Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Originally reported by Malwarebytes in October 2014 [1], the EITest campaign has been going strong ever since. Earlier this year, I documented how the campaign has evolved over time [2].

During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler on 2016-05-05 [3].

This is not a new situation. We've seen at least one other campaign switch between Angler and Neutrino EK in the fall of 2015 [4, 5, 6]. However, May 2016 is the first time I've noticed it from the EITest campaign.

The EITest campaign predominantly uses Angler, but it now uses Neutrino EK on occasion. In today's diary, we

Shown above: Flow chart for the EITest campaign.

Details

Since January 2016, the EITest campaign has used 85.93.0.0/24 for a gate between the compromised website and the EK. The TLD for these gate domains has most often been .tk, but we've seen .co.uk domains used this week [7].

Shown above: An example of injected EITest script in a page from a compromised website.

Using the same compromised website, I generated two full infection chains from the EITest campaign. The infections were 11 minutes apart. The first one used Neutrino EK and sent Gootkit malware.

Shown above: The first infection chain, with the EITest gate leading to Neutrino EK.

Shown above: 11 minutes later, the same gate led to Angler EK.

The following indicators of compromise (IOCs) were noted from these infections:

Date/Time: 2016-05-19 20:06 UTC (Neutrino EK chain):

  • 85.93.0.33 port 80 - true.imwright.co.uk - EITest gate
  • 104.238.185.187 port 80 - ndczaqefc.anein.top - Neutrino EK
  • Payload: Gootkit information stealer - VirusTotal link - malwr.com link - Payload Security link

Date/Time: 2016-05-19 20:17 UTC (Angler EK chain):

  • 85.93.0.33 port 80 - true.imwright.co.uk - EITest gate
  • 185.117.75.219 port 80 - kmgb0.yle6to.top - Angler EK
  • Payload: undetermined - VirusTotal link - malwr.com link - Payload Security link
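The IOCs above are most useful when they are actually run against traffic logs, and the gate netblock is the most durable of them: the gate domains rotate (.tk one week, .co.uk the next) while 85.93.0.0/24 has stayed constant since January 2016. The script below is an added example (not part of the diary, and not a tool the ISC publishes) that matches proxy log lines against the indicators from both infection chains and then looks for the gate-to-EK sequence the diary describes. The log layout is an assumption (Squid native access.log), the sample lines are constructed, and the 600-second pairing window is an arbitrary choice.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the diary above (2016-05-19 infections). The /24 is the
# gate netblock the campaign has used since January 2016; the domains and IPs
# are from the two infection chains listed under the IOCs.
EITEST_GATE_NET = ipaddress.ip_network("85.93.0.0/24")
IOC_DOMAINS = {
    "true.imwright.co.uk": "EITest gate",
    "ndczaqefc.anein.top": "Neutrino EK",
    "kmgb0.yle6to.top": "Angler EK",
}
IOC_IPS = {
    "85.93.0.33": "EITest gate",
    "104.238.185.187": "Neutrino EK",
    "185.117.75.219": "Angler EK",
}

# Squid native access.log layout (assumed for this example):
# timestamp elapsed client code/status bytes method URL user peerstatus/peerhost type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)


def classify(url, peer):
    """Label a request that touches an EITest IOC; None if it does not."""
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_DOMAINS:
        return IOC_DOMAINS[host]
    # Fall back to the URL host if it is an IP literal, then to the server the
    # proxy actually connected to, so a fresh gate domain on the known netblock
    # still fires even though its name is not on the list.
    for candidate in (host, peer):
        if candidate in IOC_IPS:
            return IOC_IPS[candidate]
        try:
            if ipaddress.ip_address(candidate) in EITEST_GATE_NET:
                return "EITest gate netblock"
        except ValueError:
            pass  # not an IP literal
    return None


def scan_log(lines):
    """Return (timestamp, client, host, label) for every IOC hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("url"), m.group("peer"))
        if label:
            host = urlsplit(m.group("url")).hostname or m.group("peer")
            hits.append((float(m.group("ts")), m.group("client"), host, label))
    return hits


def find_chains(hits, window=600):
    """Pair a gate hit with the first EK hit from the same client within
    `window` seconds: the compromised site -> gate -> EK sequence."""
    chains = []
    by_client = {}
    for hit in sorted(hits):
        by_client.setdefault(hit[1], []).append(hit)
    for client, events in by_client.items():
        for i, (ts, _, host, label) in enumerate(events):
            if not label.startswith("EITest gate"):
                continue
            for ts2, _, _, label2 in events[i + 1:]:
                if label2.endswith(" EK") and ts2 - ts <= window:
                    chains.append((client, host, label2))
                    break
    return chains


# Constructed sample lines, not real traffic; unknown-gate.tk is a made-up name
# standing in for a gate domain that is not yet on any list.
SAMPLE_LOG = """\
1463688360.123 45 10.0.0.5 TCP_MISS/200 1532 GET http://true.imwright.co.uk/ - DIRECT/85.93.0.33 text/html
1463688361.456 120 10.0.0.5 TCP_MISS/200 48211 GET http://ndczaqefc.anein.top/ - DIRECT/104.238.185.187 text/html
1463688400.789 30 10.0.0.7 TCP_MISS/200 2210 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1463689020.001 60 10.0.0.9 TCP_MISS/200 912 GET http://unknown-gate.tk/ - DIRECT/85.93.0.40 text/html
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("IOC hit:", hit)
    for client, gate, ek in find_chains(hits):
        print("infection chain: %s -> %s -> %s" % (client, gate, ek))
```

On the sample input the fourth line fires on the peer address alone, which is the point of keeping the netblock check separate from the domain list; the single chain reported is client 10.0.0.5 going from the true.imwright.co.uk gate to Neutrino EK a second later. A gate hit with no EK follow-up (client 10.0.0.9 here) is still worth triage, since in the diary the same gate served both Angler and Neutrino within 11 minutes.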

I wasn't able to generate any post-infection traffic from the Angler EK payload, and I haven't had time to examine the malware to determine what it is. The Neutrino EK payload was Gootkit (an information stealer). I generated the following IOCs from the Neutrino EK payload:

 

US House Lifts Block on Google-Hosted Apps
Fortune
Yahoo Mail remains inaccessible, however, and has been blacklisted since the House Information Security Office said in an April 30 memo it had detected an increase of ransomware attacks on the network. The two restrictions were not related, but came ...
 

James R. Clapper: U.S. Intelligence Chief Says Foreign Governments Have Made Attempts To Hack Into The Websites ...
The Inquisitr
As ABC News reports, the nation's intelligence chief believes the hackers are working for foreign governments by snooping around potential presidential candidates. Clapper said government officials are working with campaigns of all the candidates to ...
 


ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.

San Jose, California-based Ubiquiti Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he's seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it's likely that ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears. Ubiquiti officials have said there are at least two variations, so it's possible that other strains behave differently.


 
[security bulletin] HPSBGN03564 rev.1 - HPE Release Control using Java Deserialization, Remote Code Execution
 
[SECURITY] [DSA 3584-1] librsvg security update
 

In a surprising move, the TeslaCrypt ransomware developers have stopped distributing TeslaCrypt and released their master decryption key to the public. Various TeslaCrypt decryptor tools have been updated to include this key, giving anyone compromised by TeslaCrypt a way of decrypting their data without paying the ransom.

Further information can be found in the ESET blog post.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

 

ImageMagick calls into question responsible disclosure reporting
TechTarget
Worse, because the ImageMagick libraries are used in so many applications and services, many users may be completely unaware they are affected by the vulnerability, making it all the more important to spread the news of the vulnerability quickly. The ...

 

Imprivata UK unveils latest range of security solutions created for the healthcare industry at InfoSec Europe
ResponseSource (press release)
London, UK, May 19, 2016: Imprivata, the healthcare IT security company, will be revealing its latest comprehensive range of security solutions for the healthcare market at Infosec Europe, including Imprivata OneSign® 5.2 and Imprivata Confirm ID® 2.0.
 
[SEARCH-LAB advisory] LG NAS N1A1 multiple vulnerabilities in Familycast
 
[ERPSCAN-16-011] SAP NetWeaver AS JAVA - SQL injection vulnerability
 
[ERPSCAN-16-010] SAP NetWeaver AS JAVA - information disclosure vulnerability
 
TYPO3 RemoveXSS.php vulnerability versions 6.2.19 and 7.6.4
 

US intelligence: Foreign hackers spying on campaigns
Sentinel-Tribune
"This exceeded traditional lobbying and public diplomacy." Jonathan Lampe with InfoSec Institute, a private information security company in Chicago, said security hasn't improved significantly since then. In October, he evaluated the security of 16 ...
Presidential candidates may be vulnerable to foreign hackers, US says (The Guardian)
Clapper: Hackers target US presidential campaigns (Deutsche Welle)
 

House lifts block on Google-hosted apps, Yahoo Mail remains blacklisted
Reuters
 