(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Two days after researchers exposed a National Security Agency-tied hacking group that operated in secret for more than a decade, CIA hackers convened an online discussion aimed at preventing the same kind of unwelcome attention. The thread, according to a document WikiLeaks published Tuesday, was titled "What did Equation do wrong, and how can we avoid doing the same?"

Equation Group is the name Kaspersky Lab researchers gave to the hacking unit that was responsible for a string of hacks so sophisticated and audacious they were unlike almost any the world had seen before. For 14 years, and possibly longer, the hackers monitored computers in at least 42 countries, sometimes by exploiting the same Microsoft Windows vulnerabilities that would later be exploited by the Stuxnet worm that targeted Iran's nuclear program. The backdoors hid inside hard drive firmware and in virtual file systems, among other dark places, and had their own self-destruct mechanism, making it impossible for outsiders to grasp the true scope of the group's hacks.

Equation Group eventually came to light because of a handful of errors its members made over the years. One was the widespread use of a distinctive encryption routine: an RC5 implementation written with negated (subtracted) key-schedule constants rather than the standard positive constants that almost every other developer adds. The routine still produced correct RC5 output, but the nonstandard constants were a fingerprint that made Equation Group tools easy to cluster. Another mistake: failing to scrub variable names, developer account names, and similar artifacts left in various pieces of Equation Group malware. A third error was the failure to renew some of the domain name registrations that Equation Group-infected computers reported to. When Kaspersky Lab registered the lapsed domains, the researchers were surprised to find that machines infected by a malware platform abandoned more than 10 years earlier were still connecting to them.
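The RC5 constant fingerprint above is something an analyst can check for directly. The following is an added example, not code from the article, Kaspersky, or any Equation Group sample: it expands an RC5-32 key the textbook way (adding P = 0xB7E15163 and Q = 0x9E3779B9, the published RC5 constants) and again with the two's-complement negatives subtracted, shows the two schedules are identical, and then scans a constructed byte buffer for either form so a triage script can flag the negated variant. The byte buffer, the function names and the "variant" labels are assumptions made for this illustration; the only fixed facts are the standard constants and 32-bit modular arithmetic.

```python
import struct

# Standard RC5 constants for a 32-bit word (Rivest, 1994).
RC5_P32 = 0xB7E15163
RC5_Q32 = 0x9E3779B9
MASK32 = 0xFFFFFFFF

# Two's-complement negatives. Subtracting these is arithmetically the same
# as adding the standard constants modulo 2^32, so a "negated" build is
# fully interoperable with a textbook one; only the immediates differ.
NEG_P32 = (-RC5_P32) & MASK32  # 0x481EAE9D
NEG_Q32 = (-RC5_Q32) & MASK32  # 0x61C88647


def _rotl32(x: int, n: int) -> int:
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rc5_mix(key: bytes, s: list) -> list:
    """Shared RC5 key-mixing loop over an initialised S table."""
    c = max(1, (len(key) + 3) // 4)
    padded = key + b"\x00" * (c * 4 - len(key))
    l = list(struct.unpack("<%dI" % c, padded))
    t = len(s)
    i = j = a = b = 0
    for _ in range(3 * max(t, c)):
        a = s[i] = _rotl32((s[i] + a + b) & MASK32, 3)
        b = l[j] = _rotl32((l[j] + a + b) & MASK32, a + b)
        i = (i + 1) % t
        j = (j + 1) % c
    return s


def rc5_key_schedule_standard(key: bytes, rounds: int = 12) -> list:
    """Textbook RC5-32 key expansion: S[0] = P, S[i] = S[i-1] + Q."""
    t = 2 * (rounds + 1)
    s = [RC5_P32]
    for _ in range(1, t):
        s.append((s[-1] + RC5_Q32) & MASK32)
    return _rc5_mix(key, s)


def rc5_key_schedule_negated(key: bytes, rounds: int = 12) -> list:
    """Same schedule written the 'negated constants' way: subtract -P and -Q.
    This is the hypothetical coding style the fingerprint refers to."""
    t = 2 * (rounds + 1)
    s = [(0 - NEG_P32) & MASK32]
    for _ in range(1, t):
        s.append((s[-1] - NEG_Q32) & MASK32)
    return _rc5_mix(key, s)


# Immediate values a scanner should look for, mapped to (constant, variant).
_RC5_IMMEDIATES = {
    RC5_P32: ("P", "standard"),
    RC5_Q32: ("Q", "standard"),
    NEG_P32: ("P", "negated"),
    NEG_Q32: ("Q", "negated"),
}


def find_rc5_constants(blob: bytes) -> list:
    """Return (offset, constant, variant) for every little-endian 32-bit
    RC5 constant found at any byte offset in blob."""
    hits = []
    for off in range(len(blob) - 3):
        val = struct.unpack_from("<I", blob, off)[0]
        if val in _RC5_IMMEDIATES:
            hits.append((off,) + _RC5_IMMEDIATES[val])
    return hits


def rc5_variant(blob: bytes) -> str:
    """Summarise a scan: 'negated' if any negated constant is present,
    'standard' if only textbook constants are present, else 'none'."""
    variants = {v for _, _, v in find_rc5_constants(blob)}
    if "negated" in variants:
        return "negated"
    if "standard" in variants:
        return "standard"
    return "none"


# Constructed sample "code": two NOPs, then x86 'mov eax, imm32' (0xB8) and
# 'sub eax, imm32' (0x2D) carrying the negated constants. Not real malware.
SAMPLE_NEGATED = (b"\x90\x90\xb8" + struct.pack("<I", NEG_P32)
                  + b"\x2d" + struct.pack("<I", NEG_Q32))
# Constructed textbook variant: 'mov eax, P' then 'add eax, Q' (0x05).
SAMPLE_STANDARD = (b"\xb8" + struct.pack("<I", RC5_P32)
                   + b"\x05" + struct.pack("<I", RC5_Q32))

if __name__ == "__main__":
    key = bytes(range(16))
    print("schedules equal:",
          rc5_key_schedule_standard(key) == rc5_key_schedule_negated(key))
    print(find_rc5_constants(SAMPLE_NEGATED), rc5_variant(SAMPLE_NEGATED))
    print(find_rc5_constants(SAMPLE_STANDARD), rc5_variant(SAMPLE_STANDARD))
```

Scanning for the four immediates at every byte offset is deliberately naive: it catches constants embedded in instruction operands, data tables and packed resources alike, at the cost of occasional coincidental matches, so treat a hit as a pivot for manual review rather than a verdict. The equality of the two key schedules is the point the fingerprint rests on: the nonstandard build was cryptographically unremarkable and only distinctive in how it was written.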


BlackBerry Good Control Server CVE-2016-3127 Information Disclosure Vulnerability
IBM WebSphere Commerce CVE-2016-5894 Local Information Disclosure Vulnerability
Multiple I-O DATA Network Camera Products Multiple Security Vulnerabilities
Access CX App CVE-2017-2110 SSL Certificate Validation Security Bypass Vulnerability
Stack-based buffer overflow in Western Digital My Cloud allows for remote code execution

The old headquarters building of the CIA in McLean, Virginia. A cache of files from CIA's Langley, Virginia, cyber-intelligence center has apparently been obtained by WikiLeaks.

This morning, WikiLeaks posted the first of what the organization's spokesperson says is a multi-part series of documents and files from the Central Intelligence Agency. "The first full part of the series, 'Year Zero', comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina [sic]," WikiLeaks' spokesperson said in a press release.

The documents, many of them incomplete or redacted, appear to be pulled in part from an internal Wiki, while others appear to have been part of a user file directory. In a move unusual for WikiLeaks, individuals' names have been redacted and replaced with unique identifiers. "These redactions include tens of thousands of CIA targets and attack machines throughout Latin America, Europe, and the United States," WikiLeaks' spokesperson explained in the release. "While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks."

The documents include instructions for using hacking tools, tips on configuring Microsoft Visual Studio (classified as Secret/NOFORN), and testing notes for various hacking tools. Among the hacking tools listed are those for iOS, a collection of Android zero-days, and hacking techniques from various sources, including the UK's GCHQ and the National Security Agency. These tools, WikiLeaks claimed, "permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Weibo, Confide, and Cloackman by hacking the 'smart' phones that they run on and collecting audio and message traffic before encryption is applied." That does not mean the CIA has broken the encryption used by those apps; WikiLeaks' claim rests on the ability to "root" the device, at which point messages can be read from the app before they are encrypted or after they are decrypted, with the protocol itself untouched.


SEC Consult SA-20170307-0 :: Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud
CloudFlare Information Disclosure Vulnerability
Trend Micro SafeSync for Enterprise Multiple Security Vulnerabilities
PrimeDrive Desktop Application Installer DLL Loading Remote Code Execution Vulnerability
Linux Kernel Multiple Information Disclosure Vulnerabilities
dotCMS VU#168699 Multiple Security Vulnerabilities
IBM QRadar SIEM CVE-2016-2880 Local Hardcoded Credentials Information Disclosure Vulnerability
QEMU 'hw/usb/hcd-ohci.c' Denial of Service Vulnerability
Multiple AlienVault Products Authentication Bypass Vulnerability
WordPress Prior to 4.7.3 Cross Site Request Forgery Vulnerability
WordPress Prior to 4.7.3 Multiple Cross Site Scripting Vulnerabilities
Pivotal Cloud Foundry Elastic Runtime CVE-2017-4959 Privilege Escalation Vulnerability
Linux Kernel 'net/sctp/socket.c' Local Denial of Service Vulnerability
PhreeBooksERP CVE-2017-5990 Multiple Cross Site Scripting Vulnerabilities
Linux Kernel 'kvm/emulate.c' Null Pointer Dereference Denial of Service Vulnerability
WordPress audio playlist functionality is affected by Cross-Site Scripting