NewsBone.com - Barebones News
Tech - Linux/BSD - Apache - Security - Hardware - Gaming - Autos - World - Entertainment - About
+ Janes/IHS ~ CurrentActivityCERT ~ CERT ~ WiredSecurity +

Janes analysts win at the 2020 Defence Media Awards: congratulations Jeremy Binnie and Richard Scott
Janes analysts win at the 2020 Defence Media Awards: congratulations Jeremy Binnie and Richard Scott
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes welcomes Christopher Light as Chief Financial Officer
The trusted global agency for open-source defence intelligence welcomes Christopher Light to lead financial operations globally
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes Expands Leadership Team to Welcome Adam Versteeg as Chief Human Resources Officer
Janes today announced the appointment of Adam Versteeg as Chief Human Resources Officer. Adam will lead human resources for Janes globally as the company continues its transition from its publishing legacy into the leading provider of open-source data, intelligence and analytics.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Taiwan increases defence budget by 10%
Taiwan’s new defence budget – amid rising tensions with China – includes nearly USD1 billion for new F-16s from the US.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Assessing North Korea’s Nuclear Weapons Capabilities: Janes Develops New Methodology
Groundbreaking analysis from Janes assesses the fissile material requirements of thermonuclear weapons likely to be in North Korea’s nuclear arsenal, providing a new way to assess the overall inventory.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

China’s Military Aviation Investment Nears USD230 billion, says Janes
In the latest market forecast for the military aviation market, Janes has revised the forecast for China upwards by 12.5%, with total programme spending expected to hit USD228.7 billion between 2020 and 2029.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes Analysts Shortlisted in the 2020 Aerospace Media Awards

Sam Cranny-Evans, Charles Forrester, Pat Host, Gareth Jennings, and Melanie Rovery are all shortlisted finalists at the 2020 Aerospace Media Awards

LONDON - Janes analysts have been shortlisted nine times in the Aerospace Media Awards 2020, reflecting the continued strength of the trusted global agency for open-source intelligence’s news and insights. The awards celebrate excellence in aerospace journalism, and Janes analysts have received nominations across six categories.

“I’m delighted that Sam Cranny-Evans, Charles Forrester, Pat Host, Gareth Jennings and Melanie Rovery have been shortlisted in the Aerospace Media Awards. I look forward to watching the now-digital event next month,” said Sean Howe, head of research and analysis at Janes. “The Janes stamp of trust is inherent in our analysis, and throughout our continued and ongoing transformation into the leading provider of open-source intelligence, our validated and trusted news is vital to workflows across the defence industry, national security, and government activity.”

Janes analysts have been nominated in the following categories:

Best Propulsion:

  • Charles Forrester, principal analyst, for the executive overview of Janes Aero-Engines
  • Gareth Jennings, aviation editor, for “DoD begins preparing helicopter fleets for ITEP Engine”
Best Unmanned Systems Submission:

Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Russian Military Aviation Market Falls 7%, says Janes
The latest forecast from Janes for the Russian military aircraft market expects it to reach the cumulative value of almost USD80 billion between 2020 –2029.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Covid-19 Impact: Defence Spending Down Among NATO’s Top European Spenders, predicts Janes
Janes has revised its forecast for European defence expenditure in 2021 down to USD288.8 billion – a 0.97% decrease on the previous year – after accounting for the economic impact of Covid-19, both in general economic terms and on public spending.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

More details emerge about detection capabilities of Type 055 destroyer's radar
The radar system on China’s Type 055 (Renhai)-class destroyers has the ability to track satellites in low-Earth orbits, according to a report broadcast on China Central...
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Assured by Janes: the trusted global agency for open-source defence intelligence reasserts its leading position with a fresh brand and relaunch of Janes.com
Janes today relaunched the Janes brand to coincide with the relaunch of Janes.com, reflecting the company’s continued transformation from its publishing legacy into the leading provider of open-source data, intelligence and analytics.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Iranian nuclear ambition unaffected by Covid-19 outbreak, says Janes
Analysis from Janes – the trusted agency for global open-source defence intelligence – reaffirms the continuation of Iranian nuclear activity in spite of the Covid-19 pandemic.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes, the trusted global agency for open-source defence intelligence, announces the appointment of a new Chief Sales Officer
Janes, the trusted global agency for open-source defence intelligence, today announced the appointment of Susan Michaels as Chief Sales Officer. Susan will be responsible for accelerating the growth and go-to-market strategy for Janes data, open-source intelligence and analytics.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes and CSIS publish analysis of possible new ballistic missile facility in North Korea
Janes Intelligence Review worked with the Center for Strategic and International Studies (CSIS) to publish analysis of a previously undocumented military facility in North Korea that appears to be related to the country's ballistic missile programme.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Trachtenberg tells Janes: “Fireworks” expected between defence spending and other priorities, as supply chain reels from Covid-19 impact
First instalment of Janes Defence Industry Conversations sees Hon. David Trachtenberg discuss the impact of Covid-19 on US defence priorities, while defence budgets data from Janes reflects the likely squeeze on military spending
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

