WatchGuard Security Week in Review: Ruby on Rails Botnet

Welcome to our weekly network and information security (Infosec) highlights. While I normally deliver these highlights in a short video, I’m currently attending WatchGuard’s 2013 Global Partner Conference, and couldn’t find the time to shoot this week’s episode. I’ll return to my regular programming cycle next week. Until then, here’s a written summary of the week’s security news.

Today’s stories includes a Ruby on Rail exploit plaguing web servers, a new Windows zero day flaw, a Drupal.org user account leak, and much more. Read below for more details, and join us next week when the regular video returns:

• Ruby on Rails exploit in the wild – During the past week, attackers have exploited a vulnerability in a popular web framework called Ruby on Rails to hijack web servers and force them to join a botnet. The flaw responsible for the hijackings was first discussed and patched back in January, but apparently many web administrators haven’t applied it yet. If you run a server with Ruby on Rail, make sure it’s up to date.
• Google researcher discloses zero day Windows kernel-mode driver flaw – A Google security researcher named Tavis Ormandy disclosed a zero day vulnerability in the kernel-mode driver that could allow local attackers to gain full system privileges on Windows 7 and 8 computers (and perhaps earlier versions too). In his normal style, Ormandy released details and proof of concept (PoC) code for this flaw before giving Microsoft time to patch the issue. I’ve never personally liked Ormandy’s disclosure strategy, but he does find many security flaws. The good news is attackers can only exploit this flaw if they can run a program locally or the victim’s computer, or can trick one of your users into doing it for them. We’ll let you know when Microsoft patches.
• Drupal.org breached and user accounts leaked – Like the many sites before them, Drupal.org was breached by an unidentified hacker who stole the user credentials, email addresses, and hashed passwords of millions of their users. They claim no financial information was stolen. If you have a Drupal account, change your Drupal password immediately (and hopefully you don’t use that password anywhere else).
• Suspected game company hacker charged in Perth –  A  teenaged, Perth-based hacker who calls himself SuperDaE was charged  this week in Australia with various computer related offenses. SuperDaE claims to have breached many game companies, including Microsoft, Sony, Epic, and Blizzard. He also claims to have stolen game engine code, SDK, and early information and details about Sony and Microsoft’s upcoming new consoles. Before his arrest, he threatened to release all this stolen information publicly if he wasn’t released at a certain time. The authorities haven’t shared much detail about the charges yet, but apparently SuperDaE is out on bail.
• Chinese attackers alleged to steal U.S. weapon system designs – According to a report to the Pentagon from the Defense Science Board, alleged Chinese attackers breached private government networks and accessed the designs of two dozen weapon systems. The report doesn’t blame China outright, but contains language that suggests the attacks were part of a long-term Chinese cyber attack campaign. Other articles correctly point out that many of these reports lack evidence, and we should avoid knee-jerk reactionscblaming China for every attack.
• Financial service targeted with another huge DDoS attack – According to a DDoS vendor, hackers targeted an unnamed financial service with a 167Gbps DDoS attack. While not quite as large as the recent 300Gbps DDoS attack against Spamhaus, it’s further proof that DDoS attackers are getting bigger every day.
• Anonymous related twitter feeds hijacked – In an ironic turn of events, a few twitter feeds that promote the Anonymous hacktivist group have been hijacked by rivals.

— Corey Nachreiner, CISSP (@SecAdept)

Share This: