Daily Security Briefing (20161126)

Thread posted 2016-11-25 22:28

Posted 2016-11-26 19:55
1. Android banking Trojan Gugi uses social-engineering tricks to obtain permissions
Title: Comodo Detects New Family of Sophisticated Financial Malware

Author info: November 22, 2016 By Comodo

//BEGIN
Comodo Threat Research Labs (CTRL) has announced that it has detected a new family of financial malware dubbed as “Gugi/Fanta/Lime”. It is a sophisticated Banking Trojan that can bypass the standard security protocols of an Android operating system (version 6), and take over the operating system. The financial malware seeks system privileges and user credentials, and once it gains them it acquires complete control of the Android device.
A security company recently discovered a new banking Trojan spreading on Android and named it Gugi/Fanta/Lime. The Trojan is fairly sophisticated in design: it can get past the security mechanisms of the latest version of the Android operating system, and once it succeeds it can also take over the running operating system, that is, gain control of the system and steal the user's online-banking login credentials, and thereby take complete control of the user's phone.

//END
The Trojan sends an SMS to a Command and Control (CnC) server to establish contact. It uses the WebSocket protocol for interacting with its CnC servers. The malware now overlays authentic app screens with phishing windows and steals all information that is entered on the screens – this includes login credentials and card details.
The “Gugi/Fanta/Lime” Trojan has been mainly used to attack users in Russia till now, and considering its potency, it can be expected to be used worldwide in the future.
The phone information collected by the banking Trojan includes: the device identifier IMEI (International Mobile Equipment Identity), the subscriber identifier IMSI (International Mobile Subscriber Identity), the user ID SubscriberId, the SIM carrier name SimOperatorName, and the SIM country code SimCountryIso. The banking Trojan attacks potential targets through social engineering and phishing emails; once the user clicks, it disguises itself as the interface of a legitimate app or of a legitimate online-banking app and intercepts the sensitive information the user enters. With this information in hand, the banking Trojan contacts the C2 server by sending an SMS to establish a connection; the protocol used is WebSocket. The banking Trojan is currently spreading mainly in Russia, but it may gradually spread to other parts of the world in the near future.

Comment: For security on Android, AVL Pro is recommended!

Posted 2016-11-26 19:57
2. Mobile app vulnerability lets hackers unlock and steal cars
Title: Hackers Can Steal Tesla Cars Using Android App
Security researchers demonstrate new vulnerabilities

Author info: Nov 24, 2016 09:17 GMT By Bogdan Popa

//BEGIN
Hacking a Tesla is a thing we’ve seen before, but this time a team of security researchers at a company called Promon managed to locate, unlock, and steal a car using just an Android app.
Hacking the latest Tesla smart car is no longer news, but security experts have just found that a Tesla can be located, unlocked and then stolen using nothing more than an Android app.

//END
What’s also important to note is that this isn’t a vulnerability in Tesla cars themselves, but a glitch in mobile apps that could be used by attackers to steal the vehicles. Researchers explain that this only shows the risks of having objects controlled by smartphone apps, and recommend users to update their systems and apps and to always, but always, avoid downloading apps coming from untrusted sources.
It should be pointed out that what is described here is not a vulnerability in the Tesla car itself, but a problem in the Android mobile app that manages the car, which was intercepted and exploited by the hackers. Tesla owners need to be reminded: when charging at a fixed charging station, if you find some free WiFi and a free advertising app pops up asking to be installed, be especially careful! Do not install apps of unknown origin, because they may well be malicious and can steal the OAuth credentials, the username and password, you use to manage your Tesla. Once they succeed, it is not just a matter of a stolen username and password; your whole Tesla could become the hackers' ride.

Comment: In the end this comes down to app security; for security on Android, AVL Pro is recommended! If you can afford a Tesla, don't connect to any free WiFi, especially near charging stations ^^

Posted 2016-11-26 19:58
3. Two hackers claim to rent out a 400,000-node Mirai botnet
Title: DDoS-for-hire service now advertising renting out a 400,000 bot-strong Mirai botnet
Security researchers believe that the hackers most likely are operators of the largest known Mirai botnet.

Author info: November 25, 2016 04:14 GMT By India Ashok

//BEGIN
A DDoS-for-hire service, run by two hackers going by the pseudonyms Popopret and BestBuy, is now reportedly advertising a Mirai botnet up for rent. The Mirai botnet allegedly comprises over 400,000 infected bots and may have been sired from the original Mirai source code.
The two hackers renting out this Mirai botnet are very likely connected to the original author of Mirai. Both hackers appear under pseudonyms. The DDoS rental service even has a minimum: rentals start at two weeks, and the price is not low. Renters can choose parameters such as the number of bots, attack duration and attack interval. A typical quote: a 50,000-node botnet launching attacks lasting one hour each, with 5-10 minute intervals, costs 3,000-4,000 US dollars per two weeks.

//END
Popopret and BestBuy allegedly refrained from providing evidence of their botnet's capabilities, in efforts to avoid detection. However, the two hackers claimed that they had access to Mirai's source code much before a hacker going by the pseudonym Anna_Senpai made its source code public. The hackers' claims indicate that the duo may possibly be linked to Anna_Senpai, who is also believed to be Mirai's creator.
Current analysis suggests that the two hackers who came forward to rent out the Mirai botnet are very likely closely related to the author of the Mirai botnet.