More than 10,000 incidents linking defence and national security to Covid-19, says Janes
Janes data highlights South American countries shifting policy direction and government instability linked to the novel coronavirus, while in Europe Spain relies on its armed forces to treat the pandemic.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Janes takes Covid-19 threat intelligence to new heights, as pandemic underpins 8,000 national security incidents
Looking through the lens of the coronavirus pandemic, Janes updated Covid-19 Events Monitor keeps industry, government and national security customers informed about key incidents and threats that are affecting their operations.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Covid-19 lockdowns across Asia-Pacific could have major repercussions for defence industry, says Janes
As of early April, the impact of the virus has forced many regional defence firms to halt industrial activities, while companies in East Asia are ramping up work close to pre-pandemic levels. Like in many sectors, working from home has become the norm.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Market for military aviation in East Asia valued at USD190 billion across 2020-2029, says Janes
The latest analysis from Janes Markets Forecast predicts the market for military aviation in East Asia (excl. China) will hit USD189.810 billion across 2020-2029 – with approximately 13% in opportunities for fighter aircraft acquisition programmes.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Arnold Defense selling land-based 70 mm rocket launchers to Special Forces
US Special Operations Command (USSOCOM) and an undisclosed special mission unit in Europe are set to become the first customers capable of firing 70 mm rockets from...
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Covid-19 infection impacts Hizbullah reputation and regional operations
Various sources, including within Hizbullah’s military wing, have reported to Janes that the group’s hospitals in Beirut are overwhelmed by members infected with Covid-19.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

What will happen to the US defence budget?
The US Department of Defense (DoD’s) USD740.5 billion discretionary defence budget request for fiscal year (FY) 2021 is unlikely to be affected by the outbreak of Covid-19, but responses to the virus and its economic effects are likely to increase US public debt and potentially hit budgets in the longer term.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Islamic State: No Longer World’s Deadliest Terror Group, says Janes
The Taliban has overtaken the Islamic State as the world’s deadliest terror group, according to the latest report from  Janes Terrorism and Insurgency Centre (JTIC).
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Kelvin Wong, unmanned systems editor honoured at Aerospace Media Awards Asia
Congratulations to Janes principal journalist and unmanned systems editor Kelvin Wong for picking up the Aerospace Media Awards Asia award for Best Military Aviation submission.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

Terror Attacks Double in Myanmar, says Janes
Janes Terrorism and Insurgency Centre (JTIC) recorded 246 attacks by non-state armed groups (NSAGs) in Myanmar in 2019, up 98.4% from 124 attacks in 2018.
Janes news RSS ~Created Tue Oct 20 00:15:02 2020

NewsBone.com
Suggest a feed to syndicate here, or check out what I'm doing over at freshtao.
~Created Tue Oct 20 00:15:02 2020

Microsoft Releases Security Updates to Address Remote Code Execution Vulnerabilities
Original release date: October 16, 2020
Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code. An attacker could exploit these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft security advisories for CVE-2020-17022 and CVE-2020-17023 and apply the necessary updates.   policy.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

NCSC Releases Alert on Microsoft SharePoint Vulnerability
Original release date: October 16, 2020
The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an Alert to address a vulnerability—CVE-2020-16952—affecting Microsoft SharePoint server. An attacker could exploit this vulnerability to take control of an affected system. Applying patches from Microsoft’s October 2020 Security Advisory for CVE-2020-16952 can prevent exploitation of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators to review the NCSC Alert and the Microsoft Security Advisory for CVE-2020-16952 for more information.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Adobe Releases Security Updates for Magento
Original release date: October 16, 2020 | Last revised: October 19, 2020
Adobe has released security updates to address vulnerabilities affecting Magento Commerce and Magento Open Source. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-59 and apply the necessary updates.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Juniper Networks Releases Security Updates for Multiple Products
Original release date: October 15, 2020
Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Microsoft Addresses Windows TCP/IP RCE/DoS Vulnerability
Original release date: October 14, 2020
Microsoft has released a security update to address a protocol vulnerability—CVE-2020-16898—in Windows Transmission Control Protocol (TCP)/IP stack handling of Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. A remote attacker could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Security Advisory for more information, and apply the necessary updates or workaround.   policy.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Adobe Releases Security Updates for Flash Player
Original release date: October 14, 2020 | Last revised: October 15, 2020
Adobe has released security updates to address a vulnerability affecting Flash Player. An attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Adobe Security Bulletin APSB20-58 and apply the necessary update.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Apache Releases Security Updates for Apache Tomcat
Original release date: October 14, 2020 | Last revised: October 15, 2020

