
Daily Security Briefing (20170205)

Posted 2017-2-4 21:39
Posted 2017-2-5 18:58
1. Security vendor releases three ransomware decryption tools
Title: Avast releases Three more Decryption Tools for Ransomware Victims
Avast now offers ransomware victims 14 decryption tools to help them get their files back.
Author info: 2 February 2017 By Jakub Kroustek

//BEGIN
In 2016, ransomware once again demonstrated that it is the biggest security threat. In the past year more than 200 new strains of ransomware were discovered and its in-the-wild samples doubled, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat.
In 2016, ransomware once again showed that it fully deserves to be called one of the biggest threats to cyber security. In that single year, about 200 ransomware strains were discovered, a twofold increase over 2015. The slightly good news is that security vendors such as Avast are ready and determined to fight ransomware to the end, in order to protect the security of their users' computers and devices.

//END
How to protect yourself from falling victim to ransomware
First and foremost, make sure you have antivirus, like Avast, installed on all of your devices (even smartphones can become infected with ransomware). Antivirus will act like a safety net and block ransomware before it can cause any damage, in case you accidentally try to download it.
The next thing you can do to protect yourself is to be smart and alert. Ransomware distributors often use social engineering tactics to trick people into downloading the ransomware. Be careful which links and attachments you open and what you download on the web. Make sure you verify the source of emails including links and attachments and only download software and visit trusted sites.
Backing up your data properly on a regular basis is also crucial. Be sure to not keep your backups connected to your devices all the time, otherwise, your backups could be held ransom as well.
If you are unlucky and do become infected with ransomware, make sure to check out our ransomware decryptor tools to see if we can help you get your files back!
Special thanks
I would like to once again thank my colleagues Ladislav Zezula and Piotr Szczepanski for preparing these decryptors.
To guard against ransomware, users are advised to do at least the following three things:
First and foremost: install suitable security software, such as Avast, on every device you use, including phones, desktops and laptops. Such software can protect your computers and devices at all times, even when you are not paying attention.
Second, you as a user must also stay highly alert and vigilant. Ransomware is usually spread by social engineering tricks that deceive users into downloading it, so pay particular attention to URL links in your email. Do not click URLs in unknown emails or download and install programs from unknown sources.
The last point is also very important: back up your important documents and data routinely. Also note that you should not keep your backup device permanently connected to the device you use. This is because ransomware sometimes not only encrypts the local machine but also automatically searches connected external devices or mapped drives, and the documents and data on them get encrypted too.
Of course, if you are indeed hit by ransomware and have not backed up your important data and documents, then we suggest you try the free decryption tools released by security vendors. Remember: never pay the ransom to the extortionists!

//Download: AVAST-14-Ransom-Decryptor-Feb2017-1.rar (5 MB, downloads: 748)
AVAST-14-Ransom-Decryptor-Feb2017-2.rar (4.08 MB, downloads: 895)
File name: AVAST-14-Ransom-Decryptor-Feb2017.rar
File size: 9,520,100 bytes
MD5: A0D38016927554A3F23EBB25A6916C5D

Comment: Against ransomware, we recommend the 3B principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted 2017-2-5 19:29
2. Researchers warn that the SQL Slammer worm is back
Title: SQL Slammer Worm Crawls Back

Author info: February 03, 2017 By Ionut Arghire

//BEGIN
SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.
The computer worm was first spotted on the day it caused a denial of service condition on tens of thousands of servers worldwide by overloading Internet objects such as servers and routers with a massive number of network packets. Within 10 minutes of its first emergence, SQL Slammer had managed to infect most of its roughly 75,000 victims.
SQL Slammer, the tiny worm that shook the Internet on January 25, 2003, appears to be quietly returning. The news comes from the US network security company Check Point. Within the first 10 minutes of its appearance, this tiny SQL Slammer worm overloaded the network traffic of about 75,000 servers and routers, causing panic across the Internet.

//END
“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” Check Point concludes.
In summary, although the tiny SQL Slammer worm first appeared back in 2003 and has shown little sign of activity in the more than ten years since, security companies have recently observed signs that it is active again. Does this mean it is about to make a strong comeback?

Comment: This dates back to January 2003: http://www.arpun.com/soft/13899.html . Antiy SqlPatchCheck1.0
How many memories can be relived?

Posted 2017-2-5 19:32
3. Norway accuses Russia of cyberattack
Title: Norway Accuses Russia of Cyberattack

Author info: February 03, 2017 By AFP

//BEGIN
Oslo - Norway's foreign ministry, army and other institutions were targeted in a recent cyberattack by a group suspected of ties to Russian authorities, Norwegian intelligence -- which was among the targets -- said Friday.
According to intelligence services in Oslo, capital of NATO member Norway, the country's foreign ministry, military and several other government agencies were recently hit by a cyberattack said to have come from Russia, and the intelligence service itself was not spared. Norway says the hacking group is APT29, the group that was also accused of interfering in last year's US presidential election.

//END
Russia said the visa refusal was a reaction to Norway's participation in EU economic sanctions against it over the Ukraine crisis.
Moscow was also angered by the recent deployment of some 300 US soldiers on Norwegian soil.
Russia says the retaliation against Norway was because it joined the EU's economic sanctions against Russia after the Ukraine crisis; the retaliation took the form of refusing visas to two senior Norwegian legislators. Moscow is also annoyed that Norway recently allowed 300 US special forces soldiers into the country for military training for the first time; after all, Norway and Russia have traditionally had fairly friendly relations.

Comment: A Norwegian election on 9/11?

