Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

A leaked database from a hacked denial-of-service site has provided some insight on what sorts of targets individuals will pay to knock offline for a few dollars or bitcoin. And it's safe to say that a significant percentage of them are not the brightest stars in the sky. To get an idea of who would use such a service and for what purposes, Ars analyzed the data from a recently-hacked DDoS for hire site: LizardSquad's LizardStresser.

"Booter" or "stresser" sites offer users the ability to pay for distributed denial of service attacks against a target, and these sites promise to try to disguise the nature of the attack with the fig leaf of being legitimate load testing sites. That wasn't so much the case with LizardStresser, the botnet-for-hire set up by the distributed denial of service crew known as LizardSquad. The group used its Christmas week DDoS attacks on Microsoft's Xbox Live network and Sony's Playstation Network as a form of advertising for the new service.

Since then, attacks on gamers have made up a significant percentage of the LizardStresser's workload. While more than half of the attacks launched by customers of the service have been against Web servers, a significant portion have targeted individuals or small community gaming servers—including Minecraft servers.


 
[SECURITY] [DSA 3132-1] icedove security update
 
MSA-2015-01: Wordpress Plugin Pixabay Images Multiple Vulnerabilities
 
libssh 'kex.c' Double Free Denial of Service Vulnerability
 
Libevent CVE-2014-6272 Multiple Heap Based Buffer Overflow Vulnerabilities
 

Citing anonymous sources in and close to the US government, The New York Times reports that the fingering of North Korea as responsible for the attack on the network of Sony Pictures Entertainment was through evidence gathered by National Security Agency surveillance. This includes software taps into networks associated with North Korea's network warfare and espionage unit, Bureau 121, among others. The actual evidence, however, will likely never see the light of day because of the highly classified nature of how it was obtained.

David Sanger and Martin Fackler of the Times report that the NSA started to ramp up efforts to penetrate North Korea's networks in 2010 to monitor the growth of Bureau 121 and the rest of the country's "computer network exploitation" capabilities:

A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people. Most are commanded by the country’s main intelligence service, called the Reconnaissance General Bureau, and Bureau 121, its secretive hacking unit, with a large outpost in China.

The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts, who spoke on the condition of anonymity about the classified NSA operation.

The NSA's Tailored Access Office, according to the report, "drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers, and penetrated directly into the North with the help of South Korea and other American allies." According to NSA documents released by Der Spiegel, some of South Korea's initial assistance was not voluntary—the NSA secretly exploited South Korea's existing hacks of North Korea to gain intelligence information. But despite the level of access they gained, according to an unnamed investigator into the Sony Pictures attack, the NSA and other US agencies "couldn't really understand the severity" of the attack that would be launched against Sony when they began on November 24.


 

This is a guest diary submitted by Brad Duncan.

Various sources have reported version 3 of CryptoWall has appeared [1] [2] [3]. This malware is currently seen from exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.

I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit.

If you're registered with Malwr.com, you can get a copy of this CryptoWall 3.0 sample at:

https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/

Let's look at the traffic from my infected VM:

In this example, the infected VM checked ip-addr.es to determine its public IP address. Then the VM communicated with a server at 194.58.109.158 over a non-standard HTTP port. In this case it was port 2525, but I saw different ports in other hosts I've infected with this sample.

Finally, the user viewed a web page for the decrypt instructions at 5.199.166.220.

When monitoring the infection traffic with Security Onion [5], we see an EmergingThreats alert for CryptoWall check-in [4].
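The traffic sequence described above (public-IP lookup via ip-addr.es, then HTTP to a bare-IP host on a non-standard port) can be turned into a simple detection pass over HTTP logs. The script below is an added example, not part of the diary or of Security Onion; its log line format and the sample lines are constructed, and the 5-minute window is an assumed tuning value.

```python
# Added example (not from the diary): flag hosts whose HTTP traffic follows the
# CryptoWall 3.0 pattern described above, a public-IP lookup (ip-addr.es)
# followed shortly by HTTP to a bare-IP host on a non-standard port.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

STANDARD_HTTP_PORTS = {80, 443, 8080}
IP_CHECK_HOSTS = {"ip-addr.es"}   # public-IP lookup service seen in the infection

def parse_line(line):
    """Parse one constructed log line: 'ts src_ip host:port method uri'."""
    ts, src, hostport, method, uri = line.split(maxsplit=4)
    host, _, port = hostport.rpartition(":")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "src": src,
            "host": host, "port": int(port), "method": method, "uri": uri}

def is_bare_ip(host):
    """True when the HTTP Host is an IP literal rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_checkins(lines, window=timedelta(minutes=5)):
    """Return {src_ip: [(host, port), ...]} for sources matching the pattern."""
    last_ipcheck = {}            # src_ip -> time of its latest public-IP lookup
    hits = defaultdict(list)
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        if rec["host"] in IP_CHECK_HOSTS:
            last_ipcheck[rec["src"]] = rec["ts"]
            continue
        seen = last_ipcheck.get(rec["src"])
        if (seen is not None and rec["ts"] - seen <= window
                and is_bare_ip(rec["host"])
                and rec["port"] not in STANDARD_HTTP_PORTS):
            hits[rec["src"]].append((rec["host"], rec["port"]))
    return dict(hits)

# Constructed sample log lines modelled on the traffic described in the diary.
SAMPLE_LOG = [
    "2015-01-14T15:02:11 192.168.1.20 ip-addr.es:80 GET /",
    "2015-01-14T15:02:13 192.168.1.20 194.58.109.158:2525 POST /",
    "2015-01-14T15:03:40 192.168.1.20 5.199.166.220:80 GET /",
    "2015-01-14T15:10:00 192.168.1.31 www.example.com:80 GET /news",
    "2015-01-14T16:30:00 192.168.1.31 203.0.113.9:8080 GET /proxy.pac",
]

if __name__ == "__main__":
    for src, peers in find_checkins(SAMPLE_LOG).items():
        print(f"possible CryptoWall check-in from {src}: {peers}")
```

The decrypt-instruction page at 5.199.166.220 is fetched on port 80 and so is deliberately not flagged by this rule; the EmergingThreats signature [4] covers the check-in content itself, whereas this heuristic only keys on the traffic shape.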

The decryption instructions specify the following bitcoin account for a ransom payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Here's what the user would see on their desktop screen:

----------

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html
[2] http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-3/
[3] https://forums.malwarebytes.org/index.php?/topic/163485-cryptowall-30/
[4] http://doc.emergingthreats.net/2018452
[5] http://blog.securityonion.net/p/securityonion.html

 
Cpio Symlink Directory Traversal Vulnerability
 
ha Multiple Directory Traversal Vulnerabilities
 


Blackhat the movie, as reviewed in Loki gifs
ZDNet
No-one had anything negative to say about the film, showing Hollywood that Silicon Valley infosec will gladly mimic Silicon Valley startup jock culture when it comes to being star-struck, seeking validation, and becoming sycophantic in the presence of ...

 
Linux Kernel CVE-2014-6418 Denial of Service Vulnerability
 
Linux Kernel 'keys/gc.c' Local Memory Corruption Vulnerability
 
[SECURITY] [DSA 3131-1] xdg-utils security update
 
CVE-2015-1032 Kiwix Cross-Site Scripting Vulnerability
 
[slackware-security] seamonkey (SSA:2015-016-04)
 
[slackware-security] mozilla-thunderbird (SSA:2015-016-03)
 

WHY is the FBI so sure North Korea hacked Sony? NSA: *BLUSH*
The Register
The latest twist in the tale supports the argument of those in the infosec world who had argued that the US must have had some sig-int (signals intelligence) that allowed it to be confident that North Korea was behind the Sony hack. Whether or not this ...

 
Cisco WebEx Meetings Server CVE-2014-8030 Cross Site Scripting Vulnerability
 

What will 2015 bring to infosec?
CSO Australia (blog)
It's always wonderful to start a new year. A new year brings a fresh perspective and renewed enthusiasm. So what do I think twenty-fifteen will bring us? More breaches! No organisation's security is perfect, security breaches, data theft and public ...

 