Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Introduction

In the past two days, I've infected two hosts from Angler exploit kit (EK) domains at 216.245.213.0/24. Both hosts were infected with CryptoWall 3.0 ransomware using the same bitcoin address for the ransom payment: 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB

On Tuesday, 2015-05-26 at 15:17 UTC, I infected a host where Angler EK sent Bedep as a malware payload before getting CryptoWall 3.0 [1]. On Wednesday, 2015-05-27 at 17:30 UTC, I infected a host where Angler EK sent CryptoWall 3.0 as the malware payload.

I usually see Angler EK send different types of ransomware [2, 3]; however, this is the first time I
Shown above: CryptoWall 3.0 decrypt instructions from the 2015-05-27 sample

Traffic from the infected host

CryptoWall 3.0 traffic has changed a bit from my first diary about it on 2015-01-19 [4].
Shown above: Angler EK and CryptoWall 3.0 traffic as seen in Wireshark

Associated domains:

 
LinuxSecurity.com: openslp: denial of service vulnerability (CVE-2010-3609)
 
LinuxSecurity.com: This is an update to the set of CA certificates released with NSS version 3.18.1. However, the package modifies the CA list to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details. If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command. This update adds a manual page for the ca-legacy command. This update changes the names of the possible values in the ca-legacy configuration file. It still uses the term legacy=disable to override the compatibility option and follow the upstream Mozilla.org decision. However, it now uses the term legacy=default for the default configuration, to make it more obvious that the legacy certificates won't be kept enabled forever.
 
LinuxSecurity.com: Security update for integer underflow in AP mode WMM Action frame processing.
 
LinuxSecurity.com: 14 May 2015, **PHP 5.5.25**
**Core:**
* Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
* Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas)
* Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
* Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
* Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence)
* Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
* Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). (Nikita)
* Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). (Dmitry)
* Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
* Fixed bug #69419 (Returning compatible sub generator produces a warning). (Nikita)
* Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke)
**FTP:**
* Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (Stas)
**ODBC:**
* Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol)
* Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, Anatol Belski)
**OpenSSL:**
* Fixed bug #69402 (Reading empty SSL stream hangs until timeout). (Daniel Lowrey)
**PCNTL:**
* Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
**Phar:**
* Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (Stas)
 
LinuxSecurity.com: update to 9.4.2 per release notes
 
LinuxSecurity.com: 14 May 2015, **PHP 5.6.9**
Core:
* Fixed bug #69467 (Wrong checked for the interface by using Trait). (Laruence)
* Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence)
* Fixed bug #60022 ("use statement [...] has no effect" depends on leading backslash). (Nikita)
* Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). (Dmitry)
* Fixed bug #68652 (segmentation fault in destructor). (Dmitry)
* Fixed bug #69419 (Returning compatible sub generator produces a warning). (Nikita)
* Fixed bug #69472 (php_sys_readlink ignores misc errors from GetFinalPathNameByHandleA). (Jan Starke)
* Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). (Stas)
* Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). (Stas)
* Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (Stas)
* Fixed bug #69522 (heap buffer overflow in unpack()). (Stas)
FTP:
* Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (Stas)
ODBC:
* Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). (Anatol)
* Fixed bug #69474 (ODBC: Query with same field name from two tables returns incorrect result). (Anatol)
* Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, Anatol Belski)
OpenSSL:
* Fixed bug #69402 (Reading empty SSL stream hangs until timeout). (Daniel Lowrey)
PCNTL:
* Fixed bug #68598 (pcntl_exec() should not allow null char). (Stas)
PCRE:
* Upgraded pcrelib to 8.37.
Phar:
* Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (Stas)
 
LinuxSecurity.com: Security fix for CVE-2015-3885 (dcraw input sanitization), bz #1221257
 
LinuxSecurity.com: Security update for integer underflow in AP mode WMM Action frame processing.
 
LinuxSecurity.com: Updated to 8u45-b14 in the hope of fixing rhbz#1123870. This update adds debugging information to all the Java code included in the JDK, making it easier to debug the code.
 
LinuxSecurity.com: Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: Updated kernel packages that fix one security issue and three bugs are now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: NTFS-3G could be made to overwrite files as the administrator.
 

So #wassenaar has infected your Twitter timeline for the past several days. I thought I'd explain what the big deal is.

What’s a Wassenaar?

Wassenaar is a town in the Netherlands, where in 1996 a group of nations, now 41 participating states, agreed to an arms control arrangement. The name of the agreement, the Wassenaar Arrangement, comes from the name of the town. The US, Europe, and Russia are part of the agreement. China, the Middle East, and most of Africa are not.

The primary goal of the arrangement is anti-proliferation, stopping uranium enrichment and chemical weapons precursors. Another goal is to control conventional weapons, keeping them out of the hands of regimes that would use them against their own people or to invade their neighbors.


 
 

A New, Post-Snowden InfoSec Model
BankInfoSecurity.com
"There were so many worries about intelligence agencies being able to get at communications that the amount of encryption being used by commercial [email] providers has gone way up," Swire says in an interview with Information Security Media Group.

 
[Onapsis Security Advisory 2015-007] SAP HANA Log Injection Vulnerability
 
[Onapsis Security Advisory 2015-006] SAP HANA Information Disclosure via SQL IMPORT FROM statement
 

There's yet another iOS bug that causes Apple devices to crash when they receive text messages containing a string of special characters. With further finessing, the same exploit may be able to attack Macs, since OS X is also unable to process the same combination of characters, which are technically known as glyphs.

The menacing combination of ASCII and Unicode-based characters looks like this:

According to people investigating the bug on reddit, the text causes iPhones running various versions of iOS to promptly crash. A flurry of Twitter users, angry that their devices fell victim to text messages, indicates that the bug is causing problems. Apple will almost certainly issue a fix. In the meantime, users can protect themselves against the nuisance text by going to system settings, navigating to Notifications > Messages > Show Previews, and turning it off.


 

Naked Security

Get into Infosec Europe 2015 for free, hear great talks!
Naked Security
If so, why not drop in and see us at Infosec Europe at Olympia? Get a free show pass on us! The event is open on Tuesday, Wednesday and Thursday (2/3/4 June 2015). Several of the Naked Security team will be there, including our tireless Editor-in-Chief ...

 
Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability
 
CVE-2015-4084 - WordPress Free Counter Plugin [Stored XSS]
 
[SECURITY] [DSA 3268-2] ntfs-3g security update
 

PCR-online.biz

John McAfee to give talk on hacking scandals at Infosec
PCR-online.biz
Security expert John McAfee will be a guest speaker at this year's Infosecurity Europe's special 20th anniversary event. The event will be held at London's Olympia from June 2nd to the 4th. McAfee will share his insights with attendees on various ...

 

South African security firm Thinkst is hoping to give new life to an old idea—the honeypot—in a bid to help organizations detect security breaches and intruders in their private networks. Thinkst's Canary is a simple network appliance and corresponding online monitoring service that makes it easy to set up juicy-looking targets on the corporate LAN that will sound the alarm if any attempt is made to access them.

One of the consistent features of large hacks, such as the late 2013 Target breach, is that attackers have been able to move around their victims' networks to find systems with interesting or valuable data without being detected. From one point of entry (a compromised Web server, say) the hackers perform what's called "lateral movement": accessing other systems and computers on the same network, discovering new sets of user credentials to gain further access to their victims, and finding valuable information to steal.

This behavior appears to go undetected, giving the attackers weeks or months to learn about their victims and steal vast quantities of sensitive data. It's this lateral movement that Canary is designed to detect by presenting the hackers with a juicy target that will ring the alarm bell whenever they access it.
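The detection idea described above (a decoy service that no legitimate client knows about, so any connection to it is an alert) can be demonstrated with a small TCP listener. The following is an added example, not Thinkst's Canary code: it binds a fake FTP-style service, records the source address and the first bytes an intruder sends, and exposes the alerts for a monitoring process. The banner text, the `simulate_intruder` helper and the ephemeral port are assumptions for illustration; a real deployment would bind the ports an attacker expects (21, 445, 3389) and forward alerts to a SIEM rather than keep them in memory.

```python
"""Minimal canary (honeypot) listener, added as an illustration of lateral-movement detection."""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Alert:
    """One recorded touch of the decoy. On a decoy, every touch is suspicious."""
    ts: float
    src: str
    sport: int
    dport: int
    first_bytes: bytes


def format_alert(alert: Alert) -> str:
    """Render an alert as a single syslog-style line for a SIEM or log shipper."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(alert.ts))
    return (f"{stamp} CANARY src={alert.src}:{alert.sport} dport={alert.dport} "
            f"first_bytes={alert.first_bytes!r}")


class CanaryListener:
    """Fake service: accept a connection, send a plausible banner, record what the client does."""

    # Hypothetical banner chosen to look like a file server worth poking at.
    def __init__(self, host="127.0.0.1", port=0, banner=b"220 fileserver01 FTP server ready\r\n"):
        self.host, self.banner = host, banner
        self.alerts: list[Alert] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port=0: OS picks a free port (example only)
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "CanaryListener":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()                     # unblocks accept() in the serving thread
        self._thread.join(timeout=2)

    def _serve(self) -> None:
        self._sock.settimeout(0.2)             # poll so stop() is honoured promptly
        while not self._stop.is_set():
            try:
                conn, (src, sport) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:                    # socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, src, sport), daemon=True).start()

    def _handle(self, conn: socket.socket, src: str, sport: int) -> None:
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)      # look like a real service so the intruder talks
                data = conn.recv(256)          # capture the first command (e.g. a login attempt)
            except OSError:
                data = b""
            alert = Alert(time.time(), src, sport, self.port, data)
            with self._lock:
                self.alerts.append(alert)

    def wait_for_alerts(self, n: int, timeout: float = 5.0) -> list[Alert]:
        """Block until at least n alerts exist or the timeout passes; return a snapshot."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.alerts) >= n:
                    return list(self.alerts)
            time.sleep(0.05)
        with self._lock:
            return list(self.alerts)


def simulate_intruder(host: str, port: int) -> bytes:
    """Constructed attacker behaviour: connect, read the banner, try a login. Returns the banner."""
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(256)
        s.sendall(b"USER admin\r\n")
        return banner


if __name__ == "__main__":
    canary = CanaryListener().start()
    try:
        simulate_intruder(canary.host, canary.port)
        for a in canary.wait_for_alerts(1):
            print(format_alert(a))
    finally:
        canary.stop()
```

The useful property is the one the article highlights: the listener has no false-positive problem because nothing legitimate should ever connect to it, so even a single connection from an internal host is worth an investigation, and the recorded first bytes (a username, an SMB negotiate, a scanner probe) tell the responder what the intruder was trying.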


 