Posted 2017-2-5 19:35
4. Security vendor exposes sophisticated PayPal phishing
Title: Hook, line, and sinker - A closer look at a sophisticated phishing kit

Author info: FEBRUARY 02, 2017 By Proofpoint Staff

//BEGIN
Overview

While many financial phishing schemes require development of bank- and region-specific phishing pages, PayPal's international reach and widespread popularity mean that attackers can develop phishing pages once and attack in multiple regions. Proofpoint researchers recently encountered a phishing email message that led to what appeared to be a benign PayPal login page. Analysis quickly determined that the login page was in reality a very well-crafted phishing page, but the real innovations of this campaign were revealed in the clever workings of the landing and the campaign’s sophisticated administrative backend.
Generally speaking, banking trojans have clear regional characteristics. But PayPal's extremely wide and deep international reach means attackers only need to develop a page once to use it in many regions. Researchers at the security company Proofpoint recently found a phishing email that, at first glance, looked like a harmless PayPal login page. On closer analysis, however, the login page turned out to be a cleverly disguised one, backed by a powerful and sophisticated administrative backend.

//END
Conclusion
As attackers continue to turn away from the use of exploits and other means of compromising victim PCs and stealing information via malware, they are developing increasingly sophisticated means of collecting credentials and other data directly through phishing schemes. The use of phishing kits like the one detailed here provides threat actors with ready access to turnkey templates and administrative backends that make harvesting data from unsuspecting victims all too easy. These phishing pages look legitimate and users are already accustomed to "restoring account access" through various verification procedures, many of which are included in this example.
This particular kit also illustrates the advanced state of "crimeware as a service", an inexpensive and straightforward means of conducting phishing scams with low barriers to entry and future possibilities for combining malware distribution with phishing. The presence of an admin panel like that described here is currently quite rare among credential phishing kits, although we have observed such panels associated with APT activities and "white hat" phishing frameworks. However, as tools and approaches in phishing continue to evolve, we expect this to become more common and, understandably, popular with phishing actors.
Attackers have grown tired of stealing users' sensitive information by exploiting vulnerabilities or through malware, and have recently been observed turning to advanced phishing emails to collect users' login credentials and other data directly. In particular, there are mature phishing kits with very rich templates and powerful features, which make advanced phishing campaigns stealthy and make harvesting user information very convenient. These pages are highly realistic, and users are used to going through various verification procedures to restore access to their accounts.
This has become Crimeware as a Service (a one-stop shop for cybercrime): phishing components with a low barrier to entry, a low price and easy use. There is reason to believe that in the near future they will be combined with various kinds of malware, causing greater harm to users. Although these phishing tools and methods keep evolving, they are expected to become more and more common.

Comment: Phishing munitions!

Posted 2017-2-5 19:35
5. Anonymous group takes down a fifth of the "dark web"
{CHN}
Title: Anonymous group takes down a fifth of the "dark web"

Author info: 2017-02-04 11:42:29 By cnBeta

//BEGIN
Recently, a large number of dark web sites reached over the Tor network were attacked by hackers, and more than 10,000 dark web pages were replaced with a page carrying a warning message. A hacker group affiliated with Anonymous claimed responsibility for the attack. The dark web sites involved used the mainstream Tor-connected hosting service Freedom Hosting II, which was completely compromised by the group; according to security experts, the affected sites make up about one fifth of the dark web.

//END
The hacker group disclosed that, of the data on the compromised dark web sites, more than half involved child pornography, along with some Bitcoin escrow services, Ponzi-scheme information and hacker forums. The hackers offered Freedom Hosting II the leaked data in exchange for 0.1 Bitcoin (about 100 US dollars).
The original Freedom Hosting service was taken down by law enforcement in 2013; at that time it accounted for half of dark web traffic, and large amounts of illegal child pornography data were exposed.

Comment: One is anonymous, the other is dark (as in "never sees daylight"); who hacked whom is anyone's guess.

Posted 2017-2-5 19:36
6. Information stolen from Australia's nuclear science and technology organisation
Title: Particle accelerator hacked: Boffins' hashed passwords beamed up
The Australian Synchrotron warns it's been wormholed, but not dangerously

Author info: 3 Feb 2017 at 02:41 By Darren Pauli

//BEGIN
UPDATE The Australian Nuclear Science and Technology Organisation (ANSTO) is investigating a computer security breach at the Australian Synchrotron that saw hackers steal scientists' usernames and passwords Friday.
Hackers of as yet unknown origin hit systems hosting the web portal where researchers from ANSTO and third parties can request time to use the Victorian atom-smashing facility. We're told miscreants stole brainiacs' email addresses and scrambled passwords.
Particle accelerator hacked: scientists' hashed passwords leaked, but fortunately the situation is not very serious for now. This is the announcement from Australia's nuclear science and technology institute, which is investigating a computer security breach at the country's nuclear science and technology organisation, in which hackers stole scientists' email login usernames and passwords. The origin of the hackers has not yet been confirmed.

//END
If the passwords can be cracked, any eggheads who have reused the same password and email combination on other websites face losing control of those accounts too.
UPDATE: A spokesperson for the Synchrotron's been in touch to say the hacked network is isolated from the rest of the agency and that ANSTO can rule out other systems beyond the user database having been compromised.
The database is also entirely isolated from the home of Australia's sole nuclear reactor, on ANSTO’s Lucas Heights campus.
“As a precautionary measure, all users have been required to reset their passwords,” the spokesperson said.
Once an email password is stolen, any other websites that use the same password are at risk of being compromised at the same time. As a precaution, it is best to reset the password as soon as possible.

Source: https://www.theregister.co.uk/20 ... utm_medium=referral

Comment: Never use the same password in any two places.