Weekly Open Source Threat Report - 2/26/2013 - 3/3/2013

Vulnerabilities, Tools, and Tactics

MiniDuke malware discovered by Kaspersky and CrySys, has infected government computers from numerous nations. The malware was delivered through PDFs containing exploits written for Adobe Reader versions 9, 10, and 11. Researchers have not revealed the nature or mission of the malware yet. http://www.esecurityplanet.com/network-security/kaspersky-crysys-warn-of-miniduke-malware.html

Multiple Java 0-Days released last week with ties to Bit9 hack from the previous week. Articles from FireEye reference the malware as McRAT. http://www.infoworld.com/d/security/researchers-link-latest-java-zero-day-exploit-bit9-hack-213798

Adversary Activity & Campaigns

Chinese attackers from Mandiant’s APT1 targeted 23 US energy infrastructure companies during a 2011-2012 campaign, exfiltrating data which would allow them to access and control oil and natural gas industrial-control systems. http://www.ibtimes.co.uk/articles/441095/20130301/energy-infrastructure-targeted-chinese-hackers.htm.

Anonymous gained access to and published email communications between a contractor and Bank of America security staff exposing a monitoring program intended to keep tabs on the hacktivist group. The “hack” wasn’t a breach of BofA systems as Anonymous reported the server they obtained the emails from was open to external access and controlled by the security researcher.

Evernote hacked, data on 50 million users exposed including usernames and passwords. Change your password now!

Crescent healthcare confirms breach of patient records and social security numbers. Breach occurred on December 28, 2012, however Crescent will not release information on how it happened. http://www.esecurityplanet.com/network-security/crescent-healthcare-acknowledges-security-breach.html

Sabah land dispute conflict transitions from physical to cyber as forces from Malaysia and the Philippines target each other’s government websites. http://www.zdnet.com/ph/hackers-take-sabah-conflict-to-cyberspace-7000012061/

Team Cymru uncovers a state-controlled cyber campaign leaking 1 Terabyte of data every day from US based systems to foreign countries. Report is currently private, details to follow. http://www.theverge.com/2013/2/27/4035378/new-report-finds-hackers-stealing-terabyte-daily

Defense and Response News

Offensive security group CrowdStrike takes over and shuts down the Kelihos botnet with 110,000 infected nodes. CrowdStrike used a DNS injection attack to redirect the command and control channels used by infected systems, notified all the victims, and shut down the botnet in an offensive campaign. http://www.scmagazine.com/new-version-of-kelihos-botnet-with-110k-nodes-cut-down/article/234036/

Increased calls from public for improved collaboration between government, private, and public cyber security organizations to defend against adversaries like Mandiant’s APT1.

IDF defines Cyber Warfare as the 5^th realm of warfare and established Cyber Command, bridging forces from the Intelligence and Teleprocessing branches. http://www.haaretz.com/news/diplomacy-defense/idf-forms-new-force-to-combat-cyber-warfare.premium-1.506979?block=true

Australia joins the Council of Europe Convention on Cybercrime following the passing of the Cybercrime Legislation Amendment Bill 2011. Among other empowerments, the legislation requires ISPs to store data on persons deemed under suspicion by law-enforcement. http://www.zdnet.com/australia-joins-convention-on-cybercrime-treaty-7000012071/