swordlea posted on 2017-1-28 17:54

Daily Security Briefing (20170129)

1. Security vendor analyzes the Shamoon attack group's complete operational process
2. Dridex banking trojan returns; new variant can bypass the UAC mechanism
3. Malware spread via forged bank emails steals passwords and Bitcoin
4. Security vendor discovers XSS vulnerabilities in IBM big-data storage and analytics platform
5. Partial user identity leak at the corpus website of Brigham Young University (USA)
6. Google plans to drop intermediaries and become an independent root certificate authority

[Antiy] collected and compiled (sources: mcafee, threatpost, cyren, fortinet, byu, bleepingcomputer)

Wenster posted on 2017-2-2 17:40

1. Security vendor analyzes the Shamoon attack group's complete operational process
Title: Spotlight on Shamoon

Author info: Jan 27, 2017 By Christiaan Beek, Raj Samani

//BEGIN
Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents have occurred in public and private sectors.
Researchers at the security vendor McAfee continue to track the Shamoon attack group, whose main targets remain in the Middle East. Although it has shown some new characteristics, there are still similarities with previously published reports, which shows the group's consistent working method: targets are chosen from organizations in one vertical sector. This report shows that a total of 15 public and private sector organizations have had their disks wiped.

//END
Our analysis of the execution of this attack tells a story about the actors capability and skills. Their attack precision is very good; they know whom and what to attack, in this case to disrupt and leave a statement. Their focus is on Windows and they use well-known practices to gather information and credentials, with no zero days. From a coding perspective, many security industry colleagues have already commented on the sloppy coding practices. From an operations security perspective—how well are the actors able to hide details that could lead to them?—we noticed that quite a few details are available: email addresses, program database paths, and Yemeni Arabic as the language identifier of almost all the samples, although we discovered one sample with a different language identifier. Was that on purpose, or a slip by the actor because this was a large campaign?
The attackers' tradecraft shows very strong capability and skill, and their target selection is very precise. They do not pursue large-scale spread and infection; they know who their targets are and the specific location of the targeted assets. Their goal is to make the target temporarily cease operations while leaving the victim some "statement text" to express their demands. The targets' operating system is Windows, but no 0-day vulnerabilities are used; instead, commonly used methods are employed to gather user information and login credentials. From a programming perspective, many industry experts consider the coding sloppy. From the operational-security perspective: how does the group's author hide their own information to avoid being located? At least from the analysts' point of view, email addresses, database paths, and language/locale settings were found (one of them, of course, did not belong to the same category). However, what we would like to know is whether this was deliberate or a momentary oversight by the attacker because the project was so large; this is not yet known.

//Download
File name: Spotlight on Shamoon.pdf
File size: 468,873 bytes
MD5   : 7AE41E9E50AB30B236006A5A674F140D

Comment: Looks like an APT attack.

Wenster posted on 2017-2-2 17:42

2. Dridex banking trojan returns; new variant can bypass the UAC mechanism
Title: DRIDEX RETURNS WITH WINDOWS UAC BYPASS METHOD

Author info: January 27, 2017, 1:56 pm By Tom Spring

//BEGIN
After a six-month hiatus, the Dridex banking malware is back and targeting large financial institutions in the U.K with a new technique that can bypass Windows User Account Control (UAC).
After nearly half a year of silence, the Dridex banking trojan has reappeared. This time its targets are large financial institutions in the UK, and on the technical side it can bypass Windows' User Account Control (UAC) mechanism: in plain terms, when it runs, the usual dialog that prompts the user for permission when a non-Windows program runs does not appear; instead it runs silently. This actually exploits Windows' built-in whitelist mechanism.

//END
“Dridex is a very modular Trojan,” Kremez said. “The malware will take advantage of opportunities as they present themselves, like harvesting credentials, cookies and saved passwords. Attackers may also establish a remote desktop protocol module and attempt further network penetration.”
The Dridex banking trojan is modular in design; it will exploit every opportunity to gather users' login credentials, cookies, saved passwords, and so on, and may establish a remote desktop connection and attempt further network injection.

//Download:
File name: Dridex Banking Trojan Returns, Leverages New UAC Bypass Method.pdf
File size: 976,296 bytes
MD5   : 2AEDFB511E6A32A596355CA163E82203

Comment: In an age of ten thousand galloping horses, each (Trojan) horse plays a different role.

Wenster posted on 2017-2-2 17:44

3. Malware spread via forged bank emails steals passwords and Bitcoin
Title: FAKE BANK TRANSFER EMAILS STEALING BITCOIN AND PASSWORDS

Author info: January 25, 2017 By Igor Glik, Magni Reynir Siguresson

//BEGIN
Cyren has discovered an outbreak of malware which is stealing passwords as well as Bitcoin from crypto-currency wallets on PCs. This versatile keylogger malware is being delivered as an attachment to phony bank transfer emails, which inform the recipient that they have received a deposit. The emails are originating primarily from bots in the U.S. and Singapore, and are branded as coming from several different banks, including Emirates NDB and DBS (see example below).
The German security company Cyren recently discovered a piece of malware whose main characteristic is stealing users' various password information as well as virtual currency from infected machines. Another main feature of the malware is keystroke logging. It spreads mainly via conventional email, posing as a bank transfer email that pretends to notify the recipient of a received deposit. The emails appear to come from botnet computers in the US or Singapore and, after some dressing up, look as though they come from large banking institutions around the world.

//END
The malware also searches the computer for crypto-currency wallets to steal. Among the wallets it tries to find: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin, and Zetacoin. The malware creates hooks for both the keyboard and the mouse. The API windows call “GetAsyncKeyState” is called which indicates that the malware is logging every keystroke (Keylogger).
Once running, the malware searches the infected machine for virtual currency. Nearly 30 types of virtual currency are stolen: Anoncoin, BBQcoin, Bitcoin, Bytecoin, Craftcoin, Devcoin, Digitalcoin, Fastcoin, Feathercoin, Florincoin, Freicoin, I0coin, Infinitecoin, Ixcoin, Junkcoin, Litecoin, Luckycoin, Megacoin, Mincoin, Namecoin, Phoenixcoin, Primecoin, Quarkcoin, Tagcoin, Terracoin, Worldcoin, Yacoin and Zetacoin.
From its call to the Windows API function GetAsyncKeyState it is inferred that the malware also records every keystroke.

Comment: In an age of ten thousand galloping horses, each (Trojan) horse plays a different role.
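The Cyren write-up above gives two static indicators for this family: keystroke polling through GetAsyncKeyState (plus keyboard and mouse hooks) and a hard-coded list of wallet names the sample hunts for. The following is an added triage script, not code from Cyren or from the briefing, that pulls printable ASCII and UTF-16LE strings out of a raw byte blob and scores the combination of those two indicators. The wallet names are the ones the article lists; SetWindowsHookExA/W is the standard Win32 hook-installation API, which the article does not name and is included here as an assumption. The two sample blobs are constructed for the demonstration and contain no real malware.

```python
import re
from dataclasses import dataclass

# Wallet names exactly as Cyren lists them in the article above.
WALLET_NAMES = (
    "Anoncoin", "BBQcoin", "Bitcoin", "Bytecoin", "Craftcoin", "Devcoin",
    "Digitalcoin", "Fastcoin", "Feathercoin", "Florincoin", "Freicoin",
    "I0coin", "Infinitecoin", "Ixcoin", "Junkcoin", "Litecoin", "Luckycoin",
    "Megacoin", "Mincoin", "Namecoin", "Phoenixcoin", "Primecoin", "Quarkcoin",
    "Tagcoin", "Terracoin", "Worldcoin", "Yacoin", "Zetacoin",
)
# GetAsyncKeyState is named in the article; SetWindowsHookEx* is an assumption
# (the usual API behind "hooks for both the keyboard and the mouse").
KEYLOG_APIS = ("GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW")

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # 4+ printable UTF-16LE units


def extract_strings(blob: bytes) -> set[str]:
    """Return printable ASCII and UTF-16LE strings (4+ chars) found in raw bytes.

    Windows binaries store paths such as wallet locations as wide strings, so a
    scanner that only looks at ASCII misses half of the indicators.
    """
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)}
    return found


@dataclass
class TriageResult:
    wallets: list[str]   # wallet names seen in strings
    apis: list[str]      # keylogging-related API names seen in strings
    score: int
    verdict: str         # "low" | "medium" | "high"


def triage(blob: bytes) -> TriageResult:
    """Score a blob on the keylogger + wallet-hunting combination from the article."""
    strings = extract_strings(blob)
    lowered = [s.lower() for s in strings]
    wallets = sorted(w for w in WALLET_NAMES if any(w.lower() in s for s in lowered))
    # Import names are null-terminated and may be preceded by a printable hint
    # byte, so match as a substring rather than requiring an exact string.
    apis = sorted(a for a in KEYLOG_APIS if any(a in s for s in strings))

    score = 0
    if "GetAsyncKeyState" in apis:
        score += 2   # weak on its own: games and accessibility tools poll keys too
    if any(a.startswith("SetWindowsHookEx") for a in apis):
        score += 2
    score += min(len(wallets), 4)   # several wallet names is unusual outside wallet software
    if apis and wallets:
        score += 4   # the pairing Cyren describes: keystroke capture plus wallet theft

    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return TriageResult(wallets, apis, score, verdict)


# Constructed sample bytes (not real malware): an import-table-like fragment
# followed by UTF-16LE wallet paths and filler.
SUSPICIOUS = (
    b"\x00\x00GetAsyncKeyState\x00\x00\x00SetWindowsHookExW\x00\x90"
    + "\\Bitcoin\\wallet.dat".encode("utf-16-le") + b"\x00\x00"
    + "\\Litecoin\\wallet.dat".encode("utf-16-le") + b"\x00\x00"
    + "AppData\\Roaming\\Namecoin".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)
# Constructed benign-looking blob: polls keys (like a game) but has no wallet strings.
BENIGN = b"\x00\x00GetAsyncKeyState\x00\x00\x00GetTickCount\x00" + b"\xcc" * 16


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        r = triage(blob)
        print(f"{name}: verdict={r.verdict} score={r.score} apis={r.apis} wallets={r.wallets}")
```

Run against a real file with `triage(open(path, "rb").read())`. The scoring deliberately keeps a lone GetAsyncKeyState import at "low", because that call alone is common in legitimate software; it is the co-occurrence with the wallet name list that makes the article's sample stand out.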

Wenster posted on 2017-2-2 17:46

4. Security vendor discovers XSS vulnerabilities in IBM big-data storage and analytics platform
Title: Multiple XSS Vulnerabilities Discovered In IBM Infosphere BigInsights

Author info: Jan 27, 2017 By Honggang Ren

//BEGIN
Summary
Last year, I discovered and reported two Cross-Site Scripting (XSS) vulnerabilities in IBM’s Infosphere BigInsights. This week, IBM released a security bulletin which contains the fix for these vulnerabilities. CVE numbers CVE-2016-2924 and CVE-2016-2992 are assigned to them respectively.
InfoSphere BigInsights is an analytics platform for analyzing massive volumes of unconventional data in its native format. The software enables advanced analysis and modeling of diverse data, and supports structured, semi-structured, and unstructured content to provide maximum flexibility.
In this blog, I want to share the details of these vulnerabilities.
Security researchers from Fortinet discovered last year that IBM's Infosphere BigInsights platform has two cross-site scripting (XSS) vulnerabilities, numbered CVE-2016-2924 and CVE-2016-2992 respectively. IBM has fixed both vulnerabilities this year and reminds all users of the platform to upgrade as soon as possible to avoid remote malicious exploitation by attackers. IBM's Infosphere BigInsights platform is an analytics platform for non-regular data; it accepts flexible data formats, which may be structured, semi-structured, or completely unstructured.
This report demonstrates how to exploit these two vulnerabilities.

//END
Solution
All users of IBM Infosphere BigInsights are encouraged to upgrade to the latest version of the software immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from these vulnerabilities with the signatures IBM.Infosphere.BigInsights.Customalerts.XSS (for CVE-2016-2924) and IBM.Infosphere.BigInsights.Editor.XSS (for CVE-2016-2992.)
Relevant users are reminded to upgrade as soon as possible and also to update IPS device rules to block possible attacks exploiting these two vulnerabilities: CVE-2016-2992 and CVE-2016-2994.

Comment: XSS vulnerabilities have always been very common and hard to eradicate.

Wenster posted on 2017-2-2 17:48

5. Partial user identity leak at the corpus website of Brigham Young University (USA)
Title: There has been a data breach for http://corpus.byu.edu

Author info: 27 January 2017 By corpus.byu.edu

//BEGIN
We have been notified that there has been a data breach for http://corpus.byu.edu, and that some emails and passwords that people use to log in to the corpora may have been stolen. We emailed all users of the BYU corpora to let them know about this as soon as we found out, on 27 January 2017.
If the password that you use for the BYU corpora is the same one that you use for other sites (e.g. Gmail or another email provider), we strongly suggest that you change your password for the other sites as soon as possible.
User information for http://corpus.byu.edu has been leaked, including the email addresses used to log in to the site and their passwords. All possibly affected users have been notified. This information was discovered and reported on 27 January 2017.
Note in particular: if the http://corpus.byu.edu login username (email address) and password are the same as the login password for other sites, users are advised to change the other sites' login passwords immediately to avoid collateral damage.

//END
If the password is used only for the BYU corpora, we still suggest that you change your password. If it has not been changed in the last year, you will be asked to change the password the next time you log on to a corpus.
Please be assured that we take the security of your data very seriously, and that we have already implemented (and will continue to implement) additional measures to prevent other such incidents.
If the login password for http://corpus.byu.edu is unique, users are still advised to change their login password immediately. Of course, if it is not changed voluntarily before the end of the year, the system will automatically force a change at the user's next login.

Comment: Another example of a data breach. The 9 billion records will grow by quite a bit; only the exact number of affected users is unknown.

Wenster posted on 2017-2-2 17:49

6. Google plans to drop intermediaries and become an independent root certificate authority
Title: Fed up with Intermediaries, Google Becomes Root Certificate Authority

Author info: January 27, 2017 12:05 PM By Catalin Cimpanu

//BEGIN
Google announced yesterday plans to become a self-standing, certified, and independent Root Certificate Authority, meaning the company would be able to issue its own TLS/SSL certificates for securing its web traffic via HTTPS, and not rely on intermediaries, as it does now.
Search-engine giant Google recently announced plans to issue its own independent root certificate and no longer rely on third parties. Its current certificates are still issued by a third party, under the name Google Internet Authority G2, abbreviated GIAG2. Google's future independent root certificate will be called GTS: Google Trust Services. Because the switch takes time, users may see both kinds of certificates (GIAG2 and GTS) appear interleaved for some time.

//END
More technical information, such as Google's current active root certificates and their SHA1 fingerprints, is available on the Google Trust Services homepage (https://pki.goog/).
GTS has set up the website https://pki.goog/, where more technical details can be viewed, as well as its SHA1 fingerprint file.

Comment: When will Baidu issue its own independent CA certificate?