The Apache Software Foundation has released a security advisory to address a vulnerability in Apache Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. 

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Advisory for CVE-2020-13943 and upgrade to the appropriate version.
CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

Microsoft Releases October 2020 Security Updates
Original release date: October 13, 2020
Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s October 2020 Security Update Summary and Deployment Information and apply the necessary updates.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

SAP Releases October 2020 Security Updates
Original release date: October 13, 2020
SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. This includes an OS command injection vulnerability (CVE-2020-6364) affecting SAP Solution Manager and SAP Focused Run.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for October 2020 and apply the necessary updates. policy.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

CISA and FBI Release Joint Advisory Regarding APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
Original release date: October 9, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory regarding advanced persistent threat (APT) actors chaining vulnerabilities—a commonly used tactic exploiting multiple vulnerabilities in the course of a single intrusion—in an attempt to compromise federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and elections organizations. CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised. The joint cybersecurity advisory contains information on exploited vulnerabilities and recommended mitigation actions for affected organizations to pursue.

CISA Current Activity ~Created Tue Oct 20 01:24:17 2020

TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware
Original release date: October 27, 2014 | Last revised: October 28, 2014

Systems Affected

Microsoft Windows

Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:

  • Subject: "Unpaid invoic" (Spelling errors in the subject line are a characteristic of this campaign)
  • Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):

  • Copies itself under C:\Windows\[RandomName].exe
  • Created a Service named "Google Update Service" by setting the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"[7]

Impact

A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to phishing-report@us-cert.gov.

References

Revision History

  • October 27, 2014: Initial Release
  • October 28, 2014: Added Reference 7 in Description Section

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-295A: Crypto Ransomware
Original release date: October 22, 2014 | Last revised: October 24, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC .

References

Revision History

  • October 22, 2014: Initial Release
  • October 24, 2014: Minor edit to the reference section

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack
Original release date: October 17, 2014 | Last revised: October 20, 2014

Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.

Description

The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.

Impact

The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Solution

There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.

Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades: [2]

  • OpenSSL 1.0.1 users should upgrade to 1.0.1j.
  • OpenSSL 1.0.0 users should upgrade to 1.0.0o.
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.

Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [3] or in CERT Vulnerability Note VU#577193. [4]

References

Revision History

  • October 17, 2014 Initial Release
  • October 20, 2014 Added CERT Vulnerability Note VU#577193 to the Solution section

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-268A: GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE 2014-6278)
Original release date: September 25, 2014 | Last revised: September 30, 2014

Systems Affected

  • GNU Bash through 4.3.
  • Linux and Mac OS X systems, on which Bash is part of the base operating system.
  • Any BSD or UNIX system on which GNU Bash has been installed as an add-on.
  • Any UNIX-like operating system on which the /bin/sh interface is implemented as GNU Bash.

Overview

A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allow arbitrary commands to run on a DHCP client machine.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Initial solutions for Shellshock do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article [6] with updated information.

Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [7].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the exploit.

References

Revision History

  • September 25, 2014 - Initial Release
  • September 26, 2014 - Minor Revisions
  • September 30, 2014 - Update to include additional CVE information

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-212A: Backoff Point-of-Sale Malware
Original release date: July 31, 2014 | Last revised: August 27, 2014

Systems Affected

Point-of-Sale Systems

 

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS.  The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed "Backoff" which has been discovered exploiting businesses' administrator accounts remotely and exfiltrating consumer payment data.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], and LogMeIn [5] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.

Description

“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Variants

Based on compiled timestamps and versioning information witnessed in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants witnessed in the “Backoff” malware family have notable modifications, to include:

1.55 “backoff”

  • Added Local.dat temporary storage for discovered track data
  • Added keylogging functionality
  • Added “gr” POST parameter to include variant name
  • Added ability to exfiltrate keylog data
  • Supports multiple exfiltration domains
  • Changed install path
  • Changed User-Agent

1.55 “goo”

  • Attempts to remove prior version of malware
  • Uses 8.8.8.8 as resolver

1.55 “MAY”

  • No significant updates other than changes to the URI and version name

1.55 “net”

  • Removed the explorer.exe injection component

1.56 “LAST”

  • Re-added the explorer.exe injection component
  • Support for multiple domain/URI/port configurations
  • Modified code responsible for creating exfiltration thread(s)
  • Added persistence techniques

Command & Control Communication

All C2 communication for “Backoff” takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.

  • op : Static value of ‘1’
  • id : randomly generated 7 character string
  • ui : Victim username/hostname
  • wv : Version of Microsoft Windows
  • gr (Not seen in version 1.4) : Malware-specific identifier
  • bv : Malware version
  • data (optional) : Base64-encoded/RC4-encrypted data

The ‘id’ parameter is stored in the following location, to ensure it is consistent across requests:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

If this key doesn’t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string of ‘jhgtsd7fjmytkr’, and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943 (The MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456).

File Indicators:

The following is a list of the Indicators of Compromise (IOCs) that should be added to the network security to search to see if these indicators are on their network.

1.4

Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E

Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8

Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Mutexes:

uhYtntr56uisGst

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Static String (POST Request): zXqW9JdWLM4urgjRkX

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/4.0

URI(s): /aircanada/dark.php

1.55 “backoff”

Packed MD5: F5B4786C28CCF43E569CB21A6122A97E

Unpacked MD5: CA4D58C61D463F35576C58F25916F258

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

Undsa8301nskal

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s): /aero2/fly.php

1.55 “goo”

Pa  cked MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC

Unpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windows/updcheck.php

1.55 “MAY”

Packed MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B

Unpacked MD5: CA608E7996DED0E5009DB6CC54E08749

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.55 “net”

Packed MD5: 0607CE9793EEA0A42819957528D92B02

Unpacked MD5: 5C1474EA275A05A2668B823D055858D9

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

nUndsa8301nskal

Files Written:

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas9

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.56 “LAST”

Packed MD5: 12C9C0BC18FDF98189457A9D112EEBFC

Unpacked MD5: 205947B57D41145B857DE18E43EFB794

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKCU\SOFTWARE\\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

HKLM\SOFTWARE\\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s):  /windebug/updcheck.php

Impact

The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

Solution

At the time this advisory is released, the variants of the “Backoff’ malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up‐to‐date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[6],[7],[8] IOCs can be found above.

The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[9]
  • Limit the number of users and workstation who can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[10]
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[11]
  • Require two-factor authentication (2FA) for remote desktop access.[12]
  • Install a Remote Desktop Gateway to restrict access.[13]
  • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[14],[15]
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
  • Segregate payment processing networks from other networks.
  • Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
  • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
  • Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
  • Perform a binary or checksum comparison to ensure unauthorized files are not installed.
  • Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
  • Disable unnecessary ports and services, null sessions, default users and guests.
  • Enable logging of events and make sure there is a process to monitor logs on a daily basis.
  • Implement least privileges and ACLs on users and applications on the system.

References

Revision History

  • July, 31 2014 - Initial Release
  • August 18, 2014 - Minor revision to remote desktop solutions list
  • August 22, 2014 - Changes to the Overview section
  • August 26, 2014 - Minor revision to remote desktop solutions list

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-150A: GameOver Zeus P2P Malware
Original release date: June 02, 2014 | Last revised: August 18, 2014

Systems Affected

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

Description

GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. [2] Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. 

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. [1] GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. [3] Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult. [1]

Impact

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.

Solution

Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

F-Secure       

http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)

http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)

Heimdal

http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)   

McAfee

www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

Microsoft

http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP) 

Sophos

http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above) 

Symantec

http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)

Trend Micro

http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

FireEye and Fox-IT

www.decryptcryptolocker.com FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality.

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

 

References

Revision History

  • Initial Publication - June 2, 2014
  • Added McAfee - June 6, 2014
  • Added FireEye and Fox-IT web portal to Solutions section - August 15, 2014

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
Original release date: April 08, 2014

Systems Affected

  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

Revision History

  • Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-069A: Microsoft Ending Support for Windows XP and Office 2003
Original release date: March 10, 2014 | Last revised: June 18, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products

Overview

Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration manager, or Windows Intune will not receive the notification. [4]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

References

Revision History

  • March 10, 2014 - Initial Release
  • June 18, 2014 - A spelling correction was made.

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-017A: UDP-based Amplification Attacks
Original release date: January 17, 2014 | Last revised: March 07, 2014

Systems Affected

Certain UDP protocols have been identified as potential attack vectors:

  • DNS
  • NTP
  • SNMPv2
  • NetBIOS
  • SSDP
  • CharGEN
  • QOTD
  • BitTorrent
  • Kad
  • Quake Network Protocol
  • Steam Protocol

Overview

A Distributed Reflective Denial of Service (DRDoS) attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

Description

UDP, by design, is a connection-less protocol that does not validate source IP addresses.  Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the IP packet datagram to include an arbitrary source IP address [7].  When many UDP packets have their source IP address forged to a single address, the server responds to that victim, creating a reflected Denial of Service (DoS) Attack.

Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request.  Where before, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times the bandwidth in its response.  This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks.  

To measure the potential effect of an amplification attack, we use a metric called the bandwidth amplification factor (BAF).  BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [9] [10].

The list of known protocols, and their associated bandwidth amplification factors, is listed below.  US-CERT would like to offer thanks to Christian Rossow for providing this information to us.  For more information on bandwith amplificatication factors, please see Christian's blog and associated research paper.

ProtocolBandwidth Amplification FactorVulnerable Command
DNS28 to 54see: TA13-088A [1]
NTP556.9see: TA14-013A [2]
SNMPv26.3GetBulk request
NetBIOS3.8Name resolution
SSDP30.8SEARCH request
CharGEN358.8Character generation request
QOTD140.3Quote request
BitTorrent3.8File search
Kad16.3Peer list exchange
Quake Network Protocol63.9Server info exchange
Steam Protocol5.5Server info exchange

 

Impact

Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.

Solution

DETECTION

Detection of DRDoS attacks is not easy, due to their use of large, trusted servers that provide UDP services.  As a victim, traditional DoS mitigation techniques may apply.

As a network operator of one of these exploitable services, look for abnormally large responses to a particular IP address.  This may indicate that an attacker is using your service to conduct a DRDoS attack.

MITIGATION

Source IP Verification

Because the UDP requests being sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim’s IP, the first step to reducing the effectiveness of UDP amplification is for Internet Service Providers to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 document in May 2000 and Best Current Practice 84 in March 2004 that describes how an Internet Service Provider can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet’s path [3][4].  The changes recommended in these documents would cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface that transmitted the packet. If it is not possible, then the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for most popular types of DDoS attacks. As such, we highly recommend to all network operators to perform network ingress filtering if possible.  Note that it will not explicitly protect a UDP service provider from being exploited in a DRDoS (all network providers must use ingress filtering in order to completely eliminate the threat).

To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [5].

Traffic Shaping

Limiting responses to UDP requests is another potential mitigation to this issue.  This may require testing to discover the optimal limit that does not interfere with legitimate traffic.  The IETF released Request for Comment 2475 and Request for Comment 3260 that describes some methods to shape and control traffic [6] [8].  Most network devices today provide these functions in their software. 

References

Revision History

  • February 09, 2014 - Initial Release
  • March 07, 2014 - Updated page to include research links

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
Original release date: January 13, 2014 | Last revised: February 05, 2014

Systems Affected

NTP servers

Overview

A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible NTP servers to overwhelm a victim system with UDP traffic.

Description

The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the “monlist” command. The basic attack technique consists of an attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.

Impact

The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim. Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.

Solution

Detection

On a UNIX-platform, the command “ntpdc” will query existing NTP servers for monitoring data. If the system is vulnerable to exploitation, it will respond to the “monlist” command in interactive mode. By default, most modern UNIX and Linux distributions allow this command to be used from localhost, but not from a remote host. To test for monlist support, execute the following command at the command line:

/usr/sbin/ntpdc <remote server>

monlist

Additionally, the “ntp-monlist” script is available for NMap, which will automatically display the results of the monlist command. If the system does not support the monitor query, and is therefore not vulnerable to this attack type, NMap will return an error type 4 (No Data Available) or no reply at all.

 

Recommended Course of Action

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.

To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery

References

Revision History

  • January 13, 2014 - Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.



