
Open-source developers who use GitHub are in the crosshairs of advanced malware that can steal passwords, download sensitive files, take screenshots, and self-destruct when necessary.

Dimnie, as the reconnaissance and espionage trojan is known, has largely flown under the radar for the past three years. It mostly targeted Russians until early this year, when a new campaign took aim at multiple owners of GitHub repositories. One commenter in this thread reported that the initial infection e-mail was sent to an address used solely for GitHub, and researchers with Palo Alto Networks, the firm that reported the campaign on Tuesday, told Ars they have no evidence it targeted anyone other than GitHub developers.

"Both messages appearing to be hand-crafted, and the reference to today's data in the attachment file name IMHO hint at a focused campaign explicitly targeting targets perceived as 'high return investments,' such as developers (possibly working on popular/open-source projects,)" someone who received two separate infection e-mails reported in the thread.


 
Exponent CMS CVE-2016-7783 SQL Injection Vulnerability
 
GNU Binutils CVE-2017-7300 Remote Heap Buffer Overflow Vulnerability
 
GNU Binutils 'aout_link_add_symbols()' Function Remote Denial of Service Vulnerability
 
GNU Binutils CVE-2017-7299 Remote Denial of Service Vulnerability
 
GNU Binutils 'swap_std_reloc_out()' Function Remote Denial of Service Vulnerability
 
Exponent CMS CVE-2016-7782 SQL Injection Vulnerability
 
GNU Binutils CVE-2017-7304 Remote Denial of Service Vulnerability
 
ESA-2017-013: RSA Archer® GRC Security Operations Management Sensitive Information Disclosure Vulnerability
 
ESA-2017-028: EMC Isilon OneFS Path Traversal Vulnerability
 
[SECURITY] [DSA 3824-1] firebird2.5 security update
 
LibTIFF CVE-2016-10269 Heap Based Buffer Overflow Vulnerability
 
Multiple F5 BIG-IP CVE-2016-7474 Local Information Disclosure Vulnerability
 
CMS Made Simple CVE-2017-7256 Cross-Site Scripting Vulnerability
 
LibTIFF CVE-2016-10272 Heap Based Buffer Overflow Vulnerability
 
LibTIFF CVE-2016-10270 Heap Based Buffer Overflow Vulnerability
 
Allwinner Linux kernel 'sunxi-debug.c' Local Privilege Escalation Vulnerability
 
Subrion CMS CVE-2017-6069 Cross Site Request Forgery Vulnerability
 
Eclipse tinydtls CVE-2017-7243 Denial of Service Vulnerability
 
cloudflare-scrape CVE-2017-7235 Remote Code Execution Vulnerability
 
Disk Sorter Enterprise CVE-2017-7230 Buffer Overflow Vulnerability
 
Symphony CMS CVE-2017-6006 Cross Site Scripting Vulnerability
 
cURL/libcURL Incomplete Fix CVE-2017-2628 Remote Security Bypass Vulnerability
 
Eview EV-07S GPS Tracker Buffer Overflow and Information Disclosure Vulnerabilities
 
audiofile CVE-2017-6829 Buffer Overflow Vulnerability
 
Linux Kernel CVE-2017-7273 Local Denial of Service Vulnerability
 
Irssi CVE-2017-7191 Denial of Service Vulnerability
 
Eview EV-07S GPS Tracker CVE-2017-5237 Security Bypass Vulnerability
 
Apache Ambari CVE-2016-6807 Remote Command Execution Vulnerability
 
[SECURITY] [DSA 3798-2] tnef regression update
 
Yii framework CVE-2017-7271 Cross Site Scripting Vulnerability
 
Eject dmcrypt-get-device CVE-2017-6964 Local Code Execution Vulnerability
 
QEMU VGA Module CVE-2016-3712 Multiple Denial of Service Vulnerabilities
 
ImageMagick Incomplete Fix CVE-2017-7275 Memory Corruption Vulnerability
 

VMware released a security advisory[1] covering moderate to critical vulnerabilities. The following products are affected:

  • ESXi
  • Workstation
  • Fusion

The vulnerabilities may allow a guest to execute code on the host, or may lead to a denial of service or information leakage (depending on the product and version). Patches are available.

[1]https://www.vmware.com/security/advisories/VMSA-2017-0006.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Multiple Bitdefender Products CVE-2017-6186 DLL Loading Local Code Injection Vulnerability
 

Today, I would like to review an example of how we can improve our daily security operations or, for our users, how to help them detect suspicious content. Last week, I received the following email in my corporate mailbox. The mail is written in French but is easy to understand: it is a notification about a failed delivery (they pretended that nobody was present at the delivery address to receive the goods).

To be honest, I hesitated a few seconds about the legitimacy of this message, for the following reasons:

  • I do a lot of online shopping and have parcels delivered to my company address
  • The email address used was a corporate address that I protect and only use to contact my customers
  • My name, company name and address were correct
  • The mail was in good French, with no typos
  • There are plenty of companies active in this field, and you do not know in advance which one will deliver your parcel

The reflex is to visit the website, but this is what I got:

[screenshot of the website's response not reproduced]

The first thought was that the website had indeed been compromised and that the owner had closed it temporarily. But the malicious Office document referenced in the mail was still available! So the website had not been cleaned yet. I tried to find a contact at the company to report the problem. Google did not know Duprat Logistics in Belgium. If it's unknown to Google, it...

    Domain Name: dupratlogistics.com
    Registry Domain ID:
    Registrar WHOIS Server: whois.regtons.com
    Registrar URL: http://regtons.com
    Updated Date:
    Creation Date: 2017-03-17T00:00:00Z
    Registrar Registration Expiration Date: 2018-03-17T00:00:00Z
    Registrar: GRANSY S.R.O D/B/A SUBREG.CZ
    Registrar IANA ID: 1505
    Registrar Abuse Contact Email: [email protected]
    Registrar Abuse Contact Phone: +420.734463373
    Reseller: ??????? ?????? ?????????
    Registry Registrant ID: G-987982
    Registrant Name: Jarred Ewing
    Registrant Organization:
    Registrant Street: Smaratun 60
    Registrant City: Vik
    Registrant State/Province: Vik
    Registrant Postal Code: 870
    Registrant Country: IS
    Registrant Phone: +354.4701571
    Registrant Phone Ext: None
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: [email protected]
    Registry Admin ID: G-987982

The domain was registered on the 17th of March! Have a look at the email address (mail2tor.com). The reseller field contains Cyrillic characters.

But the mail claimed that they visited my place on the 21st of March at 11:32. Unfortunately for them, I...

[screenshot not reproduced]

The rest of the story is classic. As you can imagine, the document was malicious (MD5: 9a9f84d7ade2e2802c1b2b584b668046). The macro downloaded a PE file from...

[screenshot not reproduced]

I'm not aware of other companies targeted by the same email in Belgium, but this was a very nice attempt. To conclude, there are many ways to defeat such phishing attempts by correlating information from multiple sources (logical and physical). It is time-consuming, but here are a few examples:

  • Check the domain name registration details (via a whois[1] server)
  • Search Google for the addresses and names
  • Geolocate the IP address of the fake website
  • Cross-check activities with CCTV, badge readers, etc.
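The first of these checks can be automated. Below is an added example (not part of the original diary or of any ISC tooling) that takes a raw whois record and the date the mail arrived, and flags the three things that gave this domain away: it was only a few days old, the registrant used an anonymous mail provider, and a field contained Cyrillic text. The record is a constructed one modelled on the real output above; the registrant data, the 30-day age threshold and the watch-list of mail providers are assumptions you would tune for your own environment (only mail2tor.com comes from the diary).

```python
import unicodedata
from datetime import datetime

# Constructed whois record modelled on the diary's; the registrant values are
# placeholders, not the real data.
SAMPLE_WHOIS = """\
Domain Name: example-logistics.test
Registry Domain ID:
Creation Date: 2017-03-17T00:00:00Z
Registrar Registration Expiration Date: 2018-03-17T00:00:00Z
Registrar: Example Registrar s.r.o.
Reseller: Пример Реселлер
Registrant Name: J. Doe
Registrant Country: IS
Registrant Email: jdoe@mail2tor.com
"""

# Hypothetical watch-list of mail providers that make a registrant hard to
# trace; extend it with whatever your own investigations turn up.
SUSPICIOUS_MAIL_DOMAINS = {"mail2tor.com"}


def parse_whois(text):
    """Parse 'Key: value' lines into a dict. The first occurrence of a key wins,
    which matches the usual whois layout (registrant block before admin block)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or free-text footer
        key, value = key.strip(), value.strip()
        if key and key not in record:
            record[key] = value
    return record


def parse_whois_date(value):
    """Registrars use a few date layouts; return None if none of them match."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def scripts_in(value):
    """Set of Unicode script names (e.g. 'CYRILLIC') of the non-ASCII chars."""
    return {unicodedata.name(ch, "?").split()[0] for ch in value if ord(ch) > 127}


def triage_whois(text, mail_date, min_age_days=30, mail_domains=SUSPICIOUS_MAIL_DOMAINS):
    """Return (check, detail) findings for a domain seen in a suspicious mail."""
    record = parse_whois(text)
    findings = []

    created = parse_whois_date(record.get("Creation Date", ""))
    if created is None:
        findings.append(("no-creation-date", "registry returned no parsable creation date"))
    else:
        age = (mail_date - created).days
        if age < 0:
            findings.append(("created-after-mail", f"domain created {-age} day(s) after the mail"))
        elif age < min_age_days:
            findings.append(("young-domain", f"domain was {age} day(s) old when the mail arrived"))

    registrant_domain = record.get("Registrant Email", "").rpartition("@")[2].lower()
    if registrant_domain in mail_domains:
        findings.append(("anonymous-registrant-mail", f"registrant uses {registrant_domain}"))

    for key, value in record.items():
        scripts = scripts_in(value)
        if scripts:
            findings.append(("non-ascii-field", f"{key} contains {', '.join(sorted(scripts))} characters"))

    return findings


if __name__ == "__main__":
    # The mail in the diary claimed a visit on 21 March 2017 at 11:32.
    for check, detail in triage_whois(SAMPLE_WHOIS, datetime(2017, 3, 21, 11, 32)):
        print(f"[{check}] {detail}")
```

None of these findings proves the mail is malicious on its own; a legitimate courier can also run a freshly registered domain. The value is in combining them with the physical checks from the list above, which is exactly what exposed this one.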

Stay safe!

[1]https://www.whois.net/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


 
APPLE-SA-2017-03-28-1 iCloud for Windows 6.2
 
[slackware-security] mariadb (SSA:2017-087-01)
 