in March . Ransomware is no longer just a nuisance . Now it 's quite literally a matter of life and death . A massive ransomware attackAttack.Ransombeing labeled as `` WannaCryAttack.Ransom`` has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica . The WannaCry attackAttack.Ransomis not a zero-day flaw , but rather is based on an exploit that Microsoft patchedVulnerability-related.PatchVulnerabilitywith its MS17-010 advisory on March 14 in the SMB Server . However , Microsoft did not highlightVulnerability-related.DiscoverVulnerabilitythe SMB flaw until April 14 , when a hacker group known as the Shadow Brokers releasedVulnerability-related.DiscoverVulnerabilitya set of exploits , allegedly stolenAttack.Databreachfrom the U.S.National Security Agency . SMB , or Server Message Block , is a critical protocol used by Windows to enable file and folder sharing . It 's also the protocol that today 's WannaCry attackAttack.Ransomis exploiting to rapidly spread from one host to the next around the world , literally at the speed of light . The attack is what is known as a worm , `` slithering '' from one host to the next on connected networks . Among the first large organizations to be impacted by WannaCry is The National Health Service in the UK , which has publicly confirmed that it was attackedAttack.Ransomby the Wan na Decryptor. `` This attackAttack.Ransomwas not specifically targeted at the NHS and is affecting organisations from across a range of sectors , '' the NHS stated . `` At this stage we do not have any evidence that patient data has been accessedAttack.Databreach. '' Security firm Kaspersky Lab reported that by 2:30 p.m . ET May 12 it had already seen more than 45,000 WannaCry attacksAttack.Ransomin 74 countries . While the ransomware attackAttack.Ransomis making use of the SMB vulnerability to spread , the encryption of files is done by the Wanna Decryptor attackAttack.Ransomthat seeks out all files on a victim 's network . Once the ransomware has completed encrypting files , victims are presented with a screen demanding a ransomAttack.Ransom. Initially , the ransom requestedAttack.Ransomwas reported to be $ 300 worth of Bitcoin , according to Kaspersky Lab . `` Many of your documents , photos , videos , databases and other files are no longer accessible because they have been encrypted , '' the ransom note states . `` Maybe you are busy looking for a way to recover your files , but do not waste your time . Nobody can recover your files without our decryption service . '' It 's not clear who the original source of the global WannaCry attacksAttack.Ransomis at this point , or even if it 's a single threat actor or multiple actors . What is clear is that despite the fact that a software patch has been availableVulnerability-related.PatchVulnerabilitysince March for the SMB flaws , WannaCry is using tens of thousands of organizations that did n't patchVulnerability-related.PatchVulnerability.
SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discoveredVulnerability-related.DiscoverVulnerabilitythe coding flaw and sharedVulnerability-related.PatchVulnerabilitya fix for it , raising questions about why Equifax did n't updateVulnerability-related.PatchVulnerabilityits software successfully when the danger became known . A week after Equifax revealed one of the largest breachesAttack.Databreachof consumers ' private financial data in history — 143 million consumers and accessAttack.Databreachto the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax . `` The Equifax data compromiseAttack.Databreachwas due to ( Equifax 's ) failure to install the security updates providedVulnerability-related.PatchVulnerabilityin a timely manner , '' The Apache Foundation , which oversees the widely-used open source software , said in a statement Thursday . Equifax told USA TODAY late Wednesday the criminals who gained accessAttack.Databreachto its customer data exploitedVulnerability-related.DiscoverVulnerabilitya website application vulnerability known asVulnerability-related.DiscoverVulnerabilityApache Struts CVE-2017-5638 . The vulnerability was patchedVulnerability-related.PatchVulnerabilityon March 7 , the same day it was announcedVulnerability-related.DiscoverVulnerability, The Apache Foundation said . Cybersecurity professionals who lend their free services to the project of open-source software — code that 's shared by major corporations and that 's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group , making the risk and fix known to any company using the software . Modifications were made on March 10 , according to the National Vulnerability Database . But two months later , hackers took advantage of the vulnerability to enter the credit reporting agency 's systems : Equifax said the unauthorized access began in mid-May . Equifax did not respond to a question Wednesday about whether the patches were appliedVulnerability-related.PatchVulnerability, and if not , why not . `` We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement , '' it said . It should have have acted faster to successfully deal with the problem , other cybersecurity professionals said . `` They should have patchedVulnerability-related.PatchVulnerabilityit as soon as possible , not to exceed a week . A typical bank would have patchedVulnerability-related.PatchVulnerabilitythis critical vulnerability within a few days , ” said Pravin Kothari , CEO of CipherCloud , a cloud security company . Federal regulators are now investigating whether Equifax is at fault . The Federal Trade Commission and the Consumer Financial Protection Bureau have said they 've opened probes into the hack . So far dozens of state attorneys general are investigating the breach , and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws . More than 23 class-action lawsuits against the company have also been proposed . Proof that Equifax failed to protect customers , particularly when it had the tools and information to do so , is likely to further damage Equifax 's financial outlook . Shares fell 2.5 % Thursday after news of the FTC probe and are down 33 % since it revealed the link .
