
Daily Security Briefing (20161017)

Posted 2016-10-16 20:45
Posted 2016-10-17 14:00
1. Cheetah Mobile publishes an analysis report on the GhostPush Trojan family

Title: Analysis on the Sources of Mobile Trojans

Author info: Oct 14, 2016 By Cheetah Mobile

//BEGIN
How many applications are installed on users' phones every day?
When users download a new app, Clean Master will scan the APK file to see whether it is safe or not. According to the scanning data from Clean Master, tens of millions of applications are being installed to users' mobile phones every day.
(Poster's translation:) How many new apps are installed on users' phones every day? Whenever a user downloads a new app, Cheetah's Clean Master scans the APK installation file to confirm whether it is safe. According to Cheetah's current statistics, tens of millions of apps are installed on users' phones every day.

//END
Summary
Malware accounts for at least 1% of the total number of applications installed every day. The actual amount of malware is far higher than this.
The malware is mainly installed by root Trojans or downloaded from malicious webpages.
The main sources of Trojans are pornographic websites, short links and ad links.
The Trojans are mainly spreading through pornographic websites, deceptive advertising and other third-party webpages. Currently, almost all Android versions except Android 6.0 are at risk of being rooted.
Users should avoid clicking unknown third-party links and only download applications from reputable app stores. If the phones become infected via root Trojans, users can remove the Trojans with Trojan Killer or just flash their phones. Another solution is to update the device to Android 6.0.
(Poster's translation:) In summary, of all the apps installed on users' phones every day, roughly 1% are malicious, and the real figure may well be higher; the main channels for malicious installation are abuse of root privileges or downloads from malicious websites.
The main sources are pornographic sites, short URLs and ad links.
Trojans spread mainly through pornographic sites, ad sites and other disreputable websites. As for Android versions, all except 6.0 are at risk of being rooted and thereby infected with Trojans.
Advice to users: avoid downloading mobile apps from disreputable sites. Should a phone be rooted and infected with a malicious Trojan, the recommendation is to remove it with Trojan Killer or reflash the phone; the other option is to upgrade Android to the latest version, 6.0.
Chart of malware sources:
[Figure: 1017-1.png, malware source statistics]


Comment: What a long English report...

Posted 2016-10-17 14:01
2. US CIA to launch an "unprecedented" cyber attack against Russia
{CHN}
Title: Is a cyber world war imminent? US CIA to launch an "unprecedented" cyber attack against Russia

Author info: 2016-10-16 By 狐狸酱

//BEGIN
NBC reported on the 14th local time that, according to US intelligence officials, the Obama administration is preparing a covert cyber operation against Russia in retaliation for its interference in the US presidential election. The CIA has asked experts for "secret" cyber-attack plans meant to "embarrass" the Kremlin. Sources did not disclose details of the plan, but said the agency had already begun selecting targets and preparing the relevant measures. Former intelligence officials also said the CIA might choose the tactics that Russian President Putin would find most objectionable. Whether to authorize the CIA to carry out the operation will ultimately be decided by Obama; senior US government officials are currently not of one mind.

//END
The beginning is the end.

//原文链接: http://www.nbcnews.com/news/us-n ... inst-russia-n666636

Comment: Is this showing off cyber skills, or a cyber declaration of war?

Posted 2016-10-17 14:04
3. Security experts say online financial threats are increasing in Asia-Pacific
Title: Online financial threats increase in Asia-Pacific

Author info: Friday, Oct 14, 2016 12:06 PM By VNS

//BEGIN
HCM CITY (Biz Hub) — Online financial threats are on the rise globally and starting to penetrate the Asia-Pacific region, including Viet Nam, according to IT security experts.
(Poster's translation:) Security experts warn that online financial threats are increasing worldwide and are beginning to target the Asia-Pacific region in particular, including Viet Nam.

//END
According to Kaspersky Security Network data, Russia and Sri Lanka had the largest number of victims in the third quarter of this year and Viet Nam and India in the second.
"Spam, phishing and banking Trojans are among the most widespread financial threats," Kamluk said.
"So users should be attentive to fake web pages and unexpected e-mails asking to provide financial information, and secure their mobile devices if transactions are made from them.
"Organisations should also regularly check their IT infrastructure and especially computers from which financial transactions are made."
(Poster's translation:) According to statistics from the Russian security company Kaspersky, in the third quarter of this year the areas hardest hit by online financial threats were Russia and Sri Lanka, followed by India and Viet Nam. The three biggest categories of threat are spam, phishing emails and banking Trojans. For users, the best approach is to be especially careful when making online transactions or visiting financial websites, and, when transacting from a phone, to watch out for security risks on the device. Enterprise users should routinely carry out security checks on their key devices and infrastructure, particularly the machines and devices from which financial transactions can be made.

Comment: Online financial risk in China is also very high.

Posted 2016-10-17 14:07
4. Cisco Meeting Server vulnerability allows impersonation of legitimate users
Title: Cisco Meeting Server – CVE-2016-6445 flaw allows attackers to impersonate legitimate users

Author info: October 14, 2016 By Pierluigi Paganini

//BEGIN
Cisco fixed a critical vulnerability in the Cisco Meeting Server, tracked as CVE-2016-6445, that allows remote attackers to impersonate legitimate users.
(Poster's translation:) Cisco has published a vulnerability in its CMS, tracked as CVE-2016-6445, which the company discovered, fixed and disclosed itself; no public case of exploitation by attackers has been reported so far. Nonetheless, successful exploitation could allow an attacker to enter the meeting server system while impersonating a legitimate user.

//END
This is the second advisory published by Cisco for Meeting Server, a first one was published in July and it was related to a persistent cross-site scripting (XSS) flaw that allowed an unauthenticated attacker to execute arbitrary code in the context of the product's management interface.
(Poster's translation:) This is already the second patch advisory for the CMS meeting system; the previous one was in July this year, when researchers reported a cross-site scripting flaw which, if successfully exploited, would execute arbitrary code in the product's management page.

//Translation notes: XMPP is short for Extensible Messaging and Presence Protocol.
CMS here is short for Cisco Meeting Server, not Content Management System; the former is a far narrower term than the latter.
XSS is short for cross-site scripting.

Comment: Vulnerabilities in software that is neither an OS nor a popular mainstream application (EXE) affect only a specific vendor and its users; relatively speaking, they depend far more on the vendor's own ability to find them and its willingness to disclose them.

Posted 2016-10-17 14:09
5. Australian event organizer Pont3 suffers data breach
Title: Event Organizer Suffers Data Breach After Hacker Steals Mailing Lists
No financial data compromised, only personal details

Author info: Oct 14, 2016 01:30 GMT By Catalin Cimpanu

//BEGIN
Pont3, an Australian event organizer, revealed yesterday that an unauthorized party had gained access to its mailing list account and downloaded data about individuals that subscribed to various events organized by the company in the past.
(Poster's translation:) An Australian event company found that information about the events it had organized in the past had been downloaded without authorization. The downloaded data contains no financial information, but does include the following mailing-list fields: user names, physical mailing addresses, phone numbers and email addresses.

//END
Pont3 said it notified affected users of the intrusion after a week and not immediately at the behest of law enforcement and cyber-security experts looking into the matter.
(Poster's translation:) The event company did not make the attack public immediately but seven days later, precisely to give security personnel and the relevant government agencies a valuable window of time to carry out their investigation and forensics.

Comment: Where feasible, is a seven-day quiet period after an attack perhaps a golden time for investigation?

Posted 2016-10-17 14:10
6. Hackers spoof Gmail security updates to break into the DNC email system
Title: Russian Hackers Faked Gmail Password Form To Invade DNC Email System
A new report reveals the method used by Fancy Bear, a Russian government hacking group, to get inside the systems of the DNC and senior Clinton staff.

Author info: Updated on Oct. 16, 2016, at 1:41 a.m. By Sheera Frenkel

//BEGIN
SAN FRANCISCO — Russian hackers used emails disguised to look as Gmail security updates to hack into the computers of the Democratic National Committee (DNC) and members of Hillary Clinton's top campaign staff, according to a report by the SecureWorks cybersecurity company.
(Poster's translation:) The US security company states it with certainty: hackers from Russia sent their key targets of interest emails disguised as Gmail security updates, which were in fact phishing emails. These key targets were important political figures connected to the 2016 US election: members of the Democratic National Committee and senior staff of the Hillary Clinton campaign.

The emails were sent to 108 members of Democratic presidential nominee Hillary Clinton's campaign and 20 people clicked on them, at least four people clicking more than once, Secureworks' research found. The emails were sent to another 16 people from the DNC and four people clicked on them, the report said.

(Poster's translation:) According to the security company's analysis, the phishing emails used 213 short links to reach 108 members of the Democratic campaign team [the email addresses of 66 of them had been obtained from public sources, while the other 42 were not public and were presumably obtained through some special intelligence channel]; 20 of these people clicked on the emails, and at least 4 clicked more than twice. At the same time, another 16 people at the Democratic National Committee also received the emails, and 4 of them clicked the short URLs.

//END
The hacks targeted the Democratic National Committee. A previous version of this article incorrectly identified the Democratic National Convention as the target.
(Poster's note:) One correction: the correct translation of DNC is Democratic National Committee, because the full name is Democratic National Committee, not the Democratic National Convention.

The concrete damage is that done by the spear-phishing emails:
Spearphishing details
The short links in the spearphishing emails redirected victims to a TG-4127-controlled URL that spoofed a legitimate Google domain. A Base64-encoded string containing the victim's full email address is passed with this URL, prepopulating a fake Google login page displayed to the victim. If a victim enters their credentials, TG-4127 can establish a session with Google and access the victim's account. The threat actors may be able to keep this session alive and maintain persistent access.

Comment: If the report is accurate, this does indeed fit the "targeted" part of a targeted attack, but it hardly seems "advanced"! Getting the victims to hand over their own account passwords through phishing emails looks simple and crude, but it does suit the American character: direct.
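The redirect-and-prepopulate trick in the SecureWorks excerpt above lends itself to a small triage script. What follows is an added example written for this briefing, not code from SecureWorks, Cheetah Mobile or the original post: given the destination URL that a short link expands to, it checks whether the host trades on Google's name without being under a real Google domain, and Base64-decodes every query parameter and path segment looking for the victim's e-mail address that such a page carries to prefill the login form. The sample URLs, the `continue` parameter name and the short hostname allowlist are constructed assumptions for the example, not observed TG-4127 infrastructure.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of genuine Google domains (an example assumption; a real
# deployment would maintain this from authoritative data, not a two-item tuple).
LEGIT_GOOGLE_HOSTS = ("google.com", "googleusercontent.com")


def decode_victim(value):
    """Return the e-mail address hidden in a Base64 (standard or URL-safe)
    token, or None when the token does not decode to something address-like.
    Phishing kits often strip '=' padding, so it is restored before decoding."""
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, non-ASCII input
        return None
    local, at, domain = text.rpartition("@")
    if at and local and "." in domain and " " not in text and text.isprintable():
        return text
    return None


def is_spoofed_google_host(host):
    """True when the host name contains 'google' (also with '-' or digit-0
    tricks) but is neither a listed Google domain nor a subdomain of one."""
    host = host.lower().rstrip(".")
    for legit in LEGIT_GOOGLE_HOSTS:
        if host == legit or host.endswith("." + legit):
            return False
    normalized = host.replace("-", "").replace("0", "o")
    return "google" in normalized


def analyze_phish_url(url):
    """Triage one expanded short link: spoofed host? which victim is prefilled?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Query parameter values first, then bare path segments, since some kits
    # carry the victim blob in the path instead of a parameter.
    candidates = [v for values in parse_qs(parts.query).values() for v in values]
    candidates += [seg for seg in parts.path.split("/") if seg]
    victim = None
    for token in candidates:
        victim = decode_victim(token)
        if victim:
            break
    return {"host": host, "spoofed_google": is_spoofed_google_host(host), "victim": victim}


def triage(urls):
    return [analyze_phish_url(u) for u in urls]


# Constructed sample data for the example (hypothetical addresses and hosts).
SAMPLE_VICTIM = "victim@example.org"
SAMPLE_URLS = [
    # Lookalike host plus a padding-stripped Base64 e-mail in the 'continue' parameter.
    "https://accounts-google.com/ServiceLogin?continue="
    + base64.urlsafe_b64encode(SAMPLE_VICTIM.encode()).decode().rstrip("="),
    # A genuine-looking Google sign-in URL with ordinary parameters.
    "https://accounts.google.com/ServiceLogin?service=mail&passive=true",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(result)
```

Run it over the destination URLs obtained by expanding the campaign's short links in a sandbox; a result with `spoofed_google` true and a decoded `victim` matches the pattern described above, and the decoded address tells you which mailbox to check for a hijacked session.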

创意安天 (京ICP备09068574, ICP证100468号)
