Hackin9

SANS Institute to Tackle Credit Card Fraud at Minneapolis Information Security ...
MarketWatch
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security ...

 

A security researcher has published attack code he said makes it easy to steal the iCloud passwords of people using the latest version of Apple iOS for iPhones and iPads.

The proof-of-concept attack exploits a flaw in Mail.app, the default iOS e-mail program. Since the release of version 8.3 in early April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.

"This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message," a user with the GitHub name jansoucek wrote in a readme file accompanying the exploit. "JavaScript is disabled in this UIWebView, but it is still possible to build a functional password 'collector' using simple HTML and CSS [cascading style sheets]."


 

Introduction

Since Monday 2015-05-25 (a bit more than 2 weeks ago), we've seen a significant amount of CryptoWall 3.0 ransomware from malicious spam (malspam) and the Angler exploit kit (EK).

A malspam campaign pushing CryptoWall 3.0 started as early as Monday 2015-05-25, but it has increased significantly since Monday 2015-06-08. The CryptoWall 3.0 push from Angler EK appears to have started around the same time. Both campaigns (malspam and Angler EK) were active as recently as Wednesday 2015-06-10.

The timing of these campaigns indicates they might be related and possibly initiated by the same actor.

[Image] Shown above: Path 1 shows the infection chain.

CryptoWall 3.0 from malspam

This campaign has been using Yahoo email addresses to send the malspam. So far, all the attachments have been named my_resume.zip. The first week of this campaign, the material extracted from the zip attachments was always an HTML file named my_resume.svg. At that time, the CryptoWall 3.0 ransomware was downloaded from a compromised server. This week, the extracted HTML file names use random numbers, with names like resume4210.html or resume9647.html. Furthermore, the CryptoWall is now hosted on various docs.google.com URLs.

Opening the attachment and extracting the malicious file gives you an HTML document.

Here are some of the URLs from the unzipped HTML files:

[Image: URLs from the unzipped HTML files]

If you open one of these HTML files, your browser will generate traffic to a compromised server. The return traffic is gzip compressed, so you won't see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows:

[Image: text exported from Wireshark]

Here are some of the docs.google.com URLs we saw from the traffic on Wednesday (all of the same form):

(https) docs.google.com - GET /uc?export=download

Examining the traffic in Wireshark, you'll see a chain of events:

[Image] Shown above: Wireshark display of the chain of events.

Run the downloaded malware on a Windows host, and you'll find traffic that's typical for CryptoWall 3.0. The bitcoin address for ransom payment by this malware sample is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag. It's the same bitcoin address from a previous sample found on Thursday 2015-06-04, when we were first notified of this particular malspam [1]. We also saw the same bitcoin address used on Tuesday 2015-06-09, associated with another sample [2].

[Image] Shown above: Decrypt instructions from the sample.

CryptoWall 3.0 from Angler EK

We first noticed Angler EK pushing CryptoWall 3.0 on Tuesday 2015-05-26 [3]. I posted a diary about it on Thursday 2015-05-28 [4]. This was the first time I'd seen version 3.0 of CryptoWall sent by Angler. I've seen more since. My last documented instance of Angler EK sending CryptoWall 3.0 happened on Tuesday 2015-06-09 [5]. We're still seeing examples where Angler EK delivers it. In each case I've documented, the bitcoin address for the ransom payment was the same.

Angler EK is still being used by other groups to send different malware payloads. However, the appearance of CryptoWall 3.0 in Angler since 2015-05-26 using the same bitcoin address indicates this is a separate campaign by a specific actor.

This week, compromised websites that redirected to Angler had code injected into their web pages, much like the example below:

[Image: code injected into a compromised website]

A fellow security professional notified me this is a common injection technique used on WordPress sites that have been compromised.

The image below shows the 2015-06-09 traffic:

[Image] Shown above: Wireshark display on Angler EK and the post-infection traffic by CryptoWall 3.0.
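A defender-side triage routine for the malspam pattern described above (a my_resume.zip attachment holding a small HTML or SVG file that pulls the next stage from a remote URL, lately a docs.google.com download link). This is an added example, not code from the diary or the ISC; the zip sample is constructed inline, and the docs.google.com id in it is a placeholder.

```python
import io
import re
import zipfile

# Indicators taken from the diary: attachment named my_resume.zip, containing a
# payload named my_resume.svg (first week) or resume<digits>.html (later weeks),
# which then fetches CryptoWall 3.0 via a docs.google.com/uc?export=download URL.
NAME_RE = re.compile(r"^(my_resume\.svg|resume\d+\.html)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
GDRIVE_RE = re.compile(r"^https://docs\.google\.com/uc\?export=download", re.IGNORECASE)
HTML_MAGIC = (b"<!doctype", b"<html", b"<script", b"<meta", b"<svg")


def triage_zip_attachment(filename: str, data: bytes) -> dict:
    """Inspect a zip attachment and score it against the campaign's indicators."""
    findings = {"attachment": filename, "members": [], "urls": [],
                "gdrive_urls": [], "score": 0}
    if filename.lower() == "my_resume.zip":
        findings["score"] += 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            is_html = content.lstrip().lower().startswith(HTML_MAGIC)
            findings["members"].append({"name": info.filename, "html": is_html})
            if NAME_RE.match(info.filename):       # resume-themed HTML/SVG name
                findings["score"] += 2
            if is_html:                            # markup hiding inside a "resume"
                findings["score"] += 1
                for url in URL_RE.findall(content.decode("utf-8", "replace")):
                    findings["urls"].append(url)   # any remote fetch is worth a look
                    if GDRIVE_RE.match(url):       # the hosting seen this week
                        findings["gdrive_urls"].append(url)
                        findings["score"] += 2
    findings["verdict"] = "suspicious" if findings["score"] >= 3 else "clean"
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment mimicking the diary's description (not a real artefact)."""
    html = (b"<html><body><meta http-equiv='refresh' content=\"0;url="
            b"https://docs.google.com/uc?export=download&id=PLACEHOLDER_ID\">"
            b"</body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume4210.html", html)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment("my_resume.zip", build_sample()))
```

The score thresholds are arbitrary and meant for mail-gateway triage, not as a definitive verdict; a clean zip with no markup and no URLs scores 0.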

Final Words

The timing of these two campaigns, along with their consistent use of the same bitcoin addresses for the ransom payment, suggests they are related. They may have been initiated by the same actor. This is a significant trend in our current threat landscape. We will continue to monitor this activity and report any significant changes in the situation.

Update - Thursday 2015-06-11 at 01:13 UTC

I generated more Angler EK traffic on 2015-06-11 at 00:09 UTC. This time, I got a sample using a different bitcoin address than I'd seen from previous Angler-based CryptoWall 3.0 payloads. This bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, began transactions during the same timeframe as other samples associated with this campaign.

At this point, I'm not 100 percent certain it's the same actor behind all this CryptoWall 3.0 we've been seeing lately. However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.

Traffic and the associated malware can be found at:

The zip file is protected with the standard password. If you don't know it, email [email protected] and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2015/06/04/index.html
[2] http://malware-traffic-analysis.net/2015/06/09/index2.html
[3] http://malware-traffic-analysis.net/2015/05/26/index.html
[4] https://isc.sans.edu/diary/Angler+exploit+kit+pushing+CryptoWall+30/19737
[5] http://malware-traffic-analysis.net/2015/06/09/index.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Lockheed Martin, the global security and aerospace company, estimates that widely used software testing methods developed at the National Institute of Standards and Technology (NIST) can trim test planning and design costs by up to 20 ...
 

Thanks to Rob for reminding me of IPv4 auction websites again. I looked at them a couple of years ago, but there was very little real activity at the time. Looks like that has changed now. ARIN is essentially out of IPv4 space, and very restrictive in handing out any additional addresses. It has gotten very hard, if not impossible, to obtain a larger block of IPv4 space. So it is no surprise that markets for IPv4 space are coming up.

These markets are not in line with registrar policies [1]. If someone receives an IP address assignment, then they don't technically own the addresses. Once they are no longer needed, they are supposed to be returned to ARIN to be handed to the next applicant in line. But there has been little enforcement, and there have always been grey areas. For example, a company may buy another company, and in the process obtain access to that company's IP address space. Later, assets other than the IP address space could be sold off, leaving the buyer with the rights to the IP address space.

Here are some of the sites offering IP address space (I am not endorsing them, and have no idea how real they are):

- ipv4auctions.com. Currently three offers for space up to a /20 at $7-$10 per address. There are a couple of bids.
- ebay.com. There are a number of auctions with IP addresses for sale and for rent. Looks like they are going for about the same price as the addresses at ipv4auctions.com [2]

Some sites have done so in the past, but have already shut down (e.g. tradeipv4.com). In other cases, the nanog mailing list was used to offer IP address space, or IP addresses were purchased as part of bankruptcy auctions [3].

[1] http://www.internetsociety.org/internet-society-open-letter-transfer-internet-protocol-addresses
[2] http://www.ebay.com/itm/IP-Address-22-Routable-IP-Block-Four-Class-C-For-Sale-or-Rent-/181769443467?pt=LH_DefaultDomain_0hash=item2a524d988b
[3] http://www.maximumpc.com/borders-sells-65536-ipv4-addresses-for-12-each/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Shared hardware has always been a weakness of virtualization products. In some cases side channel attacks can be exploited to collect information from other virtual machines, or bugs in drivers can be exploited to fully escape a virtual machine, as happened recently with floppy disk drivers [1] [2].

The latest variation of this is an attack against VMWare Workstation that takes advantage of COM1. This serial port is configured by default and used for printer sharing. Using printer sharing, the user can access a printer connected to the host [3].

To implement this feature, VMWare uses vprintproxy.exe. This executable receives the file to be printed from the guest and passes it to the host's printer. The guest uses the serial port COM1 to send data to vprintproxy.exe. The data is sent to vprintproxy.exe as an Enhanced Metafile Spool Format file, or EMFSPOOL file for short. Sadly, vprintproxy.exe does not parse these files safely, and crafted files can lead to exploits against vprintproxy.exe, which runs as whatever user started VMWare.

This is a threat to VMWare Workstation. In particular, if you are using VMWare Workstation to analyze malicious code, you should be extra careful. VMWare released a patch yesterday, but you may have missed it among the other patch Tuesday issues.

[1] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/
[2] https://eprint.iacr.org/2014/248.pdf
[3] https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/preview?sle=true#heading=h.dv8d1g4lp83q

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Use-After-Free in PHP
 
Multiple Vulnerabilities in ISPConfig
 
Arbitrary File Disclosure and Open Redirect in Bonita BPM
 
Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability
 

SANS Institute to Tackle Credit Card Fraud at Minneapolis Information Security ...
Virtual-Strategy Magazine (press release) (registration) (blog)
BETHESDA, Md., June 10, 2015 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced the SANS Minneapolis 2015 security training event taking place July 20 – 25. The event features hands-on ...

 

SANS Institute to Tackle Credit Card Fraud at Minneapolis Information Security ...
MarketWatch
BETHESDA, Md., June 10, 2015 /PRNewswire-USNewswire/ -- SANS Institute, the global leader in information security training, today announced the SANS Minneapolis 2015 security training event taking place July 20 – 25. The event features hands-on ...

 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Updated abrt packages that fix multiple security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. [More...]
 
LinuxSecurity.com: Update to 1.3.11. This release is mainly fixing a number of outstanding issues and security fixes. Minor features have been added to enhance functionality and usability. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released
 
LinuxSecurity.com: Update to 2.9.4, which fixes CVE-2015-3202.
 
LinuxSecurity.com: Security fixes: The XSRF token is now encoded with a random mask on each request. This makes it safe to include in compressed pages without being vulnerable to the BREACH attack. This applies to most applications that use both the xsrf_cookies and gzip options (or have gzip applied by a proxy). Backwards-compatibility notes: If Tornado 3.2.2 is run at the same time as older versions on the same domain, there is some potential for issues with the differing cookie versions. The Application setting xsrf_cookie_version=1 can be used for a transitional period to generate the older cookie format on newer servers.
 
LinuxSecurity.com: Security fix for CVE-2015-3201
 
LinuxSecurity.com: strongSwan could be made to expose sensitive information over the network.
 
 

Not long after blowing the lid off a National Security Agency-backed hacking group that operated in secret for 14 years, researchers at Moscow-based Kaspersky Lab returned home from February's annual security conference in Cancun, Mexico to an even more startling discovery. Since some time in the second half of 2014, a different state-sponsored group had been casing their corporate network using malware derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.

Some of the malware's stealth capabilities were unlike anything Kaspersky researchers had ever seen, and in many respects, the malware was more advanced than the malicious programs developed by the NSA-tied Equation Group that Kaspersky just exposed. More intriguing still, Kaspersky antivirus products showed the same malware has infected one or more venues that hosted recent diplomatic negotiations the US and five other countries have convened with Iran over its nuclear program. Also puzzling: among the other 100 or fewer estimated victims were parties involved in events remembering the 70th anniversary of the liberation of the Auschwitz-Birkenau extermination camp.

Developers planted several false flags in the malware to give the appearance its origins were in Eastern Europe or China. But as the Kaspersky researchers delved further into the 100 modules that encompass the platform, they discovered it was an updated version of Duqu, the malware discovered in late 2011 with code directly derived from Stuxnet. Evidence later suggested Duqu was used to spy on Iran's efforts to develop nuclear material and keep tabs on the country's trade relationships. Duqu's precise relation to Stuxnet remained a mystery when the group behind it went dark in 2012. Now, not only was it back with updated Stuxnet-derived malware that spied on Iran, it was also escalating its campaign with a brazen strike on Kaspersky.


 
[security bulletin] HPSBUX03341 SSRT102068 rev.1 - HP-UX Apache Tomcat v7.x, Remote Denial of Service (DoS) and Other Vulnerabilities
 
Elasticsearch vulnerability CVE-2015-4165
 
Logstash vulnerability CVE-2015-4152
 
Kibana vulnerability CVE-2015-4093
 

Catch all the highlights from Infosec in one video
Naked Security (blog)
If you couldn't make it to Infosecurity Europe in London last week, you missed quite a bit – great talks by our security experts, plus lots of games, prizes and fun at our very popular event stand. Well, don't feel bad. You can catch up on ...