Comment: Here comes the "future" (Mirai) again.....

Posted 2016-11-26 20:00
4. Researchers analyze the DDoS attacks on Russian banks
Title: DDoS attack on the Russian banks: what the traffic data showed

Author info: November 24, 2016, 8:57 am By Alexander Khalimonenko

//BEGIN
From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, it was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks.
From the 8th to the 12th of this month, some large Russian banks suffered severe DDoS attacks. At first there were no particular symptoms; in fact any large organization can become a target of attack. But subsequent developments showed that more advanced methods and instigators stood behind these attacks.

//END
To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service.
According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.
To some extent, these findings relate to earlier published reports: the attackers very likely launched the attacks by ordering some kind of DDoS service (such as Mirai), possibly motivated by dissatisfaction with Russia's attacks on the US election. Banks were attacked because the impact is very large and widely noticed, which amplifies the attackers' influence.

Comment: The US claims its election was subjected to Russian cyber attacks, and Europe also says it suspects the Russian government backed cyber attacks against it; now Russia's critical infrastructure, its banks, has suffered large-scale attacks, so Russia is clearly a victim too; China also frequently suffers large-scale cyber attacks. What does all of this tell us?

Posted 2016-11-26 20:01
5. Hackers launch large-scale cyber attack on the European Commission
Title: EU CYBER ATTACK: Hackers launch huge raid on European Commission computers
HACKERS have launched a ‘large-scale’ cyber attack on the European Commission computer networks, according to reports.

Author info: 07:45, Fri, Nov 25, 2016 By SIMON OSBORNE

//BEGIN
Hackers have launched a cyber attack on the European Commission
It is understood cybersecurity systems ensured the attack was thwarted before any breach of data occurred.
A spokesman told politico.eu: “The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time. No data breach has occurred.”
The Commission’s IT department later sent out an email which said: “This afternoon, the European Commission was subject to a cyberattack (denial of service) which resulted in the saturation of our Internet connection.”
Cybersecurity systems kept the hackers at bay
It is still unclear who was trying to hack into the Commission’s system but Russian hackers will be among the chief suspects.
US security chiefs said recent cyber attacks on US interests could be traced back to Russia and in many cases were carried out on the orders of the Kremlin. And Britain is investing £1.9billion to improve cyber-defences after MI5 spychief Andrew Parker voiced concerns about the “covert threat” Russia poses to the UK.
According to EU officials, the attack has so far been successfully stopped and was intercepted before any sensitive data was obtained, although the attack did slow down network connection speeds. The method was a DDoS attack. It is still unclear who launched it, but much suspicion points to Russia, possibly with government backing and possibly as a follow-up to the attacks on the US election. In response, the UK has invested 1.9 billion pounds to improve its cyber-defence technology, reportedly also to fend off cyber attacks from Russia.

//END
Britain is spending £1.9bn upgrading cybersecurity systems
The security chief said: "It is using its whole range of state organs and powers to push its foreign policy abroad in increasingly aggressive ways -
involving propaganda, espionage, subversion and cyber-attacks.
"Russia is at work across Europe and in the UK today. It is MI5's job to get in the way of that."
Officials say Russia has already begun operating against Europe, and the British say it is time for MI5 to act.

Comment: No details of the specific methods were disclosed.

Posted 2016-11-26 20:02
6. Israeli company demonstrates stealing phone data within seconds
{CHN}
Title: Israeli company demonstrates stealing phone data within seconds

Author info: Thursday, November 24, 2016, 16:16 By pigsrollaroundinthem

//BEGIN
Employees of the Israeli company Cellebrite need only a few seconds to steal data from a locked phone. Early this year the company was reported to have provided the FBI with the technology to unlock the iPhone of the gunman in the San Bernardino shooting, but later reports said the company was not involved. Even so, Cellebrite's mobile forensics technology remains among the best in the industry, and many of its customers are government agencies and law-enforcement departments. Cellebrite can steal large amounts of private information from a phone, even including the content of deleted text messages. The phone the employee broke into was an LG G4 Android smartphone; the company's lab has 15,000 phones and adds 150 to 200 new models every month. Company executive Leeor Ben-Peretz said Apple's phones are harder to crack, but the company is confident it can crack the latest iPhone.

//END
Israeli firm Cellebrite's technology provides a glimpse of a world of possibilities accessible to security agencies globally that worry privacy advocates.
The company has contracts in more than 115 countries, many with governments, and it shot to global prominence in March when it was reported the FBI used its technology to crack the iPhone of one of the jihadist-inspired killers in San Bernardino, California.
There have since been reports that Cellebrite was in fact not involved, and the company itself refuses to comment.
Regardless, it is recognised as one of the world's leaders in such technology.
It can reportedly take a wide range of information off devices: from the content of text messages to potentially details of where a person was at any given moment. Even messages deleted years before can be potentially retrieved.
"There are many devices that we are the only player in the world that can unlock," Leeor Ben-Peretz, one of the company's top executives, told AFP in English. But privacy and rights activists worry such powerful technology can wind up in the wrong hands, leading to abuses.
http://phys.org/news/2016-11-israeli-firm-seconds.html

Comment: Israel's mobile forensics is said to be really strong.