PureVPN has had two vulnerabilities which would allow hackers to retrieve stored passwords through the VPN client . This was confirmedVulnerability-related.DiscoverVulnerabilityby Trustwave ’ s security researcher Manuel Nader , and the VPN provider itself . One of the two vulnerabilities were fixedVulnerability-related.PatchVulnerabilityin the meantime , while the other one remains active , and PureVPN has , according to Nader , “ accepted the risk ” . The vulnerability that was patchedVulnerability-related.PatchVulnerabilitysaw saved passwords stored in plaintext , on this location : ' C : \ProgramData\purevpn\config\login.conf All users have had the chance to access and read the file by simply opening it through the CMD . This vulnerability has been patchedVulnerability-related.PatchVulnerabilityin the version 6.1.0. and whoever uses PureVPN is strongly advised to update to the latest version , as soon as possible . The second vulnerability is the one that remains open , and the company has decided to ‘ accept the riskVulnerability-related.DiscoverVulnerability’ . So basically , you ’ d need to open the Windows client , open Configuration , User Profile , and click on ‘ Show Password ’ . A spokesperson for PureVPN sent us the following statement . `` This is not a vulnerability rather a feature that we deployed for ease of our users . Back in April 2018 , when Trustwave reported it to us , we assessed the risk , and found it minimally due to how our systems are designed . Our systems work a bit different than most of the other VPN providers . For enhanced security , we use separate passwords for Member Area and VPN access . Member Area password which is more privileged is not shown in apps , it 's the VPN access password that is the subject of this feature . Furthermore , by default , our VPN passwords are system generated and not set by users . This curtails the risk of users using the same password for VPN accounts that they use for their sensitive accounts elsewhere on the Internet . On the other hand , this enhanced security design proved a little difficult for quite a few of our users and hence we offered a way for them to easily retrieve their VPN password . For now the community has raised concerns and is confusing it as a vulnerability , we have temporarily removed the feature and releasedVulnerability-related.PatchVulnerabilitya newer version 6.2.2 . To those users of our who pretty much use this feature to retrieve the separate password for VPN we would like to inform that we plan to redesign the future , keeping these concerns in mind , and release it back in our November 2018 release . We use Bugcrowd , a public Bug Bounty Program that employees some 90,000 ethical hackers to test our product . We remain in heavy collaboration with the InfoSec community and hence have such aggressive and streamlined processes in place to have releasedVulnerability-related.PatchVulnerabilitythe new version 6.2.2 within a few hours only . '' Those interested in learning more about VPNs and how they help improve your online privacy , make sure to read our Best VPN article .
Oracle releasedVulnerability-related.PatchVulnerabilityits latest Critical Patch Update on July 18 , fixingVulnerability-related.PatchVulnerability334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patchedVulnerability-related.PatchVulnerabilityby Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressedVulnerability-related.PatchVulnerabilityin this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixedVulnerability-related.PatchVulnerabilityin the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patchedVulnerability-related.PatchVulnerabilityfor three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application receivedVulnerability-related.PatchVulnerabilitythe highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , gotVulnerability-related.PatchVulnerability44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patchedVulnerability-related.PatchVulnerabilityfor 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU providesVulnerability-related.PatchVulnerabilityeight security fixes , though organizations likely need to be cautious when applyingVulnerability-related.PatchVulnerabilitythe patches , as certain functionality has been removed . `` Several actions taken to fixVulnerability-related.PatchVulnerabilityJava SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who applyVulnerability-related.PatchVulnerabilitybinary patches should be extremely cautious and thoroughly test their applications before puttingVulnerability-related.PatchVulnerabilitypatches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update releasedVulnerability-related.PatchVulnerabilityon Jan 15 , which providedVulnerability-related.PatchVulnerabilitypatches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixingVulnerability-related.PatchVulnerabilitythe reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .
