Wednesday, March 20, 2013

Weekly Threat Trends March 11-18 2013



Vulnerabilities, Tools, and Tactics

Android app developer licenses are being sold on the malware black market for $100 each, giving buyers “unfettered access to the official Google Play app store.” At least one purchase, attributed to a banking Trojan author, has been leaked. http://t.co/o7nAiecghy

Malware authors are using a fictitious business, legally registered in Brazil, to obtain application-signing certificates, which they use to sign malware and evade detection. http://t.co/U1gBpwXI5a

According to a report by Websense, 85% of websites used in attacks during 2012 were “legitimate sites.”

Related: Israeli website of the “International Institute for Counter-Terrorism” used in a watering-hole attack to deliver malware. http://bit.ly/X4TZ1p

Seagate blog website used to serve malware http://bit.ly/ZsiEii

Fake Bank of America Online Digital Certificate themed emails used in phishing attack. http://bit.ly/WkYSGc

Travnet Trojan implicated in APT campaign http://bit.ly/10WKoei

Blackhole, Sweet Orange, and Cool exploit kits named top weapons for cyber crooks http://bit.ly/10WJRyi

ArchiveLock Trojan used in targeted attacks in France and Spain to encrypt users’ files, demanding a $5,000 ransom. http://bit.ly/100CZ07

Adversary Activity & Campaigns

Decoy ICS/SCADA Water Utility Networks hit by attacks http://ubm.io/ZOplV1

Warning of vulnerabilities among California energy providers http://bit.ly/XiuzNK

US Department of State and Pentagon’s Army National Guard websites hacked through SQL injection and cross-site scripting (XSS) attacks by the Tunisian Cyber Army with assistance from the Al Qaida Electronic Army. The purpose appears to be gathering information for the upcoming OpBlackSummer, which the attackers claim is being coordinated with Chinese hackers. http://t.co/Axd3ylFYQc

APT1 Watch: Royal Bank of Australia (RBA) documents released in 2012 acknowledge victim status in at least two breaches in 2011 with close connections to APT1. http://t.co/YtN2Z0KI6k

ADP Package Delivery Notification phishing attack directs victims to Blackhole Exploit Kit websites http://bit.ly/ZOqnFZZ

Cyber attack heads-up: campaign announced to “wipe Israel from the Internet” on April 7, 2013.

Bank watch: JP Morgan Chase website taken down through denial-of-service http://cnet.co/ZM57UH

US NIST National Vulnerability Database hacked and taken offline for days http://bit.ly/16umBld

Continued reports of hacktivism

42 Russian websites hacked by SiR Abdou http://t.co/5K2OzhXvd4

Celebrity financial information and social security numbers leaked following hack of free credit report provider http://bit.ly/15KAbpl

OpBlackSummer: US Government sites hacked http://bit.ly/Z1DmWJ - possible preparation for a larger event

Toshiba Turkey Website defaced by reMin hacker http://bit.ly/Z1DiWZ

Anonymous takes down political party website in Italy http://bit.ly/Z1E2vw

Indian Hacker “Godzilla” infiltrates Pakistan government websites and leaks information http://bit.ly/YkHykr

Service Center Website of Acer Thailand defaced by Turkish hacker http://bit.ly/YtNynP

Anonymous attacks Philippines President and related government websites http://bit.ly/YtNNzu

Polish Sergianist hackers destroy popular Traditionalist website http://bit.ly/Zsiojc

Syrian Cyber Eagles defaces Saudi General Authority for Tourism and Antiquities website http://bit.ly/Zkfmyi

Anonymous defaces Philippines National Telecommunications Commission website http://bit.ly/Z97Wuu

152 Spanish websites hacked in protest against the deaths of 7 Moroccan immigrants http://bit.ly/107uw1z

Defense and Response News

Pentagon creating new teams to launch cyberattacks http://wapo.st/Y9GNbC

UK develops global cyber security capacity, supported by the ICSPA http://bit.ly/;Z1DVQo

HBGary releases virtual classroom for incident response professionals http://bit.ly/Zsibwp

Cyber-attacks eclipse terrorism in impact according to US leaders http://bit.ly/15SWHwx


Friday, March 15, 2013

Weekly Threat Trends March 3-11 2013


Vulnerabilities, Tools, and Tactics


Rogue Apache modules appear to be the source of a surge in iframe injection attacks targeting legitimate websites, like those used in the NBC.com compromise, to drive traffic to the Blackhole exploit kit. How the rogue modules are being installed is still unknown: http://t.co/29C1kXMLmA

Malicious Java applet uses certificate stolen from Clearesult Consulting to exploit trust and install automatically: http://www.net-security.org/secworld.php?id=14557

A report released from Cenzic claims 99% of web applications remain vulnerable to attacks, calling for increased emphasis on mitigation: http://www.net-security.org/secworld.php?id=14556

Free malicious Java applet generating tool discovered in the wild. The tool can clone a legitimate website, create a malicious Java applet, then redirect victims to a site of the attacker’s choice: http://t.co/4oDZsDdAL5

Web browser proxy auto-configuration (PAC) tactic used in recent banking campaigns in Brazil to capture and redirect selected user traffic; its use is expected to increase globally. http://t.co/V1s2TB2lCL

Example of Android mobile malware commoditization found in an ad for the tool “perkele lite,” used to intercept and forward SMS messages. http://t.co/10o3vJmrXj

Adversary Activity & Campaigns


Bank DDoS attacks resume: Izz ad-Din al-Qassam, believed to be directly supported by the Iranian government, announced and began executing a new phase of attacks targeting US banks. http://t.co/E1UVVqamX0 , http://t.co/3oGt2BKE6A