US-CERT Alerts ~Created Sat Nov 1 13:21:58 2014

US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
The Department of Justice has named and charged six men for allegedly carrying out many of the most costly cyberattacks in history.
Security Latest ~Created Tue Oct 20 01:33:18 2020

A Cut Cable Knocked Out Virginia’s Voter Registration Site
Plus: Barnes and Noble got hacked, Zoom adds real end-to-end encryption, and more of the week’s top security news.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Twitter’s ‘Hacked Materials’ Rule Tries to Thread an Impossible Needle
The company’s flip-flopping on the policy after banning a shady New York Post story highlights the challenges facing social media in 2020.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Fancy Bear Imposters Are on a Hacking Extortion Spree
Nice looking website you've got there. It'd be a shame if someone DDoS'd it.
Security Latest ~Created Tue Oct 20 01:33:18 2020

The Media Just Passed a Test It Failed Four Years Ago
In an interview with WIRED, Columbia Journalism School dean Steve Coll says the media has learned some important lessons since 2016 about covering stolen email leaks.
Security Latest ~Created Tue Oct 20 01:33:18 2020

A Trickbot Assault Shows US Military Hackers' Growing Reach
Despite the operation's short-term effects, it sets new precedents for the scope of Cyber Command's mission.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Internet Freedom Has Taken a Hit During the Covid-19 Pandemic
From surveillance to arrests, governments are using the novel coronavirus as cover for a crackdown on digital liberty.
Security Latest ~Created Tue Oct 20 01:33:18 2020

The Man Who Speaks Softly—and Commands a Big Cyber Army
Meet General Paul Nakasone. He reined in chaos at the NSA and taught the US military how to launch pervasive cyberattacks. And he did it all without you noticing.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Split-Second ‘Phantom’ Images Can Fool Tesla’s Autopilot
Researchers found they could stop a Tesla by flashing a few frames of a stop sign for less than half a second on an internet-connected billboard.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Amazon's Latest Gimmicks Are Pushing the Limits of Privacy
Privacy advocates warn that the Ring Always Home Cam and Amazon One both normalize aggressive new forms of data collection.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Researchers Found 55 Flaws in Apple's Corporate Network
The company has patched the vulnerabilities and paid the team of white-hat hackers $288,000.
Security Latest ~Created Tue Oct 20 01:33:18 2020

The Law Comes for John McAfee
Plus: A buggy chastity lock, Iranian disinformation, and more of the week’s top security news.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Android Ransomware Has Picked Up Some Ominous New Tricks
While it's still far more common on PCs, mobile ransomware has undergone a worrying evolution, new research shows.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Behind Anduril’s Effort to Create an Operating System for War
The company, launched by Oculus cofounder Palmer Luckey, is building software to connect multiple Air Force systems—allowing officers to act more quickly.
Security Latest ~Created Tue Oct 20 01:33:18 2020

How Google's Android Keyboard Keeps ‘Smart Replies’ Private
The latest Gboard feature needs to know as much as possible about your digital life to work—but doesn't share that data with Google.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Apple's T2 Security Chip Has an Unfixable Flaw
The Checkm8 vulnerability that exposed years of iPhones to jailbreaking has finally been exploited in Macs as well.
Security Latest ~Created Tue Oct 20 01:33:18 2020

A Poker Pro Accused of Cheating Wants $330M in Damages
Mike Postle claims he was the victim of an elaborate online campaign to tar him as a fraud—and he's suing a dozen defendants.
Security Latest ~Created Tue Oct 20 01:33:18 2020

A Dangerous Year in America Enters Its Most Dangerous Month
Seven distinct factors between now and the election threaten to combine, compound, and reinforce each other in unpredictable ways.
Security Latest ~Created Tue Oct 20 01:33:18 2020

A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware
The tool attacks a device’s UEFI firmware—which makes it especially hard to detect and destroy.
Security Latest ~Created Tue Oct 20 01:33:18 2020

Paying Evil Corp Ransomware Might Land You a Big Federal Fine
Plus: A Grindr bug, a Joker explosion, and more of the week's top security news.
Security Latest ~Created Tue Oct 20 01:33:18 2020

+ Janes/IHS ~ CurrentActivityCERT ~ CERT ~ WiredSecurity +
Tech - Linux/BSD - Apache - Security - Hardware - Gaming - Autos - World - Entertainment - About
Powered by mod_perl Powered by Pure Perl Valid XHTML
Tuesday, 20-Oct-2020 04:58:47 EDT you asked for http://newsbone.com/security/index.shtml from 3.237.61.235:47784