Thursday, January 18, 2018
Home Tags Microsoft Silverlight

Tag: Microsoft Silverlight

Firm says it'll rebrief everyone to 'meet its usual high standards' Virgin Media has promised to ensure all its agents are fully equipped to offer advice on the Poodle vulnerability, after a security expert exposed the failure of outsourced Indian call centre staff to explain and fix the problem. Independent security consultant Paul Moore, who is also a Virgin customer, was contacted by the company, told that he was vulnerable to Poodle and was offered a £20 "premium technical support" service to fix it. However, following a series of calls made to Virgin's Gadget Rescue service, run by an outsourced company based in India, the agents repeatedly failed to explain what the problem was. On the final call the agent tried – and failed – and failed to fix the problem remotely by installing Java, Adblock+, Silverlight, Flash and various other software. Moore recorded the calls, which The Register has listened to. "I made six calls, each landing with a different call handler.
It's abundantly clear that not a single call handler had even heard of Poodle, let alone had the knowledge required to fix it," he said. He added: "Beyond Poodle, the technician made a number of dangerous and unauthorised changes to the device.

They're also yet to clarify why it was necessary to disable F-Secure antivirus completely; something which could be described as 'reckless' as it introduces a significant risk to the end user. He also purged the 'prefetch' directory, further demonstrating a complete lack of technical knowledge." Moore said he was been promised a refund for the service. He was also contacted by a senior executive of Virgin's outsourced company. “He admitted the level of service 'was appalling', to use his words,” Moore told The Register, “and that they're taking several steps to ensure it cannot happen again.” A Virgin spokesman said: “We strive to maintain high levels of customer satisfaction with our Gadget Rescue service and ensure that agents are able to handle all enquiries.
In this case, we apologise that a Gadget Rescue agent did not meet our usual high standards. We have ensured that all agents are fully equipped to offer advice on the Poodle vulnerability.” ® Sponsored: Securing personal and mobile device use with next-gen network access controls
EnlargeMalware Don't Need Coffee Malicious websites are exploiting a recently fixed vulnerability in Microsoft's Silverlight application framework to perform drive-by malware attacks on vulnerable visitor devices, a security researcher has determined. ...
If you're a gamer (or anyone else), this is not a screen you want to see.Bromium LabsIt's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them. "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit." According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below: EnlargeSucuri To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn't provide specifics). Driveby attacks not just on porn sites anymore The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote: The malware tries to infect all accessible .js files.

This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination.
It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection.
In other words, you either need to isolate every site or clean/update/protect all of them at the same time! People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.