Information Security News
Over the past few years, consumer-grade routers have emerged as a key security threat. Whether manufactured by Asus, Linksys, D-Link, Micronet, Tenda, TP-Link, or others, small office/home office (SOHO) routers have suffered a variety of real-world attacks that in some cases have allowed hackers to remotely commandeer hundreds of thousands of devices.
Now, security advocates are sponsoring "SOHOpelessly BROKEN," a no-holds-barred router hacking competition at next month's Defcon hacker conference in Las Vegas. The contest will challenge attendees to unleash novel exploits on 10 off-the-shelf SOHO routers running recent firmware versions.
"The objective in this contest is to demonstrate previously unidentified vulnerabilities in off-the-shelf consumer wireless routers," organizers said. "Contestants must identify weaknesses and exploit the routers to gain control. Pop as many as you can over the weekend to win. Contest will take place at Defcon 22, August 7-12, 2014 in the Wireless Village contest area."
More than three months after the disclosure of the catastrophic Heartbleed vulnerability in the OpenSSL library, critical industrial control systems sold by Siemens remain susceptible to hijacking or crashes that can be triggered by the bug, federal officials have warned.
The products are used to control switches, valves, and other equipment in chemical, manufacturing, energy, and wastewater facilities. Heartbleed is the name given to a bug in the widely used OpenSSL cryptographic library that leaks passwords, usernames, and secret encryption keys. While Siemens has updated some of its industrial control products to patch the Heartbleed vulnerability, others remain susceptible, an advisory published Thursday by the Industrial Control Systems Cyber Emergency Response Team warned.
"The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices," the notice stated. "The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash."
As reported by Sophos and submitted by multiple ISC readers (thank you), Gameover Zeus is resurfacing.
According to the Sophos post, they have "only seen a few samples of the new version, but it has been distributed through widespread spam campaigns, so the number of infections may already be large. Typical Gameover spams include an attachment pretending to be an account statement."
If you spot what you believe are related spam samples or actual binaries, please send them our way for analysis.
Posted by InfoSec News on Jul 18: http://krebsonsecurity.com/2014/07/even-script-kids-have-a-right-to-be-forgotten/
Posted by InfoSec News on Jul 18: http://www.infosecnews.org/chinese-collegiate-hacking-team-hacks-the-tesla-model-s-well-sort-of/
Posted by InfoSec News on Jul 18: http://news.techworld.com/security/3531445/aloha-point-of-sale-terminal-sold-on-ebay-yields-security-surprises/
Posted by InfoSec News on Jul 18: http://www.bankinfosecurity.com/treasurys-new-focus-on-cyber-risks-a-7068
Posted by InfoSec News on Jul 18: http://www.csoonline.com/article/2455088/identity-access/why-123456-is-a-great-password.html
Posted by InfoSec News on Jul 18: http://www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq
Posted by InfoSec News on Jul 18: http://www.chinadaily.com.cn/opinion/2014-07/18/content_17830716.htm
As we learned in Part One of our exploration of Hazrat Supply's series of unfortunate events, our malicious miscreants favored multiple tools. We first discussed developing IOCs for HackTool:Win32/Zeloxat.A which opens a convenient backdoor on a pwned host. One note on that front, during analysis I saw network calls to zeroplace.cn (no need to visit, just trust me) and therefore added matching URI and DNS items to the IOC file. Again, I'll share them all completed for you in a day or two.
I know I promised you an analysis of the svchost dump file Jake provided using Volatility, but unfortunately that effort did not bear much fruit; the imagecopy module didn't return actionable results. The actual svchost.exe sample is still an analysis work-in-progress as well: while certainly malicious, the file we have was not an original payload and is exhibiting limited functionality. I do hope to have insight on that front tomorrow.
That said, one of the other tools that was found on the server by Jake was PWDump7. This is a commonly used tool and is often part of larger hacker or pentester kits; you should be detecting and blocking them both equally :-).
By definition, PwDump7.exe is not malware per se, it's simply a tool that can be used for malicious purposes. It doesn't make file system changes, it doesn't phone home, it doesn't change the registry, but it sure does dump password hashes as seen in Figure 1.
The first reader who emails me (russ @ holisticinfosec dot org) my clear text password from the 500 hash as seen in Figure 1 wins a prize of my choosing (probably shwag or a book); I'll Tweet out the winner. *UPDATE* - We have a winner as of 0146 PST last night, thank you, Martin R. The password for you all is IveBeenHacked.
In the absence of particularly interesting artifacts, can we still create IOCs for hack tools such as PwDump?
But of course!
File name, file size, and hashes are obvious, but what else can we use when so little presents itself with a hack tool that is standalone and basically just runs?
Tools such as PEStudio can give us additional options if we look beyond the obvious. PEStudio, by default, will sort by color coded (red), flagged items. Often this presents some obvious enough indicators but with PwDump7, not so much. But sorting by something different such as Value under Strings and Unclassified gives us a perfectly unique indicator not likely to occur very often, particularly in the context of established file name and hashes. Figure 2 exemplifies.
As such, our IOC elements would be derived as seen in Figure 3.
Can't miss with strings keywords like that. :-)
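To make the derivation concrete, here is an added example (not code from the original post, and not tied to the real PwDump7 binary) that builds the same three kinds of IOC elements the post derives in Figure 3: file hashes, file size, and distinctive strings. The binary bytes, the "distinctive" strings, the IOC id and the OpenIOC-style XML layout are all constructed for this example; it assumes the OpenIOC 1.0 context terms such as FileItem/Md5sum and FileItem/StringList/string, and it filters out PE boilerplate strings that would match almost any Windows executable, which is the point the post makes about looking past the obvious.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a standalone tool binary. This is NOT PwDump7.exe;
# the bytes are fabricated so the example runs offline, and the "distinctive"
# strings are invented placeholders for whatever PEStudio's Unclassified view shows.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"                        # DOS header fragment
    + b"!This program cannot be run in DOS mode.\r\n$"   # present in nearly every PE
    + b"\x00" * 16
    + b"PE\x00\x00"
    + b".text\x00\x00\x00"                               # section name, far too common
    + b"KERNEL32.dll\x00"                                # import, far too common
    + b"EXAMPLE-TOOL build marker 0xC0FFEE\x00"          # constructed distinctive string
    + b"\x7f\x01\x02\x03"
    + b"Dumping hashes from SAM hive for host\x00"       # constructed distinctive string
    + b"\x00" * 8
)

# Strings found in almost every Windows PE. Using them as indicators would
# flag half the binaries on a host, so they are dropped before IOC creation.
COMMON_PE_STRINGS = {
    "!This program cannot be run in DOS mode.",
    "KERNEL32.dll",
}


def file_hashes(data: bytes) -> dict:
    """Hex MD5, SHA-1 and SHA-256 of the bytes, the hash elements of the IOC."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, as strings(1) or PEStudio would list."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def select_indicator_strings(strings, common=COMMON_PE_STRINGS) -> list:
    """Keep only strings distinctive enough to serve as indicators."""
    return [s for s in strings if s.strip() not in common and not s.startswith(".")]


def _item(parent, search: str, value: str, condition: str = "is"):
    """One OpenIOC 1.0-style IndicatorItem under the given Indicator group."""
    item = ET.SubElement(parent, "IndicatorItem", condition=condition)
    ET.SubElement(item, "Context", document="FileItem", search=search, type="mir")
    ET.SubElement(item, "Content", type="string").text = value
    return item


def build_ioc(file_name: str, data: bytes, strings) -> str:
    """Emit a minimal OpenIOC-style document from name, size, hashes and strings."""
    hashes = file_hashes(data)
    root = ET.Element("ioc", id="EXAMPLE-IOC-PLACEHOLDER")  # placeholder, not a real IOC id
    ET.SubElement(root, "short_description").text = f"Standalone hack tool: {file_name}"
    definition = ET.SubElement(root, "definition")
    top = ET.SubElement(definition, "Indicator", operator="OR")
    # Any single hash match identifies this exact build of the tool.
    _item(top, "FileItem/Md5sum", hashes["md5"])
    _item(top, "FileItem/Sha1sum", hashes["sha1"])
    _item(top, "FileItem/Sha256sum", hashes["sha256"])
    # A file still carrying the original name is worth a look on its own.
    _item(top, "FileItem/FileName", file_name, "contains")
    # A renamed copy is still caught by its size together with the distinctive strings.
    renamed = ET.SubElement(top, "Indicator", operator="AND")
    _item(renamed, "FileItem/SizeInBytes", str(len(data)))
    for s in strings:
        _item(renamed, "FileItem/StringList/string", s, "contains")
    return ET.tostring(root, encoding="unicode")


def indicator_items(xml_text: str) -> list:
    """(search term, content) pairs from a generated IOC, for review or testing."""
    root = ET.fromstring(xml_text)
    return [(i.find("Context").get("search"), i.find("Content").text)
            for i in root.iter("IndicatorItem")]


if __name__ == "__main__":
    keep = select_indicator_strings(extract_strings(SAMPLE_BINARY))
    print(build_ioc("example-tool.exe", SAMPLE_BINARY, keep))
```

The OR/AND layout is a design choice rather than anything the post prescribes: hashes and the original file name each stand alone, while size plus the distinctive strings are ANDed so that a single common word cannot trigger the indicator by itself. Swap in the real file's bytes and the strings PEStudio flags, and the same functions produce the IOC elements shown in Figure 3.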
I'll leave you with this. As we've been learning from the kind transparency of Jake and Hazrat Supply, it happens, it really does.
Just another reason not to tailgate.