Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Researchers have uncovered a group of Wall Street-savvy hackers that has penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.

FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will inject a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success.

E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns. Witness the following:


 
Graphviz 'agerr()' Function Remote Format String Vulnerability
 
LinuxSecurity.com: Libksba could be made to crash or run programs if it opened a specially crafted file.

LinuxSecurity.com: FLAC could be made to crash or run programs as your login if it opened a specially crafted file.

LinuxSecurity.com: ppp could be made to crash or run programs as an administrator if it opened a specially crafted file.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated perl-Mojolicious package fixes security vulnerability: An assumption in Mojolicious before 5.48 CGI parameter handling can result in parameter injection attacks. [More...]
 
LinuxSecurity.com: Updated file packages fix security vulnerability: An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of an ELF file. This could lead to a crash of the file executable (CVE-2014-3710). [More...]
 
LinuxSecurity.com: Updated perl-Plack package fixes security vulnerability: Plack::App::File would previously strip trailing slashes off provided paths. This in combination with the common pattern of serving files with Plack::Middleware::Static could allow an attacker to bypass a [More...]
 
LinuxSecurity.com: Updated libksba packages fix security vulnerability: By using special crafted S/MIME messages or ECC based OpenPGP data, it is possible to create a buffer overflow, which could lead to a denial of service (CVE-2014-9087). [More...]
 

The depth and breadth of the cyber attack on Sony Pictures Entertainment was further revealed this weekend as at least five full-length films have been released on file-sharing sites—including some films that have not yet been released in theaters.

The World War II film Fury, currently in release, is among the films apparently released by hackers on file-sharing sites, as are the soon-to-be-released remake Annie, Mr. Turner, To Write Love on Her Arms, and Still Alice, according to a report by Variety on Saturday. By Sunday, Fury had been downloaded more than 1.2 million times, according to figures provided to Variety by the German IT forensics firm Excipio.

Meanwhile, Sony has reportedly brought in federal law enforcement to investigate the attack and retained the cyber security firm Mandiant to help restore its corporate network, though a Sony Pictures spokesperson would not confirm those reports.


 

This is a guest diary submitted by Brad Duncan.

During the past few months, botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware.

Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and other phishing campaigns.

Let's take a closer look at one of the November phishing waves.

On 11 Nov 2014, I saw at least 60 emails with "Duplicate Payment Received" in the subject line.

After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled.

Shown above: events from Sguil in Security Onion.

File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block.

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net
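Added example, not code from the diary or from Brad Duncan: a Python triage routine for the two artifacts a defender has from a wave like this, the Word attachment and the outbound fetch of the payload. It identifies the container by its magic bytes, looks inside OOXML files for vbaProject.bin (for a legacy binary .doc it can only say "possible", since confirming VBA there needs an OLE stream walk such as oletools' olevba), records the SHA-256 (the diary notes the hashes rotated mid-wave, so hash-only blocking lags the attacker), and matches connection destinations against the 62.76.185.0/24 block named above. The attachments and connection events are constructed for the demo; the individual hosts inside the /24 are invented.

```python
"""Attachment triage for macro-borne droppers such as the Dridex wave above.

Added example, not code from the diary. Per attachment it answers: which
container is it, can it carry VBA, does it (for OOXML) actually carry VBA,
and what is its SHA-256. Sample inputs below are constructed; only the
62.76.185.0/24 block comes from the diary text.
"""
import hashlib
import io
import ipaddress
import zipfile
from typing import Dict, List, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsm
KNOWN_PAYLOAD_NET = ipaddress.ip_network("62.76.185.0/24")  # from the diary


def classify_attachment(name: str, data: bytes) -> Dict[str, str]:
    """Container type, macro status (none/possible/present) and SHA-256."""
    result = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
              "container": "other", "macro": "none"}
    if data.startswith(OLE2_MAGIC):
        # A binary Office file can always carry VBA; confirming it needs an OLE
        # stream walk (oletools' olevba does that), so mark it "possible".
        result["container"] = "ole2"
        result["macro"] = "possible"
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            result["container"] = "bad-zip"
            return result
        # Word keeps compiled VBA in word/vbaProject.bin; a clean .docx has none.
        if any(n.endswith("vbaProject.bin") for n in names):
            result["macro"] = "present"
    return result


def verdict(att: Dict[str, str]) -> str:
    """Gateway decision used by this example: block confirmed macros, send
    macro-capable binaries to a sandbox, pass the rest to normal AV scanning."""
    return {"present": "block", "possible": "detonate"}.get(att["macro"], "pass")


def payload_fetches(events: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Outbound (src, dst, dport) events whose destination is in the block
    the diary associates with the Dridex download."""
    return [e for e in events if ipaddress.ip_address(e[1]) in KNOWN_PAYLOAD_NET]


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip for the demo, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed sample inputs (names and bytes invented for this example).
SAMPLE_ATTACHMENTS = {
    "Duplicate_Payment.docm": _build_ooxml(True),
    "invoice.docx": _build_ooxml(False),
    "Payment_Receipt.doc": OLE2_MAGIC + b"\x00" * 504,  # CFB header only
    "notes.txt": b"plain text, nothing to see",
}
SAMPLE_CONNECTIONS = [  # constructed; only the /24 is from the diary
    ("10.0.0.15", "62.76.185.10", 80),
    ("10.0.0.15", "93.184.216.34", 443),
    ("10.0.0.22", "62.76.185.200", 8080),
]


def triage(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Name -> verdict for a batch of attachments."""
    return {n: verdict(classify_attachment(n, d)) for n, d in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        att = classify_attachment(name, data)
        print(f"{verdict(att):9} {att['container']:7} macro={att['macro']:8} "
              f"{att['sha256'][:16]}... {name}")
    for src, dst, port in payload_fetches(SAMPLE_CONNECTIONS):
        print(f"payload fetch candidate: {src} -> {dst}:{port}")
```

The "detonate" verdict for legacy .doc files is deliberate: the OOXML check is cheap and certain, the binary format is not, and a campaign that rotates documents every few hours is exactly the case where a sandbox or olevba pass beats a hash list.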

 

Trade Arabia

SANS to host advanced InfoSec training in Dubai
Trade Arabia
A leading InfoSec training event is set to offer three intensive training courses on hacker techniques, web app penetration testing and reverse-engineering of malware in Dubai, UAE next month. The SANS Dubai 2015 will be led by SANS certified ...

 
Huawei P7-L10 'PackageInstaller' Module Remote Security Bypass Vulnerability
 
[RT-SA-2014-011] EntryPass N5200 Credentials Disclosure
 
[RT-SA-2014-009] Information Disclosure in TYPO3 Extension ke_questionnaire
 
[RT-SA-2014-007] Remote Code Execution in TYPO3 Extension ke_dompdf
 
Slider Revolution Responsive/Showbiz Pro Responsive Teaser Multiple Security Bypass Vulnerabilities
 
libFLAC 'src/libFLAC/stream_decoder.c' Stack Buffer Overflow Vulnerability
 
Mutt 'mutt_substrdup()' Function Heap Based Buffer Overflow Vulnerability
 

Just when folks get around to implementing SSL, we need to retire SSL! Not a week goes by that a client isn't asking me about SSL (or more usually TLS) vulnerabilities or finding issues on their network.

In a recent case, my client had just finished a datacenter / PCI audit, and had one of his servers come up as using SSL 2.0, which of course has been deprecated since 1996 - the auditor's recommendation was to update to SSL 3.0 (bad recommendation, keep reading on).

1/ W-a-a-a-y too many assessments consist of scanning the target, and pasting the output of the scanning tool into the final report.

2/ In this case, the person writing the report had either not read the text they were pasting, or was not knowledgeable enough to understand that updating from SSL 2 to SSL 3 wasn't going to get to a final good state. Shame on them either way!

As a side note, if the site (it was on an internal network remember) was running plain old HTTP, then the scanner would not have identified a problem, and the person behind the scanner would very likely have missed this completely! (OOPS)

Anyway, my client's *real* question was: how can we scan our network for vulnerable SSL versions and ciphers, but not pay big bucks for an enterprise scanning tool or a consultant?

My answer was (that day) - NMAP of course!

To check for weak or strong ciphers on a server or subnet, use the script ssl-enum-ciphers:

nmap -Pn -p443 isc.sans.edu --script=ssl-enum-ciphers

Nmap scan report for isc.sans.edu (66.35.59.249)
Host is up (0.097s latency).
rDNS record for 66.35.59.249: isc.sans.org
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
|_
Nmap done: 1 IP address (1 host up) scanned in 34.63 seconds

You can scan specifically for SSLv2 devices using the script sslv2.nse:

nmap -Pn -p443 --open --script=sslv2.nse <target>

Nmap scan report for 192.168.122.246
Host is up (0.029s latency).
PORT STATE SERVICE
443/tcp open https
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
MAC Address: 00:E0:81:CE:9E:74 (Tyan Computer)

NMAP also has an ssl-heartbleed script (if you're still focused on that) and an ssl-poodle script, but you'll need to download that one from the script page at http://nmap.org/nsedoc/scripts/ - it's not in the base installation.

While you're at it, take a look at cipher support on any SSH enabled devices on your network - you are likely to be surprised at what you find. For instance, this is the management interface of my home firewall - I'm not thrilled with the 3des-cbc and MD5 support, but I guess that's why there

Nmap scan report for 192.168.122.1
Host is up (0.0020s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (1)
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (4)
| aes128-cbc
| 3des-cbc
| aes192-cbc
| aes256-cbc
| mac_algorithms: (4)
| hmac-sha1
| hmac-sha1-96
| hmac-md5
| hmac-md5-96
| compression_algorithms: (1)
|_
Nmap done: 1 IP address (1 host up) scanned in 47.39 seconds

Or, for a real eye-opener, scan your subnet for SSHv1 enabled devices - note that this scan (and the previous one) assumes that your SSH service is on port 22. In a zero knowledge scan, you'd of course scan a wider range of ports (all of them if there

nmap -Pn -p22 192.168.122.0/24 --script=sshv1.nse

This scan didnt find anything at my house, but it *always* finds stuff at client sites!
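Added example, not Rob's code and not part of the original diary: a Python parser that reads the normal (-oN) output of the ssl-enum-ciphers, sslv2 and ssh2-enum-algos runs above and prints one line per weak item per host, so a report is built from a rule set rather than from the script's own labels. That matters for the output above: the 2014 ssl-enum-ciphers marks TLS_RSA_WITH_3DES_EDE_CBC_SHA "strong", which SWEET32 (2016) later showed to be optimistic, and it passes no judgement at all on diffie-hellman-group1-sha1 or hmac-md5 on the firewall. The rules (SSLv2/SSLv3, export suites, RC4, 3DES, MD5 MACs, 1024-bit DH, CBC over SSH, 96-bit MAC tags) are this example's own, and the embedded scan text is constructed in nmap's layout, not a real scan. Parsing ignores indentation, so output pasted into a report with its leading spaces lost, as on this page, still parses.

```python
"""Flag weak SSL/TLS and SSH algorithms in nmap -oN output (added example).

Usage: python nmap_weak_crypto.py [scan.txt]; with no file it parses the
constructed sample below. Rules are this example's own, not nmap's grades.
"""
import re
import sys
from typing import Dict, List

KNOWN_SCRIPTS = {"ssl-enum-ciphers", "sslv2", "ssh2-enum-algos", "sshv1"}

# (regex over one protocol/cipher/algorithm line, reason it is flagged)
WEAK_RULES = [
    (r"^SSLv2 supported", "SSLv2 enabled (prohibited by RFC 6176)"),
    (r"^SSLv3:(?! No supported)", "SSLv3 enabled (POODLE)"),
    (r"^SSL2_", "SSLv2 cipher suite"),
    (r"EXPORT", "export-grade key length"),
    (r"_RC4_|^arcfour", "RC4 stream cipher"),
    (r"3DES|^3des-", "3DES, 64-bit block size (SWEET32)"),
    (r"_MD5$|^hmac-md5", "MD5-based MAC"),
    (r"^diffie-hellman-group1-sha1$", "1024-bit DH group (Logjam-class)"),
    (r"-cbc$", "CBC-mode SSH cipher (2008 plaintext-recovery attack)"),
    (r"^hmac-(sha1|md5)-96$", "truncated 96-bit MAC tag"),
]

_HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
_PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+open")
_NSE_RE = re.compile(r"^\|_?( *)(.*?)\s*$")   # '| ' and '|_' detail lines

# Constructed sample in nmap's -oN layout; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.122.246
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|_
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5

Nmap scan report for 192.168.122.1
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (1)
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (2)
|       aes128-ctr
|       3des-cbc
|   mac_algorithms: (2)
|       hmac-sha1
|_      hmac-md5
"""


def parse_nse_lines(text: str) -> List[Dict[str, str]]:
    """One record per NSE detail line: host, port, script, and the line with
    nmap's own ' - strong'/' - weak' grade stripped. Indentation is ignored."""
    records, host, port, script = [], "", "", ""
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            host, port, script = m.group(1), "", ""
            continue
        m = _PORT_RE.match(line)
        if m:
            port, script = m.group(1), ""
            continue
        m = _NSE_RE.match(line)
        if not m or not m.group(2):
            continue
        content = m.group(2)
        if content.rstrip(":") in KNOWN_SCRIPTS:
            script = content.rstrip(":")
            continue
        records.append({"host": host, "port": port, "script": script,
                        "item": content.split(" - ")[0].strip()})
    return records


def weak_crypto_findings(text: str) -> List[Dict[str, object]]:
    """Every weak item, with all the rule reasons that apply to it."""
    findings = []
    for rec in parse_nse_lines(text):
        reasons = [why for pat, why in WEAK_RULES if re.search(pat, rec["item"])]
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def report(text: str) -> str:
    return "\n".join(f"{f['host']} {f['port']} [{f['script']}] {f['item']}: "
                     + "; ".join(f["reasons"]) for f in weak_crypto_findings(text))


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    print(report(source) or "no weak algorithms found")
```

Save the scans with -oN (for example nmap -Pn -p443 --script=ssl-enum-ciphers,sslv2 -oN tls.txt 192.168.122.0/24) and point the script at the file; one line per weak item per host is what belongs in the report, not the raw script dump.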

What crypto support issues have you found when you scanned for them? And how long do you think these problems were there? Please, share your story using our comment link!

===============
Rob VandenBrink
Metafore

 

 
LibYAML and Perl YAML-LibYAML Module 'scanner.c' Remote Denial of Service Vulnerability
 
CVE-2014-3809: Reflected XSS in Alcatel Lucent 1830 PSS-32/16/4
 

SANS Dubai 2015 to Host Advanced InfoSec Training on Hacker Techniques ...
Zawya (registration)
SANS Dubai 2015, one of the Gulf region's largest InfoSec training events will be offering three intensive training courses led by SANS certified instructors from Saturday 31st January to Thursday 5th February 2015 at the Hilton Dubai Jumeirah Resort.

 
[SECURITY] [DSA 3081-1] libvncserver security update
 
[The ManageOwnage Series, part IX]: 0-day arbitrary file download in NetFlow Analyzer and IT360
 
libFLAC 'src/libFLAC/stream_decoder.c' Heap Buffer Overflow Vulnerability
 
[SECURITY] [DSA 3083-1] mutt security update
 
[SECURITY] [DSA 3082-1] flac security update
 
[SECURITY] [DSA 3080-1] openjdk-7 security update
 
[SECURITY] [DSA 3079-1] ppp security update
 
WordPress <=4.0 Denial of Service Exploit (CVE-2014-9034)
 