Hackin9

Reader Kevin wrote in to alert us of an interesting discovery regarding Sendori. Kevin stated that two of his clients were treated to malware via the auto-update system for Sendori.  In particular, they had grabbed Sendori-Client-Win32/2.0.15 from 54.230.5.180 which is truly an IP attributed to Sendori via lookup results. Sendori's reputation is already a bit sketchy; search results for Sendori give immediate pause but this download in particular goes beyond the pale. With claims that "As of October 2012, Sendori has over 1,000,000 active users" this download is alarming and indicates something else is likely afoot with Sendori's site and/or updater process.

The URL path (to be considered hostile) is: hxxp://upgrade.sendori.com/upgrade/2_0_16/sendori-win-upgrader.exe.
MD5 hash:  9CBBAE007AC9BD4A6ACEE192175811F4
For those of you who may block or monitor for this, the updater request data follows:
GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
 
VirusTotal results currently show nine malware hits (9/46).
Malwr results are rather damning and, as Kevin stated, Zeus-like. In particular, the mutexes are very reminiscent:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
_!MSFTHISTORY!_
c:!documents and settings!user!local settings!temporary internet files!content.ie5!
c:!documents and settings!user!cookies!
c:!documents and settings!user!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
 
Other filenames for this sample as seen in the wild:
sendori-win-upgrader.exe
SendoriSetup-2.0.15.exe
update_flash_player.exe
14542884
output.14542884.txt
Update_flash_player.exe
 
Password and credential stealing are definitely in play and I experienced ransomware activity in my sandbox; it hijacked my VM with the "This is the FBI, you have been blocked warning." Awesome.
It is recommended that, should you allow Sendori at all in your environments, you block update.sendori.com via web filtering for the time being.
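For those monitoring for this, the following added example (not part of the original diary) parses raw HTTP requests of the form captured above and flags the ones matching the indicators listed in the diary (the upgrade.sendori.com host, the upgrader path and the Sendori-Client-Win32 User-Agent), and compares a downloaded file's MD5 against the hash given above. The sample requests are constructed for the example.

```python
import hashlib
import re

# Indicators quoted in the diary: hostname, path and User-Agent of the
# captured updater request, plus the MD5 of the downloaded upgrader.
HOSTILE_HOST = "upgrade.sendori.com"
HOSTILE_PATH = "/upgrade/2_0_16/sendori-win-upgrader.exe"
HOSTILE_MD5 = "9cbbae007ac9bd4a6acee192175811f4"
UA_PATTERN = re.compile(r"^Sendori-Client-Win32/[\d.]+$")


def parse_request(raw):
    """Split a raw HTTP request into its method, path and a header dict."""
    lines = [line.rstrip("\r") for line in raw.strip().splitlines()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify_request(raw):
    """Return the names of the diary's indicators that this request matches."""
    req = parse_request(raw)
    hits = []
    if req["headers"].get("host", "").lower() == HOSTILE_HOST:
        hits.append("host")
    if req["path"] == HOSTILE_PATH:
        hits.append("path")
    if UA_PATTERN.match(req["headers"].get("user-agent", "")):
        hits.append("user-agent")
    return hits


def matches_hostile_md5(data):
    """True if the file bytes hash to the MD5 reported for the upgrader."""
    return hashlib.md5(data).hexdigest() == HOSTILE_MD5


# Constructed samples: the request shown in the diary and a benign request.
CAPTURED = """GET /upgrade/2_0_16/sendori-win-upgrader.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Sendori-Client-Win32/2.0.15
Host: upgrade.sendori.com
"""
BENIGN = """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.example.com
"""

if __name__ == "__main__":
    print(classify_request(CAPTURED))  # ['host', 'path', 'user-agent']
    print(classify_request(BENIGN))    # []
```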
 
Sendori replied to Kevin's notification; they are engaged and investigating:
Hi Kevin, we have engaged our network and security team. They will analyze and take appropriate action to resolve this issue. They will contact you if they need any additional information from you.
Thanks again for bringing this to our notice.
Thanks
Sendori Support team
 
Thanks for sharing, Kevin. 
Readers, if you spot similar or variations on the theme, please feel free to let us know.
 
Russ McRee | @holisticinfosec
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Gartner's vision of infosec 2019: four scenarios, all bad
CSO Magazine
Will it be the total surveillance society and internet licenses? A breakdown of authority, with e-militias fighting extreme anarcho-hacktivists? Or one of the other two? Global research and advisory firms are meant to give you the big picture. That's ...

 
 
389 Directory Server CVE-2013-4283 Denial of Service Vulnerability
 
In partnership with social media networks and the U.S. Department of Veteran Affairs, a nonprofit research project is seeking to show that predictive analytics can identify U.S. veterans of Iraq and Afghanistan who are suicidal and need help.
 

Researchers have made it easier to exploit a five-month-old security flaw that allows penetration testers and less-ethical hackers to gain nearly unfettered "root" access to Macs over which they already have limited control.

The authentication bypass vulnerability was reported in March and resides in a Unix component known as sudo. While the program is designed to require a password before granting "super user" privileges such as access to other users' files, the bug makes it possible to obtain that sensitive access by resetting the computer clock to January 1, 1970. That date is known in computing circles as the Unix epoch, and it represents the beginning of time as measured by the operating system and most of the applications that run on it. By invoking the sudo command and then resetting the date, a user with limited access can trick the computer into turning over root privileges without a password.

Developers of Metasploit, an open-source software framework that streamlines the exploitation of vulnerabilities in a wide array of operating systems and applications, recently added a module that makes it easier to exploit the sudo vulnerability on Macs. The addition capitalizes on the fact that all versions of OS X from 10.7 through the current 10.8.4 remain vulnerable. While the bug also affected many Linux distributions, most of those require a root password to change the computer clock. Macs impose no such restrictions on clock changes thanks to the systemsetup binary.

Multiple Asterisk Products Invalid SDP Denial of Service Vulnerability
 
Multiple Asterisk Products SIP ACK With SDP Denial of Service Vulnerability
 
New cloud-based software lets employees register, secure, and manage their personal devices without IT department involvement. And a simplified Web interface automates a lot of management tasks.
 
CORE-2013-0808 - EPS Viewer Buffer Overflow Vulnerability
 
[CORE-2013-0805] Aloaha PDF Suite Buffer Overflow Vulnerability
 
Red Hat Enterprise Virtualization Hypervisor Incomplete Fix Denial of Service Vulnerability
 
RoundCube Webmail Multiple HTML-injection Vulnerabilities
 
30C3 Call for Participation
 
CORE-2013-0726 - AVTECH DVR multiple vulnerabilities
 
Some analysts have rethought their expectations on the price of Apple's expected lower-end iPhone 5C, and now believe the company will play defense by charging as much as $450 for the new plastic smartphone.
 
A powerful Delta IV Heavy rocket launched a classified reconnaissance satellite into space from Vandenberg Air Force Base in California on Wednesday.
 
Twitter is updating its site and mobile apps to make it easier for users to carry out conversations on the site and share them with others outside of Twitter.
 
What do bitcoin, emoji and selfies have in common? They're all now official words, at least according to the Oxford dictionary.
 
Developers who were able to bypass Dropbox's security by reverse-engineering Python applications -- the language used by the cloud storage provider -- described their technique in a published paper.
 

Last month Microsoft patched a pretty nasty vulnerability in DirectShow. Microsoft DirectShow is an API that comes with Windows and that allows applications to display all sorts of graphics files as well as to play streaming media.

The MS13-056 vulnerability was privately reported to Microsoft – it is a remote code execution vulnerability that allows an attacker to craft a malicious GIF file which will exploit the vulnerability. Since the vulnerability allows the attacker to overwrite arbitrary memory it can lead to remote code execution.

It is clear that this is a very serious vulnerability. Initially there were no public exploits; however, after the patch was released, a proof-of-concept GIF image that triggers the vulnerability was published.
All Windows versions are affected (Windows XP/Vista/7/8), so make sure that you have patched your systems against it if you haven't already – the vulnerability can theoretically be turned into a drive-by exploit quite easily.

Now, one of our readers, Sean, reported that his IPS started firing alerts detecting MS13-056. Sean captured the network traffic and, luckily, the GIF files were benign, so these were false positive alerts (which can be annoying too, depending on their number).

We are wondering whether anyone else is seeing a lot of such alerts. Any real attacks in the wild? Suspicious traffic? Let us know!

--
Bojan
@bojanz

INFIGO IS

 
Cisco Security Advisory: Cisco Secure Access Control Server Remote Command Execution Vulnerability
 
Infor has unveiled a new version of Inforce, a product that connects Salesforce.com's popular cloud-based CRM (customer relationship management) software with its own.
 
The jam-packed VMworld show this week in San Francisco has been VMware's launchpad for flights deeper into storage, an area that the company thinks is due for more virtualization.
 

A Pennsylvania man has pleaded guilty to charges stemming from a scheme to hack into sensitive computer networks operated by the University of Massachusetts-Amherst and other organizations and then sell "magic passwords" providing backdoor access to others.

Andrew James Miller, 23, of Devon, Pennsylvania, pleaded guilty to one count of conspiracy and two counts of computer intrusion, a press release issued Tuesday by the Justice Department said. Court records show a plea agreement in the case was entered on July 15. He faces a maximum penalty of 20 years in prison at sentencing, which is scheduled for November 19.

According to an indictment filed in Massachusetts federal court in June 2012, Miller and other members of a hacking group called the Underground Intelligence Agency hacked into networks and installed backdoors that provided almost unfettered "root" access to anyone who possessed the "magic passwords." He then sold access to the magic passwords and advice on how intruders could avoid being detected. In some cases he also sold lists containing hundreds of usernames and passwords that provided root access. In addition to the University of Massachusetts, affected organizations included Massachusetts-based RNK Telecommunications and Crispin Porter and Bogusky, an advertising and digital agency in Colorado.

 
AirLive WL-2600CAM CVE-2013-3541 Directory Traversal Vulnerability
 
Airlive IP Cameras CVE-2013-3540 Cross Site Request Forgery Vulnerability
 
Wireshark CVE-2013-4080 Denial of Service Vulnerability
 
The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company.
 
Adding insult to injury after Wall Street boosted Microsoft's stock price when CEO Steve Ballmer announced he would retire, now a U.K. bookmaker is taking bets on Ballmer's replacement.
 
Pirate Bay co-founder Gottfrid Svartholm Warg's appeal of his conviction on charges of data intrusion, attempted aggravated fraud and aggravated fraud started on Wednesday, with arguments centering on the contention that other parties used the defendant's computer by remote control.
 
[security bulletin] HPSBHF02888 rev.3 - HP Network Products including H3C and 3COM Routers and Switches, Remote Information Disclosure and Code Execution
 
Sales of so-called 'smartwatches' will surge from 1 million to 36 million in five years, according to a speculative new report from Juniper Research. But whether that defines 'success' remains an open question.
 

 
As 'social sensing' analytics give HR departments reams of new employee data, IT partnerships are a key ingredient for success, says Maryfran Johnson
 
Two Instagram Android App Security Vulnerabilities
 
Google has cut the price of the Nexus 4 in handful of countries including the U.K. and the U.S., where the smartphone now costs from $199. The aggressive drop signals Google wanting to preempt the arrival of a cheaper iPhone.
 
A 110-core chip has been developed by Massachusetts Institute of Technology as it looks for power-efficient ways to boost performance in mobile devices, PCs and servers.
 
On the surface, Bitcoin seems to be a great way to hide cash. Actually, it's a terrible way to launder money.
 
The server business continued to slide in the second quarter with worldwide revenue and unit sales down, IDC said Tuesday.
 
It's the curse of the connected car: once it's linked to the Internet, it's, well, on the Internet. In the case of the Tesla Model S, this means that malicious hackers could, in theory, control some functions of the vehicle and even track it without the owner's knowledge.
 
Oracle's database and high-performance workloads will run faster with the company's latest SPARC M6 chip, which has been tuned specially for the Oracle products.
 
Canonical is in talks with Dell on making a version of Ubuntu supported by the Chinese government available as a pre-installed OS on the PC maker's upcoming products destined for the Chinese market.
 
Intel is expected to announce availability next week of a low-power Atom server chip code-named Avoton, which is likely to appear soon in systems such as Hewlett-Packard's Moonshot.
 
A team of scientists off the coast of Cape Cod has been catching, then tagging great white sharks with wireless transmitters to learn more about their behavior -- and where they go.
 

Posted by InfoSec News on Aug 28

http://www.forbes.com/sites/gregorymcneal/2013/08/26/cybersecurity-and-privacy-specialists-in-short-supply/

By Greg McNeal
Forbes.com
8/26/2013

A cover story in the Los Angeles Daily Journal (subscription required)
reported that the need for privacy and cybersecurity legal specialists has
exploded in California, yet general counsel say there is a shortage of
qualified practitioners who can do the job. LinkedIn Corp.’s General
Counsel...
 

Posted by InfoSec News on Aug 28

http://www.nytimes.com/2013/08/28/business/media/hacking-attack-is-suspected-on-times-web-site.html

By CHRISTINE HAUGHNEY and NICOLE PERLROTH
The New York Times
August 27, 2013

The New York Times Web site was unavailable to readers on Tuesday
afternoon after an online attack on the company’s domain name registrar.
The attack also forced employees of The Times to take care in sending
e-mails.

The hacking was just the latest of a major...
 

Posted by InfoSec News on Aug 28

http://www.nextgov.com/cybersecurity/2013/08/twitter-breach-hits-cyber-education-director-who-ran-federal-e-gov-office/69470/

By Aliya Sternstein
Nextgov
August 27, 2013

This story has been updated with a response from the victim, Karen Evans.

Hackers apparently have overtaken the Twitter account of a former top
White House technology official who now runs a cyber education campaign.

On Tuesday morning, the account of Karen Evans, who held...
 

Posted by InfoSec News on Aug 28

http://www.wired.com/threatlevel/2013/08/hacker-super-computer-access/

By David Kravets
Threat Level
Wired.com
08.27.13

A 24-year-old Pennsylvania hacker pleaded guilty today to accusations he
tried to sell access to Energy Department supercomputers he unlawfully
accessed.

The defendant, who remains free pending a November sentencing date, faces
as much as 18 months behind bars under a plea deal (.pdf) with
Massachusetts federal...
 

Posted by InfoSec News on Aug 28

http://www.darkreading.com/vulnerability/getting-the-most-out-of-a-security-red-t/240160471

By Ericka Chickowski
Dark Reading
August 27, 2013

When used effectively, a working red team doesn't just help IT security
organizations find vulnerabilities in their environments. Red teams can
also help organizations prove the need for increased budget in focused
areas, substantiate claims of security improvements, and generally sharpen
the...
 
IBM Lotus iNotes 8.5.x cross-site scripting vulnerabilities
 
AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request
 
AST-2013-004: Remote Crash From Late Arriving SIP ACK With SDP
 