News briefs May 2015
»Premera Blue Cross confirmed that information belonging to roughly 11 million members and applicants may have been compromised after an unauthorized intruder accessed its IT systems. The initial attack took place on May 5, 2014, but the company did not learn of the incident until Jan. 29 of this year. The data potentially accessed varies by individual, as Premera holds different types of data on different people.
»In early April, President Obama issued an executive order aimed at combating "malicious cyber-enabled activities" carried out wholly, or in "substantial part," by foreign attackers targeting the U.S. The order established a new sanctions program authorizing the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to sanction threat actors who pose a significant threat to the nation's security or economy. Obama, who declared the threat a national emergency, said the sanctions would apply to individuals who harm or significantly compromise a computer (or network of computers) that supports one or more entities in a critical infrastructure sector. Foreign attackers who cause a "significant misappropriation" of funds or economic resources, financial data, trade secrets or personal identifiers are also among those who could be blocked from all financial dealings with the U.S.
»Sakurity researchers disclosed a bug affecting Facebook Login that could allow attackers to take over accounts on websites that offer the service as a sign-in alternative. Websites such as Bit.ly, About.me and Mashable.com were among those vulnerable, Sakurity found, noting that Facebook had failed to fix the bug despite being warned about it more than a year earlier. Egor Homakov, a Sakurity consultant, wrote on the company's blog that the attack "abuses triple-CSRFs at once": CSRF on logout, CSRF on login and CSRF on account connection. Because the third of these lives in the website's own callback handler, not at Facebook, he noted that the account-connection CSRF must be addressed by website owners themselves.
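The account-connection CSRF is the part of the chain the brief says site owners have to fix, and the standard fix is the OAuth 2.0 `state` parameter: the site mints an unguessable value, binds it to the browser session before redirecting to the provider, and refuses any callback that does not carry it back. The following is an added example (not Sakurity's, Facebook's or any named site's code) that models the callback handler both ways and drives the attack against each. The provider, its URLs, the authorization codes and the two user identities are constructed stand-ins, and the token exchange is a dictionary lookup where a real site would call the provider's token endpoint.

```python
"""Account-connection CSRF in a social-login flow, and the state check that
stops it. Added example; provider, URLs, codes and users are constructed."""
import hmac
import secrets

# Constructed: what the provider returns when each authorization code is
# redeemed. In reality this is an HTTPS call to the provider's token endpoint.
PROVIDER_CODES = {
    "code-for-victim": "provider-uid-victim",
    "code-for-attacker": "provider-uid-attacker",
}


def exchange_code(code):
    """Redeem an authorization code for the provider-side user id."""
    if code not in PROVIDER_CODES:
        raise ValueError("unknown authorization code")
    return PROVIDER_CODES[code]


def begin_connect(session):
    """Step 1 of 'connect my account': mint an unguessable state value, bind it
    to this browser session, and build the redirect to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return ("https://provider.example/dialog/oauth?client_id=app"
            "&redirect_uri=https://site.example/connect/callback"
            f"&state={state}")


def connect_callback_vulnerable(session, params, links):
    """Callback handler with no state check. Anyone who can make the victim's
    browser load /connect/callback?code=<attacker's code> links the attacker's
    provider account to the victim's site account."""
    links[session["user"]] = exchange_code(params["code"])
    return True


def connect_callback_hardened(session, params, links):
    """Same handler, but the callback is accepted only if it carries the state
    this session minted in begin_connect (single use, constant-time compare).
    A forged callback never went through begin_connect in the victim's
    session, so it has no valid state to present."""
    expected = session.pop("oauth_state", None)
    given = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected, given):
        return False
    links[session["user"]] = exchange_code(params["code"])
    return True


def login_with_provider(links, code):
    """Social login: you are signed in as whichever site user is linked to the
    provider account the code resolves to (None if nobody is linked)."""
    provider_uid = exchange_code(code)
    for site_user, linked_uid in links.items():
        if linked_uid == provider_uid:
            return site_user
    return None


def run_attack(handler):
    """Drive the attack against a callback handler. Returns the site user the
    attacker ends up logged in as, or None if the attack failed."""
    links = {}
    victim_session = {"user": "victim"}
    # The attacker's page makes the victim's logged-in browser hit the callback
    # with the attacker's own authorization code and a guessed state.
    forged_params = {"code": "code-for-attacker", "state": "guess"}
    try:
        handler(victim_session, forged_params, links)
    except ValueError:
        pass
    # The attacker then signs in with their own provider account.
    return login_with_provider(links, "code-for-attacker")


def run_legitimate(handler):
    """Honest flow: begin_connect, then the provider redirects back with the
    same state. Returns True if the link was made for the right account."""
    links = {}
    session = {"user": "victim"}
    state = begin_connect(session).rsplit("state=", 1)[1]
    ok = handler(session, {"code": "code-for-victim", "state": state}, links)
    return ok and links.get("victim") == "provider-uid-victim"


if __name__ == "__main__":
    print("vulnerable: attacker logged in as", run_attack(connect_callback_vulnerable))
    print("hardened:   attacker logged in as", run_attack(connect_callback_hardened))
    print("hardened:   honest flow works:", run_legitimate(connect_callback_hardened))
```

The state value must be bound to the session, single use, and compared in constant time; a state that is merely present, or one checked against a site-wide constant, adds nothing. The logout and login CSRFs the brief also mentions are on the provider's side of the flow and are not modelled here.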
»In late March, security firm Trustwave revealed that nearly six months after a major Drupal SQL injection vulnerability was disclosed, attackers were still successfully exploiting websites that had not applied the available patch. In one attack, for instance, the attacker exploited the vulnerability to create a new administrator account. After logging in to the site's Drupal administration with those credentials, the attacker switched to an IP address based in Morocco, then uploaded multiple PHP files as backdoors so that access would survive if the rogue account were removed. Finally the attacker defaced the targeted site, though the damage could have been worse, Ryan Barnett, Trustwave senior lead security researcher, told SCMagazine.com at the time.
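The attack pattern described above leaves two durable traces: an administrator account that nobody created legitimately, and PHP files where none should be. As an added example (not Trustwave's tooling or Drupal project code), the script below runs those two checks over constructed data: a sample of Drupal user rows as a triage script would read them from the `users` and `users_roles` tables, a baseline file listing taken from a known-good deployment, and the current listing. The account names, timestamps, paths and the cutoff date are all constructed; the cutoff is simply a parameter for "the date after which no admin account should have appeared".

```python
"""Triage for the Drupal post-exploitation pattern: injected administrator
accounts and PHP backdoors. Added example; all sample data is constructed."""

# Constructed Drupal 7 user rows (users joined to users_roles). Timestamps are
# Unix epoch seconds, as stored in the users.created column.
USERS = [
    {"uid": 1, "name": "admin", "created": 1380000000, "roles": {"administrator"}},
    {"uid": 2, "name": "editor", "created": 1390000000, "roles": {"editor"}},
    {"uid": 3, "name": "drupaldev", "created": 1414000000, "roles": {"administrator"}},
]

# Constructed: accounts the site's records say are allowed to be administrators.
KNOWN_ADMINS = {1}

# Constructed file listings: a baseline captured from a clean deployment and
# the listing taken from the site now. Only relative paths matter here.
BASELINE_FILES = {
    "index.php",
    "includes/bootstrap.inc",
    "sites/default/settings.php",
    "sites/default/files/logo.png",
    "sites/default/files/brochure.pdf",
}
CURRENT_FILES = BASELINE_FILES | {
    "sites/default/files/cache.php",        # dropped into the upload directory
    "sites/default/files/.tmp/sess.php",
    "includes/session.inc.php",              # dropped next to core code
    "sites/default/files/styles/thumbnail/public/logo.png",  # benign new derivative
}

EXEC_EXT = (".php", ".phtml", ".php5", ".phar")


def suspicious_admins(users, known_admins, cutoff):
    """Administrator accounts that are not on the known list or were created at
    or after the cutoff timestamp. Returned oldest first."""
    hits = [u for u in users
            if "administrator" in u["roles"]
            and (u["uid"] not in known_admins or u["created"] >= cutoff)]
    return sorted(hits, key=lambda u: u["created"])


def stray_php_in_uploads(files, upload_root="sites/default/files"):
    """Executable PHP files inside the public upload directory. Nothing there
    should be server-side code, so any hit is worth a look."""
    return sorted(f for f in files
                  if f.startswith(upload_root + "/")
                  and f.lower().endswith(EXEC_EXT))


def new_php_anywhere(baseline, current):
    """PHP files present now that were not in the baseline, wherever they sit.
    Catches backdoors dropped beside core or module code, which the
    upload-directory check misses."""
    return sorted(f for f in set(current) - set(baseline)
                  if f.lower().endswith(EXEC_EXT))


def triage(users, known_admins, cutoff, baseline, current):
    """Combine the checks into one report. 'compromised' is True if any check
    produced a hit; it is a prompt to investigate, not proof on its own."""
    admins = suspicious_admins(users, known_admins, cutoff)
    uploads = stray_php_in_uploads(current)
    added = new_php_anywhere(baseline, current)
    return {
        "suspicious_admins": [u["name"] for u in admins],
        "php_in_uploads": uploads,
        "new_php_files": added,
        "compromised": bool(admins or uploads or added),
    }


if __name__ == "__main__":
    # Constructed cutoff: a timestamp shortly before the rogue account appeared.
    report = triage(USERS, KNOWN_ADMINS, 1413000000, BASELINE_FILES, CURRENT_FILES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The baseline comparison is the stronger of the file checks, since a backdoor need not land in the upload directory; in practice the baseline would be a hash manifest from a clean copy of the same Drupal release so that modified core files are caught as well as new ones. Finding a rogue admin account after the fact should also prompt a look at whether the injection was used to change the password of an existing account, which these checks do not cover.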
»Researchers with Trend Micro uncovered malware that connects to home routers, scans for the devices connected to them, sends the information it gathers to a command-and-control server and then deletes itself without leaving a trace. Detected as TROJ_VICEPASS.A, or VICEPASS, the malware was observed infecting users who navigated to malicious websites hosting a purported Adobe Flash update. Trend Micro noted that the malware appeared to be used primarily for intelligence gathering, and that attackers may be using VICEPASS specifically as reconnaissance for larger attack campaigns.