Information Security News
E-mails stolen in a phishing attack on a prominent critic of Russian President Vladimir Putin were manipulated before being published on the Internet. That's according to a report published Thursday, which also asserts that the e-mails were manipulated in order to discredit a steady stream of unfavorable articles.
The phishing attack on journalist David Satter's Gmail account was strikingly similar to the one that hit Hillary Clinton presidential campaign chairman John Podesta last year. The attack on Satter looked almost identical to the security warnings Google sends when attackers obtain a subscriber's password. Code embedded inside led Satter to a credential-harvesting site that was disguised to look like Google's password-reset page. With that, the site automatically downloaded all of Satter's private correspondence.
Thursday's report from the University of Toronto's Citizen Lab stopped short of saying Russia's government was behind the phishing attack and subsequent manipulation of Satter's e-mail. US intelligence officials, however, have determined that Russia was behind the attacks on Podesta and other Democratic officials. Thursday's report also said the same attack on Satter targeted 218 other individuals, including a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, and CEOs of energy companies.
A Florida GOP campaign consultant who runs a blog under a pseudonym directly contacted the hackers behind the breach of the Democratic National Committee and the Democratic Congressional Campaign Committee, and he solicited material from them. The Wall Street Journal reports that Aaron Nevins set up a Dropbox account specifically for “Guccifer 2.0” to drop files into, and he received 2.5 GB of data from the Democratic Party breaches—including the “get out the vote” strategy for congressional candidates in Florida.
Nevins analyzed the data and posted his analysis on his blog, HelloFLA.com. Guccifer 2.0 sent a link to the blog to Trump backer Roger Stone, who told the paper he was also in communication with the hackers. Nevins told the Journal that the hackers didn't understand what they had until he explained the data's value.
Some of the most valuable data, Nevins said, was the Democratic Party's voter turnout models. “Basically, if this was a war, this is the map to where all the troops are deployed,” Nevins told the person or persons behind the Guccifer 2.0 account via Twitter. He also told them, “This is probably worth millions of dollars."
Developers of Samba disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that helps in the interoperability between UNIX with Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.
As reported by HD Moore on his Twitter account, its trivial to trigger the vulnerability(just a one-liner exploit). An attacker has to find an open SMB share (TCP/445), padding:5px 10px"> nt pipe support = no
to the [global] section of your smb.conf and restart smbd.
Samba is a very popular tool and used on many corporate networks, it is also a core component in many residential products like NAS. Many vendors could be affected (Synology, WD, Qnap, DLink, ...). Some vendors like Synology already communicated about this issue and are working on a patch but others might take more time to react. Home users do not patch their products and many NAS could remain vulnerable for a long time.
As always, if you are exposing writable SMB shares for your users, be sure to restrict access to authorisedpeople/hosts and do NOT share data across the Internet. They are risks that bad guys are already scanning the whole Internet.
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant