Information Security News
On Saturday, the New York Times published an article based on slides obtained from former NSA contractor Edward Snowden as well as interviews with anonymous intelligence officials that alleged the NSA had broken into the servers of Chinese telecom giant Huawei. There, the spy agency obtained sensitive information about the company's routers and switches that served to link its customers to its network. The NSA also monitored the communications of Huawei's executives, the NYT reports.
The US has long had a fraught relationship with Huawei, a company that has maintained that it is independent from the Chinese government and has no ties to the People's Liberation Army (PLA). Still, citing national security concerns, US authorities blocked Huawei's purchase of 3Com in 2008, accused it of un-American activities in 2012, and then convinced Sprint and SoftBank to limit their use of Huawei gear in 2013.
The New York Times report said that the 2010 NSA operation, code-named “Shotgiant” (link goes to leaked classified slides), was looking for clues that the giant telecom was working with the PLA.
ISC contributor Simon transmitted the following results of their investigation to the local users of their forum highlighting how a safety lapse on a user machine resulted into some dramatic consequences. It highlights the IR steps taken by the response team to cleanup, return the mail service in operation and dealing with the aftermath of the spam campaign.
Late last night we had an occurrence that raised a red alert on one of our servers indicating it might have been compromised. We received notification from the abuse department of our ISP, that our servers were transmitting spams.
We immediately shut down all e-mail services then started to analyse the log files.
We found that all spams had been sent using a particular user account on this very server, that user enjoying the privilege of an e-mail account on this server. A whole botnet was participating in "delivering" the spams for distribution by our servers.
Further analysis of log files as well as packet captures showed that there had been no occurrence prior to the first login to the user's account, no attempts to break into that account was registered. The first attempt to log into that account already used the correct password.
We changed the password of that user, effectively taking control of that account away from that user, removed more than 17,000 spams still waiting to be delivered from the server's mail transmit queue, and began to partially restart the mail services until all mail servers were operating in full again with no further anomalies.
While we are waiting for reply from that particular user, who had instantly been notified about the issue as well, we can only assume what may have happened: we believe the user's computer has been compromised and the credentials for this server as well as possibly other sites (including telebanking etc.) have been stolen. That way the spammer then could use the correct password for the correct account a short while later and started his spam campaign.
In the meantime we are continuing to work on that affair to ensure, that ISPs affected by the spam campaign get to know about the result of our analysis (the whole spam campaign was stopped within one hour), also in the attempt to limit the impact of spam protection which might blacklist our e-mail servers.
The occurrence highlights the dangers of the highly networked environment we are operating in. A user's PC being compromised is not just a local event, it affects the user's ISPs and mail service providers, the banks the user works with. A compromised PC thus provides not only headache to the owner of that PC for exposing private and confidential details to others, but also a lot of headache to other people who provide service and trust in the PCs being handled securely.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
du's newly-launched Student InfoSec Award invites UAE students to change the ...
In the spirit of fostering innovation and nurturing the progression of local talent in the field of information security, du invites students across the UAE to participate in its newly-launched Student InfoSec Award. The Student InfoSec Award is a ...