
NOTABLE RECENT SECURITY ISSUES (technical users)

October 1st, 2013 | Posted by kwelladm in Alerts

SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Identity theft service discovered breaking into several data brokers

Description: Independent security reporter Brian Krebs broke the news last week that the notorious underground identity theft service SSNDOB had gained access to several major personal and business data aggregation services, including Lexis/Nexis and Dun & Bradstreet. The intrusions, which had been ongoing for at least several months, used malware that exfiltrated data over an encrypted channel to attacker-controlled systems. Investigations by the affected firms are ongoing, but the scope of the damage is expected to be extremely widespread.

Reference:

https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

Snort SID: 28085

ClamAV:

Title: Rapid7, University of Michigan release unprecedented scan data

Description: A collaboration announced last week between the creators of Metasploit and the University of Michigan is providing security researchers with massive data sets collected through responsible, detailed scanning of large sections of the Internet. The project, which aims to expose poor security practices and help clear up issues such as the 10,000 root shells available via Telnet that were found during the scans, is so far receiving positive reviews from other researchers, and is likely to grow in scope as others make use of the data it provides.

Reference:

http://threatpost.com/new-project-sonar-crowdsources-embedded-device-vulnerability-analysis/102457

https://community.rapid7.com/community/infosec/sonar/blog/2013/09/26/welcome-to-project-sonar

Snort SID: N/A

ClamAV: N/A


Title: Linksys WRT110 router remote command execution

Description: A trivially exploitable remote command execution vulnerability, initially disclosed in July, had a Metasploit module released for it last week, dramatically increasing the likelihood of widespread exploitation in the wild. The bug, which likely affects other related firmware sets as well, can be exploited via the web interface without authentication. No patches are available at this time.

Reference:

http://seclists.org/bugtraq/2013/Jul/78

http://www.exploit-db.com/exploits/28484/

Snort SID: 28052

ClamAV: N/A

=========================================================

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Resources for getting started with iOS hacking:

http://winocm.com/research/2013/09/20/resources-for-getting-started/

CVE-2013-3122: from null to control – persistence pays off with crashes:

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2013-3112-From-NULL-to-Control-Persistence-pays-off-with/ba-p/6217089#.Ukmb_sbktB1

From Russia with love.exe – the Russian underground hacking culture:

http://privacy-pc.com/articles/from-russia-with-love-exe-the-russian-underground-hacking-culture.html

Large-scale detection of DOM-based XSS:

http://ben-stock.de/wp-content/uploads/domxss.pdf

Delivering an executable without an executable:

http://vrt-blog.snort.org/2013/09/delivering-executable-without-executable.html

CVE-2013-0640: Adobe Reader XFA oneOfChild uninitialized memory vulnerability:

http://labs.portcullis.co.uk/blog/cve-2013-0640-adobe-reader-xfa-oneofchild-un-initialized-memory-vulnerability-part-1/

Blind SQLi -> SQLi -> Command execution -> Meterpreter – based on a true story:

http://breenmachine.blogspot.com/2013/02/blind-sqli-sqli-command-execution.html

Mailbox.app JavaScript execution:

http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/

OSX/Leverage.a analysis:

http://www.alienvault.com/open-threat-exchange/blog/osx-leverage.a-analysis

Analysis of the FBI Tor malware:

http://oweng.myweb.port.ac.uk/fbi-tor-malware-analysis/
