News and Alerts

Vulnerability Alert (technical users)

September 24th, 2013 | Posted by kwelladm in Alerts

Title: Attacks against Internet Explorer 0-day continuing in the wild

Description: Despite a major wave of publicity following the discovery last week of a 0-day remote code execution flaw in Internet Explorer, and the release of a workaround by Microsoft, in-the-wild exploitation of the flaw (CVE-2013-3893) is continuing to take place, with security vendor FireEye releasing an in-depth report about attacks occurring specifically in Japan. Live exploit code began appearing on public security research sites by Tuesday of this week, and worldwide exploitation by exploit kits and other large-scale vectors is likely to begin occurring well before the October 8 release of Microsoft’s standard patch cycle. System administrators are urged to ensure that Microsoft’s temporary fix has been applied immediately.

Reference:

http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

http://community.websense.com/blogs/securitylabs/archive/2013/09/18/up-to-70-of-pcs-vulnerable-to-zero-day-cve-2013-3893.aspx

https://community.rapid7.com/community/infosec/blog/2013/09/24/ie-0-day-exploit-code-is-now-widely-available-cve-2013-3893

Snort SID: 27943, 27944

ClamAV: BC.Exploit.CVE_2013_3893

 

Title: Apple iPhone TouchID broken

Description: The Chaos Computer Club – one of the planet’s oldest hacking organizations – was declared the official winner of a bounty program that sprung up over the weekend to crack the new touch ID authentication system in new iPhone 5 hardware, after the group successfully lifted a print, replicated it with commonly available technology, and gained access to a phone protected by the system. The contest featured its share of hacker drama, after a pledge of $10,000 to the crowd-funded bounty was made by a venture capitalist who later reneged on his promise, after having received considerable media coverage for the pledge.

Reference:

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

http://www.zdnet.com/charlatan-hijacks-iphone-5s-fingerprint-hack-contest-fools-press-7000020978/

Snort SID: N/A

ClamAV: N/A

 

Title: Fake iMessage for Android surfaces, sends data to China

Description: An unofficial Apple iMessage client appeared in Google’s Android market this week, with tens of thousands of downloads before being pulled by Google. Several security researchers independently noted that the application sent copies of all of the user’s data to an IP address in China without any warning to the end user. While the developer of the app insisted that the data being sent was for legitimate purposes, the episode shows how easy it is for rogue apps to harvest huge amounts of data from unsuspecting users even in relatively well-policed markets such as Google Play.

Reference:

https://plus.google.com/u/0/116098411511850876544/posts/UkgaXa1oa6M

http://www.engadget.com/2013/09/24/imessage-for-android-app-risk/

Snort SID: 28046

ClamAV: Andr.Trojan.FakeiMessage

 

Title: Java reflection attack allows remote code execution on Android < 4.2

Description: Security research firm MWR InfoSecurity released an advisory this week detailing a reflection attack against the addJavaScriptInterface functionality offered by the Android operating system’s WebKit component, which allows developers to define methods which can be called by JavaScript. Although the original intent of the functionality was to expose only clearly defined methods, a trivial sequence of calls could allow full command execution by malicious web pages if any methods are exported at all through this interface. While the issue has been fixed in Android 4.2, MWR’s research shows a wide array of popular apps and ad networks still vulnerable to attacks.


Reference:

http://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/

Snort SID: 28043

ClamAV: Andr.Exploit.JavaReflect
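A hardened WebView setup for the addJavascriptInterface issue described above, added here as an example (not code from MWR's advisory or from any of the affected apps). It assumes the app declares targetSdkVersion 17 or higher and that AppBridge, Bridge, TRUSTED_HOST and app.example.com are hypothetical names; the annotation-based restriction only applies on Android 4.2 (API 17) and newer, so on older devices the bridge is not registered at all.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class SafeWebViewSetup {

    // Hypothetical trusted origin: only pages from here may reach the bridge object.
    private static final String TRUSTED_HOST = "app.example.com";

    /** Bridge object exposed to JavaScript. On API 17+ only annotated methods are callable. */
    public static final class Bridge {
        @JavascriptInterface
        public String getVersion() {
            return "1.0";
        }

        // Not annotated: not reachable from JavaScript on API 17+ with targetSdkVersion >= 17.
        public void internalOnly() { }
    }

    /** True on Android 4.2+ where @JavascriptInterface limits what the page can invoke. */
    public static boolean isBridgeSafe() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1;
    }

    /** Returns true when the URL is on the trusted HTTPS origin and may be loaded. */
    public static boolean isTrustedUrl(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost());
    }

    public static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);

        // Before 4.2 every public method of the bridge is reachable through reflection
        // (the behaviour in MWR's finding), so the bridge is simply not registered there.
        if (isBridgeSafe()) {
            webView.addJavascriptInterface(new Bridge(), "AppBridge");
        }

        // Keep third-party content (e.g. ad networks) away from the bridge: refuse to
        // navigate this WebView anywhere but the trusted HTTPS origin.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrustedUrl(url); // true = block the load
            }
        });
    }
}
```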

============================================================

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

F-Secure 1H13 threat report:

http://www.f-secure.com/static/doc/labs_global/Research/Threat_Report_H1_2013.pdf

Format string exploitation tutorial:

http://packetstorm.igor.onlinedirect.bg/papers/attack/formatstring-tutorial.pdf

Cracking WatchGuard passwords:

http://funoverip.net/2013/09/cracking-watchguard-passwords/

Data exfiltration in targeted attacks:

http://blog.trendmicro.com/trendlabs-security-intelligence/data-exfiltration-in-targeted-attacks/

Account hijacking with third-party login:

https://lightraft.com/blog/account-hijacking-with-third-party-login/

Building OS X trojans with AppleScript, homoglyphs, and iTunes:

http://www.tripwire.com/state-of-security/vulnerability-management/trojan-mac-building-os-x-trojans-applescript-homoglyphs-itunes/

Shylock financial malware back, targeting 2 dozen major banks:

http://threatpost.com/shylock-financial-malware-back-and-targeting-two-dozen-major-banks/102343#.Ujq5wFAkf2k.twitte

Global phishing survey: trends and domain name use, 1H2013:

http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf

Affiliate network for mobile malware impersonates Google Play:

http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks-users-installing-premium-rate-sms-sending-rogue-apps/

Apple ships OS X 10.8.5 security update, fixes sudo bug at last:

http://nakedsecurity.sophos.com/2013/09/13/apple-ships-os-x-10-8-5-security-update-fixes-sudo-bug-at-last/
