day Dished Up from Cool Exploit Kit

The use of zero-day exploits in attacks has rarely been out of the headlines of late. Today, Kafeine of the Malware don't need Coffee blog published a post detailing yet another Java zero-day, the Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability (CVE-2013-0422), which is being actively exploited in the wild and distributed through the Cool Exploit Kit. The good news for Symantec customers who use our intrusion prevention system (IPS) technology is that Symantec proactively blocked the JAR file containing the exploit with the IPS signature Web Attack: Malicious JAR File Download 11. Symantec telemetry shows the Cool Exploit Kit began serving the exploit on January 9, and that our products caught it from the outset. There are also new reports of other exploit kits carrying this exploit, which Symantec is actively investigating.

Figure 1. Cool Exploit Kit attack serving new Java zero-day

Additional information on Trojan.Ransomlock.G can be found here.

The appearance of a zero-day in the Cool Exploit Kit is not much of a surprise. Much has been written recently about the Cool Exploit Kit author (supposedly also the author of the Blackhole exploit kit) having a large budget for buying up new zero-days. If that is the case, this may be the first of a string of zero-days to come from the Cool Exploit Kit.

While Oracle has not yet released an advisory, Symantec confirmed in testing that the zero-day successfully exploits the latest version of Java (1.7.0_10) available from Oracle's website.

Symantec has the following IPS signatures in place that specifically protect against the Cool Exploit Kit:

Symantec detects the JAR file that contains the exploit as Trojan.Maljava and our analysis is ongoing.

Zero-days have been appearing in the wild more frequently of late. To aid in protection against zero-day attacks, Symantec recommends that you employ the latest Symantec technologies.

Critical Java zero-day bug is being “massively exploited in the wild” (Updated)

A previously unknown and currently unpatched security hole in the latest version of the Java software framework is under attack online, according to security researchers and bloggers.

Attack code that exploits a vulnerability in Java's browser plugin has been added to the Blackhole, Cool, Nuclear Pack, and Redkit exploit kits, according to the Malware Don't Need Coffee blog, prompting its author to say that the bug is being "massively exploited in the wild." Miscreants use these products to turn compromised websites into platforms for silently installing keyloggers and other types of malicious software on the computers of unsuspecting visitors. KrebsOnSecurity reporter Brian Krebs said the curators of both Blackhole and Nuclear Pack have taken to the underweb to boast of the addition to their wares. It's not yet clear how many websites have been outfitted with the exploits.

According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. The attack files are highly obfuscated and most likely succeed by bypassing security checks built into the program. KrebsOnSecurity said the malware authors claim the exploits work against all versions of Java 7.


Hack turns the Cisco phone on your desk into a remote bugging device

Internet phones sold by Cisco Systems are vulnerable to stealthy hacks that turn them into remote bugging devices that eavesdrop on private calls and nearby conversations.

The networking giant warned of the vulnerability on Wednesday, almost two weeks after a security expert demonstrated how people with physical access to the phones could cause them to execute malicious code. Cisco plans to release a stop-gap software patch later this month for the weakness, which affects several models in the Cisco Unified IP Phone 7900 series. The vulnerability can also be exploited remotely over corporate networks, although Cisco has issued workarounds to make those hacks more difficult.

"Cisco recognizes that while a number of network, device, and configuration based mitigations exist, there is no way to mitigate the physical attack vector on the affected devices," the company's advisory stated. "To this end, Cisco will conduct a phased remediation approach and will be releasing an intermediate Engineering Special software release for affected devices to mitigate known attack vectors for the vulnerability documented in this advisory."
