This week, we collected intelligence from IntelCrawler of mobile malware targeting Middle Eastern bank clients. Also targeting the Middle East, from Symantec and Fidelis respectively, a new Java RAT and SSTEAM targeted attacks on energy and government sectors. Symantec also reported malware exploiting the most recent vulnerability in IE 10 has evolved from targeted to widespread attacks. For situational awareness, the cream of the reports released this week include: FireEye’s 2014 Annual, Dell SecureWorks Cryptocurrency-stealing Malware Landscape, both Kaspersky’s and Symantec’s reports on Mobile Malware and BAE/Detica’s “Business and the Cyber Threat: The rise of Digital Criminality.” Apple has been excoriated in tech media and the security blogosphere over a bug in the SSL implementation in both iPhones and Macs. Our colleague Bruce Schneier is perhaps the most high-profile security expert to ponder whether the NSA is responsible. For a bug. Also tickling the hype-meter: the “Chameleon” Wi-Fi access point virus. The one made public in a university research paper published last October; the one that is not, and never has been, in the wild; the one that only affects access points with security settings essentially turned off, not the way they almost always come out of the box.
Last week it was zero-day attacks using a vulnerability in Internet Explorer (CVE-2014-0322) that were making headlines. This week it’s a new vulnerability in Flash Player that’s getting all the attention. Researchers from FireEye discovered a strategic web compromise of two non-profit organizations’ websites being used to exploit this new vulnerability in Flash Player (CVE-2014-0502). Luckily Adobe is already pushing a patch to plug this hole. As for the Internet Explorer vulnerability from last week, Microsoft finally issued a security advisory confirming IE 9 and 10 are affected and providing a temporary Fix it. No word yet on when a permanent patch will be made available. Noteworthy vulnerabilities and targeted attacks weren’t the only things grabbing headlines this week. The University of Maryland announced it got popped for data on 300,000 people, Kickstarter reported hackers stole e-mail addresses and encrypted passwords belonging to its users, and Bank of the West notified former career prospects that attackers may have stolen their personal information. After getting pwned by the Syrian Electronic Army last week, Forbes decided to publish an after-action report on what went wrong. Kudos to Forbes for its transparency; the RISK Team hopes this trend continues in the future.
Winter is in full swing and the RISK Team is hard at work gathering, validating, and analyzing data for a variety of projects that we’re working on. One of those is the upcoming quarterly release for the VERIS Community Database.
For those not familiar with the VCDB, every quarter the RISK Team releases raw data regarding information security breaches that have been reported in public channels, like the news or reports to the Attorney General’s office. The basic process is to identify news articles, create issues in GitHub, and then code them up using a web-based application. When it comes time for a release, we export the data and use some Python to turn the entries into VERIS schema-compatible JSON objects.
Of course, humans are prone to error, and so we have a variety of sanity checks that we run on the data before it gets committed to GitHub. For example, we check each incident to make sure that all the values are actual enumerations from the standard (no incidents that have ‘hakcing’ instead of hacking) and that an integer is present in the data total.
Even with these checks in place, bad data can slip through the cracks, and one great way to detect that is by having some dynamic data visualizations made up that work against your live data. For example, earlier this week I pulled the latest data from our tool, converted it to JSON, validated it, and then put it into a test database. Now what data scientist wouldn’t want to play around with a shiny new data set? So I pulled up a graph of the incidents in each year in the dataset.
Before I updated the data, the graph looked like this:
And after adding the new data I got this:
Well that’s not good. What the heck happened? Turns out that one of the incidents that passed validation had a mistake in the timeline. In that one file, timeline.incident.year was set to 20134. When I generate this particular view of the data I like to fill in any missing years. That way I don’t have 1971 showing up next to 1983 (yes we have some of those in the data set - I just clipped off the graphic so it wouldn’t be huge). So when this view came up, it filled in every year from 20134 down to 2014. All of the years that actually had something were basically printed on top of each other and were very thin.
So even though my data validation script had given the thumbs up to all the data, taking a glance at some simple visualizations alerted me to a problem. It was an easy fix, and after I re-populated my database I got a picture that was much more in line with what I had expected.
Another example is seeing enumerations in a graphic that simply don’t belong there. Take a look at this graph of actor varieties in the VCDB.
One of the actor varieties is motive, which is not a valid enumeration in VERIS for actor variety (motive is a different variable to describe an actor). Looking in the data set I was able to find an incident that had been coded wrong and fix it even though it had slipped past our other checks.
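The checks described above, as an added example that is not the RISK Team’s own release script: a small validator over VERIS-shaped JSON records that flags misspelled action categories, a motive value sitting in an actor variety field, a non-integer data total, and an implausible incident year such as 20134. The enumeration sets are a constructed, hypothetical subset of the VERIS standard, and the 1970-to-current-year bound on timeline.incident.year is an assumption.

```python
# Constructed subset of VERIS enumerations, for illustration only (not the full schema).
ACTION_CATEGORIES = {"hacking", "malware", "social", "misuse", "error",
                     "physical", "environmental", "unknown"}
ACTOR_VARIETY = {"Organized crime", "Activist", "Nation-state", "Unaffiliated", "Unknown"}
ACTOR_MOTIVE = {"Financial", "Espionage", "Ideology", "Fun", "Unknown"}


def validate_incident(inc, current_year=2014):
    """Return a list of human-readable problems found in one incident dict."""
    problems = []
    # Every key under "action" must be a real VERIS action category ("hakcing" is not).
    for key in inc.get("action", {}):
        if key not in ACTION_CATEGORIES:
            problems.append(f"action.{key} is not a VERIS action category")
    ext = inc.get("actor", {}).get("external", {})
    # Variety and motive are different variables; a motive in the variety list is a coding error.
    for v in ext.get("variety", []):
        if v not in ACTOR_VARIETY:
            hint = " (looks like a motive)" if v in ACTOR_MOTIVE else ""
            problems.append(f"actor.external.variety '{v}' is not valid{hint}")
    for m in ext.get("motive", []):
        if m not in ACTOR_MOTIVE:
            problems.append(f"actor.external.motive '{m}' is not valid")
    # Data total must be an integer (bool is a subclass of int in Python, so exclude it).
    total = inc.get("attribute", {}).get("confidentiality", {}).get("data_total")
    if total is not None and (isinstance(total, bool) or not isinstance(total, int)):
        problems.append("attribute.confidentiality.data_total is not an integer")
    # Assumed plausibility window; a typo like 20134 passes schema checks but fails this.
    year = inc.get("timeline", {}).get("incident", {}).get("year")
    if not isinstance(year, int) or not 1970 <= year <= current_year:
        problems.append(f"timeline.incident.year {year!r} outside 1970..{current_year}")
    return problems


def check_all(records, current_year=2014):
    """Map incident_id -> problems for every record that has at least one."""
    return {inc.get("incident_id", "?"): p
            for inc in records if (p := validate_incident(inc, current_year))}


# Constructed sample records in a VERIS-like shape (illustrative, not real VCDB entries).
SAMPLE = [
    {"incident_id": "ok-1", "action": {"hacking": {}},
     "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
     "attribute": {"confidentiality": {"data_total": 300000}},
     "timeline": {"incident": {"year": 2014}}},
    {"incident_id": "bad-year", "action": {"malware": {}},
     "actor": {"external": {"variety": ["Activist"], "motive": ["Ideology"]}},
     "attribute": {"confidentiality": {"data_total": 1200}},
     "timeline": {"incident": {"year": 20134}}},
    {"incident_id": "bad-enums", "action": {"hakcing": {}},
     "actor": {"external": {"variety": ["Financial"], "motive": ["Financial"]}},
     "attribute": {"confidentiality": {"data_total": "unknown"}},
     "timeline": {"incident": {"year": 2013}}},
]

if __name__ == "__main__":
    for incident_id, problems in check_all(SAMPLE).items():
        print(incident_id, "->", "; ".join(problems))
```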
FireEye has reported “Operation SnowMan,” a watering hole attack that was added to the U.S. Veterans of Foreign Wars association web site. Websense reports a similar attack on users with affinity to the French aerospace association, GIFAS. On Monday, Cloudflare reported an NTP amplification DDoS attack that peaked at 400Gbps. Kaspersky and Symantec have provided intel on the “Mask” or “Careto” APT campaign. Multinational retailer Tesco is investigating indications of a data breach. Yet another Point of Sale (POS) Trojan, JackPOS, has been reported by IntelCrawler infecting mostly systems in Canada. SecureWorks published an excellent report on financial fraud botnets. Dan Goodin at Ars Technica provided a concise summary of “TheMoon” worm first reported by SANS. After an NBC report that visitors to Sochi face an “Internet Minefield,” Trend Micro’s Kyle Wilhoit provided details. Bottom line: what was demonstrated could happen exactly as portrayed to a user with very poor judgment at a Starbucks in Copacabana, Rio de Janeiro or on 14th Street NW in Washington D.C. Protect what you connect or you’ll prove true John Wayne’s, perhaps apocryphal, quote, “Life’s hard, but it’s harder if you’re stupid.” If you’re reading this, you almost certainly have far too much clue to be at risk.
The Syrian Electronic Army was up to no good again this week. Over the weekend they managed to hijack UK, French and Indian domains belonging to eBay and PayPal. They also claimed to intercept e-mails sent by eBay security staff responding to the situation. But their antics don’t stop there. On Wednesday they also attempted to hijack Facebook’s domain through the company’s DNS provider. Luckily the provider, MarkMonitor, stopped the SEA before they caused any real problems. Unfortunately the SEA wasn’t the only hacking crew causing trouble this week. NullCrew took responsibility for stealing Bell Canada customer data that was stored on a third party’s server. They also managed to breach Comcast by exploiting a file inclusion vulnerability and posted their spoils to Pastebin. French telecom Orange was also breached this week, much to the chagrin of its 800,000 affected customers. The website of Aftonbladet, Sweden’s largest newspaper, was discovered to be serving up a Fake AV malware called “tritax,” reported by Kaspersky, Bart Blaze and 0x3a. Elsewhere, Adobe pushed a patch for a Flash Player vulnerability (CVE-2014-0497) that’s being actively exploited in the wild, and Microsoft announced it will issue five bulletins for February’s Patch Tuesday. Unfortunately there wasn’t a lot of good news that made up this week’s intel collections, so I’ll leave you with an article discussing slang used in the Russian Underground.
There were unsuccessful attempts to push retailer breaches out of the, pardon the pun, bull’s-eye. Seculert reported an XtremeRAT attack in the Israeli Defense Ministry. Bank of America and JP Morgan Chase were the victims of DDoS attacks on Tuesday, but the RISK Team is skeptical of claims of responsibility from a Twitter account for the “European Cyber Army.” So the DDoS mitigation world will be watching for an Operation Ababil announcement next Tuesday. But the majority of intelligence collected this week did focus on retailers that are the victims of payment card fraud operations. Gary Warner at Malcovery presented a scenario that Target’s attackers used SQL injection to gain access. In a competing hypothesis, Brian Krebs, leveraging a report from Dell, presented a step-through of a scenario that the attackers may have used systems management software to gain access. Krebs’ scenario is the closer fit to what Target provided to the Wall Street Journal, “the intruder stole a vendor's credentials.” The Neiman Marcus breach expanded and they told Sen. Richard Blumenthal two different infections contributed to the breach. Michaels stores reported a data breach (also reported by Krebs). With POS malware and RAM scraping being a hot-topic, again, Kaspersky, Seculert, RSA and General Dynamics each published assessments of related malware. And it appears someone forgot to reset the annual, global (hype) alarm for Super Bowl badness; don’t be surprised if that pops in the next 48 hours.
Neiman Marcus disclosed more details this week regarding the data breach it suffered in 2013. The retailer admitted 1.1 million of its customers were affected by the lengthy compromise. Be sure to add CrowdStrike’s “Global Threats Report: 2013 Year in Review” to your reading list. With threat group names like Energetic Bear (Russian), Magic Kitten (Iranian) and Deadeye Jackal (Syrian Electronic Army), the report makes for an interesting read. Speaking of the Syrian Electronic Army (SEA), the group continued to torment Microsoft this week by hacking its Office blog and publishing a taunting post. Fool me once… The SEA also managed to compromise several of CNN’s social media sites and send out a number of tweets before the news giant regained control of its accounts. Chinese officials pinned a massive Internet outage that affected millions of customers on a DNS cache poisoning attack, and the German government is warning its citizens that botnets under the control of cybercriminals slurped up nearly 16 million usernames and passwords from various sites. And good news from Romania, as the hacker Guccifer, known for compromising the e-mail accounts of high-profile individuals, was arrested by law enforcement officials in a joint US-Romanian operation.
Cheers to Brian Krebs, McAfee, Volatility Labs and Cisco, who each contributed significantly to our top priorities for intelligence collections this week. Krebs wrote: A First Look at the Target Intrusion, Malware and Part II. McAfee: Analyzing the Target Point-of-Sale Malware. Volatility Labs: Comparing the Dexter and BlackPOS (Target) RAM Scraping Techniques. And Cisco: Detecting Payment Card Data Breaches Today to Avoid Becoming Tomorrow’s Headline. Among our top intelligence gaps to fill now are details on the Neiman-Marcus breach, also reported by Brian Krebs, and the three other retailers Reuters reported. As expected, Microsoft released four security bulletins, including MS14-002 addressing the XP/Server 2003 kernel vulnerability. Adobe released security bulletins for Flash Player as well as Adobe Reader/Acrobat. Given the propensity for criminals to attack those Adobe products, we’re recommending Verizon Enterprise clients give them priority update status. Oracle released a Critical Patch Update (CPU) on Tuesday, so add to the priority list: Java. Also up for accelerated updates are Oracle Financial Services Software and MySQL, if deployed with Apache Struts. The new year is already fulfilling the proverb/curse about “interesting times.”
The theme behind some of this week’s most useful intelligence collections can be easily summed up in one word: malvertising. The week kicked off with Fox-IT reporting that Yahoo’s ad service was serving malicious advertisements on Yahoo’s sites, which ultimately redirected unsuspecting users to the Magnitude exploit kit and a bevy of nasty malware. Later in the week, Malwarebytes reported the website of The Moscow Times has been serving up malvertisements for at least 3 months, an issue which has yet to be resolved. And the last malvertising report comes from Blue Coat, which indicated the website of South Africa’s Mail and Guardian paper was distributing ads that redirected visitors to Fake-AV download pages. Microsoft is taking it easy to start off the New Year, as it pre-announced only four bulletins for January’s Patch Tuesday. One of the bulletins patches the Windows Kernel vulnerability (CVE-2013-5065) in XP and Server 2003 that’s being used in a limited number of targeted attacks. Adobe and Oracle also issued prenotifications for their products for next Tuesday. And finally, Sophos published more evidence to support Microsoft’s successful takedown of the ZeroAccess botnet. Good riddance!
The home site for OpenSSL experienced a data breach last weekend. Since then we've collected from reliable sources conflicting descriptions of the cause of the breach; these remain unresolved. OpenSSL stated "more details to follow." The largest data breach reported this week was the revelation that the user names and phone numbers of at least 4.6 million Snapchat users were posted to the Internet. Graham Cluley assessed the Skype blog and Twitter were likely compromised by a targeted phishing attack. The national information protection agencies of both Japan and the United Kingdom have recently published advice and guidance for mitigating the risk from spear phishing attacks. Several online game sites have suffered from DoS attacks this week, including World of Warcraft, DOTA2, Steam and League of Legends. Andre M. DiMino and "Malware Must Die" each expanded our intelligence on ELF binaries used for DDoS attacks. A rather inauspicious kickoff for 2014, but it certainly could have been worse.