US Postal Service website flaw was patchedVulnerability-related.PatchVulnerabilitythis week but reportedVulnerability-related.DiscoverVulnerabilityby a security researcher a year ago . The US Postal Service has fixedVulnerability-related.PatchVulnerabilitya security bug in its website that allowed anyone with an account to see the account details of the site 's 60 million users . The flaw was patchedVulnerability-related.PatchVulnerabilitythis week after USPS was informedVulnerability-related.DiscoverVulnerabilityof the issue by Krebs on Security , which reports that an unnamed independent researcher reportedVulnerability-related.DiscoverVulnerabilitythe bug a year ago but never received a response . According to Krebs , the flaw was caused by an authentication weakness in the application programming interface ( API ) on usps.com that supported the USPS 'Informed Visibility ' program , which offers business customers `` near real-time tracking data '' about mail campaigns and packages . The bug let anyone who was logged in to usps.com to see account details for others users , including email address , username , user ID , account number , street address , phone number , authorized users , mailing campaign data and more . Krebs notes that the `` API also let any user request account changes for any other user , such as email address , phone number or other key details '' . USPS said in a statement it had no information that the vulnerability had been used to access customer records . `` Computer networks are constantly under attackAttack.Databreachfrom criminals who try to exploit vulnerabilities to illegally obtainAttack.Databreachinformation . Similar to other companies , the Postal Service 's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity , '' USPS said . `` Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously . Out of an abundance of caution , the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law . '' However , a recent vulnerability assessment of the Informed Visibility program by the Office of Inspector General of the US Postal Service turned up weaknesses , including a lack of audit logs , in the Informed Visibility database . The partially redacted audit report , published in October , assessed 13 Informed Visibility ( IV ) servers . It found overall compliance with Postal Service server configuration baselines , but weakness in the IV database 's account-management systems . `` We identified weaknesses in account management controls , specifically with password complexity , disabling user accounts , and maintaining audit logs , '' the OIG report notes . `` Without account management controls , the IV system is at risk for [ redacted ] . Further , if expired accounts are not disabled in a timely manner , this increases the duration that Postal Service information resources are vulnerable to compromise . `` Additionally , without audit logs , the Postal Service would not be able to obtain sufficient detail to reconstruct activities in the event of a compromise or malfunction '' . USPS has faced scrutiny in the past , after a 2014 hack exposedAttack.Databreachpersonal information on 800,000 employees , 485,000 workers ' compensation records , and 2.9 million customer-inquiry records . The OIG in 2015 criticized the USPS for focusing on compliance and failing to foster a `` culture of effective cybersecurity across the enterprise '' .
