
Daily Security Briefing (20170212)

Posted 2017-2-11 23:16
Posted 2017-2-12 10:44
1. Ransomware CryptoShield spreading widely via the RIG EK
Title: CRYPTOSHIELD INFECTIONS FROM RIG EK PICKING UP

Author info: February 9, 2017 , 11:06 am By Michael Mimoso

//BEGIN
The RIG Exploit Kit remains fairly active despite an overall decline in such activity, and of late, it’s been spreading a fairly new variant of ransomware called CryptoShield.

EK: Exploit Kit, a package for exploiting vulnerabilities; different vulnerabilities may have different kits. The active EKs mentioned here are RIG, Magnitude, Sundown and others.
CryptoShield: a ransomware family distributed through the RIG EK. It is a variant of the earlier ransomware CryptoMix.
EITest: a ransomware distribution campaign. This campaign mainly used the ransomware CryptoShield.
ISC: Internet Storm Center, SANS's name for its network threat monitoring center.

Overall, RIG EK activity is trending down, but it has recently been observed spreading the ransomware CryptoShield.


//END
“Rig EK is the most prevalent exploit kits I’m seeing at the moment. It’s definitely not the only one,” Duncan said. “Other exploit kits like Magnitude and Sundown are still active, and I see indicators of those on a daily basis. But volume-wise, I see more indicators for Rig EK. The majority (50 percent or more) of all exploit kit indicators I’m finding are for Rig.”

RIG EK is currently one of the most prevalent exploit kits, though certainly not the only one. Other similar EKs such as Magnitude and Sundown are still active. Daily monitoring shows that, by volume, more than half of EK activity uses RIG.

Comment: Against ransomware, we recommend the 3B principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted 2017-2-12 10:46
2. Ransomware DynA-Crypt both encrypts for ransom and steals data
Title: DynA-Crypt not only Encrypts Your Files, but Also Steals Your Info

Author info: February 9, 2017 07:35 PM By Lawrence Abrams

//BEGIN
A new ransomware called DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim's computer. Ransomware and information stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of steaming **** that just makes a mess of a victim's programs and data.
Researchers at the German security company GDATA recently discovered a new ransomware, DynA-Crypt, which not only encrypts users' valuable files but also steals sensitive and private information from the infected machine: desktop screenshots, system audio, keyboard input, input in the Chrome and Firefox browsers, and various data from Thunderbird, Minecraft and other games, and so on. Although ransomware and information theft are each very common, combining the two is still fairly rare, so an infection leaves the victim's machine in a complete mess.

//END
The good news is that this thing can be easily decrypted, so do not for any reason pay the ransom if you are infected with this program. If you need help with this ransomware, just leave a comment and a decryptor will be provided.
The slightly good news, though, is that the encrypted files can be decrypted, so there is no need to pay the extortionists.

Comment: Against ransomware, we recommend the 3B principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted 2017-2-12 10:48
3. Botnet Kelihos overtakes Conficker as the month's top malware
Title: Kelihos becomes January's Top 10 'Most Wanted' Malware

Author info: February 11, 2017  By Pierluigi Paganini

//BEGIN
The infamous Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.
The monthly malware ranking for the first month of 2017 has shifted! The botnet Kelihos overtook Conficker for the top spot, while the latter dropped to 4th. This is according to a release by the security company CheckPoint.

//END
Below is January's Top 10 'Most Wanted' Malware published by CheckPoint Security
1 Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
2 HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
3 Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
4 Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
5 Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
6 RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
7 Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
8 Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
9 Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
10 Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.

Below is the Top 3 'Most Wanted' mobile malware:
1 Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2 Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
3 Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
The top 10 malware families are: Kelihos, HackerDefender, Cryptowall, Conficker, Nemucod, RookieUA, Nivdort, Zeus, Ramnit and Necurs.
One important purpose of botnets is to spread ransomware.
The top three mobile malware families are Triada, Hummingbad and Hiddad.

Comment: Against ransomware, we recommend the 3B principle of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted 2017-2-12 10:49
4. Italy says Russia conducted cyber-espionage against its foreign ministry
Title: Russia suspected over hacking attack on Italian foreign ministry
Exclusive: Italian government official says no classified emails were compromised in attack believed to have lasted more than four months last year

Author info: Friday 10 February 2017 12.56 GMT By Stephanie Kirchgaessner

//BEGIN
Russia is suspected by Italian officials of being behind a sustained hacking attack against the Italian foreign ministry last year that compromised email communications and lasted for many months before it was detected, according to people familiar with the matter.
According to people familiar with the matter, Italian officials recently came to suspect that Russia had, starting last spring, intruded into the foreign ministry's email communication system for several months, until it was discovered recently and forced to stop. The system used to transmit classified material was not breached. The current Italian prime minister, who was foreign minister while the attack was under way, was not affected, because he does not use the email system. But the reports sent to the capital by the ministry's embassies and staff abroad all went through that email system, and those people were compromised. Officials nevertheless stressed repeatedly that classified information was neither attacked nor affected. Italian officials have not in fact confirmed that Russia was behind the attacks.


//END
The two are still being held in jail. Their lawyers have denied the siblings committed any wrongdoing.
It turns out that the two arrested by Italian police were a sister and brother, not two brothers. They are still in jail. Their lawyers have consistently denied that the two did anything wrong.

Comment: Related report from a month ago: [20170113.1 Italian authorities arrest suspects in the EyePyramid espionage operation]

Posted 2017-2-12 10:51
5. Large numbers of websites attacked through an unpatched WordPress vulnerability
Title: 1.5M UNPATCHED WORDPRESS SITES HACKED FOLLOWING VULNERABILITY DISCLOSURE

Author info: February 10, 2017 , 11:45 am By Chris Brook

//BEGIN
Attackers have taken a liking to a content-injection vulnerability disclosed last week and patched in WordPress 4.7.2 that experts say has been exploited to deface 1.5M sites so far.
So far more than 1.5 million websites have been hacked, all of them running versions of WordPress older than 4.7.2. The most likely cause is that last week (January 26) WordPress released its patch for a content-injection vulnerability.

//END
“Defacements don’t offer economic returns, so that will likely die soon. What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections,” Cid wrote Thursday. “We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.”
Both firms are encouraging WordPress users, especially those running the vulnerable 4.7 and 4.7.1 versions, to update to 4.7.2.
Security firms strongly advise users to upgrade WordPress to the latest version, 4.7.2, right away.
Hacked sites do not in themselves bring direct economic returns, but they can be used to execute arbitrary commands, for search ranking manipulation, sending spam, ad injection and promoting affiliate links. It is foreseeable that this disclosed WordPress vulnerability will be abused by such malicious activity in the coming days, weeks and even months.


Comment: Patch fast! Be slow and you will be hacked and then exploited.
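As an added example (not code from the article, the briefing author, or WordPress), here is a small Python check that reads a local install's `wp-includes/version.php` and classifies the version against the 4.7.2 fix: the 4.7 and 4.7.1 releases the article names as vulnerable are reported as "affected", anything else older than 4.7.2 as "outdated", and 4.7.2 or later as "ok". The `$wp_version` variable and the `wp-includes/version.php` path are WordPress's real conventions; the sample install directories the script builds are constructed for the demo and hold only that one file.

```python
"""Classify a WordPress install's version against the 4.7.2 content-injection fix (added example)."""
import os
import re
import tempfile

# Versions the quoted article names as vulnerable to the content-injection bug.
AFFECTED = {(4, 7, 0), (4, 7, 1)}
# First release carrying the fix, per the article.
FIXED = (4, 7, 2)

# Matches the line WordPress ships in wp-includes/version.php, e.g.  $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(version_str):
    """'4.7.1' -> (4, 7, 0+1); '4.7' -> (4, 7, 0). Pre-release suffixes such as '-beta1' are dropped."""
    core = re.match(r"(\d+(?:\.\d+)*)", version_str)
    if not core:
        raise ValueError(f"unrecognised version string: {version_str!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version_str):
    """Return 'affected', 'outdated' or 'ok' for a WordPress version string."""
    v = parse_version(version_str)
    if v in AFFECTED:
        return "affected"
    if v < FIXED:
        return "outdated"
    return "ok"


def read_wp_version(install_dir):
    """Extract $wp_version from <install_dir>/wp-includes/version.php."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as f:
        match = VERSION_RE.search(f.read())
    if not match:
        raise ValueError(f"no $wp_version assignment found in {path}")
    return match.group(1)


def check_install(install_dir):
    """Return (version_string, status) for one install directory."""
    version = read_wp_version(install_dir)
    return version, assess(version)


def make_sample_install(version_str):
    """Constructed sample: a throwaway directory containing only wp-includes/version.php."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n$wp_version = '%s';\n" % version_str)
    return root


if __name__ == "__main__":
    # Constructed sample installs covering each outcome.
    for ver in ("4.7.1", "4.7", "4.6.3", "4.7.2"):
        root = make_sample_install(ver)
        found, status = check_install(root)
        print(f"{root}: WordPress {found} -> {status}")
```

Point `check_install` at the document root of a real install to get the same classification; "outdated" versions predate the REST API change the article's bug lives in but still lack every later fix, so the recommended action in all three non-"ok" cases is the same one the firms give: update to 4.7.2 or later.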

Posted 2017-2-12 10:52
6. New phishing trick: automatic validation of entered information
{CHN}
Title: New phishing trick: automatically checking whether the account and password entered by the victim are real

Author info: 2017-02-10 By cxt


//BEGIN
The US cybersecurity provider Proofpoint recently discovered a new phishing scheme aimed at PayPal users, in which the attacker uses an authentication mechanism during the phishing process to check whether the account details submitted by the user are genuine, in pursuit of more efficient fraud.

//END
A small reflection
As many online fraudsters grow increasingly reluctant to use exploits and traditional malware to steal user information, this industry has been quietly developing sophisticated phishing tools with ever more complete feature sets. As in the example above, these kits bundle multiple functions into a one-stop template for the many operators of the underground industry; victims have long grown used to recovering their credentials after passing multiple rounds of verification, and increasingly realistic phishing sites make them hard to tell apart. With all these factors combined, phishing fraud has become easier than ever.
The emergence of such tools likewise foreshadows the prospects of "crimeware as a service" (CaaS): a cheap, easy-to-use tool for carrying out phishing fraud, which in the future may even be combined with traditional malware. Although the admin panel illustrated above is still uncommon in phishing kits, it is entirely foreseeable that, as phishing techniques keep developing, such features will become more and more popular.

Note: Proofpoint has reported this phishing technique to PayPal.

Source: http://www.securityweek.com/payp ... erifies-credentials

Comment: Related links this month:
[20170202.3 Security vendor finds PayPal users targeted by sophisticated phishing attack],
[20170205.4 Security vendor exposes sophisticated PayPal phishing]
