
Daily Security Briefing (20161221)

Posted on 2016-12-20 20:20
Posted on 2016-12-21 23:48
1. Ukraine's power cut off again by a hacker attack
Title: Hackers Might Have Turned Off the Lights in Ukraine for the Second Time
New power outage experienced in Ukraine due to possible hack
Author info: Dec 20, 2016 08:49 GMT By Bogdan Popa

//BEGIN
Ukraine experienced a new power outage during the weekend, and it’s believed that hackers are once again responsible, after they previously breached energy companies in 2015.
The 2015 Ukrainian power outage appears to have repeated last weekend: hackers attacked the automated control system of the power grid, and the grid operators had to switch to manual mode to restore service, a process that took about 30 minutes. Recovery from the 2015 outage took around six hours.

//END
Also last year, it was revealed that energy and utility companies in Ukraine were under heavy attacks from foreign hackers, but most of these attempts were successfully blocked by the country’s IT security team.
Apart from the power grid, other power-related organizations also suffered network attacks from outside Ukraine last year. Most of these, thanks to an effective response, caused no major impact.

Comment: Is Hu Hansan back again? In hindsight it was still formidable, and one has to guard against it.

Posted on 2016-12-21 23:49
2. The ShadowBrokers leaked code came from inside the NSA
Title: SHADOWBROKERS DUMP CAME FROM INTERNAL CODE REPOSITORY, INSIDER

Author info: December 19, 2016, 4:43 pm by Michael Mimoso

//BEGIN
Update An analysis of the latest ShadowBrokers dump of alleged NSA spy tools points to an insider with access to a code repository belonging to the intelligence agency, experts said.
Structurally, the latest ShadowBrokers leak looks more like it genuinely came from inside: it has the shape of a complete code repository organization. Of course, this was originally meant only for the intelligence agency's own use.

//END
“For the NSA this is definitely a gut punch. There is a lot of operational detail and lessons that are exposed in this (and the earlier Shadow Brokers dump). The upshot is that a lot of it looks pretty old. So this might be ‘of historic interest only,'” the Grugq said. “I would expect that a lot of the tools and exploits here are no longer the state of the art for NSA, and so their ability to do their mission will not be negatively impacted by this release. Still, damn, that’s gotta hurt.”
Of course, the NSA must deeply regret that these leaks occurred. Still, the data and its structure are rather old, though as a specimen of a "leak incident" it is quite meaningful. In fact, these are no longer the NSA's main current operating methods. The leak mainly covers the Linux and UNIX platforms, with nothing for Windows. From this angle, the leak will not affect the NSA's current moves.

Comment: Much important data is only brought out for the media and onlookers to consume after its use value has been consumed.

Posted on 2016-12-21 23:51
3. Multiple industrial companies hit by spear-phishing email attacks
Title: Spear phishing attack hits industrial companies

Author info: 2016-12-2 By Kaspersky Lab

//BEGIN
Kaspersky Lab ICS CERT detected a targeted attack aimed at industrial organizations which began in August 2016 and is currently ongoing. The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries. Most of the organizations attacked were vendors of industrial automation solutions and system support contractors. In other words, the attack targeted organizations that design, build and support industrial solutions for critical infrastructure. Based on the data we have acquired since October 2016, about 500 organizations from 50 countries were affected by the attack.
The ICS CERT response unit of the Russian security company Kaspersky detected hacker attacks against industrial control sectors; the attacks began in August this year and continue to this day. The targeted sectors include smelting, power generation, power transmission and transformation, and engineering installation. The worst affected were industrial automation solution companies and contracted system support vendors. Based on recent research findings, roughly 500 organizations and institutions in about 50 countries were attacked.

//END
The emails had subject lines that were intended to convince unsuspecting recipients that they were from a legitimate source. Examples included fake commercial suppliers or shipping companies sending an updated price list, banks asking customers to validate banking information, or confirmation of equipment delivery.
Documents attached in the emails are RTF files containing an exploit for the CVE-2015-1641 vulnerability which are detected by Kaspersky Lab security products as Exploit.MSWord.Agent.hp. Also archives of different formats are sent in the attachments that contain executable files. The attachment names examples are:
Most of these attacks used phishing emails. The email subjects all made the messages look very formal to recipients and relevant to the context. From this one can infer that the attackers may have been infiltrating for quite a long time and already hold some of the victims' email correspondence.
The attachments are in RTF format and contain an exploit for the vulnerability numbered CVE-2015-1641. Of course, the packaging takes many forms.

