Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

On Tuesday, WikiLeaks published five top secret documents definitively showing that the National Security Agency has been spying on French President François Hollande and his two immediate predecessors, Nicolas Sarkozy and Jacques Chirac, among other top officials.

The documents, as WikiLeaks released them, include excerpts of five intelligence briefs that contain descriptions of what was intercepted, "taken from various editions of the National Security Agency's Top Secret Global SIGINT Highlights executive briefings." This wording suggests that WikiLeaks has even more complete intelligence briefs that it did not publish, an unusual move for the group. WikiLeaks also published a chart showing a list of redacted phone numbers of those officials.

One, dated March 24, 2010, includes notes from a conversation between two top French officials:


 
ESA-2015-110: EMC Documentum Thumbnail Server Directory Traversal Vulnerability
 
ESA-2015-109: EMC Documentum D2 Cross-Site Scripting
 

Posted by InfoSec News on Jun 23

http://www.wired.com/2015/06/airlines-security-hole-grounded-polish-planes/

By Kim Zetter
Security
Wired.com
6.22.15

MORE THAN 10 airplanes were grounded on Sunday after hackers apparently
got into computer systems responsible for issuing flight plans to pilots
of Poland’s state-owned LOT airline. The apparent weak link? The flight
plan-delivery protocol used by every airline. In fact, though this may be
the first confirmed hack of its...
 

-Kevin -- ISC Handler on Duty

 

Despite reaching its official end of life over a year ago, Microsoft's Windows XP is still bringing the company some significant revenue—largely because Department of Defense and government customers can't seem to get rid of it. And the Navy is one of Microsoft's best custom-support customers.

The US Navy's Space and Naval Warfare Systems Command (SPAWAR) has closed a $9.1 million contract extension with Microsoft that the agency originally announced in April to further extend custom support for the venerable Windows XP operating system, as well as the Office 2003 suite and Exchange 2003 e-mail. According to a Navy contracting announcement, "Across the United States Navy, approximately 100,000 workstations currently use these applications. Support for this software can no longer be obtained under existing agreements with Microsoft because the software has reached the end of maintenance period."

The renewal, according to SPAWAR officials, will buy the Navy "time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities." Many of the systems are in shipboard administrative networks that have not been available for extended periods of maintenance; the Navy is also playing catch-up on its land-based network upgrades as the result of the long delays in the service's Next Generation Network (NGEN) contract—the follow-up to the outsourced Navy and Marine Corps Intranet (NMCI).


 

Posted by InfoSec News on Jun 23

http://www.networkworld.com/article/2939254/the-us-navys-warfare-systems-command-just-paid-millions-to-stay-on-windows-xp.html

By Martyn Williams
IDG News Service
June 22, 2015

The U.S. Navy is paying Microsoft millions of dollars to keep up to
100,000 computers afloat because it has yet to transition away from
Windows XP.

The Space and Naval Warfare Systems Command, which runs the Navy’s
communications and information networks, signed a...
 
 

Posted by InfoSec News on Jun 23

http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/

By Craig Timberg
The Washington Post
June 22, 2015

The seven young men sitting before some of Capitol Hill’s most powerful
lawmakers weren’t graduate students or junior analysts from some think
tank. No, Space Rogue, Kingpin, Mudge and the others were hackers who had
come from the mysterious environs of cyberspace to deliver a terrifying
warning to the world....
 

Posted by InfoSec News on Jun 23

http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/index.html

By Evan Perez and Shimon Prokupecz
CNN
June 23, 2015

Washington (CNN) - The personal data of an estimated 18 million current,
former and prospective federal employees were affected by a cyber breach
at the Office of Personnel Management - more than four times the 4.2
million the agency has publicly acknowledged. The number is expected to
grow, according to U.S. officials...
 

Posted by InfoSec News on Jun 23

http://www.csoonline.com/article/2936175/security-leadership/do-cruises-and-clouds-help-security-pros-relax-on-vacation.html

By Kacy Zurkus
CSO
June 22, 2015

Packing the suitcases and setting off on vacation doesn’t necessarily mean
that IT executives are able to completely disconnect while away from work,
but they are enjoying more downtime. Though they still feel the need to
check in at least once a day, more executives say that their...
 

Posted by InfoSec News on Jun 23

http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html

By Valsmith
June 14, 2015

Now as a disclaimer, I don't work for the government so there is a lot I don't
know but I have friends who do or who have in the past and you hear things. I
also pay attention and listen to questions I get in my training classes and
conference talks.

This directive from the White House is laughable for a number of...
 

Posted by InfoSec News on Jun 23

Forwarded from: Antriksh Shah <antriksh (at) payatu.com>

Dear Hackers and Security Gurus,

hardwear is seeking innovative research on hardware security. If you have done
interesting research on attacks or mitigation on any Hardware and want to
showcase it to the security community, just submit your research paper. Please
find all the relevant details for the submission below.

About hardwear.io
----------------------------
Somewhere in...
 
KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
 
LinuxSecurity.com: The system could be made to crash under certain conditions.
 
 
LinuxSecurity.com: Multiple vulnerabilities have been fixed in GnuTLS, the worst of which can cause Denial of Service
 
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure.
 
LinuxSecurity.com: Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been fixed in Chromium, the worst of which can cause arbitrary remote code execution.
 
ManageEngine Asset Explorer v6.1 - Persistent Vulnerability
 
[oCERT-2015-008] FreeRADIUS insufficient CRL application
 
[security bulletin] HPSBMU03356 rev.1 - HP Business Service Automation Essentials (BSAE) running TLS, Remote Disclosure of Information
 
The "localhosed" attack - stealing IE local machine cookies and exposing its internal IP address
 

XOR DDOS Trojan Trouble


I have struggled over the past several months with a client's environment becoming infected and reinfected with an XOR DDOS trojan. The disruption and reinfection rates were costly at times. The client in question is a small business with limited resources. Since the systems would get reinfected, a baited system was eventually put into place to determine the incoming vector. It was not proven, but believed, that ssh brute force was the incoming vector of attack. Once the attackers were onto the server, a rootkit trojan was used, a very intelligent one. I highly recommend that anyone that gets nabbed by this trojan or one like it reinstall the operating system as soon as possible and execute the prevention steps outlined below.

However, there are some circumstances that require mitigation before available resources can be used for reinstall/replacement and prevention measures. The client was in a situation where taking the system offline was not an immediate option. I placed some really great links below [1] [2] [3]. They review, analyze and fully confirm that what we were experiencing was the same, with some minor differences. However, they never really offered a short-term mitigation path to follow. Only somewhere in a comment on a forum (possibly on one of the three articles below) did someone suggest changing the file/directory attributes to assist in mitigation. It was only a suggestion with no further follow-up. Mitigation of this trojan was difficult as it was intelligent enough to always restart when it was killed, which included help from crontab entries every three minutes.

The victim server was a CentOS 6.5 system with a basic LAMP setup that offered ssh and VSFTP services. Iptables was in use, but NOT SELinux. It is my untested claim that SELinux likely would have prevented this trojan from taking hold. I am not an SELinux user/expert, so I was unable to take time to add it to this environment.

The malware executable was located at /lib/libgcc4.so. This exe was perpetuated via cron: an entry in /etc/crontab ran it every three minutes.

(*/3 * * * * root /etc/cron.hourly/udev.sh)

If crontab gets cleaned and an executable is still running, then the crontab will be repopulated on Friday night around midnight. Startup scripts were also dropped into /etc/init.d/*. Running ls -lrt /etc/init.d/* will turn up some evidence, and with the top utility you can determine how many are running. If the startup scripts are deleted, then more executables and startup scripts will be created and begin to run as well.

The malware itself was used as a DDOS agent. It took commands from a C&C (command and control) server. The IP addresses it would communicate with were available from the strings output of the executable. When the malware agent was called into action, the entire server and local pipe were saturated and consequently cut off from service.
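The persistence artifacts described above (the three-minute /etc/crontab entry, /lib/libgcc4.so, its cron wrapper and pid file, and the random-named init scripts the diary's cleanup loop lists) can be checked for in one read-only pass. This is an added example, not the diary's own script; it assumes a POSIX shell, treats its argument as the root to scan, and runs here against a constructed directory tree rather than a live host.

```shell
# Read-only triage check for the persistence artifacts described in the diary.
# Added example, not the diary's script. Pass a directory to scan a mounted
# image or a constructed tree; with no argument it inspects /.
find_indicators() {
    root="${1:-}"
    # 1. /etc/crontab line calling /etc/cron.hourly/udev.sh (ran every three minutes)
    if [ -f "$root/etc/crontab" ] && grep -q 'cron.hourly/udev.sh' "$root/etc/crontab"; then
        echo "crontab entry: $(grep 'cron.hourly/udev.sh' "$root/etc/crontab")"
    fi
    # 2. the dropped binary, its cron wrapper and the pid file it keeps
    for p in /lib/libgcc4.so /etc/cron.hourly/udev.sh /var/run/udev.pid; do
        if [ -e "$root$p" ]; then echo "artifact present: $p"; fi
    done
    # 3. init scripts named with ten random lowercase letters (zyjuzaaame, ...).
    #    Package-owned files are skipped when rpm exists; hits are leads for ls -lrt review.
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        case "$n" in
            [a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z])
                if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
                    continue
                fi
                echo "unexpected init script: /etc/init.d/$n" ;;
        esac
    done
    return 0
}

# Number of findings, usable as a check in other scripts.
count_indicators() {
    find_indicators "$1" | wc -l | tr -d ' '
}

# Constructed sample tree reproducing the diary's artifact layout (empty files,
# no real malware); sshd is there as a legitimate name that must not be flagged.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/init.d" "$d/etc/cron.hourly" "$d/lib" "$d/var/run"
    printf '*/3 * * * * root /etc/cron.hourly/udev.sh\n' > "$d/etc/crontab"
    : > "$d/lib/libgcc4.so"
    : > "$d/etc/cron.hourly/udev.sh"
    : > "$d/etc/init.d/zyjuzaaame"
    : > "$d/etc/init.d/sshd"
    echo "$d"
}

SAMPLE=$(build_sample_tree)
find_indicators "$SAMPLE"   # four findings: crontab entry, two artifacts, one init script
rm -rf "$SAMPLE"
```

On a live host the third check will also list legitimate ten-letter scripts such as networking when rpm is unavailable, so compare hits against ls -lrt timestamps before acting on them.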

Mitigation

The following steps were taken for mitigation. The chattr command did most of the work: setting the immutable attribute on the /etc/init.d and /lib directories was helpful in preventing the malware from repopulating. I put together the following for loop script and added the IP addresses below to iptables to drop all communication. The for loop consists of clean up of four running processes; each was first stopped by PID with the kill command.

# /tmp/ddos is assumed to exist already; create it if it does not
mkdir -p /tmp/ddos
for f in zyjuzaaame lcmowpgenr belmyowxlc aqewcdyppt
do
    # move the startup script out of the way for later analysis
    mv /etc/init.d/$f /tmp/ddos/
    # remove the cron wrapper and pid file the trojan keeps recreating
    rm -f /etc/cron.hourly/udev.sh
    rm -f /var/run/udev.pid
    # preserve the binary (the mv only succeeds on the first pass)
    mv /lib/libgcc4.so /tmp/ddos/libgcc4.so.$f
    # the immutable bit stops the trojan from dropping its files back in place
    chattr -R +i /lib
    chattr -R +i /etc/init.d
done

IP addresses to drop all traffic: 103.25.9.228

Prevention

I now keep the immutable bit set on /lib on a clean system. I turn it off before patching and software installs, in the event the /lib directory is needed for updating.

I also recommend installing fail2ban and configuring it to watch many of your services. I have it currently watching apache logs, ssh, vsftp, webmail, etc. It really seems to be hitting the mark for prevention. There is a whitelist feature to ignore traffic from a given IP or IP range. This helps to keep the annoying customers from becoming a nag.

If you have experienced anything like the above, then please feel free to share. This analysis is only scratching the surface. The links below do a much deeper dive on this piece of malware.


[1] https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
[2] https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072
[3] http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html


-Kevin
--
ISC Handler on Duty