Emerging phishing campaigns exploiting payroll and banking trust: ADP TotalSource Payroll Invoice: http://t.co/5n8QilMqqM ; Bank of America: http://t.co/YlRBbncKJS

Targeted attack against Australia’s central bank, the Reserve Bank of Australia (RBA), succeeded in compromising at least one system. The target of the attack was information including Group of 20 negotiations. China is implicated. http://t.co/iHxZwwwp0W

Kaspersky discovers AlbaBotnet being used to target Chilean banks in an emerging campaign. http://www.securitybistro.com/blog/?p=5524

APT-1: Industry reporting attributes past campaigns to APT-1, including US, Japan, and India victims, thanks to indicators from Mandiant’s report. One example: http://threatpost.com/en_us/blogs/apt1-themed-spear-phishing-campaign-linked-china-030613 , http://t.co/iQ4DrbJkn0
Surge in reports of hacktivism

Czech central bank, stock exchange, banks hacked: http://t.co/WCA5c3yodY

Nullcrew defaces Time Warner Cable: http://t.co/yPJ4aK2e1T

Arabian Gulf Oil Company (Agoco) hacked by QuisterTow: http://t.co/bDCrpnRKQB

Saudi Aramco Twitter account hacked: http://t.co/RmQxB532aa

54 Israeli sites hacked and defaced: http://t.co/YySGtJhf0G

Over 180 Egypt sites hacked by P@khTuN: http://t.co/SJkUTcjq3u


Defense and Response News


China, in response to Mandiant’s and related APT-1 claims, begins a response campaign claiming it is the victim of repeated US-sourced intrusions and calls for new international agreements on cyber: http://t.co/HO1NvvvZ6l , http://t.co/YmGGkZI2QW

Deutsche Telekom unveils real-time map of global cyber-attacks detected on its global infrastructure: http://t.co/We0TJJ6YOk

Microsoft launches new Cybercrime Center to combat piracy and malware: http://t.co/wllk2eJ0cw

New cyber security, forensics center formed by UMASS to advance research on cyber security and forensics theory: http://www.uml.edu/News/stories/2013/Cyber-forensics-center.aspx

Prolexic successfully defends against large scale DDoS against utility: http://t.co/yg6iU0Sx7g

Monday, March 4, 2013

Weekly Open Source Threat Report - 2/26/2013 - 3/3/2013


Vulnerabilities, Tools, and Tactics

MiniDuke malware, discovered by Kaspersky and CrySyS, has infected government computers in numerous nations. The malware was delivered through PDFs containing exploits written for Adobe Reader versions 9, 10, and 11. Researchers have not yet revealed the nature or mission of the malware. http://www.esecurityplanet.com/network-security/kaspersky-crysys-warn-of-miniduke-malware.html

Multiple Java 0-days released last week with ties to the Bit9 hack from the previous week. Articles from FireEye refer to the malware as McRAT. http://www.infoworld.com/d/security/researchers-link-latest-java-zero-day-exploit-bit9-hack-213798


Adversary Activity & Campaigns

Chinese attackers from Mandiant’s APT1 targeted 23 US energy infrastructure companies during a 2011-2012 campaign, exfiltrating data that would allow them to access and control oil and natural gas industrial control systems. http://www.ibtimes.co.uk/articles/441095/20130301/energy-infrastructure-targeted-chinese-hackers.htm

Anonymous gained access to and published email communications between a contractor and Bank of America security staff, exposing a monitoring program intended to keep tabs on the hacktivist group. The “hack” wasn’t a breach of BofA systems: as Anonymous reported, the server the emails were obtained from was open to external access and controlled by the security researcher.

Evernote hacked; data on 50 million users exposed, including usernames and passwords. Change your password now!

Crescent Healthcare confirms breach of patient records and social security numbers. The breach occurred on December 28, 2012; however, Crescent will not release information on how it happened. http://www.esecurityplanet.com/network-security/crescent-healthcare-acknowledges-security-breach.html

Sabah land dispute conflict transitions from physical to cyber as forces from Malaysia and the Philippines target each other’s government websites. http://www.zdnet.com/ph/hackers-take-sabah-conflict-to-cyberspace-7000012061/

Team Cymru uncovers a state-controlled cyber campaign leaking 1 terabyte of data every day from US-based systems to foreign countries. The report is currently private; details to follow. http://www.theverge.com/2013/2/27/4035378/new-report-finds-hackers-stealing-terabyte-daily

Defense and Response News

Offensive security group CrowdStrike takes over and shuts down the Kelihos botnet, which had 110,000 infected nodes. CrowdStrike used a DNS injection attack to redirect the command-and-control channels used by infected systems, notified all the victims, and shut down the botnet in an offensive campaign. http://www.scmagazine.com/new-version-of-kelihos-botnet-with-110k-nodes-cut-down/article/234036/

Increased calls from public for improved collaboration between government, private, and public cyber security organizations to defend against adversaries like Mandiant’s APT1.

IDF defines cyber warfare as the 5th realm of warfare and establishes a Cyber Command, bridging forces from the Intelligence and Teleprocessing branches. http://www.haaretz.com/news/diplomacy-defense/idf-forms-new-force-to-combat-cyber-warfare.premium-1.506979?block=true

Australia joins the Council of Europe Convention on Cybercrime following the passing of the Cybercrime Legislation Amendment Bill 2011. Among other powers, the legislation requires ISPs to store data on persons deemed under suspicion by law enforcement. http://www.zdnet.com/australia-joins-convention-on-cybercrime-treaty-7000012071/