Hackin9

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The good people of FireEye Labs posted on the discovery of an IE 10 zero-day being used in a watering-hole attack on a breached server in the US [1].

FireEye are working with Microsoft, so details are fairly thin. To quote from their first short blog post:

"It’s a brand new zero-day that targets IE 10 users visiting the compromised website–a classic drive-by download attack. Upon successful exploitation, this zero-day attack will download a XOR encoded payload from a remote server, decode and execute it."

Those looking after IE 10 users may want to keep an eye on their proxy logs for the follow-on download as a potential indicator.

UPDATE

FireEye have provided a great deal of detail on the attack in a second blog post, which is well worth a read and gives plenty of the indicators of compromise to run through your logs and filters:

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

[1] http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Three ways to raise infosec awareness among non-security executives
TechTarget
With an ever-evolving threat landscape to monitor, CISOs tend to spend much of their time focused on the latest infosec risk, making it difficult to build relationships with other executives. This is especially true when a CISO is unable to pivot ...

 
Cornering the Bitcoin market may be easier than cornering orange juice futures.

Not only are Bitcoin trading sites like Bitstamp and Mt. Gox susceptible to the recent acceleration of the "transaction malleability" problem, but apparently the Silk Road—or at least its newest incarnation—is too.

On Thursday "Defcon," one of the anonymous administrators of the Silk Road, declared ominously: "We have been hacked." (The message was later reposted in full to reddit.)

According to rough estimates by Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, California, the exploit has resulted in the site losing approximately 4,400 bitcoins, presently worth around $2.6 million, that were taken from Silk Road’s escrow account.

 
One of our readers, Mike, wrote in with some unusual hits in his web logs for "/siemens/bootstrapping/JnlpBrowser/Development/ HTTP/1.1", which he thoughtfully shared.
 
The first was a solitary scan on 12 February 2014, followed by three new scans on 13 February 2014.
 
The scanning IP address 194.95.72.110 has the host name fb02itsscan.fh-muenster.de; a quick lookup of that domain shows a web site which offers this hearty welcome: "Welcome to the University of Applied Sciences Münster".
 
So potentially another academic "study" that scans the internet. Does anyone have information on what they may be looking for, or whether this is attached to a legitimate study?
 
Please write in and let us know.
 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in mysql: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in mariadb: Buffer overflow in client/mysql.cc in Oracle MySQL and MariaDB before 5.5.35 allows remote database servers to cause a denial of service (crash) and possibly execute arbitrary code via a long server version [More...]
 
LinuxSecurity.com: An updated piranha package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: An updated piranha package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Updated mysql55-mysql packages that fix several security issues are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having moderate [More...]
 
LinuxSecurity.com: USN-2098-1 introduced a regression in LibYAML.
 
A Ford executive told U.S. Sen. Al Franken (D-Minn.) that the automaker does not collect or share location data from cars without the operator's explicit permission.
 
Hackers are circulating credentials for thousands of FTP sites and appear to have compromised file transfer servers at The New York Times and other organizations, according to a security expert.
 
Microsoft Internet Explorer CVE-2014-0281 Memory Corruption Vulnerability
 
Mozilla Firefox/SeaMonkey CVE-2014-1483 Multiple Information Disclosure Vulnerabilities
 
Following a solid year of intensive work, the National Institute of Standards and Technology (NIST) released yesterday its "final" framework for improving critical infrastructure cybersecurity as mandated under a February 2013 executive order by President Obama. The 41-page document closely tracks, with some notable changes, the preliminary framework released by NIST in November.
 
Apple marketing chief Phil Schiller is among the witnesses that lawyers for Samsung plan to call when the two companies return to court in California in late March.
 
 
Aviv Raff, Seculert

Microsoft has confirmed reports of a recently active attack that surreptitiously installed malware on computers running a fully patched version 10 of the Internet Explorer browser.

The zero-day exploit was served on vfw[.]org, the official website for the Veterans of Foreign Wars, according to a blog post published Thursday afternoon by security firm FireEye. The people behind the attack compromised the VFW website and then embedded an iframe tag that silently loaded a page on another site that hosted the exploit. While FireEye researchers didn't identify the second site, Aviv Raff, chief technology officer of Israel-based security firm Seculert, said it was aliststatus[.]com. He provided the screenshot above, which he said showed the exploit in action.

The FireEye researchers wrote:

 
Microsoft Internet Explorer CVE-2014-0289 Memory Corruption Vulnerability
 
EMC AlphaStor Library Control Program CVE-2013-0946 Buffer Overflow Vulnerability
 
Pressure on the cellphone industry to introduce technology that could disable stolen smartphones has intensified with the introduction of proposed federal legislation that would mandate such a system.
 
Microsoft has fixed a variety of bugs that affected people's ability to use Skype's instant messaging feature across different devices.
 
All's fair in love, war and job hunting. Learn how to use 'guerilla' job search tactics to use applicant tracking system technology to your advantage.
 
FireEye today said it had discovered that attackers are actively exploiting a new, unpatched vulnerability in Internet Explorer 10.
 
Antitrust enforcement agencies should reject a proposed $45.2 billion acquisition of Time Warner Cable by Comcast, because it would give the combined company huge market power in the broadband and cable TV industries, a handful of consumer and digital rights groups said.
 
A Ford executive told U.S. Sen. Al Franken (D-Minn.) that the automaker does not collect or share location data from cars without the operator's explicit permission.
 
IBM QRadar Security Information and Event Manager CVE-2013-6307 Cross Site Scripting Vulnerability
 
IBM QRadar Security Information and Event Manager CVE-2013-5448 Cross Site Scripting Vulnerability
 
Pressure on the cellphone industry to introduce technology that could disable stolen smartphones has intensified with the introduction of proposed federal legislation that would mandate such a system.
 
Hewlett-Packard is launching a service that could help organizations better manage their Android and iOS mobile apps on employee-owned devices, supporting the BYOD (bring your own device) trend.
 
Microsoft Internet Explorer CVE-2014-0288 Memory Corruption Vulnerability
 
Microsoft Internet Explorer CVE-2014-0269 Memory Corruption Vulnerability
 
IBM Lotus Quickr for Domino ActiveX Control CVE-2013-6749 Buffer Overflow Vulnerability
 
Microsoft Internet Explorer CVE-2014-0270 Memory Corruption Vulnerability
 
Verizon Wireless jumped into a growing price war with other national carriers by announcing a "More Everything" plan that doubles the data allowance for some customers, including small businesses.
 

Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm."

 
tpp 'exec' Command Arbitrary Code Execution Vulnerability
 
D.R. Software Easy CD-DA Recorder '.pls' File Remote Buffer Overflow Vulnerability
 

I am writing this summary as the prior diaries about this topic became a bit difficult to parse. 

At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900

The worm first connects to port 8080 (using SSL if necessary) and requests the "/HNAP1/" URL. This returns an XML-formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision. The relevant lines are:

<ModelName>E2500</ModelName>
<FirmwareVersion>1.0.07 build 1</FirmwareVersion> 

(this is a sample from an E2500 router running firmware version 1.0.07 build 1)

Next, the worm will send an exploit to a vulnerable CGI script running on these routers. The request does not require authentication. The worm sends random "admin" credentials but they are not checked by the script. Linksys (Belkin) is aware of this vulnerability.

This second request launches a simple shell script that downloads the actual worm. The worm is about 2MB in size; the samples we have captured so far appear pretty much identical except for a random trailer at the end of the binary. The file is an ELF MIPS binary.

Once this code runs, the infected router appears to scan for other victims. The worm includes a list of about 670 different networks (some /21, some /24). All appear to be linked to cable or DSL modem ISPs in various countries.

An infected router will also serve the binary on a random low port for new victims to download. This HTTP server is only open for a short period of time, and for each target a new server on a different port is opened.

We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm.

We call this a "worm" at this point, as all it appears to do is spread. This may be a "bot" if there is a functional command and control channel present.

Indicators of compromise:

- heavy outbound scanning on port 80 and 8080.
- inbound connection attempts to misc ports < 1024.
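As an added example (not part of the ISC diary), the first indicator above can be turned into a simple detection over flow or firewall logs: a host that reaches an unusually large number of distinct destinations on ports 80 and 8080 within a short window looks like the worm's outbound scanning. The log format ("timestamp src dst dport"), the 60-second window and the threshold of 50 distinct targets are assumptions chosen for the example; the sample records are constructed.

```python
import collections
from datetime import datetime, timedelta

SCAN_PORTS = {80, 8080}          # ports the diary names for the worm's outbound scanning
WINDOW_SECONDS = 60              # assumed sliding window
DISTINCT_DST_THRESHOLD = 50      # assumed: this many distinct targets in one window is "heavy"


def make_sample_log():
    """Constructed flow records in the assumed format 'timestamp src dst dport'."""
    base = datetime(2014, 2, 13, 10, 0, 0)
    lines = []
    # A normal LAN client talking to a handful of web hosts.
    for i in range(5):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.10 203.0.113.{i + 1} 80")
    # A router (constructed as infected) fanning out across a /24 on 8080, one flow per second.
    for i in range(1, 120):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.1 198.51.100.{i + 1} 8080")
    return lines


def parse_flow(line):
    """Split one record into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def max_distinct_targets(lines, ports=SCAN_PORTS, window=WINDOW_SECONDS):
    """For each source, the largest number of distinct destinations on `ports`
    seen within any `window`-second span. Returns {src: count}."""
    by_src = collections.defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in ports:
            by_src[src].append((ts, dst))

    result = {}
    span = timedelta(seconds=window)
    for src, flows in by_src.items():
        flows.sort()                       # order by timestamp
        win = collections.deque()          # flows currently inside the window
        counts = collections.Counter()     # how many flows in the window hit each dst
        best = 0
        for ts, dst in flows:
            win.append((ts, dst))
            counts[dst] += 1
            # Evict flows older than the window relative to the newest one.
            while ts - win[0][0] > span:
                old_ts, old_dst = win.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            best = max(best, len(counts))
        result[src] = best
    return result


def suspected_scanners(lines, threshold=DISTINCT_DST_THRESHOLD):
    """Sources whose peak distinct-target count meets the threshold, sorted."""
    return sorted(src for src, n in max_distinct_targets(lines).items() if n >= threshold)


if __name__ == "__main__":
    sample = make_sample_log()
    for src, n in max_distinct_targets(sample).items():
        print(f"{src}: up to {n} distinct targets on 80/8080 in {WINDOW_SECONDS}s")
    print("suspected scanners:", suspected_scanners(sample))
```

Tune the window and threshold to the normal fan-out of your own network before alerting on this; a busy proxy or update server will legitimately exceed a low threshold, whereas a home router that suddenly touches dozens of fresh /24 addresses on 8080 is the pattern the diary describes.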
 

Detecting potentially vulnerable systems:

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

(printf is used rather than echo because bash's built-in echo does not interpret \r\n without -e; replace "routerip" with the router's address.)

If you get the XML HNAP output back, then you MAY be vulnerable.
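The same check, as an added example that is not part of the ISC diary: it parses an HNAP1 response of the kind quoted above, pulls out ModelName and FirmwareVersion regardless of XML namespace, and reports whether the model is on the diary's "may be vulnerable" list. The SOAP envelope in the sample response is constructed for the example (only the two quoted lines come from the diary), and fetch_hnap is an optional helper that sends the same GET /HNAP1/ as the nc one-liner to a router you administer.

```python
import http.client
import re
import ssl
import xml.etree.ElementTree as ET

# Model list as given in the diary; "may be vulnerable depending on firmware version".
POSSIBLY_AFFECTED_MODELS = {
    "E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
    "E1550", "E1500", "E1200", "E1000", "E900",
}

# Constructed sample response; the ModelName/FirmwareVersion lines match the diary's excerpt.
SAMPLE_HNAP_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <ModelName>E2500</ModelName>
      <FirmwareVersion>1.0.07 build 1</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def _local(tag):
    """Strip an XML namespace ('{ns}ModelName' -> 'ModelName')."""
    return tag.rsplit("}", 1)[-1]


def parse_hnap(body):
    """Return {'model': ..., 'firmware': ...} from an HNAP1 body; missing fields are None."""
    info = {"model": None, "firmware": None}
    if not body or not body.strip():
        return info
    try:
        root = ET.fromstring(body.encode("utf-8"))
        for el in root.iter():
            name = _local(el.tag)
            if name == "ModelName" and el.text:
                info["model"] = el.text.strip()
            elif name == "FirmwareVersion" and el.text:
                info["firmware"] = el.text.strip()
    except ET.ParseError:
        # Some firmware answers with sloppy markup; fall back to a tolerant regex.
        m = re.search(r"<ModelName>\s*([^<]+?)\s*</ModelName>", body)
        f = re.search(r"<FirmwareVersion>\s*([^<]+?)\s*</FirmwareVersion>", body)
        info["model"] = m.group(1) if m else None
        info["firmware"] = f.group(1) if f else None
    return info


def assess(info):
    """'possibly-vulnerable' if the model is on the diary's list, 'not-listed' otherwise,
    'unknown' when no model could be read (for example, no HNAP answer at all)."""
    model = info.get("model")
    if not model:
        return "unknown"
    return "possibly-vulnerable" if model.upper() in POSSIBLY_AFFECTED_MODELS else "not-listed"


def fetch_hnap(host, port=8080, use_ssl=False, timeout=5):
    """Send GET /HNAP1/ like the diary's nc one-liner and return the body ('' on failure)."""
    if use_ssl:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # routers use self-signed certs; we only want the XML
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/HNAP1/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.read().decode("utf-8", "replace") if resp.status == 200 else ""
    except (OSError, http.client.HTTPException):
        return ""
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # With a router address as argument the live check runs; otherwise the constructed sample is used.
    body = fetch_hnap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HNAP_RESPONSE
    info = parse_hnap(body)
    print(info, "->", assess(info))
```

A "not-listed" result only means the model is not on the diary's current list, and "possibly-vulnerable" still depends on the firmware version, which the diary does not pin down; record the FirmwareVersion string so affected units can be rechecked once Linksys publishes fixed builds.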

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Intel is continuing to build out its array of software tools for the Hadoop open-source big data processing framework, with an emphasis on the security and reliability features demanded by large enterprises.
 
Multiple IBM Products CVE-2013-6747 Denial of Service Vulnerability
 
[ISecAuditors Security Advisories] - Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com)
 
Apple is gearing up to launch a revamped Apple TV, but will not push into the television market this year, as many assumed.
 
Dozens of self-signed SSL certificates created to impersonate banking, e-commerce and social networking websites have been found on the Web. The certificates don't pose a big threat to browser users, but could be used to launch man-in-the-middle attacks against users of many mobile apps, according to researchers from Internet services firm Netcraft who found the certificates.
 
A coalition of consumer and privacy groups will ask a U.S. court to reject a settlement that allows Facebook to use minors' pictures in advertisements on the site without their parents' consent.
 
Global smartwatch shipments reached 1.9 million units last year, and Google's Android mobile OS captured a 61 percent market share, according to Strategy Analytics.
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in php: * Fixed bug #66356 (Heap Overflow Vulnerability in imagecrop()) (CVE-2013-7226). [More...]
 
LinuxSecurity.com: LXC would allow unintended access to the host, bypassing intended confinement.
 
LinuxSecurity.com: Updated mysql packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate [More...]
 
LinuxSecurity.com: Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: A vulnerability has been discovered and corrected in openldap: The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a [More...]
 
LinuxSecurity.com: The security update released in DSA-2850-1 for libyaml introduced a regression in libyaml failing to parse a subset of valid yaml documents. For reference the original advisory text follows. [More...]
 
LinuxSecurity.com: Holger Levsen discovered that parcimonie, a privacy-friendly helper to refresh a GnuPG keyring, is affected by a design problem that undermines the usefulness of this piece of software in the intended threat model. [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in FreeType, allowing context-dependent attackers to possibly execute arbitrary code or cause Denial of Service.
 
LinuxSecurity.com: Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More...]
 
LinuxSecurity.com: Libav could be made to crash or run programs as your login if it opened a specially crafted file.
 
Wordpress plugin Buddypress <= 1.9.1 stored xss vulnerability
 
Re: ASUS RT Series Routers FTP Service - Default anonymous access
 
Wordpress plugin Buddypress <= 1.9.1 privilege escalation vulnerability
 
ASUS RT Series Routers FTP Service - Default anonymous access
 
APPLE-SA-2014-02-11-1 Boot Camp 5.1
 
Mybb All Version Denial of Service Vulnerability
 
[ MDVSA-2014:026 ] openldap
 
Businesses share their crowdsourcing success stories and explain the different ways to enlist and use the crowd (communities of professionals, customers and employees) to improve and even help market your products and services.
 
The big data era calls for NoSQL databases. Explore the new alternatives to old RDBMS and find out which one is best for you
 
WiFi Camera Roll v1.2 iOS - Multiple Web Vulnerabilities
 
[ MDVSA-2014:025 ] pidgin
 
[SECURITY] [DSA 2860-1] parcimonie security update
 

Ethiopian journos hit by Hacking Team spyware, say infosec bods
Register
Ethiopian journalists in the US were targeted by malware sold exclusively to governments by the Hacking Team company, according to security researchers. Staffers at Ethiopian Satellite Television Service (ESAT), an independent TV, radio, and online ...

 
Mitsubishi Electric is developing a vehicle assistant system that can anticipate driver needs when controlling things like car navigation systems and stereos.
 
Comcast announced this morning that it will acquire Time Warner Cable in an all-stock deal
 
Lenovo reported a 30% jump in its net profit for the fourth quarter of last year, with its earnings driven by a record number of devices shipped.
 
Nvidia isn't interested in the mainstream smartphone market and will focus its Tegra efforts on tablets and high-end "superphones," the company's CEO said Wednesday.
 
The fledgling Tizen smartphone OS has managed to attract 15 new backers, three of which are big name brands in Asia, including the Chinese search giant Baidu, handset maker ZTE, and Japanese mobile operator SoftBank Mobile.
 
LG Electronics' G Pro 2 has a bigger screen than its predecessor, but improved video and camera features are what the company hopes will make the device stick out from the competition.
 
cinnamon-screensaver CVE-2014-1949 Lock Screen Local Security Bypass Vulnerability
 
The energy industry is complex and growing, but also needs to be more modern and efficient. From analytics to networking to mobility, the IT opportunities abound.
 
Researchers at the Lawrence Livermore National Laboratory Wednesday said they've achieved a first: A nuclear fusion system has produced more energy than it initially absorbed
 

Posted by InfoSec News on Feb 13

http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

By Brian Krebs
Krebs on Security
February 12, 2014

The breach at Target Corp. that exposed credit card and personal data on
more than 110 million consumers appears to have begun with a malware-laced
email phishing attack sent to employees at an HVAC firm that did business
with the nationwide retailer, according to sources close to the
investigation.

Last...
 

Posted by InfoSec News on Feb 13

http://www.computerworld.com/s/article/9246266/White_House_pushes_cybersecurity_framework_for_critical_infrastructure

By Grant Gross
IDG News Service
February 12, 2014

A new cybersecurity framework released Wednesday by the Obama
administration aims to help operators of critical infrastructure develop
comprehensive cybersecurity programs.

The voluntary framework creates a consensus on what a good cybersecurity
program looks like, senior...
 

Posted by InfoSec News on Feb 13

http://www.timesofisrael.com/hackers-target-adelson-casino-empires-website/

BY JTA
February 13, 2014

The website of the casino operation owned by Jewish billionaire Sheldon
Adelson was hacked by unidentified vandals who criticized his support for
Israel

The hackers on Tuesday took over the home page of websites run by the Las
Vegas Sands Corp., the world's largest casino operator, which is owned by
Adelson. In addition to criticizing...
 

Posted by InfoSec News on Feb 13

http://www.nbcnews.com/news/investigations/exclusive-snowden-swiped-password-nsa-coworker-n29006

BY MICHAEL ISIKOFF
NBC News
February 12th 2014

A civilian NSA employee recently resigned after being stripped of his
security clearance for allowing former agency contractor Edward Snowden to
use his personal log-in credentials to access classified information,
according to an agency memo obtained by NBC News.

In addition, an active duty member...
 

Posted by InfoSec News on Feb 13

http://www.forbes.com/sites/andygreenberg/2014/02/12/inside-endgame-a-new-direction-for-the-blackwater-of-hacking/

By Andy Greenberg
Forbes Staff
2/12/2014

This story appears in the March 3, 2014 issue of Forbes.

In the classic hacker career narrative, a juvenile genius breaks into the
Internet's most sensitive networks, gets caught and then settles into a
lucrative corporate gig selling his skills for defense. Nate Fick is
trying to...
 

Baffert reject Infosec showing solid potential
San Francisco Chronicle
A local horse hasn't won the Grade 3, $200,000 El Camino Real Derby since Autism Awareness in 2008, and the best chance for Saturday's 33rd running at Golden Gate Fields is one who began his career in Southern California. Early last fall, Infosec was a ...

 
Cisco Unified Communications Manager Java Database Interface SQL Injection Vulnerability
 
Oracle MySQL Server CVE-2014-0401 Remote Security Vulnerability
 
Internet Storm Center Infocon Status