Information Security News
As early as Wednesday 2015-05-27, there have been more waves of malicious spam (malspam) spoofing myfax.com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new; they've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day.
I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages. Below is an example of the messages blocked by my organization.
Shown above: myfax-themed malspam.
The above example shows two types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK.
Last week's messages were similar. Shown above: myfax-themed malspam from Thursday.
In a lab environment, those links ending with fax.php returned HTML with iframes. Unfortunately, I wasn't able to generate any Neutrino EK traffic. The domain names for the Neutrino URLs didn't
We saw the following fax.php URLs from the malspam:
www.faura-casas.com - GET /wp-content/plugins/feedweb_data/fax.php
We also found the following URLs for zip files from the malspam:
Indicators of compromise (IOC) from the infection traffic:
The image below shows Emerging Threats-based Snort events on the infection traffic using Security Onion. The events indicate a Fareit/Pony downloader infected the lab host with Graftor.
A sample of the Pony downloader was submitted to malwr.com at: https://malwr.com/analysis/ODExOWNlY2Y4N2QwNDhkNmE4YmFkODc2ODA3NzlkNDI/
A sample of the follow-up malware was also submitted to malwr.com at: https://malwr.com/analysis/OTc4MWY3OTdmZDZkNGYxMGJhNGRkMDAzOThlNmQ1NmI/
Post-infection traffic contains HTTP GET requests for a small image file with an image of Marlon Brando from the Godfather movies. Matthew Mesa found
The image contains some ASCII text for the last 1.4 KB or so of the file, which indicates
-artifacts.zip
The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.
GitHub has revoked an unknown number of cryptographic keys used to access accounts after a developer found they contained a catastrophic weakness that came to light some seven years ago.
The keys, which allow authorized users to log into public repository accounts belonging to the likes of Spotify, Yandex, and UK government developers, were generated using a buggy pseudo random number generator originally contained in the Debian distribution of Linux. During a 20-month span from 2006 to 2008, the pool of numbers available was so small that it made cracking the secret keys trivial. Almost seven years after Debian maintainers patched the bug and implored users to revoke old keys and regenerate new ones, London-based developer Ben Cartwright-Cox said he discovered the weakness still resided in a statistically significant number of keys used to gain secure shell (SSH) access to GitHub accounts.
"If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cartwright-Cox wrote in a blog post published Monday. "It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker."
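The check a practitioner wants after reading this: fingerprint the public keys on an account (GitHub serves them at https://github.com/<user>.keys) and compare them with a weak-key blacklist. The script below is an added example, not GitHub's or Cartwright-Cox's code. It assumes the openssh-blacklist lookup convention (the last 20 hex digits of the key's MD5 fingerprint, one per line), and both the keys and the blacklist are constructed for the demo, so the "weak" verdict here only proves the plumbing; point it at a real blacklist (Debian's openssh-blacklist files, or run ssh-vulnkey) to get a real answer.

```python
"""Fingerprint SSH public keys and check them against a weak-key blacklist (added example)."""
import base64
import hashlib
import struct


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")   # extra leading 0x00 keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw


def _sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def rsa_public_line(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys-style 'ssh-rsa AAAA...' line from (e, n)."""
    blob = _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")


def parse_key_line(line: str):
    """Return (key_type, blob, comment) for one public-key line; None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # authorized_keys lines may carry options first (e.g. no-pty); the key type is the
    # first field starting with 'ssh-' or 'ecdsa-'. (Quoted options with spaces are not handled.)
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            tlen = struct.unpack(">I", blob[:4])[0]
            if blob[4:4 + tlen] != f.encode():
                raise ValueError("key type field does not match blob")
            return f, blob, " ".join(fields[i + 2:])
    raise ValueError("no key found in line: %r" % line)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, as printed by `ssh-keygen -l -E md5`."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """'SHA256:' + unpadded base64 digest, as printed by modern `ssh-keygen -l`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def blacklist_token(blob: bytes) -> str:
    """Lookup token: last 20 hex digits of the MD5 fingerprint (assumed blacklist format)."""
    return hashlib.md5(blob).hexdigest()[-20:]


def load_blacklist(text: str) -> set:
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def check_keys(keys_text: str, blacklist: set) -> list:
    """Return [(label, md5_fingerprint, is_weak)] for every key line in keys_text."""
    out = []
    for line in keys_text.splitlines():
        parsed = parse_key_line(line)
        if parsed is None:
            continue
        ktype, blob, comment = parsed
        out.append((comment or ktype, md5_fingerprint(blob), blacklist_token(blob) in blacklist))
    return out


# Constructed demo keys (toy moduli, not real RSA keys) and a constructed blacklist.
WEAK_N = 0xB5E3A7C1D9F2468A0C3E5B7D9F1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3D
WEAK_KEY = rsa_public_line(65537, WEAK_N, "deploy@oldbox")
OK_KEY = rsa_public_line(65537, WEAK_N + 2, "alice@laptop")
KEYS_FILE = "# constructed .keys listing\n" + WEAK_KEY + "\nno-pty " + OK_KEY + "\n"
BLACKLIST_FILE = "# constructed blacklist\n" + blacklist_token(parse_key_line(WEAK_KEY)[1]).upper() + "\n"


if __name__ == "__main__":
    for label, fp, weak in check_keys(KEYS_FILE, load_blacklist(BLACKLIST_FILE)):
        print("%-16s %s %s" % (label, fp, "WEAK - revoke" if weak else "ok"))
```

For a real run, replace `KEYS_FILE` with the contents of an authorized_keys file or a downloaded `<user>.keys` listing and `BLACKLIST_FILE` with the blacklist for the matching key type and size; `ssh-keygen -l -E md5 -f key.pub` prints the same fingerprint the script computes, which is a handy cross-check.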
Infosec 2015: Cloud location doesn't deter hackers, says Google chief
So claims Eran Feigenbaum, director of security for Google Apps, who said that where data resides has no bearing on how safe it is. Speaking at a keynote at this week's Infosec show in London, he asked delegates if they thought where data was stored ...
Data centre location is irrelevant to hackers, argues Google
by Sean Gallagher
Thanks to resistance from Senator Rand Paul and other members of the Senate, the provisions of the USA Patriot Act that were used to justify the National Security Agency's broad collection of phone call metadata have expired. The Senate leadership is now scrambling to pass legislation that will restore some of these provisions, though the phone metadata provision, Section 215 of the Patriot Act, will likely not be renewed as it stood prior to its expiration.
So what does that do to the NSA's surveillance capabilities from a technical standpoint? All it really does is change where phone records are retained—they're back at the telephone carriers. It may create some technical and administrative hurdles to gain access to records, but those are hurdles the NSA has likely already addressed.
Section 215 changed aspects of the Foreign Intelligence Surveillance Act to allow requests through the Foreign Intelligence Surveillance Court for secret warrants that would grant access to "certain business records" by the FBI—including individuals' library and medical records, book sales records, educational records, and other "tangible things" related to interactions with businesses and public institutions. The NSA's bulk collection of phone records was justified under this provision—the request was made jointly with the FBI, and the phone companies who were served with the warrants were compelled to provide the data directly to the NSA. Because of their secrecy, these warrants compelled those served with them not to reveal that they had turned over data.
Infosec 2015: More UK businesses than ever face data breaches as costs spiral
The number of security breaches suffered by UK companies has increased, according to a government-backed report. Unveiled at the Infosec conference in London this week, the 2015 Information Security Breaches Report found that nine-in-ten organisations ...
Do You Know How Much a Data Breach Would Cost Your Organization?
Infosec 2015: Power, money and propaganda are main aims of cyberattacks ...
GCHQ's cyber security chief warned that the nation's businesses are at risk of being attacked by criminals and terrorists whose main motivations are money, power and propaganda. Giving a keynote speech at the Infosec conference held in London this week ...
GCHQ gros fromage stays schtum on Snowden and snooping
GCHQ 'genuinely surprised' at scale and scope of cyberattacks against UK
GCHQ launches cybersecurity consultancy to help reduce vulnerabilities in ...
[Guest Diary: Xavier Mertens] [Playing with IP Reputation with Dshield]
When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a WordPress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: an attack performed from an IP address reported as actively scanning the Internet will not (or will less) attract my attention. On the contrary, if the same kind of attack is coming from an unknown IP address, this could be more suspicious.
By using a reputation system, our monitoring tool can tag an IP address with a label like "reported as malicious" based on a repository. The real value of this repository depends directly on the value of the collected information. I'm a big fan of dshield.org (https://www.dshield.org), a free service provided by the SANS Internet Storm Center. Such a service works thanks to the data submitted by many people across the Internet. For years, I've also been pushing my firewall logs to dshield.org from my OSSEC server. I wrote a tool to achieve this: ossec2dshield (https://github.com/xme/ossec2dshield). Having contributed to the system, it's now time to get some benefit from my participation: I'm re-using the database to automatically check the reputation of the IP addresses attacking me. We come full circle!
To achieve this, let's use the API (https://isc.sans.edu/api/) provided on isc.sans.org and the OSSEC (http://www.ossec.net) feature called Active-Response, which allows a script to be triggered upon a set of conditions. In this example, we call the reputation script with our attacker's address for any alert with a level >= 6.
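What such an active-response script can look like, as an added example (not Xavier Mertens' own script): OSSEC hands it the alert's source IP, it asks the ISC API about that address, and it writes a key=value verdict line for the log parser. The endpoint shape (https://isc.sans.edu/api/ip/<ip>?json), the field names assumed in the answer (count, attacks, mindate, maxdate, as), the triage thresholds and the log path are all assumptions, marked in the code; the sample reports are constructed, not real DShield data. The ossec.conf fragment that wires it up is shown in the module docstring.

```python
#!/usr/bin/env python3
"""OSSEC active-response script tagging an attacking IP with its DShield reputation (added example).

OSSEC calls active-response scripts as:  <script> <action> <user> <srcip> <alertid> <ruleid>
The matching ossec.conf fragment (assumed placement under <ossec_config>):
    <command>
      <name>dshield-lookup</name>
      <executable>dshield-lookup.py</executable>
      <expect>srcip</expect>
      <timeout_allowed>no</timeout_allowed>
    </command>
    <active-response>
      <command>dshield-lookup</command>
      <location>local</location>
      <level>6</level>          <!-- fires for alerts of level 6 and above -->
    </active-response>
"""
import ipaddress
import json
import sys
import urllib.request
from datetime import date, datetime, timedelta

ISC_API = "https://isc.sans.edu/api/ip/{ip}?json"   # assumed endpoint shape
LOG_PATH = "/var/ossec/logs/active-responses.log"    # assumed log destination
USER_AGENT = "ossec-dshield-lookup example script"

# Assumed thresholds: a source reported by many DShield sensors is background noise.
MASS_SCANNER_TARGETS = 50      # distinct targets reported ("attacks")
MASS_SCANNER_REPORTS = 500     # reports/packets seen ("count")
RECENT_DAYS = 30


def fetch_report(ip: str, opener=urllib.request.urlopen) -> dict:
    """Query the ISC API for one address and return its 'ip' object."""
    ipaddress.ip_address(ip)   # only ever put a syntactically valid IP into the URL
    req = urllib.request.Request(ISC_API.format(ip=ip), headers={"User-Agent": USER_AGENT})
    with opener(req, timeout=10) as resp:
        return json.load(resp)["ip"]


def classify(report: dict, today: str = None) -> str:
    """Triage verdict for a DShield report; 'today' is YYYY-MM-DD (defaults to now)."""
    ref = datetime.strptime(today, "%Y-%m-%d").date() if today else date.today()
    count = int(report.get("count") or 0)
    attacks = int(report.get("attacks") or 0)
    if count == 0 and attacks == 0:
        return "unknown"           # nobody has reported it: look closer, not less
    recent = False
    if report.get("maxdate"):
        last = datetime.strptime(report["maxdate"], "%Y-%m-%d").date()
        recent = ref - last <= timedelta(days=RECENT_DAYS)
    if attacks >= MASS_SCANNER_TARGETS or count >= MASS_SCANNER_REPORTS:
        return "mass-scanner" if recent else "mass-scanner-stale"
    return "reported" if recent else "reported-stale"


def tag_line(ip: str, report: dict, verdict: str, alert_id: str = "-", rule_id: str = "-") -> str:
    """One log line per lookup, key=value so the SIEM can parse and correlate it."""
    return ("dshield-lookup: ip={ip} verdict={v} reports={c} targets={a} first={f} last={l} "
            "as={asn} alert={aid} rule={rid}").format(
        ip=ip, v=verdict, c=report.get("count") or 0, a=report.get("attacks") or 0,
        f=report.get("mindate") or "?", l=report.get("maxdate") or "?",
        asn=report.get("as") or "?", aid=alert_id, rid=rule_id)


# Constructed sample reports shaped like the assumed API answer (not real DShield data).
SAMPLE_SCANNER = {"number": "203.0.113.7", "count": 18234, "attacks": 942,
                  "mindate": "2015-04-01", "maxdate": "2015-06-01", "as": "64496"}
SAMPLE_UNKNOWN = {"number": "198.51.100.9", "count": 0, "attacks": 0,
                  "mindate": None, "maxdate": None, "as": "64497"}


def main(argv) -> int:
    if len(argv) < 4 or argv[1] != "add":
        return 0                   # ignore 'delete' (timeout) and malformed calls
    ip = argv[3]
    alert_id = argv[4] if len(argv) > 4 else "-"
    rule_id = argv[5] if len(argv) > 5 else "-"
    try:
        report = fetch_report(ip)
        line = tag_line(ip, report, classify(report), alert_id, rule_id)
    except Exception as exc:       # a failed lookup must never break active-response
        line = "dshield-lookup: ip=%s verdict=error detail=%s" % (ip, exc)
    with open(LOG_PATH, "a") as fh:
        fh.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The verdict deliberately inverts the usual reputation logic in one place: an address DShield has never seen gets "unknown" and deserves more attention than a well-known mass scanner, which is the point the diary makes about the brute-forced /wp-admin page. A rule in OSSEC matching `verdict=unknown` or `verdict=reported` on the active-responses log can then raise the level of the original alert.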
Thousands of 'lost data' reports mean we should ARM the ICO, says infosec bod
Infosec 2015 Thefts and losses of computers and laptops often go unreported to data privacy watchdogs and could represent a huge hidden risk for the leak of confidential data, according to new research. The Information Commissioner's Office received 1 ...