The gate to the Bowman Avenue Dam facility in Rye Brook, NY is locked, but the cellular modem used for its controls wasn't. (credit: Google)

In 2013, someone gained access to the operations center for the Bowman Avenue Dam, a small flood control dam on Blind Brook in Rye Brook, New York. The attackers were later identified in a classified Department of Homeland Security report as being the same Iranian group alleged to have been responsible for attacks on PNC Financial Services Group, SunTrust, and Capital One Financial.

The attack was first made public in December 2015 by a Wall Street Journal report. Now, according to a CNN report, the US Department of Justice is preparing to file an indictment against those believed to be behind the intrusion—individuals believed to have been operating at the direction of the Iranian government.

Calling the intrusion an "attack" may be a bit of an overstatement—the controls of the dam were not accessed, according to government officials cited anonymously by CNN, and only "back office systems" were penetrated. The intrusion was made possible by a broadband cellular modem used to connect the small facility to the Internet, and the Bowman Avenue facility was targeted by a network scan for industrial control systems exposed to the Internet.



Making a typo in a tweet that then gets retweeted is bad enough, but imagine how dumb these hackers feel. Reuters reports that hackers broke into Bangladesh's central bank in February and started transferring large sums to accounts in the Philippines and Sri Lanka from an account held at the Federal Reserve Bank of New York.

Unfortunately for the hackers, only four of these transfers, for a total value of about $81 million, went through successfully. Not because the break-in was detected by the Bangladesh Bank or because heavily armed police kicked down the hackers' doors and arrested them all at gunpoint... but because one of the transfers had a typo. Attempting to transfer $20 million to a Sri Lankan non-governmental organization called the Shalika Foundation, the hackers instead attempted a transfer to the Shalika "Fandation." Staff at Deutsche Bank spotted this error and got in contact with the Bangladeshis to ask for clarification. The ruse was discovered and the remaining transfers were canceled.

Reuters writes that the NGO does not in fact appear to exist.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Adobe has issued an emergency update for its Flash media player that patches almost two dozen critical vulnerabilities, including one that's being maliciously exploited in the wild.

"These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system," Adobe officials wrote in an advisory published Thursday. "Adobe is aware of a report that an exploit for CVE-2016-1010 is being used in limited, targeted attacks." The notice advises Flash users to install the update as soon as possible.

CVE-2016-1010 is the common vulnerabilities and exposures designation for an integer overflow vulnerability that allows attackers to remotely execute malicious code on vulnerable computers. Adobe credited Anton Ivanov of Kaspersky Lab with discovering the zero-day vulnerability but provided no additional details. In an e-mail, a Kaspersky representative wrote:




KaiXin exploit kit (EK) was first identified in August 2012 by Kahu Security [1]. KaiXin has remained a staple of the EK scene, and it generally hasn't changed too much in the years since it first appeared. I've most often kicked off infection chains for this EK by browsing Korean websites. Last week on Thursday 2016-03-04, I saw some ad traffic with injected script that led to KaiXin EK. Let

Today's infection chain was kicked off by a banner ad after viewing a Korean website. I

Patterns seen in the KaiXin EK landing page are similar to images shown in the Kahu Security article from 2012 [1]. In this case, a Flash exploit was sent before the payload. That's something I hadn't noticed before. This Flash exploit was first submitted to Virus Total on 2015-08-18 [2], and it appears to be based on the CVE-2014-0569 vulnerability.

I used tcpreplay to run this traffic through Security Onion and generate alerts. I tried it once using the Talos subscriber ruleset and once using the EmergingThreats ruleset. As a reminder, Security Onion 14.04 was released earlier this year [4]. If you haven't transitioned from 12.04 yet, I highly recommend it.

Final words

in September 2015 [5]. That traffic showed a Java exploit sent as a .jar file. However, no .jar files were noted in the March 2016 traffic for today's diary. Instead, we saw a Flash exploit. Other EKs have already been using Flash exploits for a long while now. I guess KaiXin EK is trying to keep up with more advanced EKs like Angler, Neutrino, Nuclear, and Rig.

Traffic and malware for this diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://www.kahusecurity.com/2012/new-chinese-exploit-pack/
[2] https://www.virustotal.com/en/file/32b4d011c312873e58e47e6a6dd9410f11ed08f5a02328f45765a17e240816e6/analysis/
[3] http://malware.dontneedcoffee.com/2014/10/cve-2014-0569.html
[4] http://blog.securityonion.net/2016/03/reminder-upgrade-from-security-onion.html
[5] https://twitter.com/malware_traffic/status/646394072362557442


(credit: Tim Ellis)

Cothority, a new software project designed to make secret backdoored software updates nearly impossible, is offering to help Apple ensure that any secret court orders to backdoor its software cannot escape public scrutiny.

Currently, when Apple or any software maker issues a software update, they sign the update with their encryption keys. But those keys can be stolen, and a government could coerce the company to sign a backdoored software update for a targeted subset of end users—and do so in secret.

Cothority decentralises the signing process, and scales to thousands of cosigners. For instance, in order to authenticate a software update, Apple might require 51 percent of 8,000 cosigners distributed around the world.
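To make the threshold idea concrete, here is an added example in Go (not Cothority's own code; Cothority aggregates cosignatures into a single collective signature, whereas this keeps each cosigner's Ed25519 signature separate for clarity). An update is accepted only when at least the threshold of distinct cosigners has validly signed its digest, so one stolen or coerced key cannot authorize it alone. The cosigner set, threshold and update bytes are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Cosigner is one independent witness holding its own Ed25519 key pair.
type Cosigner struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

type Cosignature struct {
	Index int    // position of the cosigner in the trusted set
	Sig   []byte // that cosigner's signature over the update digest
}

// NewCosigners generates n constructed cosigner key pairs (hypothetical witnesses).
func NewCosigners(n int) []Cosigner {
	cs := make([]Cosigner, n)
	for i := range cs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err) // only if the OS CSPRNG is unavailable
		}
		cs[i] = Cosigner{Pub: pub, priv: priv}
	}
	return cs
}

// Cosign returns cosigner i's signature over the SHA-256 digest of update.
func Cosign(cs []Cosigner, i int, update []byte) Cosignature {
	d := sha256.Sum256(update)
	return Cosignature{Index: i, Sig: ed25519.Sign(cs[i].priv, d[:])}
}

// Accept is true when at least threshold distinct cosigners validly signed update.
func Accept(cs []Cosigner, threshold int, update []byte, sigs []Cosignature) bool {
	d := sha256.Sum256(update)
	seen := make(map[int]bool) // keyed by cosigner, so repeats from one key count once
	for _, s := range sigs {
		// Out-of-range indexes and signatures that fail to verify are simply ignored.
		if s.Index >= 0 && s.Index < len(cs) && ed25519.Verify(cs[s.Index].Pub, d[:], s.Sig) {
			seen[s.Index] = true
		}
	}
	return len(seen) >= threshold
}
```

The threshold is a count of distinct verified keys, not of signature blobs, which is the property that defeats a single compromised signer.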

