This fraudulent e-mail was sent in a successful attempt to phish the Gmail password for reporter David Satter. (credit: Citizen Lab)

E-mails stolen in a phishing attack on a prominent critic of Russian President Vladimir Putin were manipulated before being published on the Internet. That's according to a report published Thursday, which also asserts that the e-mails were manipulated in order to discredit a steady stream of unfavorable articles.

The phishing attack on journalist David Satter's Gmail account was strikingly similar to the one that hit Hillary Clinton presidential campaign chairman John Podesta last year. The attack on Satter looked almost identical to the security warnings Google sends when attackers obtain a subscriber's password. Code embedded inside led Satter to a credential-harvesting site that was disguised to look like Google's password-reset page. With that, the site automatically downloaded all of Satter's private correspondence.

Thursday's report from the University of Toronto's Citizen Lab stopped short of saying Russia's government was behind the phishing attack and subsequent manipulation of Satter's e-mail. US intelligence officials, however, have determined that Russia was behind the attacks on Podesta and other Democratic officials. Thursday's report also said the same attack on Satter targeted 218 other individuals, including a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high-ranking military officers, and CEOs of energy companies.


 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

(credit: DonkeyHotey)

A Florida GOP campaign consultant who runs a blog under a pseudonym directly contacted the hackers behind the breach of the Democratic National Committee and the Democratic Congressional Campaign Committee, and he solicited material from them. The Wall Street Journal reports that Aaron Nevins set up a Dropbox account specifically for “Guccifer 2.0” to drop files into, and he received 2.5 GB of data from the Democratic Party breaches—including the “get out the vote” strategy for congressional candidates in Florida.

Nevins analyzed the data and posted his analysis on his blog, HelloFLA.com. Guccifer 2.0 sent a link to the blog to Trump backer Roger Stone, who told the paper he was also in communication with the hackers. Nevins told the Journal that the hackers didn't understand what they had until he explained the data's value.

Some of the most valuable data, Nevins said, was the Democratic Party's voter turnout models. “Basically, if this was a war, this is the map to where all the troops are deployed,” Nevins told the person or persons behind the Guccifer 2.0 account via Twitter. He also told them, “This is probably worth millions of dollars."


 
[security bulletin] HPESBHF03746 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution
 
Linux Kernel 'crypto/algif_hash.c' Local Denial of Service Vulnerability
 
Ghostscript CVE-2017-5951 Denial of Service Vulnerability
 
Ghostscript CVE-2017-8291 Multiple Remote Code Execution Vulnerabilities
 
Ghostscript CVE-2016-9601 Local Integer Overflow Vulnerability
 
Samba CVE-2017-7494 Remote Code Execution Vulnerability
 
Cisco TelePresence IX5000 Series CVE-2017-6652 Directory Traversal Vulnerability
 
Linux Kernel CVE-2017-7261 Local Denial of Service Vulnerability
 
WebKitGTK+ Security Advisory WSA-2017-0004
 
Resteasy CVE-2016-9606 Remote Code Execution Vulnerability
 
 
IBM Java SDK CVE-2017-1289 XML External Entity Injection Vulnerability
 

Developers of Samba[1] disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that provides interoperability between UNIX and Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.

As reported by HD Moore on his Twitter account[2], it's trivial to trigger the vulnerability (just a one-liner exploit). An attacker has to find an open SMB share (TCP/445),

    nt pipe support = no

to the [global] section of your smb.conf and restart smbd.

Samba is a very popular tool used on many corporate networks, and it is also a core component in many residential products like NAS devices. Many vendors could be affected (Synology, WD, Qnap, DLink, ...). Some vendors like Synology[5] have already communicated about this issue and are working on a patch, but others might take more time to react. Home users do not patch their products, so many NAS devices could remain vulnerable for a long time.

As always, if you are exposing writable SMB shares for your users, be sure to restrict access to authorised people/hosts and do NOT share data across the Internet. There is a real risk that bad guys are already scanning the whole Internet for exposed shares.
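The two defensive checks the diary recommends (the `nt pipe support = no` workaround in [global], and not leaving writable shares open to guests or to any host) can be audited from smb.conf directly. The following is an added example, not code from the ISC diary or from the Samba project; the smb.conf sample it parses is constructed for the demonstration.

```python
"""Added example (not from the ISC diary): audit smb.conf for the
CVE-2017-7494 workaround and for writable shares open to guests or any host.
The sample configuration is constructed for the demonstration."""
import re

SAMPLE_SMB_CONF = """\
[global]
   nt pipe support = yes
[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes
[finance]
   path = /srv/samba/finance
   writable = yes
   hosts allow = 10.0.5.0/24
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased like smbd does."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def pipe_workaround_active(conf):
    """True only when [global] explicitly sets 'nt pipe support = no'."""
    return not _yes(conf.get("global", {}).get("nt pipe support", "yes"))

def exposed_writable_shares(conf):
    """Writable shares that allow guests or carry no 'hosts allow' restriction."""
    risky = []
    for name, opts in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        writable = _yes(opts.get("writable", "no")) or not _yes(opts.get("read only", "yes"))
        if writable and (_yes(opts.get("guest ok", "no")) or "hosts allow" not in opts):
            risky.append(name)
    return risky
```

Samba's own advisory notes that the `nt pipe support = no` workaround disables functionality Windows clients expect, so treat it as a stopgap until smbd is patched.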

[1] https://www.samba.org/
[2] https://twitter.com/hdmoore/status/867446072670646277
[3] https://www.samba.org/samba/security/CVE-2017-7494.html
[4] http://www.samba.org/samba/security/
[5] https://www.synology.com/en-global/support/security/Important_Information_Regarding_Samba_Vulnerability_CVE_2017_7494

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


 
[slackware-security] samba (SSA:2017-144-01)
 
[security bulletin] HPESBHF03751 rev.1 - HPE Aruba AirWave Glass, Remote Code Execution
 