
A 36-year-old Ryan Collins from Pennsylvania was sentenced to 18 months in prison after pleading guilty to hacking the Apple and Google accounts of more than 100 celebrities, including Jennifer Lawrence, Aubrey Plaza, Rihanna, and Avril Lavigne. Collins stole personal information, including nude photos, from the celebrities.

The photos were famously posted on 4chan and reddit in 2014. Collins pleaded guilty to hacking the celebrities’ accounts in May, but he did not plead guilty to posting the images on the Internet. “Investigators have not uncovered any evidence linking Collins to the actual leaks or that Collins shared or uploaded the information he obtained,” the Department of Justice (DOJ) noted.

According to The Guardian, Collins ran a phishing scheme from November 2012 to September 2014, sending celebrities e-mails that appeared to be from Apple and Google, requesting their user names and passwords.




Recently a cache of 2,337 e-mails from the office of a high-ranking advisor to Russian president Vladimir Putin was dumped on the Internet after purportedly being obtained by a Ukrainian hacking group calling itself CyberHunta. The cache shows that the Putin government communicated with separatist forces in Eastern Ukraine, receiving lists of casualties and expense reports while even apparently approving government members of the self-proclaimed Donetsk People's Republic. And if one particular document is to be believed, the Putin government was formulating plans to destabilize the Ukrainian government as early as next month in order to force an end to the standoff over the region, known as Donbass.

Based on reporting by the Associated Press's Howard Amos and analysis by the Atlantic Council's Digital Forensic Research Lab, at least some of the e-mails—dumped in a 1-gigabyte Outlook .PST mailbox file—are genuine. Amos showed e-mails in the cache to a Russian journalist, Svetlana Babaeva, who identified e-mails she had sent to Surkov's office. E-mail addresses and phone numbers in some of the e-mails were also confirmed. And among the documents in the trove of e-mails is a scan of Surkov's passport (above), as well as those of his wife and children.

A Kremlin spokesperson denied the legitimacy of the e-mails, saying that Surkov did not have an e-mail address. However, the account appears to have been used by Surkov's assistants, and the dump contains e-mails with reports from Surkov's assistants. The breach, if ultimately proven genuine, would appear to be the first major publicized hack of a Russian political figure. And in that instance, perhaps this could be a response to the hacking of US political figures attributed to Russia.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
BMC Server Automation RSCD Agent CVE-2016-5063 Authorization Bypass Vulnerability
Citrix NetScaler ADC CVE-2016-9028 Open Redirection Vulnerability
Juniper Junos 'udp6_ctlinput()' Function Denial of Service Vulnerability
Multiple Huawei Products CVE-2016-8768 Local Denial of Service Vulnerability
Huawei USG Products CVE-2016-8798 Security Bypass Vulnerability
Adobe Flash Player CVE-2016-7855 Use After Free Remote Code Execution Vulnerability
Apache CloudStack CVE-2016-6813 Authorization Bypass Vulnerability
Apache Tomcat Security Manager CVE-2016-6796 Security Bypass Vulnerability
Apache Tomcat CVE-2016-6794 Security Bypass Vulnerability
Apache Tomcat CVE-2016-0762 Information Disclosure Vulnerability
Python urllib3 CVE-2016-9015 TLS Certificate Validation Security Bypass Vulnerability
Apache Tomcat CVE-2016-6797 Security Bypass Vulnerability

More bots. Thanks, Internet of Things.

Mirai—the malware responsible for creating a massive "botnet" of hacked Internet-connected cameras, digital video recorders, and other devices that interrupted Internet services for many last week—is still in action, according to data from the network security company Arbor Networks. An ever-shifting army of about 500,000 compromised Internet of Things (IoT) devices is still being controlled by Mirai, based on Arbor's tracking of the malware's communications. And multiple command-and-control networks are still directing those devices to attack websites and service providers across the Internet. But as previously predicted, new and improved versions of the Mirai malware—based on the openly-published source code Mirai's alleged author posted on September 30—are now appearing in the wild and wreaking additional havoc.

In a blog post, Roland Dobbins, Principal Engineer on Arbor's ASERT Team, noted that "relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain." Devices that are vulnerable to Mirai takeover, he noted, "are typically listening for inbound telnet access on TCP [port] 23 and TCP [port] 2323," and compromised devices communicate via "a remote-control backdoor" that is also present in Mirai, "accessible via TCP/103." Mirai botnets constantly scan the entire Internet for vulnerable devices, so even when a device is rebooted or reset, it can be compromised all over again within 10 minutes.

Dobbins also noted that "multiple threat actor groups are actively working to expand and improve" the attacks that were coded into Mirai, and that "some alterations in the DDoS attack capabilities of at least one Mirai-derived botnet have been observed in the wild."


Cisco ACE CVE-2016-6399 Denial of Service Vulnerability
Huawei Mate 8 CVE-2016-8756 Local Denial of Service Vulnerability
GNU Tar CVE-2016-6321 Security Bypass Vulnerability
Iceni Argus 'ipNameAdd()' Function Remote Stack Buffer Overflow Vulnerability
Long Term Evolution (LTE) Networks Security Bypass Vulnerability
WordPress defa-online-image-protector Plugin 'redirect.php' Cross Site Scripting Vulnerability
WordPress ajax-random-post Plugin 'js.php' Cross Site Scripting Vulnerability

Just like yesterday's "order" campaign that preceded it, today's ransomware subject looks to be "Your Bill is Overdue". But then again, don't bother blocking the subject line. Block ZIPed Visual Basic scripts instead. This round of Locky makes blocking a tad harder by using application/octet-stream as the Content-Type instead of application/zip.

(And about 2 hours after publishing this diary, another small update: the Content-Type has changed again.)

It may be safe to strip everything with an application/octet-stream attachment.

In the last 30 minutes, I received just about 1,000 attachments like that, and about 4,000 total. The first one I received arrived just after 8 am UTC.

Anti-virus coverage is spotty as usual. Kaspersky and Sophos seem to be doing a rather good job lately detecting the initial downloaders.

As usual, Xavier's mime-zip-trojan script does a beautiful job of keeping these attachments out of your inbox:
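An added example of the filtering idea described above (it is not Xavier's script and not part of the original diary): it parses a MIME message, treats any attachment declared as application/zip or application/octet-stream, or that simply starts with a ZIP signature, as suspect, and flags it when the archive holds a script. The sample message, the extension list and the file names are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script extensions seen inside Locky-style ZIP downloaders (assumed list, not from the diary).
SCRIPT_EXTENSIONS = (".vbs", ".js", ".jse", ".wsf")
# Declared attachment types the campaign has used so far (from the diary).
SUSPECT_TYPES = ("application/zip", "application/octet-stream")


def scan_message(raw: bytes):
    """Return a list of (filename, reason) for attachments that should be stripped."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        # Never trust the declared Content-Type alone: also look at the bytes for a ZIP header.
        if ctype in SUSPECT_TYPES or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    bad = [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
            except zipfile.BadZipFile:
                # Matches the diary's stance: octet-stream attachments are suspect even when not ZIPs.
                findings.append((name, f"non-ZIP payload declared as {ctype}"))
                continue
            if bad:
                findings.append((name, "ZIP contains script(s): " + ", ".join(bad)))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a ZIP holding a .vbs, attached as application/octet-stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bill_overdue.vbs", "' constructed placeholder, not a real downloader\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your Bill is Overdue"
    msg.set_content("Please see the attached bill.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="bill_12345.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"STRIP {filename}: {reason}")
```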


Johannes B. Ullrich, Ph.D.

Yandex Browser CVE-2016-8502 Brute Force Authentication Bypass Vulnerability
Yandex Browser CVE-2016-8503 Brute Force Authentication Bypass Vulnerability
Yandex Browser CVE-2016-8501 Man in the Middle Security Bypass Vulnerability