
Daily Security Brief (20161225)

Posted 2016-12-24 20:53
Posted 2016-12-25 18:00
1. Attackers use malware-distribution-like tactics in phishing campaigns
Title: Phishers Adopt Malware Distribution-Like Tactics

Author info: December 23, 2016 By Ionut Arghire

//BEGIN
A recently detected phishing campaign designed to steal credit card information employed a series of attack tactics previously associated with malware distribution, Proofpoint security researchers reveal.
Attackers running phishing campaigns are adopting distribution tactics that resemble malware delivery: the phish still arrives by email, but the attachment is encrypted, an HTML file carrying a script obfuscated with JavaScript, and the password is given in the body of the email. An ordinary user gets the impression that it is "official", "important" and "urgent", opens the box right away, and only then sees that it is the Pandora brand...

//END
“Credential and credit card phishing are nearly as old as cybercrime itself. This hasn't stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password protected document attachments to bypass anti-malware technologies and give recipients a false sense of security,” Proofpoint researchers note.
Once encryption is used (even if it is only an XOR), traditional detection and filtering become very difficult, all the more so when the message is mixed in among thousands of normal emails. On top of that, the attackers have designed it so carefully that it looks genuine.

Comment: Is the encryption password "infected"?

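As an added illustration (not code from the forum author or from Proofpoint), here is a small Python triage heuristic for the lure pattern described in the post above: an HTML attachment whose JavaScript decodes itself with XOR/charCode operations, combined with the attachment password handed over in the email body. The message it inspects is constructed inline; the marker list and the `triage` function are my own assumptions about what such a mail filter would look at.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Patterns typical of XOR / charCode-style JavaScript self-decoders (assumed heuristics).
OBFUSCATION_MARKERS = [
    r"String\.fromCharCode",
    r"\.charCodeAt\(",
    r"\)\s*\^\s*",            # XOR applied to an expression result, e.g. charCodeAt(i)^k
    r"unescape\(|decodeURIComponent\(",
]
# The lure hands the recipient the attachment password in the message body.
PASSWORD_HINT = re.compile(r"\b(?:password|passcode|pwd)\b\s*[:=]", re.IGNORECASE)


def html_attachments(msg):
    """Yield (filename, decoded text) for every HTML part delivered as an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            yield part.get_filename(), part.get_content()


def triage(raw_eml: bytes) -> dict:
    """Flag a message when the body offers a password AND an HTML attachment
    carries obfuscation markers; either signal alone is common in legitimate mail."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))   # skips attachment parts
    password_in_body = bool(body and PASSWORD_HINT.search(body.get_content()))
    hits = []
    for name, html in html_attachments(msg):
        markers = [m for m in OBFUSCATION_MARKERS if re.search(m, html)]
        if markers:
            hits.append({"attachment": name, "markers": markers})
    return {"password_in_body": password_in_body, "obfuscated_attachments": hits,
            "suspicious": password_in_body and bool(hits)}


def sample_message(lure: bool = True) -> bytes:
    """Constructed test mail (not a real sample): a lure modelled on the campaign,
    or a benign invoice notice with a plain HTML attachment."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Your invoice", "billing@example.invalid", "you@example.invalid"
    if lure:
        m.set_content("Please open the attached secure document.\nPassword: 1234")
        html = ('<html><script>var k=7,s="ABC",o="";for(var i=0;i<s.length;i++)'
                '{o+=String.fromCharCode(s.charCodeAt(i)^k);}document.write(o);</script></html>')
    else:
        m.set_content("Your invoice for December is attached.")
        html = "<html><body><p>Invoice total: 42.00</p></body></html>"
    m.add_attachment(html, subtype="html", filename="invoice.html")
    return m.as_bytes()
```

The combination rule matters: a password in the body alone (encrypted archives from a known partner) or a script-heavy HTML attachment alone (marketing mail) would each generate too many false positives.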
Posted 2016-12-25 18:02
2. Researchers warn that holiday-themed spam campaigns are ramping up
Title: Holiday-Themed Spam Campaigns Ramp Up

Author info: December 23, 2016 By Ionut Arghire

//BEGIN
This time of the year, spam campaigns are increasingly adopting holiday themes to improve their malware distribution rate and steal users’ banking information or to trick victims into accessing fake online stores, security researchers warn.
Mr. Arghire is busy this holiday season: the point of this article is to remind those who shop online a lot to be wary of spam scams that borrow the name of the holidays (especially Christmas and New Year). The spammers have no interest in wishing you a Merry Christmas or a Happy New Year; all they are after is the user's credit card number! The tricks include invoices, order confirmations and the like, too many to list.

//END
To avoid falling victim to attacks carried out via spam, users should stay away from emails coming from unknown sources, especially those that arrive during the holiday season with alleged invoices or order confirmations attached to them. The phishing traffic for store-related scams has increased as well over the past weeks, and users should always make sure that they visit legitimate websites when looking to make a purchase.
“It's the time of year when we all get to celebrate with our families. For some of us, though, this will mean online shopping with all its potential pitfalls. And for some it will mean new devices and appliances to connect — with oblique instructions and undoubtedly some questions. Here are some tips to help keep you and yours safe and secure through the holidays and into the New Year,” the security researchers note.
When traditional spam scams no longer work very well, the scammers come up with new methods: they send a seemingly normal Word document that hides a malicious macro, and once the user enables the macro, the malicious code downloads all kinds of ransomware, malware and so on in the background, forcing the user to comply!
Users need to pay special attention to where an email comes from! Of course, that is easy to say but somewhat hard to do in practice: every day our inboxes may be flooded with all sorts of legitimate commercial advertising!

Comment: At the turn of the year, whether you are a compulsive shopper or someone who normally won't even buy an ice pop, you have to be careful, and this makes no distinction between home and abroad! Scammers are the same everywhere.

Posted 2016-12-25 18:04
3. Hacker group plans to launch DDoS against PSN and Xbox servers on Christmas Day
Title: Hackers Threaten to Take Down PSN and Xbox Live on Christmas Day
R.I.U. Star Patrol says it plans new DDoS attacks on Dec 25
Author info: Dec 24, 2016 07:24 GMT By Bogdan Popa

//BEGIN
Hacking group R.I.U. Star Patrol managed to take down Tumblr earlier this week and keep it offline for almost two hours, and now it’s planning on launching another large-scale DDoS attack that’s likely to impact many more users.
The hackers celebrate the holidays too: Christmas. They pick this particular day to hit Sony's and Microsoft's classic gaming services: Sony's PSN and Microsoft's Xbox.
At this time last year the two giants announced they would join forces to fight off the hackers' DDoS attacks and make sure users could keep playing. This year the hackers have shown up on schedule, while the two giants have shown no reaction. Let's wait and see what happens.
It shouldn't take long to find out.

//END
It remains to be seen if DDoS attacks will indeed be launched against PSN and Xbox, and if they are, to find out how Sony and Microsoft could reduce the impact on network performance.
If you ask why these hackers do this, their reasoning is very simple and looks somewhat naive: we can do it, so we will! It has nothing whatsoever to do with money!

Comment: Coming back to do it again next (every) Christmas?

Posted 2016-12-25 18:06
4. Switzerland cracks DGA algorithm and shuts down 500 domains of the Tofsee botnet
Title: Switzerland's GovCERT Cracks DGA and Blocks 500 Domains Used by Tofsee Botnet

Author info: December 23, 2016 By Kevin Townsend

//BEGIN
Following a successful analysis of the domain generation algorithm used by the Tofsee botnet, the Swiss domain registry (SWITCH) has temporarily suspended around 520 possible .ch domain names -- seriously weakening if not neutralizing the botnet.
Switzerland's domain registry SWITCH cracked the DGA domain algorithm of the Tofsee botnet ahead of time and therefore published the 520 domains it found that were about to be used. This makes up for the awkward past situation of passively taking the hits, and counts as winning a round in the war against that stubborn enemy, the botnet! Since registration of these domains has been suspended, the botnet's attempt to use the .ch top-level domain is doomed to fail.

//END
Overall, Sullivan does not believe this action will have much effect on spam and malware levels on the internet, but "it is an excellent way for a national CERT to run its TLD. Switzerland will end up running cleaner networks and will be the source of less malware. And that's good for the reputation of both the country and its networks."
It also demonstrates the continuous cat and mouse nature of the ongoing battle between security defenders and malicious attackers.
While praising the action, security researchers also say the finding is not generally applicable: it will not reduce the volume of spam and malicious code at all. It will, however, do a good job of cleaning up Switzerland's own national internet. The fight against botnets will go on forever, just like the cat-and-mouse and cops-and-robbers games of everyday life.


//Download: Tofsee僵尸网络DGA算法解密.pdf (339.55 KB, downloads: 42)
File name: Tofsee僵尸网络DGA算法解密.pdf
File size: 347,695 bytes
MD5: 41725653991E96F1D3CCD4626D5391A4

Comment: Tofsee has been brought to a temporary halt by the successful early cracking of these 520 .ch domains, but the fight is far from over.

Posted 2016-12-25 18:07
5. Signal uses domain fronting to evade government censorship and restrictions
Title: Signal implements 'domain fronting' technique to bypass censorship

Author info: December 23, 2016 By Pierluigi Paganini

//BEGIN
The latest update of Signal introduces the ‘domain fronting’ technique that has been implemented to circumvent censorship.
Signal claims to be the most secure instant messaging app, using end-to-end encryption and other means to protect users' communication privacy.
It recently ran into some trouble in Egypt and the UAE, however, so it added the so-called domain fronting technique (translated here as "domain spoofing") to evade government censorship.
At present it is only deployed on Android. Adding this technique comes at a considerable cost, so the setting is currently not enabled by default in all versions.
https://whispersystems.org/ The company name Open Whisper Systems is rather interesting: whispering in the open.

//END
Marlinspike confirmed that an iOS version of Signal that supports domain fronting is expected soon; meanwhile, a beta version is available.
The iOS version with domain fronting may still take a while.

Comment: Personal privacy and overall public security can sometimes be in conflict; one-sidedly emphasizing either side does not seem very advisable.

Posted 2016-12-25 18:09
6. Washington health plan organization hacked, members' personal information exposed
Title: Washington Health Plan Hacked, Personal Info and Social Security Numbers Exposed
Organization now notifying users about breach
Author info: Dec 23, 2016 12:34 GMT By Bogdan Popa

//BEGIN
The Community Health Plan of Washington (CHPW) confirmed that it was affected by a breach on November 7 that exposed the personal details of its members.
CHPW confirmed that on November 7 the personal health database it holds was exposed, including names, phone numbers, addresses, social security numbers and so on, but no credit card or similar information. Even so, the organization will provide all of its customers with a full year of credit monitoring to guard against any financial loss the exposure might cause. The current work is notifying every potentially affected customer one by one.

//END
Justin Shafer (@JShafer817) says he is the one who found the flaw and reported it to CHPW, adding that it wasn't a hack, but a public FTP exposed.
However, the person who claims to have found the "vulnerability" says the incident was not an attack at all, just a file server that had been left publicly exposed, which he happened to stumble upon.

Comment: In any case, it is better to protect personal information more carefully.