(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan, and Karim Baratov—the four indicted by the US in the Yahoo hacking case.

SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of over two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a "spear phishing" e-mail to a Yahoo employee early in 2014.

Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office, told Ars in an interview that the initial breach that led to the exposure of half a billion Yahoo accounts likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives. He said social engineering or spear phishing “was the likely avenue of infiltration" used to gain the credentials of an “unsuspecting employee” at Yahoo.

Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.


Cisco Unified Communications Manager CVE-2017-3877 Cross Site Request Forgery Vulnerability
Cisco StarOS CVE-2017-3819 Privilege Escalation Vulnerability
Cisco Unified Communications Manager CVE-2017-3872 Cross Site Scripting Vulnerability
Cisco Unified Communications Manager CVE-2017-3874 Cross Site Scripting Vulnerability
WordPress Wp2android Plugin CVE-2017-1002003 Arbitrary File Upload Vulnerability
Cisco Mobility Express 1800 Access Point Series CVE-2017-3831 Authentication Bypass Vulnerability
Multiple Cisco Products CVE-2017-3846 Arbitrary File Read Vulnerability
Cisco AsyncOS CVE-2017-3870 Remote Security Bypass Vulnerability
Open.GL CVE-2017-6907 Cross Site Scripting Vulnerability
SAP Enterprise Portal 'styleservice' Cross Site Scripting Vulnerability
SAP Security Diagnostic Tool Unspecified Cross Site Scripting Vulnerability
SiberianCMS CVE-2017-6906 Cross Site Scripting Vulnerability
Microsoft Windows Hyper-V CVE-2017-0097 Remote Denial of Service Vulnerability
Microsoft Windows Hyper-V CVE-2017-0076 Remote Denial of Service Vulnerability
Microsoft Windows Hyper-V CVE-2017-0098 Remote Denial of Service Vulnerability
Red Hat JBoss Enterprise Application Platform CVE-2016-8657 Local Privilege Escalation Vulnerability

(credit: Bloomberg / Getty Images News)

Federal prosecutors charged two Russian intelligence agents with orchestrating a 2014 hack that compromised 500 million Yahoo accounts in a brazen campaign to access the e-mails of thousands of journalists, government officials, and technology company employees.

In a 38-page indictment unsealed Wednesday, the prosecutors said Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43—both officers of the Russian Federal Security Service—worked with two other men—Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22—who were also indicted. The men gained initial access to Yahoo in early 2014 and began their reconnaissance, the indictment alleged. By November or December, Belan used the file transfer protocol to download part or all of a Yahoo database that contained user names, recovery e-mail accounts, and phone numbers. The user database (UDB) also contained the cryptographic nonces needed to generate the account-authentication browser cookies for more than 500 million accounts.

Belan also downloaded an account management tool (AMT) that Yahoo used to make and track changes to user accounts. Together, the pilfered UDB and AMT allowed Belan, Dokuchaev and Sushchin to locate Yahoo e-mail accounts of interest and to mint authentication cookies needed to access 6,500 accounts without authorization. The accounts belonged to Russian journalists, Russian and US government officials, employees of a prominent Russian security company, and employees of other Internet companies the indicted men wanted to target. Belan and Baratov also used their access to commit additional crimes, including by manipulating Yahoo search results to promote a scam involving erectile dysfunction drugs, stealing electronic gift cards, and sending spam messages to Yahoo users' contacts.


JIRA Server XML External Entity Injection and Arbitrary Code Execution Vulnerability
concrete5 Multiple Cross Site Scripting Vulnerabilities
Fatek Automation PLC Ethernet Module CVE-2017-6023 Stack Based Buffer Overflow Vulnerability
SAP NetWeaver Visual Composer Denial of Service Vulnerability
Microsoft Office CVE-2017-0029 Denial of Service Vulnerability

For a while, one of the security trends has been to integrate information from third-party feeds to improve the detection of suspicious activities. By collecting indicators of compromise (IOCs)[1], other tools can correlate them with their own data and generate alerts on specific conditions. The initial goal is to share new IOCs with peers as fast as possible, to improve detection capability and, maybe, prevent further attacks or infections.

However, the 2016 SANS Incident Response Survey[2] demonstrated that, in many cases, the time to detect a compromise [Figure: chart from the survey]

If your organization is specifically targeted, there is little chance that your malware sample will be analysed by security researchers, and it may take some time before new IOCs are extracted and distributed via the classic channels. That's why retro hunting is also important. I like this name: it comes from a VirusTotal feature that allows you to create YARA rules and search backwards for samples that match them. (Note: this is only available with a paid subscription, VT Intelligence[3].)

In the same philosophy, it's interesting to perform retro-hunting in your logs to detect malicious activity that occurred in the past. Here is an example based on MISP and Splunk. The first step is to export interesting IOCs like IP addresses, hostnames or hashes from the last day. Two cron jobs pull them from the MISP CSV export and write them as Splunk lookup tables ("xxxxxx" stands for the MISP API key):

0 0 * * * curl -H "Authorization: xxxxxx" -k -s \
  "https://misp.xxx.xxx/events/csv/download/false/false/false/Network\%20activity/ip-src/true/false/false/1d" | \
  awk -F ',' '{ print $5 }' | sed -e 's/value/src_ip/g' > /opt/splunk/etc/apps/search/lookups/misp-ip-src.csv

15 0 * * * curl -H "Authorization: xxxxxx" -k -s \
  "https://misp.xxx.xxx/events/csv/download/false/false/false/Network\%20activity/hostname/true/false/false/1d" | \
  awk -F ',' '{ print $5 }' | sed -e 's/value/qclass/g' > /opt/splunk/etc/apps/search/lookups/misp-hostnames.csv

Column 5 of the MISP CSV export is the attribute value; sed only renames the CSV header to the field name Splunk will match on. Two details matter when you paste this into a crontab: cron turns an unescaped % in the command into a newline, so the %20 in the URL must be written \%20; and -k disables certificate verification of the MISP server, so drop it once the host trusts the server's certificate.

It is possible to fine-tune the query and export only the IOCs that really matter (e.g. TLP:RED, with or without this tag, ...).

Now the lookup tables are ready to be used in Splunk queries. The exported data cover only the last day, so let's focus on a larger time period: [Figure: screenshot of the Splunk search using the lookup]

Now let [Figure: second Splunk screenshot]

You can schedule those searches to run daily and raise a notification when at least one hit is found. If that's the case, it is worth starting an investigation.
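As an added example (not code from this diary), the script below runs the same MISP-to-lookup transformation offline against a constructed CSV export, and then performs with awk the join that the Splunk lookup does, over a few constructed firewall log lines. Everything in it is assumed rather than taken from the page: the MISP CSV column order (uuid,event_id,category,type,value,comment,to_ids,date, which puts the value in column 5 as the cron job's awk expects), the key=value log format, and the IP addresses, which are documentation ranges. One deliberate change from the cron job: the header rename is anchored to line 1, so an IOC that merely contains the string "value" (possible in the hostname export) is not rewritten.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: the diary's MISP-to-lookup step
# run offline against a constructed export, followed by the retro-hunt join
# that the Splunk "lookup" would perform, done here with awk.
# Assumptions (constructed, not from the page): the MISP CSV column order
# uuid,event_id,category,type,value,comment,to_ids,date (value = column 5,
# which is what the diary's awk relies on) and the key=value firewall log format.

# Stand-in for the body curl fetches from
# .../Network%20activity/ip-src/true/false/false/1d (constructed).
MISP_EXPORT='uuid,event_id,category,type,value,comment,to_ids,date
0b6e3a8f-1111-4c4a-9d3b-0c3a4b5c6d7e,42,Network activity,ip-src,198.51.100.23,C2 beacon,1,20170315
1c7f4b90-2222-4d5b-8e4c-1d4b5c6d7e8f,42,Network activity,ip-src,203.0.113.77,,1,20170315
2d805ca1-3333-4e6c-9f5d-2e5c6d7e8f90,43,Network activity,ip-src,192.0.2.9,scanner,1,20170314'

# Constructed firewall log lines covering the weeks before the IOCs were shared.
FW_LOG='2017-02-20T08:14:02Z src_ip=198.51.100.23 dst_ip=10.0.0.15 action=allow
2017-02-20T08:15:31Z src_ip=93.184.216.34 dst_ip=10.0.0.22 action=allow
2017-03-01T17:02:44Z src_ip=203.0.113.77 dst_ip=10.0.0.15 action=deny
2017-03-10T11:41:09Z src_ip=198.51.100.23 dst_ip=10.0.0.31 action=allow
2017-03-12T09:00:00Z src_ip=10.0.0.31 dst_ip=192.0.2.9 action=allow'

# Same transformation as the diary's cron job: keep column 5 and rename the
# CSV header "value" to the Splunk field name. The rename is anchored to the
# header line so an IOC that merely contains the string "value" (possible for
# the hostname export) is left untouched.
build_lookup() {
    printf '%s\n' "$MISP_EXPORT" \
        | awk -F ',' '{ print $5 }' \
        | sed -e '1s/^value$/src_ip/'
}

# Emulates "| lookup misp-ip-src.csv src_ip" plus keeping only matching events:
# load the lookup (file 1) into an array, then print every log line (file 2)
# whose src_ip=... field is in it. Matching is per field, so an IOC seen only
# as dst_ip is deliberately not a hit for this lookup.
retro_hunt() {
    awk -F '[ =]' '
        NR == FNR { if (FNR > 1) ioc[$1] = 1; next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "src_ip" && ($(i + 1) in ioc)) { print; break }
        }
    ' "$1" "$2"
}

# Number of hits, the value a daily scheduled search would alert on.
count_hits() {
    retro_hunt "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: build the lookup file, then hunt through the log.
WORK=$(mktemp -d)
build_lookup > "$WORK/misp-ip-src.csv"
printf '%s\n' "$FW_LOG" > "$WORK/fw.log"
retro_hunt "$WORK/misp-ip-src.csv" "$WORK/fw.log"
echo "hits: $(count_hits "$WORK/misp-ip-src.csv" "$WORK/fw.log")"
```

The lookup's header must carry the same field name as the events you search (here src_ip), which is the whole reason the cron job renames it; the last log line shows the flip side, an IOC that appears as dst_ip is not a hit for the src_ip lookup, so a hostname or destination lookup needs its own column name and its own scheduled search.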

Happy retro hunting!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

