(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Since Monday 2015-10-26, we've noticed a particular campaign sending malicious spam (malspam) with links to download CryptoWall 3.0 ransomware. This campaign has been impersonating domain registrars. Conrad Longmore blogged about it last week [1], and Techhelplist.com has a good write-up on the campaign [2]. Several other sources have also discussed this wave of malspam [3, 4, 5, 6, 7, 8, to name a few].

For this diary, we'll take a closer look at the emails and the associated CryptoWall 3.0 malware.

The malspam

Based on what I've seen, this malspam was delivered to recipients who didn't use privacy protection when they registered their domains. Their contact information is publicly listed in the whois records for their domains. The criminals behind the campaign are collecting this publicly available information, impersonating the registrars, and sending malspam to the email addresses listed as points of contact. Below are two examples of the emails.
Shown above: Screenshot from one of the emails that spoofed Tucows, Inc.

Enom and Tucows are just two of the many examples people have reported. When looking at the email headers, you'll find these were not sent from the actual registrars.
Shown above: Header lines that show the second example was not sent by Tucows, Inc.

If you receive one of the emails, the link follows a specific pattern: http://[unrelated compromised website]/abuse_report.php?[your domain name]. The domain names are not important.
Shown above: I substituted a string of Xs for the domain name in a URL from one of the emails.

The emails have different senders, and they contain a variety of domains in the URLs to download the malware. I've compiled a list of the first 100 emails I found to give an idea of the scope of this campaign.
Shown above: Some of the emails seen from this CryptoWall 3.0 malspam campaign.

The malware

I grabbed a sample of the CryptoWall 3.0 on Tuesday 2015-11-03.

File name: [domain name]_copy_of_complaints.pdf.scr
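As an added illustration (not code from the diary), here is a small Python triage check that flags a message on the two indicators described above: a link of the form /abuse_report.php?[recipient's own domain] on a host unrelated to the sender, and a download name with the document-then-.scr double extension. The sample messages, addresses and host names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the diary: the link path and the payload filename suffix.
ABUSE_PATH = "/abuse_report.php"
PAYLOAD_SUFFIX = "_copy_of_complaints.pdf.scr"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Generic form of the same trick: a document-looking name ending in an executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|txt)\.(scr|exe|pif|com)$")


def check_email(from_addr, recipient_domain, body, filename=None):
    """Return the reasons a message matches this campaign; an empty list means no match."""
    reasons = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    recipient_domain = recipient_domain.lower()
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        # The campaign keys the query string to the victim's own registered domain.
        if parts.path.endswith(ABUSE_PATH) and parts.query.lower() == recipient_domain:
            relation = "unrelated to" if not host.endswith(sender_domain) else "same as"
            reasons.append(f"abuse_report.php link keyed to recipient domain on host {host} "
                           f"({relation} sender domain {sender_domain}): {url}")
    if filename:
        name = filename.lower()
        if name.endswith(PAYLOAD_SUFFIX):
            reasons.append("download named like the campaign payload: " + filename)
        elif DOUBLE_EXT_RE.search(name):
            reasons.append("document-looking name with executable extension: " + filename)
    return reasons


# Constructed sample messages (not real mail from the campaign).
SAMPLE_MESSAGES = [
    {"from": "abuse@tucows.com", "rcpt_domain": "example.com",
     "body": "A complaint was filed against your domain. Review it at "
             "http://compromised-site.example.net/abuse_report.php?example.com",
     "filename": "example.com_copy_of_complaints.pdf.scr"},
    {"from": "billing@example.org", "rcpt_domain": "example.com",
     "body": "Your invoice is at https://portal.example.org/invoice?id=42",
     "filename": "invoice.pdf"},
]


def scan(messages):
    """Run check_email over a batch; one list of reasons per message, in order."""
    return [check_email(m["from"], m["rcpt_domain"], m["body"], m.get("filename"))
            for m in messages]
```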


FBI General Counsel James Baker discussing encryption with cybersecurity policy expert Susan Landau. (credit: Jon Brodkin)

FBI General Counsel James Baker today spoke about how encryption is making it increasingly difficult for law enforcement agencies to conduct surveillance. While the FBI has previously argued in favor of backdoors that let authorities defeat encryption, Baker said the issue must ultimately be decided by the American people.

“We are your servants,” Baker said. “The FBI are your servants, we will do what you want us to do.”

Baker was speaking in a panel discussion titled “Going Dark: The Balance Between Encryption, Privacy, and Public Safety” at the annual Advanced Cyber Security Center conference in Boston.




Researchers have uncovered a new type of Android adware that's virtually impossible to uninstall, exposes phones to potentially dangerous root exploits, and masquerades as one of thousands of different apps from providers such as Twitter, Facebook, and even Okta, a two-factor authentication service.

The researchers have found more than 20,000 samples of trojanized apps that repackage the code or other features found in official apps available in Google Play and then are posted to third-party markets. From the end user's perspective, the modified apps look just like the legitimate apps, and in many cases they provide the same functionality and experience. Behind the scenes, however, the apps use powerful exploits that gain root access to the Android operating system. The exploits—found in three app families known as Shedun, Shuanet, and ShiftyBug—allow the trojanized apps to install themselves as system applications, a highly privileged status that's usually reserved only for operating system-level processes.

"For individuals, getting infected with Shedun, Shuanet, and ShiftyBug might mean a trip to the store to buy a new phone," researchers from mobile security firm Lookout wrote in a blog post published Wednesday. "Because these pieces of adware root the device and install themselves as system applications, they become nearly impossible to remove, usually forcing victims to replace their device in order to regain normalcy."



Have you ever considered how many Critical Controls your contextual (e.g. Next Generation) platform applies to? I bet it is more than you think. Consider your application-aware platform's feature that does deep layer 7 packet inspection and identifies applications. Wait a second: I assumed that by "inventory" the Control meant going around to every workstation and assessing what was installed? Sure, that is a critical component, but with application-aware platforms, your platform can quickly be turned into an audit device. Set up a span/mirror/tap on a spare port and assess VLANs. Pull reports on ingress/egress segments. This is all part of implementing critical controls.

First, you can run analysis and identify what applications and services are leaving your environment. Add encryption inspection on top of that, and the platform becomes an effective shadow Information Technology (IT) audit device. Imagine for a moment business unit X, which we will call Marketing for now (secretly I like to pick on marketing because they are maverick thinkers). Marketing decides they need a new website with explosive new features. They know that IT Security will have a cow over this, but it will drive business, they say. Now, how many of us have either:

A) Seen this

B) Had a colleague tell us about it

C) Can imagine it

We will go one step further for this illustration and say that super-important Event Y is in 3 weeks. This event is the biggest XYZ event in our industry.

For this scenario we will go a few strides further and say the event and the launch are a smashing success. Now ask yourself: does Marketing go back and update? Do they contract for maintenance? Does all of the regular work it takes to maintain an IT application actually happen? Who knows!

People drive business, and features and function drive revenue, to be sure! Now, let's get back to Critical Control number 2: know thyself (i.e. software). For sure, you should inventory what software is deployed in your environment. This includes more than what your contextual next-generation platform can see, but let's stop for a moment. Some software stays local on systems, while a great deal of software talks to the cloud. What if there were a platform that could pervasively identify (wait, I am setting myself up here) applications? The platform can give you insight into the applications and services running in your environment and serve as an analysis platform. This can clearly aid in Critical Control 2 as well as serve as an audit and control platform.

Let us say there is a research and development network segment that needs inventory. There is an effort underway to assess, pragmatically, each workstation. Now imagine if you could have a view into what applications were in regular use. Application-aware platforms are a Critical Control 2 enabler!

Richard Porter

--- ISC Handler on Duty


A sampling of third-party data sharing by Android apps. Images for iOS apps looked similar. (credit: Technology Science)

Apps in both Google Play and the Apple App Store frequently send users' highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.

The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as "herpes" and "interferon" to no fewer than five domains with no notification that it was happening.

"The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs," the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. "Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data."


The National Cybersecurity Center of Excellence (NCCoE) requests comments on a draft guide to help organizations better secure and manage their mobile devices. The draft NIST Cybersecurity Practice Guide Mobile Device Security: Cloud & ...

In our data, we often find researchers performing internet-wide scans. To better identify these scans, we would like to add a label to these IPs identifying them as part of a research project. If you are part of such a project, or if you know of one, please let me know. You can submit any information as a comment or via our contact form. If the IP addresses change often, a URL with a parseable list would be appreciated to facilitate automatic updates.

Johannes B. Ullrich, Ph.D.
