Secplicity - Security Simplified

WatchGuard Security Week in Review: Ruby on Rails Botnet

May 31, 2013 By Corey Nachreiner

Welcome to our weekly network and information security (Infosec) highlights. While I normally deliver these highlights in a short video, I’m currently attending WatchGuard’s 2013 Global Partner Conference, and couldn’t find the time to shoot this week’s episode. I’ll return to my regular programming cycle next week. Until then, here’s a written summary of the week’s security news.

Today’s stories include a Ruby on Rails exploit plaguing web servers, a new Windows zero day flaw, a Drupal.org user account leak, and much more. Read below for more details, and join us next week when the regular video returns:

  • Ruby on Rails exploit in the wild – During the past week, attackers have exploited a vulnerability in the popular Ruby on Rails web framework to hijack web servers and force them to join a botnet. The flaw responsible for the hijackings was first discussed and patched back in January, but apparently many web administrators haven’t applied the patch yet. If you run a server with Ruby on Rails, make sure it’s up to date.
  • Google researcher discloses zero day Windows kernel-mode driver flaw – A Google security researcher named Tavis Ormandy disclosed a zero day vulnerability in a Windows kernel-mode driver that could allow local attackers to gain full system privileges on Windows 7 and 8 computers (and perhaps earlier versions too). In his normal style, Ormandy released details and proof of concept (PoC) code for this flaw before giving Microsoft time to patch the issue. I’ve never personally liked Ormandy’s disclosure strategy, but he does find many security flaws. The good news is that attackers can only exploit this flaw if they can already run a program locally on the victim’s computer, or can trick one of your users into doing it for them. We’ll let you know when Microsoft patches.
  • Drupal.org breached and user accounts leaked – Like the many sites before them, Drupal.org was breached by an unidentified hacker who stole the user credentials, email addresses, and hashed passwords of millions of their users. They claim no financial information was stolen. If you have a Drupal account, change your Drupal password immediately (and hopefully you don’t use that password anywhere else).
  • Suspected game company hacker charged in Perth – A teenaged, Perth-based hacker who calls himself SuperDaE was charged this week in Australia with various computer-related offenses. SuperDaE claims to have breached many game companies, including Microsoft, Sony, Epic, and Blizzard. He also claims to have stolen game engine code, SDKs, and early information and details about Sony’s and Microsoft’s upcoming new consoles. Before his arrest, he threatened to release all of this stolen information publicly if he wasn’t released by a certain time. The authorities haven’t shared much detail about the charges yet, but apparently SuperDaE is out on bail.
  • Chinese attackers alleged to steal U.S. weapon system designs – According to a report to the Pentagon from the Defense Science Board, alleged Chinese attackers breached private government networks and accessed the designs of two dozen weapon systems. The report doesn’t blame China outright, but contains language that suggests the attacks were part of a long-term Chinese cyber attack campaign. Other articles correctly point out that many of these reports lack evidence, and we should avoid knee-jerk reactions blaming China for every attack.
  • Financial service targeted with another huge DDoS attack – According to a DDoS mitigation vendor, attackers hit an unnamed financial service with a 167Gbps DDoS attack. While not quite as large as the recent 300Gbps DDoS attack against Spamhaus, it’s further proof that DDoS attacks are getting bigger every day.
  • Anonymous-related Twitter feeds hijacked – In an ironic turn of events, a few Twitter feeds that promote the Anonymous hacktivist group have been hijacked by rivals.
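The Ruby on Rails item above boils down to "know what version you are actually running and whether it is at or past the patched release". As an added example (not code from the Secplicity post or from the Rails project), this Ruby snippet reads the Rails version pinned in a project's Gemfile.lock and compares it to a minimum patched version; the sample lockfile is constructed, and the version floor passed in is a placeholder to be replaced with the release named in the advisory you are tracking.

```ruby
# Added example: check the Rails version resolved in a Gemfile.lock against a
# minimum patched release. Not from the original post; the lockfile below is a
# constructed sample and the floor version passed by the caller is a PLACEHOLDER.
require 'rubygems'

# Constructed sample Gemfile.lock fragment (not any real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.0)
      rails (3.2.0)
        actionpack (= 3.2.0)
        railties (= 3.2.0)
      railties (3.2.0)

  DEPENDENCIES
    rails (= 3.2.0)
LOCK

# The resolved version lives in the "specs:" section as "  rails (x.y.z)".
# Dependency lines such as "rails (= x.y.z)" are skipped on purpose: they state
# a constraint, not what Bundler actually resolved.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s+rails \((\d+(?:\.\d+)*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Returns true only when a Rails version is pinned AND it is >= minimum.
# A lockfile with no resolved Rails entry is treated as not verified (false),
# which is the safe default for a patch audit.
def rails_patched?(lock_text, minimum)
  version = rails_version_from_lock(lock_text)
  return false if version.nil?
  version >= Gem::Version.new(minimum)
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  floor = ARGV[1] || '3.2.1' # PLACEHOLDER floor; use the advisory's patched release
  found = rails_version_from_lock(lock)
  puts "resolved rails: #{found || 'none'}; minimum: #{floor}; " \
       "patched: #{rails_patched?(lock, floor)}"
end
```

Run it as `ruby check_rails.rb path/to/Gemfile.lock 3.2.1` (hypothetical file name and placeholder floor); Gem::Version handles multi-component comparisons correctly, so "3.2.10" sorts after "3.2.9".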

— Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes Tagged With: Drupal, Drupal.org, Hacking, kernel-mode driver, Malware, Ormandy, Ruby on Rails, SuperDaE, Updates and patches, Zero day exploit

Comments

  1. Alexander Kushnarev (Rainbow Security) says

    June 9, 2013 at 11:16 am

    1. From my own admin experience (in the past) – I know that regular patching can be a tremendous headache, especially when you look after a number of servers/services and workstations, and I know how hard it is to create a “test zone” for patches… But anyway, half a year (that particular exploit for Ruby on Rails was found in Jan 2013) is enough to patch publicly available web servers. Better to be faster than to be sorry…
    2. For everyone who is curious about additional technical details of the Linux/Cdorked.A mechanisms – the article below will be interesting to read:
    http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

    Reply
  2. chat ohne anmeldung says

    March 11, 2014 at 3:54 am

    Can I just say what a comfort to discover someone that genuinely understands what they are discussing on the net. You definitely realize how to bring an issue to light and make it important. A lot more people must check this out and understand this side of the story. I can’t believe you aren’t more popular since you certainly possess the gift.

    Reply