US Postal Service website flaw was patchedVulnerability-related.PatchVulnerabilitythis week but reportedVulnerability-related.DiscoverVulnerabilityby a security researcher a year ago . The US Postal Service has fixedVulnerability-related.PatchVulnerabilitya security bug in its website that allowed anyone with an account to see the account details of the site 's 60 million users . The flaw was patchedVulnerability-related.PatchVulnerabilitythis week after USPS was informedVulnerability-related.DiscoverVulnerabilityof the issue by Krebs on Security , which reports that an unnamed independent researcher reportedVulnerability-related.DiscoverVulnerabilitythe bug a year ago but never received a response . According to Krebs , the flaw was caused by an authentication weakness in the application programming interface ( API ) on usps.com that supported the USPS 'Informed Visibility ' program , which offers business customers `` near real-time tracking data '' about mail campaigns and packages . The bug let anyone who was logged in to usps.com to see account details for others users , including email address , username , user ID , account number , street address , phone number , authorized users , mailing campaign data and more . Krebs notes that the `` API also let any user request account changes for any other user , such as email address , phone number or other key details '' . USPS said in a statement it had no information that the vulnerability had been used to access customer records . `` Computer networks are constantly under attackAttack.Databreachfrom criminals who try to exploit vulnerabilities to illegally obtainAttack.Databreachinformation . Similar to other companies , the Postal Service 's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity , '' USPS said . `` Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously . Out of an abundance of caution , the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law . '' However , a recent vulnerability assessment of the Informed Visibility program by the Office of Inspector General of the US Postal Service turned up weaknesses , including a lack of audit logs , in the Informed Visibility database . The partially redacted audit report , published in October , assessed 13 Informed Visibility ( IV ) servers . It found overall compliance with Postal Service server configuration baselines , but weakness in the IV database 's account-management systems . `` We identified weaknesses in account management controls , specifically with password complexity , disabling user accounts , and maintaining audit logs , '' the OIG report notes . `` Without account management controls , the IV system is at risk for [ redacted ] . Further , if expired accounts are not disabled in a timely manner , this increases the duration that Postal Service information resources are vulnerable to compromise . `` Additionally , without audit logs , the Postal Service would not be able to obtain sufficient detail to reconstruct activities in the event of a compromise or malfunction '' . USPS has faced scrutiny in the past , after a 2014 hack exposedAttack.Databreachpersonal information on 800,000 employees , 485,000 workers ' compensation records , and 2.9 million customer-inquiry records . The OIG in 2015 criticized the USPS for focusing on compliance and failing to foster a `` culture of effective cybersecurity across the enterprise '' .
Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosedVulnerability-related.DiscoverVulnerabilityby a Texas startup was integrated into the Sundown Exploit Kit . The proof-of-concept exploit was developedVulnerability-related.DiscoverVulnerabilityby Theori , a research and development firm in Austin , which opened its doors last spring . The PoC targets two vulnerabilities , CVE-2016-7200 and CVE-2016-7201 , in Microsoft Edge that were patchedVulnerability-related.PatchVulnerabilityin November in MS16-129 and privately disclosedVulnerability-related.DiscoverVulnerabilityto Microsoft by Google Project Zero researcher Natalie Silvanovich . French researcher Kafeine said on Saturday that he had spotted weaponized versions of the Theori exploits in Sundown two days after they were made public . The payload is most likely the Zloader DLL injector , but Sundown has also moved other malware in the past including banking Trojans such as Zeus Panda and Dreambot , and even Bitcoin mining software . Kafeine said this is the first significant exploit kit activity he ’ s seen in six months . This is the second time a Theori proof-of-concept exploit has ended up in an exploit kit , Kafeine saidVulnerability-related.DiscoverVulnerability, harkening back to CVE-2016-0189 , which was patchedVulnerability-related.PatchVulnerabilityin May by Microsoft and yet eventually found its way into Neutrino , RIG , Sundown and Magnitude . Kafeine said he expects other exploit kits to quickly integrate this attack as well , but activity could be slowed by Christmas and New Year holidays in the West , and the recently concluded Russian holiday season . A request for comment from researchers at Theori was not returned in time for publication . In the Readme for the exploits posted to Github , Theori said its PoC was tested on the latest version of Edge running on Windows 10 . The vulnerabilities are in the Chakra JavaScript engine developed for Microsoft in Internet Explorer 9 . The Theori exploits trigger information leak and type confusion vulnerabilities in the browser , leading to remote code execution . The bugs were patchedVulnerability-related.PatchVulnerabilityNov. 8 by Microsoft in a cumulative update for the Edge browser ; Microsoft characterizedVulnerability-related.DiscoverVulnerabilitythem as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows server . An attacker could also embed an ActiveX control marked ‘ safe for initialization ’ in an application or Microsoft Office document that hosts the Edge rendering engine . The integration of new exploits , however , has slowed significantly since the erasure of Angler and other popular kits from the underground . Angler ’ s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the development and distribution of the Lurk Trojan . Researchers at Kaspersky Lab who investigated the infrastructure supporting Lurk said there was little doubt that the criminals behind Lurk were also responsible for Angler ’ s constant development and profit-making . Since the end of the summer , however , exploit kit development has all but ended while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along . “ Regarding the why , I don ’ t know for sure , ” Kafeine said . “ Either it ’ s harder to code those , [ or ] those who were providing fully working exploits ( for Angler for instance ) are not anymore into this . “ I think [ exploit kits ] have not been so far behind in years ” . Microsoft patchedVulnerability-related.PatchVulnerabilitythis on Nov 8th , bug the huge problem is that whenever you buy a new computer , it doesn ’ t come with that pacth… You have to run the updates once you set up the new computer . And from what I have been finding over the last 6 months , is that the moment you open a brand new laptop with windows 10 and start to try to update it , the vulnerability is wide open for attack . The WORST part is that if you are a regular person not knowing anything about security , and you set up windows 10 with the “ express settings ” the computer is setup to connect to any open wifi hotspot and Bluetooth devices ! So if you live in NYC or any heavy populated area , or your home wifi is already infected by Miria Botnet , you are screwed instantly… I have proof that it is happening to everyone and no one knows it . The internet is going to implode within the next 3-4 months and the government will have to shut it down .
Having had more than a week to digest Cloudbleed ’ s causes and impact , Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low . Prince saidVulnerability-related.DiscoverVulnerabilitythere is no evidence the vulnerability , which leaked customer data from memory , was exploitedVulnerability-related.DiscoverVulnerabilityby attackers . The bug , however , was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploitedVulnerability-related.DiscoverVulnerability. In the meantime , Cloudflare continues to work with Google and other search engine providers to scrub cached sites that could contain any leaked data from memory . “ We ’ ve successfully removed more than 80,000 unique cached pages . That underestimates the total number because we ’ ve requested search engines purge and recrawl entire sites in some instances , ” Prince said . Prince said leaksAttack.Databreachhave included internal Cloudflare headers and customer cookies , but no evidence of passwords , encryption keys , payment card data or health records among the leaksAttack.Databreach. The vulnerability was privately disclosedVulnerability-related.DiscoverVulnerabilityFeb 17 by Google Project Zero researcher Tavis Ormandy , who reported that he did see crypto keys , passwords , POST data and HTTPS requests for other Cloudflare-hosted sites among data from other requests . Ormandy initially said in a tweet that Cloudflare was leakingAttack.Databreachcustomer HTTPS sessions for Uber , FitBit , OKCupid and others , all of which said the impact of Cloudbleed on their data was minimal . “ While the bug was very bad and had the potential to be much worse , ” Prince said . Prince explained that the bug was triggered only when a webpage moving through the Cloudflare network contained HTML ending with an un-terminated attribute , and if a number of Cloudflare features were turned on . Those features hand in hand with a Cloudflare stream parser used to scan and modify content in real time such as rewriting HTTP links to HTTPS—a feature called Automatic HTTPS Rewrites—or hiding email addresses on a page from spammers—a feature called Email Address Obfuscation . The need to end with an un-terminated attribute was key . “ When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure . Contents of the other customers ’ requests are also in adjacent portions of memory on Cloudflare ’ s servers , ” Prince said . “ The bug caused the parser , when it encountered un-terminated attribute at the end of a page , to not stop when it reached the end of the portion of memory for the particular page being parsed . Instead , the parser continued to read from adjacent memory , which contained data from other customers ’ requests . The contents of that adjacent memory were then dumpedAttack.Databreachonto the page with the flawed HTML ” . Anyone accessing one of those pages would see the memory dump , looking a lot like random text , below , Prince said . An attacker would need to pound one of those sites with numerous requests to trigger the bug and then record the results , getting a mix of useless data and sensitive information , Prince said . “ The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notifiedVulnerability-related.DiscoverVulnerabilityby Google ’ s Project Zero team and were able to patchVulnerability-related.PatchVulnerabilityit , ” Prince said . “ For the last 12 days we ’ ve been reviewing our logs to see if there ’ s any evidence to indicate that a hacker was exploitingVulnerability-related.DiscoverVulnerabilitythe bug before it was patchedVulnerability-related.PatchVulnerability. We ’ ve found nothing so far to indicate that was the case ” . Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug @ cloudflare [ . ] com . Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script .