Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week.

Sucuri's blog has information concerning the compromised Magento servers [1], while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK [2]. The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic.

Chain of events

The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.

Shown above: Other traffic I found, from Friday 2015-10-16.

Last week's chain of events appears to be:

  • Bad actors behind this campaign compromise a Magento website.
  • Pages from compromised sites have injected script pointing to a URL at guruincsite.com.
  • The URL to guruincsite.com returns an iframe pointing to a second malicious domain.
  • The second malicious URL returns HTML redirecting to a third URL ending with neitrino.php.
  • neitrino.php from the third malicious domain returns an iframe to a Neutrino EK landing page.

Shown above: Flow chart for last week
Shown above: Traffic I found on Friday 2015-10-16, this time with IP addresses.

On closer examination, last week's traffic followed specific URL patterns.
Shown above: HTTP GET request to guruincsite.com.

The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume is a misspelling of "neutrino").

Shown above: HTTP GET request to the third URL.
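The chain of events and the URL patterns above are what an analyst has to recover from proxy or pcap-derived HTTP logs, so here is an added example (my own code, not from the diary, Sucuri or Malwarebytes) that rebuilds the redirect tree from referer headers and marks the stages the diary describes. The log lines are constructed; every host except guruincsite.com is a placeholder, because the diary does not name the second and third domains or the landing-page host, and the path on guruincsite.com is not given. Treating any /app/?<token> request as the iframe stage is a generalization from the single observed /app/?d22H and is marked as such in the code.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed HTTP request log (not the diary's pcap). Hosts other than
# guruincsite.com are placeholders; the guruincsite.com path is unknown.
SAMPLE_LOG = """\
2015-10-16T14:02:01Z GET http://shop.example/index.php referer=""
2015-10-16T14:02:01Z GET http://guruincsite.com/ referer="http://shop.example/index.php"
2015-10-16T14:02:02Z GET http://second.example/app/?d22H referer="http://shop.example/index.php"
2015-10-16T14:02:02Z GET http://third.example/neitrino.php referer="http://second.example/app/?d22H"
2015-10-16T14:02:03Z GET http://landing.example/abc referer="http://third.example/neitrino.php"
2015-10-16T14:02:03Z GET http://cdn.unrelated.example/jquery.js referer="http://other.example/"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) GET (?P<url>\S+) referer="(?P<ref>[^"]*)"$')

Request = namedtuple("Request", "ts url referer")
Node = namedtuple("Node", "ts url depth indicators")


def parse_log(lines):
    """Parse 'ts GET url referer="..."' lines; anything that does not match is skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(Request(m["ts"], m["url"], m["ref"]))
    return out


def stage_indicators(url):
    """Match one URL against the stage patterns described in the diary."""
    parts = urlsplit(url)
    hits = []
    if parts.hostname == "guruincsite.com":
        hits.append("guruincsite.com: host the injected script points to")
    if parts.path.endswith("/neitrino.php"):
        hits.append("neitrino.php redirector")
    # Assumption: generalised from the single observed instance /app/?d22H.
    if parts.path == "/app/" and parts.query:
        hits.append("/app/?<token> iframe target")
    return hits


def referer_root(url, by_url):
    """Walk referers back to the page that started the chain; return (root, hops)."""
    hops, seen = 0, set()
    while url in by_url and by_url[url].referer and url not in seen:
        seen.add(url)
        url = by_url[url].referer
        hops += 1
    return url, hops


def infection_tree(lines, landing_url):
    """Every request that shares a referer root with landing_url, oldest first.

    Walking referers alone from the landing page would miss siblings such as the
    guruincsite.com script (nothing refers to it), so the whole tree is collected.
    """
    requests = parse_log(lines)
    by_url = {r.url: r for r in requests}
    root, _ = referer_root(landing_url, by_url)
    nodes = []
    for r in requests:
        r_root, depth = referer_root(r.url, by_url)
        if r_root == root:
            nodes.append(Node(r.ts, r.url, depth, stage_indicators(r.url)))
    return sorted(nodes, key=lambda n: (n.ts, n.depth))


if __name__ == "__main__":
    for n in infection_tree(SAMPLE_LOG.splitlines(), "http://landing.example/abc"):
        flag = "  <-- " + "; ".join(n.indicators) if n.indicators else ""
        print(f"{n.ts} {'  ' * n.depth}{n.url}{flag}")
```

The landing page itself carries no indicator because the diary gives no pattern for the Neutrino landing URL; it is pulled in only through the referer tree, which is the point: the recognisable middle stages are what let you find the unknown final one.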

Final words

I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday 2015-10-21 [3].

The compromised websites that Magento has investigated were not up-to-date. They all needed a patch that was published earlier this year [4]. I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability. This is probably an issue where people haven't been keeping their software updated or have otherwise been following poor security practices.

Sites will get compromised if they aren't patched and their software kept up-to-date. Running a website on the Internet is like having a house in a bad neighborhood. People are always trying to break in.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html
[2] https://blog.malwarebytes.org/exploits-2/2015/10/new-neutrino-ek-campaign-drops-andromeda/
[3] http://malware-traffic-analysis.net/2015/10/21/index.html
[4] https://magento.com/security/news/important-security-update

 


Serious weaknesses in the Internet's time-synchronization mechanism can be exploited to cause debilitating outages, snoop on encrypted communications, or tamper with Bitcoin transactions, computer scientists warned Wednesday.

The vulnerabilities reside in the Network Time Protocol, the widely used specification computers use to ensure their internal clocks are accurate. Surprisingly, connections between computers and NTP servers are rarely authenticated or encrypted, making it possible for attackers to perform man-in-the-middle attacks that reset clocks to times that are months or even years in the past. In a paper published Wednesday titled "Attacking the Network Time Protocol," the researchers described several techniques to bypass measures designed to prevent such drastic time shifts. The paper also described ways to prevent large numbers of computers from successfully connecting to synchronization servers.

The attacks could be used by malicious actors to wreak havoc on the Internet. An attack that prevented sensitive computers and servers from receiving regular time-synchronization updates could cause malfunctions on a mass scale. In many cases, such denial-of-service hacks can be carried out even when attackers are "off-path," meaning the hacker need not have the ability to monitor traffic passing between a computer and NTP server.
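The clock-offset arithmetic and the client-side sanity checks the article alludes to, as an added example (my own code, not from the paper or from Ars Technica): it decodes a 48-byte NTPv4 server reply, computes the offset from the four timestamps, and refuses a reply whose origin timestamp does not echo the request or whose implied step exceeds a threshold. The 1000-second threshold is an assumption that mirrors ntpd's default panic gate, and the sample replies, including the one that tries to move the clock back a year, are constructed. The article says the paper describes bypasses for exactly this kind of gate, so this is a baseline check, not a defense against the paper's attacks.

```python
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
MAX_STEP_SECONDS = 1000.0       # assumption: mirrors ntpd's default panic threshold for one step


def to_ntp_ts(seconds: float) -> int:
    """Seconds since the NTP epoch -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(seconds)
    frac = int((seconds - whole) * 2**32)
    return (whole << 32) | frac


def from_ntp_ts(raw: int) -> float:
    return (raw >> 32) + (raw & 0xFFFFFFFF) / 2**32


@dataclass
class NtpReply:
    leap: int
    version: int
    mode: int
    stratum: int
    origin: int     # raw 64-bit timestamps, compared bit-for-bit
    receive: int
    transmit: int


def parse_ntp_reply(pkt: bytes) -> NtpReply:
    """Decode the fixed 48-byte NTP header (RFC 5905 layout)."""
    if len(pkt) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, _poll, _precision, _root_delay, _root_disp, _refid,
     _reference, origin, receive, transmit) = struct.unpack("!BBbbIIIQQQQ", pkt[:48])
    return NtpReply(leap=flags >> 6, version=(flags >> 3) & 7, mode=flags & 7,
                    stratum=stratum, origin=origin, receive=receive, transmit=transmit)


def build_server_reply(origin_raw: int, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed mode-4 reply for the demo; real servers populate every field."""
    flags = (0 << 6) | (4 << 3) | 4   # LI=0, VN=4, mode=4 (server)
    return struct.pack("!BBbbIIIQQQQ", flags, stratum, 6, -20, 0, 0, 0,
                       to_ntp_ts(t2), origin_raw, to_ntp_ts(t2), to_ntp_ts(t3))


def evaluate_reply(pkt: bytes, t1_raw: int, t4: float) -> tuple[str, float]:
    """Apply the basic client checks and return (verdict, offset).

    t1_raw is the transmit timestamp we put in our request; t4 is our receive time.
    offset = ((T2 - T1) + (T3 - T4)) / 2 per RFC 5905.
    """
    r = parse_ntp_reply(pkt)
    if r.mode != 4:
        return ("reject: not a server reply", 0.0)
    if r.stratum == 0:
        return ("reject: kiss-o'-death / unsynchronised server", 0.0)
    if r.origin != t1_raw:
        # The origin field must echo our request; an off-path forger has to guess it.
        return ("reject: origin timestamp does not echo our request", 0.0)
    t1 = from_ntp_ts(t1_raw)
    offset = ((from_ntp_ts(r.receive) - t1) + (from_ntp_ts(r.transmit) - t4)) / 2
    if abs(offset) > MAX_STEP_SECONDS:
        return ("reject: step exceeds panic threshold", offset)
    return ("accept", offset)


def demo() -> dict:
    """Constructed scenario: honest reply, a reply shifting the clock back a year, a forged origin."""
    t1 = 1445472000.0 + NTP_EPOCH_OFFSET          # 2015-10-22 00:00:00 UTC as NTP seconds
    t1_raw = to_ntp_ts(t1)
    t4 = t1 + 0.100                               # reply arrives 100 ms after we sent
    year = 365 * 86400
    return {
        "benign": evaluate_reply(build_server_reply(t1_raw, t1 + 0.070, t1 + 0.071), t1_raw, t4),
        "shifted": evaluate_reply(build_server_reply(t1_raw, t1 + 0.070 - year, t1 + 0.071 - year), t1_raw, t4),
        "forged_origin": evaluate_reply(build_server_reply(t1_raw ^ 1, t1 + 0.070, t1 + 0.071), t1_raw, t4),
    }


if __name__ == "__main__":
    for name, (verdict, offset) in demo().items():
        print(f"{name:14s} {verdict:55s} offset={offset:+.4f}s")
```

The origin-timestamp check is what makes an on-path attacker necessary for the simple version of the attack; the step gate is what an attacker has to get around to move the clock by years in one go.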


 

Nasdaq's BWise Releases New Information Security Solution
Nasdaq
NEW YORK, Oct. 21, 2015 (GLOBE NEWSWIRE) -- Nasdaq's BWise (Nasdaq:NDAQ), a global leader in enterprise Governance, Risk Management and Compliance (eGRC), today announced the release of its new solution: BWise® Information Security ...
Nasdaq BWise releases information security package (Finextra, press release)

 
Cisco Security Advisory: Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco ASA Software DNS Denial of Service Vulnerability
 
 

Apple published one of its usual updates for everything. Below I took a shot at a quick summary. You can find details here: https://support.apple.com/kb/HT201222

iOS 9.1

49 vulnerabilities fixed. A number of these affect WebKit and are exploitable via Safari. The update also addresses numerous issues in FontParser.

WatchOS 2.0.1

14 vulnerabilities fixed. CVE-2015-5916 looks like a repeat of what was fixed in WatchOS 2: Apple Pay may allow malicious terminals to retrieve a partial transaction history.

Safari 9.0.1

9 vulnerabilities in WebKit fixed (pretty much the same vulnerabilities fixed in iOS 9.0.1).

iTunes 12.3.1

12 vulnerabilities fixed, 9 of which affect WebKit, which is included in iTunes.

EFI

EFI contained unused functions that could be abused. This update removes these unused functions.

Apple OS X 10.11.1

41 vulnerabilities fixed. Again WebKit and some FontParser vulnerabilities. This update also addresses issues with open source software included in OS X, like PHP. The Safari 9.0.1 update is included in this update.

I didn't see an update for Apple TV yet, but wouldn't be surprised if one is released as well. At least the WebKit issues will also affect Apple TV.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

Nasdaq's BWise Releases New Information Security Solution
MarketWatch
Nasdaq's BWise NDAQ, -1.00% a global leader in enterprise Governance, Risk Management and Compliance (eGRC), today announced the release of its new solution: BWise® Information Security (InfoSec), at its Global BWise Customer Summit in New York ...

 

 

A reader sent us an odd-looking DNS TXT record. The record was recovered from an old, decommissioned DNS server. Has anybody seen this before? The zone also includes the Google Apps authentication records, so it is possible that this is a similar scheme. According to the reader, the change times on the file are from 2010, but it is not certain that these times are correct. The file was maintained manually, so it is unlikely that a bad IP management script corrupted it.

We have seen DNS TXT records used as a covert channel in the past, so it is possible this is an attempt at something like that, or that these records were used for reflective DNS attacks. At this point, I really have no idea and was wondering if someone else has seen this.

bradmbig   TXT  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@Cc::.:::cc:[email protected]@@@@@@@ @@@@@@@Oc::....:...:::co@@@@@@ @@@@@@c:::........:::::[email protected]@@@@ @@@@@o:::::::c::::c:....:@@@@@ @@@@O::::[email protected]@@@ @@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@ @@@@@c::[email protected]@@@ @@@[email protected]@@@@ @@@[email protected]@@@@ @@@@@[email protected]@@@@ @@@[email protected]@@@@@@ @@@@[email protected]@@@@@@@ @@@@[email protected]@@@@@@@ @@@OOOOOCooocc:c::[email protected]@@@@@@@ @@[email protected]@@@@@@ @@[email protected]:ooCCCCoocoCooo:[email protected]@@@ c..:....oCCCOCCCOCCoCo...:..cO .....:...oCCCCCCOOCOo....:....

bradbig    TXT  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@Cc::.:::cc:[email protected]@@@@@@@ @@@@@@@Oc::....:...:::[email protected]@@@@@ @@@@@@c:::........:::::[email protected]@@@@ @@@@@o:::::::c::::c:....:@@@@@ @@@@O::::[email protected]@@@ @@@@Oc.:CCCoCCOOOOCCCCC.:@@@@@ @@@@@c::[email protected]@@@ @@@[email protected]@@@@ @@@[email protected]@@@@ @@@@@[email protected]@@@@ @@@[email protected]@@@@@@ @@@@[email protected]@@@@@@@ @@@@[email protected]@@@@@@@ @@@OOOOOCooocc:c::[email protected]@@@@@@@ @@[email protected]@@@@@@ @@[email protected]:ooCCCCoocoCooo:[email protected]@@@ c..:....oCCCOCCCOCCoCo...:..cO .....:...oCCCCCCOOCOo....:....

bradmsmall TXT  @@@@@@@@@@@@@@@@@ @@@@@8c:::[email protected]@@@ @@@O::....:::[email protected]@@ @@@::c:cc:c:[email protected]@ @@8:[email protected]@ @@[email protected]@ @@[email protected]@@ @@[email protected]@@@ @@[email protected]@@@ @88c:CCooooo:[email protected]@@ Oc..cCCCCCCCc.:O8 .....cCCCOCc.....

bradm      TXT  @@@@@@@@@@@@@@@@@ @@@@@8c:::[email protected]@@@ @@@O::....:::[email protected]@@ @@@::c:cc:c:[email protected]@ @@8:[email protected]@ @@[email protected]@ @@[email protected]@@ @@[email protected]@@@ @@[email protected]@@@ @88c:CCooooo:[email protected]@@ Oc..cCCCCCCCc.:O8 .....cCCCOCc.....
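Both theories in the diary (covert channel, reflection amplifier) can be screened for with a few record-level features, so here is an added triage script (my own code, not the reader's data or anything from the ISC). The zone records are constructed: the ASCII-art entry imitates the character set of the records above, the base64 blob stands in for an encoded payload, and the known-prefix allow-list and the thresholds (64 characters, 12 distinct characters, 95 percent base64 alphabet) are assumptions to be tuned, not published indicators. The amplification figure is the UDP response-to-query byte ratio for a single-answer TXT reply without EDNS.

```python
import base64
import math

# Assumption: a starter allow-list of TXT prefixes with a well-known benign purpose.
KNOWN_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Constructed sample zone (not the reader's records). ASCII_ART uses the same
# character set as the diary's records; B64_BLOB imitates an encoded payload.
ASCII_ART = ("@@@@@@@@@@@@@@@@@ @@@@@8c:::cO@@@@@ @@@O::....:::cO@@ @@@::c:cc:c:::O@@ "
             "@@8:oCCOOOOCCo:@@ @@o:CCCCCCCCCc:@@ @@c:ooCCCCCoo:c@@ @@c::oooooo::cO@@ "
             "@88c:CCooooo:cO@@ Oc..cCCCCCCCc.:O8")
B64_BLOB = base64.b64encode(bytes(range(90))).decode()
SAMPLE_ZONE = [
    ("example.com.", "v=spf1 include:_spf.example.net ~all"),
    ("example.com.", "google-site-verification=dGhpcyBpcyBhIHNhbXBsZSB0b2tlbiB2YWx1ZQ"),
    ("bradm.example.com.", ASCII_ART),
    ("x1.example.com.", B64_BLOB),
    ("note.example.com.", "contact: hostmaster"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for repetitive filler, close to 6 for dense base64."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def txt_rdata_len(txt: str) -> int:
    """Wire size of TXT RDATA: each <=255-byte <character-string> carries a 1-byte length."""
    data = txt.encode()
    chunks = max(1, -(-len(data) // 255))
    return len(data) + chunks


def amplification(qname: str, txt: str) -> float:
    """Response bytes / query bytes for one TXT answer over plain UDP (no EDNS)."""
    qwire = len(qname.strip(".")) + 2        # label-length bytes plus the root terminator
    query = 12 + qwire + 4                   # header + QNAME + QTYPE/QCLASS
    answer = 12 + txt_rdata_len(txt)         # compressed name(2) + type/class/TTL/RDLENGTH(10) + RDATA
    return (query + answer) / query


def classify_txt(txt: str) -> list[str]:
    """Heuristic tags for one TXT string (thresholds are assumptions)."""
    if txt.startswith(KNOWN_PREFIXES):
        return ["known-purpose"]
    tags = []
    if len(txt.encode()) > 255:
        tags.append("multi-string: longer than one 255-byte character-string")
    compact = txt.replace(" ", "")
    if len(compact) >= 64:
        b64_ratio = sum(ch in B64_ALPHABET for ch in compact) / len(compact)
        if " " not in txt and b64_ratio >= 0.95:
            tags.append("base64-like blob: possible encoded payload or covert channel")
        if len(set(txt)) <= 12:
            tags.append("few distinct characters: repetitive filler or ASCII art")
    return tags


def triage(zone):
    """(name, tags, entropy, amplification) for every TXT record in the zone."""
    return [(name, classify_txt(txt), round(shannon_entropy(txt), 2),
             round(amplification(name, txt), 1)) for name, txt in zone]


if __name__ == "__main__":
    for name, tags, ent, amp in triage(SAMPLE_ZONE):
        print(f"{name:22s} H={ent:4.2f} amp={amp:4.1f}x  {', '.join(tags) or '-'}")
```

The reader's records fall into the third bucket: long, but built from fewer than a dozen characters, which is the opposite of what a packed covert-channel payload looks like and makes them more interesting as a reflection amplifier, or simply as somebody's art, than as exfiltration.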

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
SiteWIX - (edit_photo2.php id) SQL Injection Exploit
 
[SE-2014-02] Google App Engine Java security sandbox bypasses (Issue 42)
 

Infosec pros should start preparing for the future, say experts
ComputerWeekly.com
Infosec professionals should work to bring security into the mindset of management by explaining the cyber security-related risks to the business, which in turn should encourage senior executives to provide the resources necessary to mitigate and ...

 
[SECURITY] [DSA 3376-1] chromium-browser security update
 