Comment: This seems to go a step further than ordinary spear-phishing email attacks! Reaching the point of being indistinguishable from the real thing is very frightening.

Posted on 2016-12-21 23:52
4. Android banking trojans add ransomware features
Title: It's Now Commonplace for Android Banking Trojans to Include Ransomware Features

Author info: December 19, 2016 09:15 AM By Catalin Cimpanu

//BEGIN
The current generation of Android banking trojans are all equipped with ransomware-like features in order to lock the user's device, and in some cases encrypt his data.
Android mobile banking trojans now have ransomware features: they can not only lock the infected phone but also encrypt the data on it, and then demand money.

//END
Nevertheless, due to the nature of today's mobile OS landscape, mobile ransomware is not as dangerous and efficient as on desktops and laptops.
"We would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently)," says Unchuk, "which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless."
Because of the characteristics of mobile devices such as smartphones, ransomware on mobile devices does less harm than on traditional computers and servers, at least for the time being. The main reason is that most data on a mobile device can, with the user's consent, be set to sync automatically to a cloud platform, so holding the files and data on a phone for ransom is not especially meaningful.

Comment: Mobile ransomware is still very dangerous.

Posted on 2016-12-21 23:53
5. Nearly 70% of fake Super Mario apps show malicious behavior
Title: Fake Apps Take Advantage of Super Mario Run Release

Author info: By Jordan Pan, December 19, 2016 at 9:18 pm

//BEGIN
Earlier this year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps. As 2016 comes to a close, we observe the same thing happening to another of Nintendo’s game properties: Super Mario.
At the start of this year Pokemon Go was hugely popular for a while, and malicious code rode on that popularity; as 2016 comes to an end, another imitation of a Nintendo game has appeared: Super Mario!

//END
Activating an app as a device administrator is required to execute potentially malicious activities such as installing apps secretly, or hiding icons and processes from the user. Therefore, when an app asks you to activate themselves as a device administrator, it should be a red flag. Check whether it is appropriate for the app being installed.
Whether installing Android apps or iOS apps, one should download apps from legitimate sites and not risk installing from irregular third-party channels.
In particular, when an app being installed asks for device administrator privileges, pay special attention. This may well be a danger signal.

Comment: The various stores are a mixed bag, truly more than one can keep track of.

Posted on 2016-12-21 23:55
6. Entertainment system security flaw could allow aircraft to be controlled
Title: Security Vulnerability Allows Hackers to Take Control of Airplanes UPDATED
Panasonic flaw exposes aircrafts operated by 13 airlines
Author info: Dec 20, 2016 10:35 GMT By Bogdan Popa

//BEGIN
A security flaw discovered in an in-flight entertainment system developed by Panasonic could allow a hacker to hijack several flight systems and to even get control of the aircraft, a researcher warns.
A researcher claims to have discovered a vulnerability in a Panasonic in-flight entertainment system; successful exploitation could lead to aircraft of 13 commercial airlines being hijacked and controlled.

//END
In today’s report, however, Santamarta says that Panasonic knew about the vulnerabilities since March last year, when the company was first contacted by researchers, but it’s not yet clear if any updates were made to block a potential cyberattack. For the moment, however, it all comes down to airlines to minimize the risks of a hacker gaining full control of an aircraft.
UPDATE, December 21: Panasonic has sent us a statement to explain that IOActive's claims are "inaccurate and inflammatory" and that there is no critical flaw in its products.
Panasonic, the developer of the in-flight entertainment system, responded that the security researcher's findings are inaccurate and inflammatory, and that its products have no serious security vulnerability that could be exploited.

Comment: Even without Panasonic's "response", I humbly think an aircraft's control systems should be tighter and more thorough: if a vulnerability in an in-flight entertainment system could lead to a commercial aircraft being taken over as a whole, that would be rather un-entertaining.