
Daily Security Briefing (20161028)

Posted 2016-10-28 00:15
Posted 2016-10-28 18:49
1. APT group Moonlight targets Middle Eastern and African countries
Title: Moonlight APT Uses H-Worm Backdoor to Spy on Middle Eastern Targets
Experts say group may have ties to Hamas

Author: Oct 26, 2016 14:00 GMT By Catalin Cimpanu

//BEGIN
An APT group operating out of the Middle East, and most likely out of Palestine, has been engaged in a cyber-espionage campaign that has taken aim at various Middle Eastern and African countries in the Mediterranean Basin.
An APT group that probably comes from Palestine and has been operating for years was recently discovered. It goes by several names, the most widespread being "Moonlight". Its targets are Middle Eastern countries and African countries on the Mediterranean coast (specifically Palestine, Egypt, the United States, Jordan, Libya, Iran, Israel and China), against which it conducts espionage online. Strictly speaking, it is not very "Advanced": its main attack technique is just one, social engineering, unlike other so-called APT attacks that use 0-day vulnerabilities or exploit some vulnerability to get into the target system.

//END
"Vectra believe the victims from the United States and China are outliers. These infected machines were primarily from university networks and were likely either security researchers sandboxing malware or overseas students targeted for links to their homeland," Doman adds.
The victims in China and the United States are not the main group; they are more likely overseas students from those target countries, or security researchers, in China and the US. So we can still determine this APT group's targets.

Comment: In today's world, political demands all find their way onto the network, regardless of whether anyone has the people or the money for it.

Posted 2016-10-28 18:51
2. Japan becomes a new target of the BLACKGEAR espionage campaign
Title: BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List

Author: October 27, 2016 1:00 am By Joey Chen and MingYen Hsieh

//BEGIN
BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.
BLACKGEAR was originally an espionage attack program aimed at Taiwan for many years. Quite a few papers and talks have mentioned it before; when it was discovered in 2012 it was called the ELIRKS backdoor. It uses common social networking sites to hide its C2 address. This way of hiding favors the attacker because it can change frequently: good for hiding and hard to trace at the same time. There are two reasons we say here that its target is Japan: first, the attack documents it uses are written in Japanese; second, the social networking sites it hides on are Japanese.

//END
Malware threats need to evolve or otherwise become non-threats. Similarly, to stay relevant, BLACKGEAR has evolved with both new tools and new targets, and will continue to be a threat for the foreseeable future. We will continue to monitor its activities in order to protect our customers.
Like many other malicious programs, BLACKGEAR will keep evolving and develop new attack targets; security workers need to watch its development closely and provide targeted solutions.

//Figures: the 3-stage diagram (3级.png) and the 4-step diagram (4步.png)
Comment: Break the whole into pieces and keep attacking; very APT indeed.

Posted 2016-10-28 18:53
3. Attackers abuse LDAP servers to amplify DDoS attacks
Title: Attackers abuse exposed LDAP servers to amplify DDoS attacks
LDAP is added to the arsenal of DDoS reflection and amplification techniques that can generate massive attacks

Author: Oct 26, 2016 10:43 AM PT By Lucian Constantin

//BEGIN
Attackers are abusing yet another widely used protocol in order to amplify distributed denial-of-service attacks: the Lightweight Directory Access Protocol (LDAP), which is used for directory services on corporate networks.
LDAP, a directory service originally used on corporate networks, has recently been used to launch DDoS attacks. Its most notable feature is that LDAP can amplify the attack source by about 50 times.

//END
Corero's Larson said that increasing numbers of insecure IoT devices combined with new amplification vectors could lead to multiterabit attacks over the next year and even attacks that reach 10Tbps in the future.
Researchers say that the steadily growing number of IoT devices, together with new attack techniques that have an amplification effect, will make future attacks more frequent and fiercer, even reaching a scale of 10T; an attack of that scale is probably more than many countries could withstand.

//LDAP: Lightweight Directory Access Protocol

Comment: What can be done about it?
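Added example (not part of the digest or of the article it summarizes): a defender-side check over constructed flow records that flags UDP/389 traffic where a directory server sends far more bytes back than it received, the pattern produced when an exposed LDAP server is used as a reflector. The records, IPs and the 10x threshold are all assumptions.

```python
# Added example: spot LDAP (UDP/389) reflection/amplification in flow records.
# All flow records below are constructed for illustration.
from collections import defaultdict

# Constructed NetFlow-style records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # small spoofed "queries" that appear to come from the victim 203.0.113.7
    ("udp", "203.0.113.7", 40123, "192.0.2.10", 389, 52),
    ("udp", "203.0.113.7", 40123, "192.0.2.10", 389, 52),
    # the server's large replies, delivered to the victim
    ("udp", "192.0.2.10", 389, "203.0.113.7", 40123, 2914),
    ("udp", "192.0.2.10", 389, "203.0.113.7", 40123, 2914),
    # a legitimate internal client: TCP and roughly balanced, must not be flagged
    ("tcp", "10.0.0.5", 51000, "192.0.2.10", 389, 640),
    ("tcp", "192.0.2.10", 389, "10.0.0.5", 51000, 890),
]


def amplification_by_client(flows, ldap_port=389):
    """Return {(server, client): (bytes_in, bytes_out, ratio)} for UDP LDAP traffic."""
    req = defaultdict(int)
    rsp = defaultdict(int)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue  # reflection rides on connectionless UDP; TCP flows are ignored
        if dport == ldap_port:
            req[(dip, sip)] += nbytes  # client -> server query bytes
        elif sport == ldap_port:
            rsp[(sip, dip)] += nbytes  # server -> client response bytes
    result = {}
    for key in set(req) | set(rsp):
        b_in, b_out = req[key], rsp[key]
        ratio = b_out / b_in if b_in else float("inf")
        result[key] = (b_in, b_out, round(ratio, 1))
    return result


def suspected_reflection(flows, min_ratio=10.0, ldap_port=389):
    """(server, client) pairs whose response/request byte ratio reaches min_ratio."""
    stats = amplification_by_client(flows, ldap_port)
    return sorted(k for k, (_, _, ratio) in stats.items() if ratio >= min_ratio)


if __name__ == "__main__":
    for (server, client), stats in amplification_by_client(FLOWS).items():
        print(f"{server} -> {client}: bytes_in={stats[0]} bytes_out={stats[1]} x{stats[2]}")
    print("suspected reflection pairs:", suspected_reflection(FLOWS))
```

A server that shows up in the flagged pairs is answering unauthenticated UDP queries from the internet; the fix is to stop exposing UDP/389 beyond the corporate network, or at least rate-limit it at the edge.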

Posted 2016-10-28 18:57
4. Singapore also hit by an IoT-device botnet DDoS attack
Title: Singapore Telco Blames Recent DDoS Attacks on Compromised IoT Devices
DDoS attacks targeted Singapore's StarHub ISP

Author: Oct 26, 2016 18:00 GMT By Catalin Cimpanu

//BEGIN
StarHub, Singapore's biggest telecommunications provider, said today that two recent DDoS attacks that have targeted its DNS infrastructure had been carried out using botnets of compromised broadband routers and webcams.
StarHub, the largest telecom operator in Singapore (one of the Four Asian Tigers, with a population of 5 million), was recently hit by a DDoS attack whose target was the DNS servers providing its domain name service. Reportedly the attack used IoT devices such as broadband routers and webcams infected in a Mirai-like way.

//END
The Twitter account @MiraiAttacks, which keeps track of DDoS attacks originating from several (not all) Mirai-powered botnets, did not pick up any attacks aimed against Singaporean IPs for the aforementioned two days.
Although it looks a lot like Mirai's methods, according to experts who track that botnet there seems to be no direct link between the two.

//Download: Starhub Status Report.rar (11.34 KB, downloads: 382)
File name: StarHub Status Report.docx
File size: 14,229 bytes
MD5: 0559292E093D4ECD18E516E6DEDB3DD4

Comment: IoT security....

Posted 2016-10-28 18:59
5. 100,000 IoT devices behind the US internet outage
Title: Botnet of 100,000 IoT Devices Behind Dyn DDoS Attack
Much smaller botnet than the one used against Krebs

Author: Oct 27, 2016 01:05 GMT By Catalin Cimpanu

//BEGIN
Scott Hilton, EVP of Product for Dyn, issued a statement today disclosing that a botnet of around 100,000 bots, all IoT devices infected with the Mirai malware, had been the predominant force behind the DDoS attacks on his company.
Dyn's executive vice president issued a statement today saying that a botnet of about 100,000 devices took part in the DDoS attack on the 21st of this month, which caused its DNS servers to stop serving. All of these bots came from Mirai-infected IoT devices. This figure of 100,000 corrects the company's earlier statement that there might be tens of millions of devices, a claim some experts questioned at the time.

//END
Dyn had a hard time separating legitimate and fake DNS traffic
According to Dyn, this is also the reason why its managed DNS service failed so miserably, bringing down with it a large part of the Internet, and many websites that used Dyn to manage their DNS servers, such as Reddit, Imgur, Twitter, GitHub, Soundcloud, Spotify, PayPal, and more.
"[T]he impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses," Hilton explained. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume."
"It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be," Hilton also added.
The company didn't reveal the actual size of the attack, but there is speculation that this might be even bigger than the DDoS attack on OVH, a French telco, which peaked at 1.1 Tbps, the largest DDoS attack known to date.
Hilton also said that Dyn is currently collaborating in an ongoing law enforcement criminal investigation of the attack.

Dyn had great difficulty telling which DNS requests were legitimate and which were not. That is one reason why, although the traffic was not especially large and the number of bots not especially high, the result was that many major websites became unreachable.
The malicious attack caused a large number of legitimate DNS servers to retry, and those legitimate DNS servers sent out a large number of refresh requests; these factors amplified the malicious attack's traffic 10-20 times. Although Dyn has not yet published the exact size of the malicious traffic, it is speculated to exceed the peak suffered by the French telco OVH (1.1 Tbps at the time), which is the largest known DDoS attack to date.
Dyn is currently cooperating with the relevant national authorities in a criminal investigation to gather evidence.

Comment: IoT security....

Posted 2016-10-28 19:01
6. Firmware used by an Israeli mobile forensics company leaked
Title: Cellebrite digital forensics tools leaked online by a reseller

Author: October 26, 2016 By Pierluigi Paganini

//BEGIN
The firmware used by the Israeli mobile forensic firm Cellebrite was leaked online by one of its resellers, the McSira Professional Solutions.
Role 1: the Israeli mobile forensics company Cellebrite
Role 2: Role 1's reseller, McSira Professional Solutions, McSira for short
Role 1's tool software and firmware were put online by Role 2 for anyone to download. Naturally, hackers, enthusiasts and its competitors will not pass up such a gift. The only catch is that a license key is required to use it, but that does not seem to stop the interested parties just mentioned.

//END
Of course, security experts and mobile forensics investigators have already started examining the leaked software to understand the techniques implemented by Cellebrite for its hacking tools.

Mike Reilly, a representative with Cellebrite, told Motherboard that the McSira website’s links “don’t allow access to any of the solutions without a license key.”

Hackers need a key in order to use the software, but it is likely that soon someone will be able to obtain it by analyzing the leaked applications.

Let’s wait for an official comment from McSira and Cellebrite.
The leak includes the tablet and PC versions of UFED, which can be used to read sensitive information from mainstream phones including Apple, Samsung, Nokia and LG. With these publicly downloadable firmware versions and software, someone will probably soon be able to develop forensic tools similar to Cellebrite's. So far neither of the two parties involved has made a public comment.

//UFED: Cellebrite's Universal Forensic Extraction Device, a device that can get past the security mechanisms of various mobile devices and obtain the sensitive information on them.

//Figure: McSira.png
Comment: That case of phone forensics tools might be worth having. But the download this article describes seems to be unavailable already?
