Daily Security Briefing (20170225)
1. Security vendor uncovers a phishing campaign targeting the Mongolian government
2. Security vendor publishes a Q4 2016 healthcare industry threat report
3. Survey shows 75% of hackers can breach defenses within 12 hours
4. D-Link patches serious remote device-hijacking vulnerability in switches
5. Cloudbleed flaw leaks sensitive data from nearly a million websites
6. Google announces successful collision attack on the SHA-1 hash algorithm
[Antiy] compiled (sources: fireeye, fortinet, darkreading, securityweek, securityaffairs, solidot)

1. Security vendor uncovers a phishing campaign targeting the Mongolian government
Title: Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
Author info: February 22, 2017 By Ankit Anubhav, Dhanesh Kizhakkinan
//BEGIN
Introduction
FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more. The threat actors behind this attack demonstrated some interesting techniques, including:
Customized evasion based on victim profile – The campaign used a publicly available technique to evade AppLocker application whitelisting applied to the targeted systems.
Fileless execution and persistence – In targeted campaigns, threat actors often attempt to avoid writing an executable to the disk to avoid detection and forensic examination. The campaign we observed used four stages of PowerShell scripts without writing the payloads to individual files.
Decoy documents – This campaign used PowerShell to download benign documents from the Internet and launch them in a separate Microsoft Word instance to minimize user suspicion of malicious activity.
Spear phishing can target individuals and major powers, but also small, low-profile countries. The case FireEye recently published is a targeted phishing campaign against Mongolia, delivered by email. The centerpiece is a RAT (remote access tool) named Poison Ivy.
The attack uses as many as four stages of scripts and leaves no traditional file traces on the compromised host; it runs mainly in memory, delivering the RAT through the registry and PowerShell with encryption and decryption along the way. The tradecraft is fairly elaborate.
To get onto the user's host, the initial attack arrives by email carrying a DOC file and uses deception to lure the user into enabling the document's macros. Once the user allows this, the trojan downloads the remote-control payload, whose intended malicious capabilities include keylogging, screenshots, screen recording, file transfer, credential theft, remote system administration and traffic relaying.
The more distinctive technical features are:
1. Customized intrusion based on the target: bypassing the whitelisting mechanism.
2. Fileless execution and persistence on the system.
3. Decoy documents: what opens on the surface is a normal document related to the target that looks useful; for a Mongolian target, the document is in the local language. What actually happens underneath is the covert download of the trojan.
//END
Conclusion
Although Poison Ivy has been a proven threat for some time, the delivery mechanism for this backdoor uses recent publicly available techniques that differ from previously observed campaigns. Through the use of PowerShell and publicly available security control bypasses and scripts, most steps in the attack are performed exclusively in memory and leave few forensic artifacts on a compromised host.
FireEye HX Exploit Guard is a behavior-based solution that is not affected by the tricks used here. It detects and blocks this threat at the initial level of the attack cycle when the malicious macro attempts to invoke the first stage PowerShell payload. HX also contains generic detections for the registry persistence, AppLocker bypasses and subsequent stages of PowerShell abuse used in this attack.
This entry was posted on Wed Feb 22 09:45:00 EST 2017 and filed under Advanced Malware, Ankit Anubhav , Blog, Dhanesh Kizhakkinan, Latest Blog Posts, Spear Phishing and Threat Research.
The Poison Ivy RAT may sometimes exist as a physical file, but this backdoor's delivery mechanism relies on public techniques that differ somewhat from earlier ones. Using PowerShell together with publicly available security-control bypasses and scripts, most of the attack runs in memory, leaving few traces and making forensics relatively difficult.
FireEye relies on behavior monitoring, which is enough to cope with the tricks above, because behavior monitoring can intercept the suspicious behavior at the very first stage: a downloaded document carrying a malicious macro. Highly suspicious behaviors such as registry modification for persistence, AppLocker whitelist bypass and repeated PowerShell abuse deserve stronger monitoring and auditing.
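As an added illustration (not FireEye's code and not part of the original post), the following Python triage routine applies the detection points named above, a macro-launched PowerShell process, encoded or hidden PowerShell stages, a stage pulled from the registry, and PowerShell chaining into PowerShell, to constructed process-creation records. The record layout, rule names and sample command lines are assumptions made for this example.

```python
import re

# Constructed process-creation records (parent image, image, command line).
# They are sample data made up for this example, not logs from the campaign.
SAMPLE_EVENTS = [
    ("explorer.exe", "WINWORD.EXE",
     r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.doc'),
    ("WINWORD.EXE", "powershell.exe",
     "powershell.exe -NoP -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ("powershell.exe", "powershell.exe",
     r'powershell.exe -NoP -C "IEX (Get-ItemProperty HKCU:\Software\Stage2).blob"'),
    ("explorer.exe", "powershell.exe",
     r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PS_SHELLS = {"powershell.exe", "pwsh.exe"}

# Each rule: (name, predicate over lower-cased parent, image, command line).
RULES = [
    # First detection point: an Office macro invoking the first PowerShell stage.
    ("office-spawns-powershell",
     lambda p, i, c: p in OFFICE_APPS and i in PS_SHELLS),
    # Stages passed as encoded blobs in hidden windows, keeping nothing on disk.
    ("encoded-or-hidden-powershell",
     lambda p, i, c: i in PS_SHELLS and re.search(
         r"\s-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}"
         r"|\s-w(indowstyle)?\s+hidden", c) is not None),
    # A later stage read back out of the registry and run in memory.
    ("registry-hosted-stage",
     lambda p, i, c: i in PS_SHELLS and "iex" in c
     and re.search(r"hk(cu|lm):", c) is not None),
    # One PowerShell stage launching the next (the multi-stage chain).
    ("chained-powershell",
     lambda p, i, c: p in PS_SHELLS and i in PS_SHELLS),
]

def evaluate(parent, image, cmdline):
    """Return the names of all rules the event trips (empty list = nothing flagged)."""
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    return [name for name, pred in RULES if pred(p, i, c)]

def triage(events):
    """Map event index -> rule hits, keeping only events that tripped a rule."""
    return {n: hits for n, ev in enumerate(events) if (hits := evaluate(*ev))}

if __name__ == "__main__":
    for n, hits in triage(SAMPLE_EVENTS).items():
        print(n, SAMPLE_EVENTS[n][1], "->", ", ".join(hits))
```

The scheduled backup script launched from Explorer trips no rule, which is the point of keying the rules on parent process and command-line shape rather than on PowerShell itself.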
//Download:
Filename: Spear Phishing Targeting the Mongolian Government.pdf
File size: 764,401 bytes
MD5: 29D097CF319B74C620787368575C38CB
Comment: small countries such as Montenegro and Mongolia are gradually surfacing; it is no longer just the US-Russia pattern.

2. Security vendor publishes a Q4 2016 healthcare industry threat report
Title: FortiGuard Labs - Global Healthcare Threat Telemetry for Q4 2016
Author info: Feb 21, 2017 By Gavin Chow
//BEGIN
This Global Healthcare Threat Telemetry report examines the threat landscape of the global healthcare industry in Q4 2016. It is based on threat telemetry obtained by FortiGuard Labs’ research group from sensors located at 454 healthcare companies located in 50 countries around the globe.
FortiGuard Labs, with its more than 200 researchers and analysts located around the world, logs over 400,000 hours of threat research every year by monitoring and analyzing threat telemetry gathered from over two million sensors. The resulting threat intelligence allows us to maintain accurate visibility into current threats and detect emerging ones, which we use to improve our detection and prevention technologies and to provide near-real-time, actionable threat intelligence to over 300,000 customers worldwide. On average, we block 180,000 malicious websites, 220,000 Botnet attempts, and 733,000 network intrusion attempts per minute. We have also set the industry record of 339 zero day threats discovered to date.
In addition, this threat telemetry data allows us to work with international law enforcement to track and apprehend cybercriminals, develop valuable research into threat characteristics and threat actors, and produce reports on the state of cyberthreats across a wide number of industries and regions.
In the following report we look at the top 5 malware, ransomware, mobile malware, IPS events, botnets, and exploit kits detected by FortiGuard Labs during the last quarter of 2016 targeting the global healthcare industry.
Fortinet, a US network security company, has published its Q4 2016 healthcare industry threat report. The relevant figures:
Countries and regions covered: 50
Monitored customers in the report: 454
Customers overall: 300,000+ worldwide
Analysts the vendor employs: 200+
Sensors: 2 million+
Total logged research time: 400,000+ hours/year
Malicious websites blocked: 180,000/minute
Botnet attempts blocked: 220,000/minute
Network intrusions blocked: 730,000/minute
0-day attacks discovered: 339
The report groups threats into six categories: malware, ransomware, mobile malware, IPS events, botnets and exploit kits, with a TOP 5 for each.
Malware TOP 5: VBS/AGENT.LKYITR; RISKWARE/ASPARNET; VBS/AGENT.976EITR; JS/NEMUCOD.BQMITR; JS/NEMUCOD.76CDITR.DLD
Ransomware TOP 5: CRYPTOWALL; CERBER; TORRENTLOCKER; TESLACRYPT; LOCKY
Mobile malware TOP 5: ANDROID/QYSLY.BITR; ANDROID/GENERIC.Z.2E72; ANDROID/QYSLY.SITR; ANDROID/GENERIC.Z.2E6A; ADWARE/AIRPUSHIANDROID
IPS events TOP 5: VXWORKS.WDB.AGENT.DEBU..; WEB.SERVER.ETC.PASSWD; HTTP.URL.SQL.INJECTION; NETCORE.NETIS.DEVICES; BASH.FUNCTION.DEFINITI
Botnets TOP 5: ANDROMEDA; H-WORM; NECURS; CONFICKER; PUSHDO
Exploit kits TOP 5: RIG; CK; ANGLER; NEUTRINO; others
//END
Summary
From the threat telemetry results above, we can see that the healthcare industry faces more or less the same threats as the larger IT industry. From a malware perspective, the majority of infections are ransomware-based due to the higher probability of collecting ransom when sensitive healthcare data is encrypted. We also saw that CryptoWall was the most prevalent ransomware in the healthcare industry for Q4 2016, and that Android-based malware took the top 5 mobile malware spots.
Interestingly, we also saw that attacks on a 6-year old VxWorks vulnerability was the top IPS event detected, which may indicate that threat actors are trying their luck on probing for and exploiting unpatched medical devices running VxWorks embedded systems. Andromeda was the top botnet detected. It has been resilient enough to still be in the wild since 2011. Finally, the top 5 exploit kits detected are known to distribute ransomware.
All of the threats above can be mitigated when a multi-layered security approach is properly planned and executed. Fortinet provides a comprehensive multi-layered security approach through the Fortinet Security Fabric [ https://www.fortinet.com/corporate/about-us/why-fortinet.html ] where security solutions for network, endpoint, application, data center, cloud, and access are designed to work together as an integrated and collaborative security fabric. This translates to a powerful, integrated end-to-end security solution across the entire attack surface, with threat mitigation delivered along any point along the kill chain.
The analysis above shows that this industry's threat landscape is essentially the same as that faced by large IT companies in general. From a malware perspective, ransomware accounts for the majority because of the special nature of the industry's user data: once it is encrypted, victims mostly pay the ransom quietly and rarely go public. Among ransomware families, CryptoWall was the most prevalent in the last quarter of last year, and in the mobile malware ranking all of the top five are Android. Interestingly, in the IPS events a 6-year-old VxWorks vulnerability tops the list, which shows that attackers keep persistently looking for opportunities to probe the medical devices common in this industry, most of which run the VxWorks embedded system. Equally resilient is the Andromeda botnet, which has never disappeared since 2011. And the final five exploit kits (EKs) are all used to deliver ransomware.
From this analysis, the attack surface against this industry is very wide and the attack chain is long. Threats exist on the network side, the endpoint side, the application side, in data centers, in the cloud, on the access side, and so on.
//Download:
Filename: FortiGuard Labs - Global Healthcare Threat Telemetry for Q4 2016.pdf
File size: 483,890 bytes
MD5: EC40E3807B1FB0B0A857DA11B59A38AB
Comment: against ransomware, we recommend the 3B rule of back up, back up and back up again: Backup, Backup, Backup (beifen, beifen, beifen).

3. Survey shows 75% of hackers can breach defenses within 12 hours
Title: Survey: Most Attackers Need Less Than 12 Hours To Break In
Author info: 2/23/2017 04:30 PM By Jai Vijayan
//BEGIN
A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder
If the methods used by penetration testers to break into a network are any indication, a majority of malicious attackers require less than 12 hours to compromise a target. Four in ten can do it in barely six hours.
The North American branch of a security company named Nuix interviewed 70 hackers during last year's DEF CON and has now released a summary report of those interviews. It shows that conventional security defenses are of limited use against determined attackers. Most ordinary protective measures are breached within 12 hours, but some hackers claim they need only 6 hours, and some say 2 hours is enough. The report summarizes the hackers' attack methods and the most commonly exploited vulnerabilities, and reveals which defenses are hardest to break and which are easiest to bypass. Thirty percent of the hackers claimed their remote intrusions had never been detected, even after they had successfully broken into the client's systems and taken important data; around another thirty percent said their attacks were detected roughly one time in three.
//END
The message for defenders is that threats are not static and they need to be prepared for and able to detect the different methods criminals can employ to break in, he says.
“If an organization cannot detect a multitude of attack patterns, some of which they have likely never seen before, they are already lagging several paces behind their adversaries.”
For defenders, the thing to understand is that threats are dynamic, not static. Protective strategies must be updated continuously to keep pace with attackers; otherwise one ends up in the awkward, reactive position of putting out fires everywhere while fires break out everywhere.
//Download:
Filename: The BLACK_report.pdf
File size: 1,184,571 bytes
MD5: ADEAC26FFD45BA40C2DCD9658EB01F1A
Comment: who was it that said there are now only two kinds of websites, those already breached and those about to be?

4. D-Link patches serious remote device-hijacking vulnerability in switches
Title: D-Link Patches Serious Flaws in DGS-1510 Switches
Author info: February 24, 2017 By Eduard Kovacs
//BEGIN
D-Link has released firmware updates for the company’s DGS-1510 stackable managed switches to address serious vulnerabilities that can be exploited remotely to hijack the devices.
D-Link, a Taiwan-based network equipment manufacturer, recently updated the firmware for its DGS-1510 switches because of serious vulnerabilities; if exploited, they allow the devices to be hijacked remotely.
//END
In early January, the U.S. Federal Trade Commission (FTC) filed a lawsuit against the Taiwan-based networking equipment provider, accusing the company of making deceptive claims about the security of its products. D-Link is determined to fight the “unwarranted and baseless” charges.
In January this year the US Federal Trade Commission (FTC) also filed a lawsuit against D-Link, accusing the company of overstating the security of its products. D-Link says it is prepared to contest the charges, calling them "completely baseless and entirely unwarranted".
Comment: vulnerabilities seem to be everywhere; they only differ in size.

5. Cloudbleed flaw leaks sensitive data from nearly a million websites
Title: Cloudbleed flaw exposes sensitive data from millions sites behind CloudFlare
Author info: February 24, 2017 By Pierluigi Paganini
//BEGIN
Cloudflare was leaking a wide range of sensitive information, including authentication cookies and login credentials; the flaw was dubbed Cloudbleed.
The notorious Google security researcher Tavis Ormandy recently made an astonishing discovery: Cloudflare was leaking a wide range of sensitive information, including authentication cookies and login credentials. The flaw was dubbed Cloudbleed.
The vulnerability dubbed Cloudbleed leaked a large amount of sensitive user information, including users' login credentials. It was discovered and disclosed by a Google security researcher.
//END
It is very curious the fact that Cloudflare pointed Ormandy to the company bug bounty programme, offering the expert a reward of a t-shirt instead of financial compensation.
We cannot exclude that a threat actor discovering the Cloudbleed flaw may have been actively exploiting it, but at the time of writing there is no evidence of such attacks.
Amusingly, to reward this Google researcher, Cloudflare, the company with the flaw, gave him a T-shirt and not a cent. Even so, the industry cannot confirm whether hackers had already exploited the flaw before disclosure, although no exploitation reports have been seen so far.
Comment: first Heartbleed, now Cloudbleed; who will bleed tomorrow, WhoBleed?

6. Google announces successful collision attack on the SHA-1 hash algorithm
{CHN}
Title: Google demonstrates a collision attack on SHA-1
Author info: Friday, February 24, 2017, 15:34 By pigsrollaroundinthem
//BEGIN
Google has announced the first successful collision attack against the SHA-1 hash algorithm. A collision attack means two different messages producing the same hash value. As proof of the collision, Google released two PDF files with identical SHA-1 hashes but different content. The result was achieved in collaboration with the CWI Institute in Amsterdam. A SHA-1 collision attack is now feasible for any attacker with sufficient computing resources. The computation required in this research is staggering: in Google's words, it took 6,500 years of CPU time to complete the first phase of the collision, followed by 110 years of GPU time for the second phase. Google urges users still on SHA-1 to migrate to newer hash algorithms such as SHA-256 and SHA-3. The good news is that there is currently no method for finding a simultaneous collision of MD5 and SHA-1.
//END
Announcing the first SHA1 collision
February 23, 2017
Posted by Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Google), Alex Petit Bianco (Google), Clement Baisse (Google)
Cryptographic hash functions like SHA-1 are a cryptographer’s swiss army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.
Today, more than 20 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprang from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
Comment: fortunately it will not cause immediate real damage.