Information Security News
Finally, our honeypot captured something that looks like it is responsible for the scanning activity we see:
The initial request, as discussed earlier, is:
So it looks like it will try to download a "second stage" from port 193 on the attacking router. I got this request only a couple of minutes ago and haven't been able to retrieve the second stage yet; it may "go away" shortly after the attack. The ".L26" file appears to be a lock file to prevent repeated exploitation.
I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit.
The breach at Target that exposed payment card data and personal details for as many as 110 million of its customers may have begun with a simple malware-laced phishing e-mail sent to a refrigeration contractor that worked for the retailer, according to a report published Wednesday by KrebsOnSecurity.
The article builds on details unearthed last week by the same publication. Reporter Brian Krebs wrote that the hackers who penetrated Target's corporate network gained entry using authentication credentials stolen from a heating, ventilation, and air-conditioning (HVAC) subcontractor that did work for a variety of large retailers. The HVAC firm, Fazio Mechanical, located in Sharpsburg, Pennsylvania, later issued a statement saying its data connection to Target's network was solely for purposes of electronic billing, contract submission, and project management.
Citing multiple people familiar with the ongoing investigation, Krebs said Wednesday that the Target credentials were obtained using an e-mail malware attack that began about two months before thieves began siphoning data for 40 million payment cards from Target's network-connected cash registers. Two of the sources said the malware was the Citadel password stealing program, but that detail hasn't been confirmed. Krebs went on to raise the possibility that the people who compromised the HVAC firm may not have done so with the intent of hacking Target and carrying out one of the largest data thefts in history. He also said that documentation that Target left in plain view on its website may have made the subsequent attack much easier to carry out. Krebs explained:
Researchers have found dozens of fake certificates impersonating the secure sections of online banks, e-commerce sites, and social networks. Google, Facebook, iTunes, and even a POP e-mail server belonging to GoDaddy are a small sample of the services affected by the fraudulent credentials, which in some cases can allow attackers to read and modify encrypted traffic passing between end users and protected servers.
The secure sockets layer (SSL) certificates don't pose much of a threat to people using a popular Web browser to visit spoofed websites, because the credentials aren't digitally signed by a trusted certificate authority, researchers from Netcraft wrote in a blog post published Wednesday. They went on to say that people accessing sensitive websites with smartphone apps or other non-browser software may not be so lucky.
They cited several reports published in the past few years that detailed fatal weaknesses in popular software that made it possible for attackers to decrypt encrypted traffic and in some cases impersonate a cryptographically authenticated server. An October 2012 academic study, for instance, uncovered critical defects in a wide range of applications running on computers and smartphones, some from banks such as Chase and services such as AOL, that failed to check the validity of SSL certificates. A separate study found that Android apps installed on as many as 185 million devices exposed end users' online banking and social networking credentials as well as e-mail and instant-messaging content because the programs used inadequate encryption protections. A more recent report from security firm IO Active uncovered similar weaknesses in apps written for Apple's iOS platform.
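The two checks those apps skipped are chain validation (which is what defeats a forged certificate that no trusted CA signed) and hostname checking (which is what defeats a genuine certificate presented for the wrong site). The following is an added example written for this page, not code from Netcraft, the cited studies, or any of the affected apps. It uses only Python's standard `ssl` module and shows the weak client configuration beside the hardened one, plus an RFC 6125 style hostname matcher in the general form (subjectAltName first, commonName only as a fallback, wildcard only as the whole leftmost label). The certificate dictionaries are constructed in the shape `getpeercert()` returns and are not real certificates.

```python
"""Client-side certificate checks that the cited apps skipped (added example)."""
import ssl

# Constructed getpeercert()-style dictionaries for illustration; these are not
# real certificates and not the forged ones Netcraft found.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "login.example.net"),),)}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching of one dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is only honoured as the entire leftmost label, with at least
    # two fixed labels after it, so "*.com" or "w*.example.com" never match.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard covers exactly one non-empty label, never "a.b.example.com".
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if cert was issued for hostname.

    subjectAltName dNSName entries take precedence; the commonName is only
    consulted when the certificate carries no dNSName at all.
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False


def hardened_client_context() -> ssl.SSLContext:
    """Chain validation against the system CA store plus hostname checking.

    A certificate not signed by a trusted CA, like the forged ones described
    above, fails the handshake here before any application data is sent.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: any certificate, forged or self-signed, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: both the chain and the hostname must be verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    print("hardened:", context_is_safe(hardened_client_context()))
    print("insecure:", context_is_safe(insecure_client_context()))
    print("wildcard:", hostname_matches(SAMPLE_CERT, "mail.example.com"))
```

When reviewing an app, `context_is_safe` is the one-line question to ask of every `SSLContext` it builds: a forged certificate for `www.google.com` has the right name, so hostname checking alone does nothing against it, and a stolen-but-valid certificate for another site passes chain validation, so chain checking alone does nothing either. Both have to be on.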
Posted by InfoSec News on Feb 12: http://houston.cbslocal.com/2014/02/08/police-teen-tricked-oklahoma-walmart-managers-out-of-nearly-30000/
Posted by InfoSec News on Feb 12: http://www.arabianbusiness.com/qatar-establish-cyber-security-committee-537614.html
Posted by InfoSec News on Feb 12: http://www.stuff.co.nz/technology/digital-living/30015122/white-hat-hackers-to-gather-in-tokyo
Posted by InfoSec News on Feb 12: http://www.nytimes.com/2014/02/12/us/politics/spy-chief-says-snowden-took-advantage-of-perfect-storm-of-security-lapses.html
Posted by InfoSec News on Feb 12: Forwarded from: BSidesLV Info <info (at) bsideslv org>