swordlea posted on 2017-2-16 22:50

Daily Security Briefing (20170217)

1. Security vendor exposes the Magic Hound APT campaign targeting Saudi Arabia
2. Researchers find the Remcos remote access trojan used in live attacks
3. Researchers use JavaScript to bypass the ASLR security mechanism
4. New variant of the MEDJACK medical-device-hijacking malware discovered
5. Ukraine accuses Russia of a new virus aimed specifically at infrastructure
6. Russian hacker breaches more than sixty U.S. universities and government agencies

【Antiy】collected and compiled (sources: paloaltonetworks, securityweek, aqniu, darkreading, darkreading, securityaffairs)

Wenster posted on 2017-2-18 11:20

1. Security vendor exposes the Magic Hound APT campaign targeting Saudi Arabia
Title: Magic Hound Campaign Attacks Saudi Targets

Author info: February 15, 2017 at 9:16 PM By Bryan Lee, Robert Falcone

//BEGIN
Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. Based upon our visibility it has primarily targeted organizations in the energy, government, and technology sectors that are either in or have business interests in Saudi Arabia. The adversaries appear to have evolved their tactics and techniques throughout the tracked time-period, iterating through a diverse toolset across different waves of attacks. Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called “Rocket Kitten” (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called Newscasters. Artifacts of this campaign were also recently published by Secureworks CTU.
The Unit 42 analysis team of the U.S. security vendor Palo Alto Networks discovered APT attacks in the Middle East, mainly in Saudi Arabia, that can be traced back to mid-2016, and named the campaign Magic Hound (Chinese rendering: 魔术犬). Its main characteristic is espionage and reconnaissance, and the main sectors targeted are parts of the Kingdom of Saudi Arabia's critical infrastructure: energy, government and high-tech enterprises. Continued tracking and analysis found that the group's tactics and techniques keep evolving and improving as its targets change, including switching among a variety of different attack tools.
Correlation analysis of the tools used in the attacks and of their targets revealed an interesting phenomenon: this APT group named Magic Hound is related to two earlier APT groups (one of them quite old): one called Rocket Kitten, the other Newscasters. (Note: the related analysis reports are attached to this post for download.)
Besides the Magic Hound report published by Palo Alto Networks, the CTU analysis team of a company called Secureworks also published a similar report (Note: see https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations )
Iranian PupyRAT Bites Middle Eastern Organizations
Customized phishing lures distribute PupyRAT malware.
WEDNESDAY, FEBRUARY 15, 2017
BY: COUNTER THREAT UNIT RESEARCH TEAM


//END
CONCLUSION
The Magic Hound attack campaign is an active and persistent espionage motivated adversary operating in the Middle East region. Organizations in the government, energy, and technology sectors have been targeted by this adversary, specifically organizations based in or doing business in Saudi Arabia. The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public. None of the tools we uncovered were found to be exploit-driven, and relied exclusively on social engineering tactics to compromise targets. While we did discover a potential relationship with the Rocket Kitten adversary group, we cannot confirm the extent of that relationship at this time, although we will continue to monitor the activities of Magic Hound.
The analysis found that the Magic Hound campaign did not use any vulnerability to attack its targets, but rather a set of customised off-the-shelf tools; the key point is the use of targeted social-engineering methods to attack the target systems. Although a relationship with the Rocket Kitten campaign was found, the extent of that relationship is not yet known, and the security company will continue to monitor this APT group's activities.

//Downloads:
File name: rocket-kitten-report.pdf
File size: 11,088,279 bytes
MD5   : 86BCA365A493225AB3AA93193B9A7426

File name: NEWSCASTER-An-Iranian-Threat-Inside-Social-Media-iSIGHT-Partners.pdf
File size: 567,936 bytes
MD5   : 59E955CD305AF77ED25B008783EDA052

Comment: other analyses have pointed the source to Iran. However, this article does not appear to reach a conclusion about where the attacks come from.

Wenster posted on 2017-2-18 11:24

2. Researchers find the Remcos remote access trojan used in live attacks
Title: Easy-to-Use Remcos RAT Spotted in Live Attacks

Author info: February 15, 2017 By Ionut Arghire

//BEGIN
After receiving numerous improvements, a Remote Administration Tool (RAT) that emerged last year on hacking forums was recently observed in live attacks, Fortinet security researchers reveal.
Researchers at the U.S. security company Fortinet found that a remote access trojan (RAT) that appeared last year has recently shown up in many live attack campaigns. This RAT is called Remcos. Its biggest feature is that it is very simple to use and is sold at an openly listed price, which is currently soaring: from 58 dollars last year to 389 dollars now, with the price of course varying by configuration, licence duration and number of users. The current latest version is 1.7.3.
The basic distribution method is email, with two Office documents as carriers: Quotation.xls and Quotation.doc.

//END
Fortinet also points out that this RAT once again shows that one doesn’t have to be an expert to launch fairly sophisticated malware attacks: “More and more applications like Remcos are being released publicly, luring new perpetrators with their easy usage. And all it takes to be infected by one are a few clicks.”
Remcos’ author supposedly attempts to discourage malicious usage of the tool by means of license bans, but only if such misuse is reported.
According to Fortinet, such claims are often “nothing but a false shield” that RAT authors use to protect themselves from liability when the application is exposed as a full-blown malware builder.

Detailed analysis of the Remcos RAT shows that the bar for using remote access trojans keeps getting lower: no specialised technical background is needed, only a few small tricks, even just deceiving the victim into running it. And the consequence of running it is a whole complex attack chain waiting behind.
To leave themselves a way out, the sellers of these openly marketed RATs disable the licences of anyone found to be "abusing" them. This is really a way of evading responsibility: they want to make sure that if the tool takes off and spreads widely, the act of disabling licences can exempt them from liability.

Comment: an era of ten thousand galloping horses......

Wenster posted on 2017-2-18 11:25

3. Researchers use JavaScript to bypass the ASLR security mechanism
{CHN}
Title: ASLR Broken: This May Be the Hardest Large-Scale Vulnerability to Fix

Author info: February 16, 2017 By nana

//BEGIN
Over the past 10 years, hackers wanting to break into a computer have faced a hard task: even after getting malicious code to run on the target computer, they still have to work out where in memory that code is actually running. This is because Windows, Android and every other modern operating system employ the security measure of randomising the memory locations of processes. This makes the digital (note: sic) intrusion process like trying to burgle a house in complete darkness.

//END
However, Microsoft and Intel point out that defeating ASLR alone does not break into the operating system, which is not much reassurance. Once ASLR is broken, hackers can go back to reusing the common memory-disclosure vulnerabilities that ASLR had blocked: old vulnerabilities given new life.
If technology companies do not take ASLR attacks seriously, the result may be a large batch of new methods, with millions of innocent users who stumble onto the wrong web page just waiting to be hacked. "Attackers are constantly getting smarter. If computers keep getting dumber, the advantage will undoubtedly be on the attackers' side."

Comment: the related link appeared in the daily security briefing of last October, four months ago....
6. Researchers find a method to bypass ASLR using a hardware vulnerability
http://www.securityweek.com/researchers-bypass-aslr-hardware-vulnerability

Wenster posted on 2017-2-18 11:27

4. New variant of the MEDJACK medical-device-hijacking malware discovered
Title: MEDJACK.3 Poses Advanced Threat To Hospital Devices

Author info: 2/16/2017 09:00 AM By Kelly Sheridan

//BEGIN
A newly discovered version of the "medical device hijack" attack targets older operating systems to bypass security measures and steal patient data.
Researchers have discovered a new version of medical device hijack (MEDJACK), which is leaving medical devices like x-ray machines and MRI scanners vulnerable to cybercriminals. MEDJACK.3 is a sophisticated zero-day attack through which hackers steal patient data.
Researchers found that, because the operating systems installed on medical devices are relatively old, the devices are easy to attack, and all kinds of sensitive patient health data get stolen. The malware is called MedJack. It is not actually new; it appeared almost 2 years ago and is now in its third generation: MedJack.3. The medical devices targeted include X-ray machines, MRI scanners and the like. And this newest MedJack.3 also uses sophisticated 0day vulnerabilities.

//END
"It's one of the glaringly obvious things," he says. For example, make devices separate in design so the x-ray doesn't connect to the nurses' station; this could prevent the spread of an attack.
He also recommends healthcare organizations regularly update devices with new software and patches as often as they can. This isn't very different from standard IT infrastructure, but healthcare institutions often don't have the mentality that devices are all on the same network. These devices are viewed as industrial machines, but they can be breach points.
TrapX will discuss the details of MEDJACK.3 and strategies healthcare institutions can implement to protect themselves from this threat and future MEDJACK attacks.
Sensible network segmentation is the key to preventing this kind of attack: for example, the X-ray machine's network and the nurses' station's network should be on different segments, so that even if the X-ray machine is attacked, the attack does not quickly spread to the nurses' station.
In addition, patching these medical devices promptly is also very important and effective, although it is not easy, because many people treat medical devices the same as industrial control equipment and put them all on the same network segment, which makes them more likely to become the source of an attack.

Comment:
There was already a related report in June of the year before last: http://www.darkreading.com/vulnerabilities---threats/hospital-medical-devices-used-as-weapons-in-cyberattacks/d/d-id/1320751
Hospital Medical Devices Used As Weapons In Cyberattacks

Wenster posted on 2017-2-18 11:28

5. Ukraine accuses Russia of a new virus aimed specifically at infrastructure
Title: Ukraine Blames Russia For New Virus Targeting Infrastructure

Author info: 2/16/2017 09:40 AM

//BEGIN
The Russian security service, software firms, and criminal hackers are accused of orchestrating cyberattacks on Ukraine's infrastructure.
Ukraine has accused the Russian security service of attacking the country's infrastructure using a new virus designed to render industrial equipment non-functional, Reuters reports. At a recent press conference, Ukraine's security service chief of staff Oleksandr Tkachuk stated the attacks appear to come from the creators of malware BlackEnergy; the same people were allegedly responsible for cyberattacks on the country's energy industry since December 2015.
Original: http://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN
According to Reuters: Ukraine declared that its national critical infrastructure had come under all-round attack from Russia, carried out by Russian security service agencies, software companies and criminal gangs. This discovery shows that the Russian side used a new type of computer virus capable of making industrial facilities stop working. Ukrainian security officials said the attacks appear to be related to the "BlackEnergy" group that attacked the country's power grid in December 2015: the attack tools and the operators' methods are similar.

//END
Another cybersecurity company, CyberX, claims to have unearthed an espionage scheme in Ukraine targeting 60 victims. It fears this could be a launching pad for further attacks.
A security company called CyberX also published a report claiming to have found more than 60 cases of espionage in Ukraine, which of course may all be the prelude to more severe attacks.

Comment: BlackEnergy, season two?

Wenster posted on 2017-2-18 11:30

6. Russian hacker breaches more than sixty U.S. universities and government agencies
Title: Russian hacker Rasputin breaches over 60 Universities and Government Agencies

Author info: February 15, 2017 By Pierluigi Paganini

//BEGIN
The Russian-speaking black hat hacker Rasputin, hacked systems of more than 60 universities and U.S. government agencies.
According to the threat intelligence firm Recorded Future, a Russian-speaking black hat hacker, known as ‘Rasputin’, hacked systems of more than 60 universities and U.S. Government agencies.
A Russian-speaking hacker called Rasputin hacked more than 60 universities and government agencies in the U.S. and U.K., according to news released by the security company Recorded Future. The method the hacker used is the very common SQL injection; there are in fact many free tools for this method, but Rasputin does not use these public tools and instead writes his own, which, besides being hard to defend against, makes his attacks succeed easily.

//END
“SQLi vulnerabilities are simple to prevent through coding best practices. Over 15 years of high-profile data breaches have done little to prevent poorly programmed web applications and/or third-party software from being used by government, enterprises, and academia.” continues the analysis. “Some of the most publicized data breaches were the result of SQLi including large corporations like Heartland Payment Systems, HBGary Federal, Yahoo!, Linkedin, etc.”
In fact, vulnerabilities such as SQL injection can be completely prevented through rigorous programming practices. But often, for historical reasons, fixing this vulnerability is not an easy thing. Universities and government agencies in particular generally do fewer routine security updates or checks, so very old vulnerabilities may still be present in their systems. Data breaches caused by SQL injection have therefore always been serious, and the leaked data has even included that of some large enterprises and commercial companies.

Comment: cyber attacks seem to have become the norm.
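As an added illustration of the "coding best practices" the Recorded Future analysis refers to (this is example code written for this briefing, not code from the article, from Recorded Future, or from the forum post), the snippet below shows the string-concatenated query that makes SQL injection possible next to the parameterised query that prevents it, plus an allow-list for the one case parameters cannot cover (column and table names). It uses Python's standard-library sqlite3 module; the users table, its rows and the injected input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.edu", "staff"),
    ("bob", "bob@example.edu", "student"),
    ("carol", "carol@example.gov", "admin"),
]

# Only identifiers on this list may be spliced into SQL text; parameter
# binding cannot protect identifiers, so an allow-list is the fix there.
ALLOWED_ORDER_COLUMNS = {"username", "email", "role"}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: the caller's input is parsed
    as part of the SQL statement, which is exactly the injection defect."""
    sql = "SELECT username, email, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as a value by the driver and
    is never interpreted as SQL, whatever characters it contains."""
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_allowed_column(column):
    """Allow-list check for identifiers that must appear in the SQL text."""
    return column in ALLOWED_ORDER_COLUMNS


def list_users_ordered(conn, column):
    """ORDER BY takes an identifier, which cannot be a bound parameter, so
    the column name is validated against the allow-list before use."""
    if not is_allowed_column(column):
        raise ValueError("column not allowed: %r" % column)
    return conn.execute(
        "SELECT username FROM users ORDER BY %s" % column
    ).fetchall()


# Classic tautology payload, constructed here to show the difference in
# behaviour between the two lookups (the value itself is a well-known example).
INJECTED_INPUT = "' OR '1'='1"


def demo():
    """Return row counts for a normal lookup and for the injected input
    against both the vulnerable and the parameterised query."""
    conn = make_db()
    return {
        "normal": len(lookup_safe(conn, "alice")),
        "vulnerable": len(lookup_vulnerable(conn, INJECTED_INPUT)),
        "safe": len(lookup_safe(conn, INJECTED_INPUT)),
    }


if __name__ == "__main__":
    # The vulnerable lookup returns every row for the injected input; the
    # parameterised lookup treats it as a literal username and returns none.
    print(demo())
```

With the constructed data, demo() returns a count of 3 for the vulnerable lookup and 0 for the parameterised one. The same split (bind values, allow-list identifiers) applies to any database driver; sqlite3 is used here only because it ships with Python and runs offline.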