by a Texas startup was integrated into the Sundown Exploit Kit. The proof-of-concept exploit was developed by Theori, a research and development firm in Austin, which opened its doors last spring. The PoC targets two vulnerabilities, CVE-2016-7200 and CVE-2016-7201, in Microsoft Edge that were patched in November in MS16-129 and privately disclosed to Microsoft by Google Project Zero researcher Natalie Silvanovich. French researcher Kafeine said on Saturday that he had spotted weaponized versions of the Theori exploits in Sundown two days after they were made public. The payload is most likely the Zloader DLL injector, but Sundown has also moved other malware in the past, including banking Trojans such as Zeus Panda and Dreambot, and even Bitcoin mining software. Kafeine said this is the first significant exploit kit activity he’s seen in six months. This is the second time a Theori proof-of-concept exploit has ended up in an exploit kit, Kafeine said, harkening back to CVE-2016-0189, which was patched in May by Microsoft and yet eventually found its way into Neutrino, RIG, Sundown and Magnitude. Kafeine said he expects other exploit kits to quickly integrate this attack as well, but activity could be slowed by the Christmas and New Year holidays in the West and the recently concluded Russian holiday season. A request for comment from researchers at Theori was not returned in time for publication. In the Readme for the exploits posted to Github, Theori said its PoC was tested on the latest version of Edge running on Windows 10. The vulnerabilities are in the Chakra JavaScript engine, developed by Microsoft for Internet Explorer 9.
The Theori exploits trigger information leak and type confusion vulnerabilities in the browser, leading to remote code execution. The bugs were patched Nov. 8 by Microsoft in a cumulative update for the Edge browser; Microsoft characterized them as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows Server. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Edge rendering engine. The integration of new exploits, however, has slowed significantly since the erasure of Angler and other popular kits from the underground. Angler’s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the development and distribution of the Lurk Trojan. Researchers at Kaspersky Lab who investigated the infrastructure supporting Lurk said there was little doubt that the criminals behind Lurk were also responsible for Angler’s constant development and profit-making. Since the end of the summer, however, exploit kit development has all but ended while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along. “Regarding the why, I don’t know for sure,” Kafeine said. “Either it’s harder to code those, [or] those who were providing fully working exploits (for Angler for instance) are not anymore into this. I think [exploit kits] have not been so far behind in years.”

Microsoft patched this on Nov 8th, but the huge problem is that whenever you buy a new computer, it doesn’t come with that patch… You have to run the updates once you set up the new computer.
And from what I have been finding over the last 6 months, the moment you open a brand new laptop with Windows 10 and start to try to update it, the vulnerability is wide open for attack. The WORST part is that if you are a regular person not knowing anything about security, and you set up Windows 10 with the “express settings,” the computer is set up to connect to any open wifi hotspot and Bluetooth devices! So if you live in NYC or any heavily populated area, or your home wifi is already infected by the Mirai botnet, you are screwed instantly… I have proof that it is happening to everyone and no one knows it. The internet is going to implode within the next 3-4 months and the government will have to shut it down.
A handful of worrisome vulnerabilities in Honeywell building automation system software disclosed last week are a case in point of how far the industry continues to lag in securing SCADA and industrial control systems. Honeywell published in September new firmware that patches vulnerabilities privately disclosed by researcher Maxim Rupp in its XL Web II controllers. The flaws could give an attacker the ability to access relatively unprotected credentials and use those to manipulate, for example, environmental controls inside a building. While these aren’t critical infrastructure systems such as wastewater, energy or manufacturing, building automation system hacks can be expensive to remedy, and in a worst-case scenario, afford an attacker the ability to pivot to a corporate network. Experts told Threatpost that building automation systems can be used to remotely manage heating, air conditioning, water, lighting and door security, and help reduce building operations costs. They’re also popping up as more and more buildings go green; such systems, for example, are crucial to Leadership in Energy and Environmental Design (LEED) certification from the United States Green Building Council. “The main risk from this is a super simple method of accessing building system HMIs, whether for mischief or maybe even ransom. Controllers like this provide an easy interface to operating the entire building system, no additional programming knowledge or protocol expertise required,” said Michael Toecker of Context Information Security. “Unless very poorly designed, a user can’t damage equipment from the HMI, but they can make the building inhospitable, inefficient, and expensive to fix.”
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an advisory last Thursday warning of five vulnerabilities in the Honeywell XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Four of the five are authentication-related flaws, the most serious of which involved passwords either stored in clear text or reachable by accessing a particular URL. A user with low privileges could also open and change parameters via a URL, ICS-CERT said. Honeywell also patched a session fixation vulnerability allowing an attacker to establish new user sessions without invalidating prior sessions, giving them access to authenticated sessions. It also patched a path traversal bug that allowed attackers to carry out directory traversal attacks via a URL.
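The session fixation flaw described above, illustrated with an added example that is not Honeywell's code or part of the advisory: a constructed toy session store whose login either keeps the pre-authentication session id (the vulnerable pattern) or rotates it and invalidates the old one (the fix). All class and function names are assumptions for illustration.

```python
import secrets

# Constructed toy session store; not Honeywell's implementation.
class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def new_anonymous(self):
        """Issue an unauthenticated session id (e.g. on first page load)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Vulnerable: the pre-authentication id is kept, so anyone who
        already knows it now holds an authenticated session."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        """Fixed: rotate the id on privilege change and drop the old one,
        so a previously known id no longer maps to any session."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        del self.sessions[sid]
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """Resolve a presented session id to its user, or None if invalid."""
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def fixation_succeeds(hardened):
    """Simulate the fixation scenario: a session id is known before the
    victim authenticates. Returns True if that id becomes authenticated."""
    store = SessionStore()
    known_sid = store.new_anonymous()     # id known prior to login
    login = store.login_fixed if hardened else store.login_vulnerable
    login(known_sid, "operator")          # victim logs in using that id
    return store.user_for(known_sid) == "operator"
```

Checking both variants shows why the fix is to rotate and invalidate the session id at login rather than merely to issue new ids.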