
Daily Security Briefing (20161103)

Posted on 2016-11-2 21:05
Posted on 2016-11-3 21:11
1. Microsoft says vulnerabilities discovered by Google are being exploited by a Russian APT group
Title: MICROSOFT SAYS RUSSIAN APT GROUP BEHIND ZERO-DAY ATTACKS

Author info: November 1, 2016, 5:50 pm by Michael Mimoso

//BEGIN
Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days in targeted attacks.
Microsoft says an APT group is exploiting the two 0-day vulnerabilities most recently disclosed by Google. The group appears to be linked to Russia's secret military intelligence organization and is said to be carrying out targeted attacks using one 0-day in the Windows kernel and one 0-day in Adobe Flash.

//END
Yesterday’s abrupt disclosure by Google was in accordance with its internal policies, which gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations, and seven days to at a minimum report on critical flaws under active exploitation. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” Google said in 2013 upon publicizing its disclosure policy.
Google's "sudden" disclosure yesterday that these two 0-days are being exploited caught Microsoft and Adobe somewhat off guard; Microsoft also said this approach was inappropriate: "our responsibility is to protect the security of our users' assets." But Google says it was following its own vulnerability disclosure policy: after notifying the vendor, it allows 60 days to patch, or to inform users that the risk exists and recommend temporary protective measures. For critical vulnerabilities under active exploitation, only 7 days are given. "Seven days is rather short, but it is enough time to publish temporary mitigations and workarounds for users, for example temporarily stopping certain services, restricting certain access policies, or contacting the vendor directly." This is the vulnerability disclosure policy Google published in 2013.

Comment: Microsoft, Google, and the so-called Russian APT group are all big players.

Posted on 2016-11-3 21:15
2. Microsoft IE 0-day was used in the AdGholas campaign
Title: CVE-2016-3298: Microsoft Puts the Lid on Another IE Zero-day Used in AdGholas Campaign

Author info: October 31, 2016 9:00 am By Author: Henry Li

//BEGIN
Microsoft’s Patch Tuesday for October fixed another previous zero-day vulnerability in Internet Explorer (IE) via MS16-118 and MS16-126: CVE-2016-3298. Before the lid was put on it, the security flaw was employed alongside CVE-2016-3351 by operators of the AdGholas malvertising campaign, analysis and disclosure of which were made with our collaboration with Proofpoint’s @kafeine last July 2016. The campaign was notable for the economies of scale and scope it achieved in its heyday until its operations were stymied. As shared by @kafeine, it was even integrated in Neutrino exploit kit’s malvertising chain as a malicious JavaScript.
CVE-2016-3298: Microsoft's bulletin numbers are MS16-118 and MS16-126. The vulnerability is in the IE browser, and Microsoft released the patch for this 0-day on October's regular Patch Tuesday. Before the patch was released, the vulnerability was used together with CVE-2016-3351 by the AdGholas malvertising group. AdGholas was mainly used for financial gain and had a fairly wide reach. It even made use of other malicious JavaScript within the Neutrino exploit kit.


//END
Patching CVE-2016-3298
Microsoft’s cumulative update, rolled out on October 11, covered Internet Explorer 9 to 11 on Windows clients and servers, and was accompanied with a patch for Vista, Server 2008 (SP2 and R2 SP1) and Windows 7 (SP1). The patches addressed the vulnerability by changing how the Microsoft Internet Messaging API (inetcomm.dll) handles objects in memory—inetcomm.dll’s patched version is 6.1.7601.23548; if unpatched, it’s 6.1.7601.17514.
On October 11 Microsoft released a cumulative update covering IE9 through IE11, including both Windows clients and servers, and of course also Vista, Server 2008 (SP2 and R2 SP1) and Windows 7 (SP1). The patch mainly fixes how inetcomm.dll handles objects in memory: the patched file version is 6.1.7601.23548; the unpatched version is 6.1.7601.17514.

Comment: malvertising promoted with 0-days?
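A defender-side patch check suggested by the inetcomm.dll version numbers quoted in item 2, added here as an example; it is not code from the Trend Micro article or the post. It assumes a Windows 7 SP1 / Server 2008 R2 SP1 host, since 6.1.7601.x are that platform's build numbers; other Windows versions ship inetcomm.dll under different version numbers.

```powershell
# Added example, not from the article: compare the installed inetcomm.dll
# against the patched / unpatched versions quoted for CVE-2016-3298.
# Assumption: Windows 7 SP1 or Server 2008 R2 SP1 (build 6.1.7601); other
# platforms carry different inetcomm.dll version numbers.
$patched   = [version]'6.1.7601.23548'   # version quoted in the article
$unpatched = [version]'6.1.7601.17514'   # version quoted in the article

# On 64-bit hosts a 32-bit copy also lives in SysWOW64; check every copy present.
$paths = @("$env:windir\System32\inetcomm.dll", "$env:windir\SysWOW64\inetcomm.dll") |
    Where-Object { Test-Path $_ }

foreach ($p in $paths) {
    $fi = (Get-Item $p).VersionInfo
    # Build the version from the numeric parts rather than parsing the
    # FileVersion string, which can carry extra text on some builds.
    $installed = New-Object System.Version -ArgumentList `
        $fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart

    if ($installed -ge $patched) {
        "{0}: {1} - at or above the patched version" -f $p, $installed
    } elseif ($installed -eq $unpatched) {
        "{0}: {1} - known unpatched version, install MS16-118 / MS16-126" -f $p, $installed
    } else {
        "{0}: {1} - version not listed in the article, check the bulletin's KB table" -f $p, $installed
    }
}
```

Run it in an elevated or standard PowerShell session on the host to be checked; a version below the patched one that is not the quoted unpatched value means a different OS build and the bulletin's own file-version table must be consulted.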

Posted on 2016-11-3 21:16
3. Google AdWords can spread malicious code to Mac users
Title: Apple fans using Chrome on alert for Mac malware
Google AdWords has been spewing software nasties

Author info: 1 Nov 2016 at 16:22 By Iain Thomson

//BEGIN
Security researchers at Cylance have uncovered a malware-spreading campaign that uses Google AdWords to pump out rogue code to macOS users.
Members of a security team found that Google AdWords can spread malicious code to Mac users, and that the hash of the malware installer package is different on every download, which makes detection and blocking more difficult.

//END
Google was informed about the scam on October 25 and pulled the AdWord advert immediately, and security vendors have been given signatures for the malware. But if you've been looking for Chrome on your Mac (what, Safari not good enough for you?) then running a scan would be a very smart move.
The security company reported the relevant technical details to Google on October 25, and Google immediately responded and released detection signatures to security vendors. If you are planning to use Chrome on a Mac, it is advisable to run a virus scan first.

Comment: malicious code is converging across different platforms, which demands seamless cooperation between vendors as well.

Posted on 2016-11-3 21:17
4. Security team publishes a technical analysis report on the "九头虫" (Nine-Headed Worm) virus
{CHN}
Title: "九头虫" Virus Technical Analysis Report

Author info: 2016-11-02 By 阿里聚安全 (Alibaba JAQ Security)

//BEGIN
I. Background

Recently, Alibaba Mobile Security received feedback from many users whose phones were infected with a virus that is hard to remove. Once the virus activates, the device constantly pops up ads and automatically downloads, installs and launches malicious apps, until the device is finally worn out and dies; users find it very hard to remove the virus through normal uninstall methods. Because the virus has evolved through multiple versions and has the ability to come back from the dead, we named it "九头虫" (Nine-Headed Worm).
Our analysis found that the "九头虫" virus uses root SDKs from several well-known vendors to escalate privileges on the device, easily rooting tens of thousands of device models. After a successful privilege escalation it obtains the highest privileges on the device, then implants multiple malicious apps into the system partition, deletes the device's other root authorization programs and su files, and replaces the system boot script files, achieving "resurrection" while ensuring the virus keeps root privileges. It inserts itself into the whitelist of a certain antivirus product and disables several well-known domestic antivirus products, completely paralyzing the device's security protections.
Infected devices become zombie devices for the "九头虫" virus, pushing over a million ads per day with a click rate of roughly 15% (mostly simulated clicks by the virus itself), which means over 100,000 ad clicks per day; add silent installs and deceptive installs, with each successful install and activation earning 1.5 to 2 yuan, and the proceeds are considerable!

//END
V. Security recommendations
The "九头虫" virus directly and illegally exploits well-known vendors' root SDKs, allowing it to easily compromise tens of thousands of device models. Root vendors should strictly verify who is requesting root, and such dangerous privilege-escalation code should be tightly protected. Users should use devices from major manufacturers where possible and update the device system promptly; be cautious of ads pushed inside apps during daily phone use; do not casually tap mobile software, files, videos and so on of unknown origin; and regularly scan with security software such as 钱盾 (Qiandun).

Comment: first the "不死鸟" (Phoenix), now the "九头虫" (Nine-Headed Worm): one after another.

Posted on 2016-11-3 21:18
5. An already-patched SAP vulnerability still affects 941 systems worldwide
Title: Vulnerability Impacts Web-Exposed SAP Systems

Author info: November 01, 2016 By Ionut Arghire

//BEGIN
A recently detailed 0-day SAP vulnerability that was patched in September impacts over 900 SAP systems that are exposed to the Internet.
SAP stands for System Applications and Products. A 0-day vulnerability, for which SAP released a patch in September, was recently found to affect more than 900 SAP systems on the Internet.

//END
In October, SAP issued patches for 48 vulnerabilities in its products, including 25 Implementation Flaws and 12 Missing Authorization checks. As of June 2016, SAP had released over 3,660 Security Notes, but the number of resolved security flaws is much higher, because one security note can patch multiple vulnerabilities.
In October, SAP patched 48 vulnerabilities in its products, including 25 implementation flaws and 12 faulty authorization checks. As of June 2016, SAP had released 3,660 Security Notes. The number of security vulnerabilities actually resolved is much higher, because one Security Note can fix many vulnerabilities.

Comment: the more widely an application is used, the more vulnerabilities it will have.

Posted on 2016-11-3 21:20
6. Researchers find critical vulnerabilities in Schneider industrial control suite
Title: PanelShock 0-day Vulnerability Puts Thousands of Schneider Electric HMI Panels, Industrial Control Systems and Critical Infrastructure at Risk

Author info: November 1, 2016 By Pierluigi Paganini

//BEGIN
Security researchers at CRITIFENCE cyber security labs publicly announced this morning (November 1, 2016) major cyber security vulnerabilities affecting one of the world’s largest manufacturers of SCADA and Industrial Control Systems, Schneider Electric.
Schneider Electric is a manufacturer of SCADA and ICS industrial control systems; on November 1, 2016 a security vendor announced that it had found critical 0-day security vulnerabilities in its devices.

//END
“The vast majority of SCADA and ICS devices are based on legacy hardware components, so many devices succumb to vulnerabilities that could be handled easily by more robust hardware. Feeble CPU’s, low memory hardware and outdated operating systems are not uncommon in the field of SCADA and ICS. Yet not many security researchers have access to this kind of devices. While anyone at home can download a web server software and try to find vulnerabilities, not that many people overall have access to a PLC which is not part of a production environment. The elevated security of many common network components is partly a result of the vendors’ work, and partly a result of self-assigned security researchers that find vulnerabilities. Since there’s a low exposure to SCADA and ICS devices to security researchers, the security level relies exclusively on vendors’ efforts”. Says Eyal Benderski, Manager of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE.
SCADA and ICS industrial control systems are usually fairly closed, and upgrades of systems and components are slow, which makes attacking them relatively easy: little memory, outdated operating systems. At the same time, many security experts have few opportunities to directly access these devices; only operators deal with them regularly, and that is not enough to discover security problems in time. So, in general, discovering vulnerabilities falls largely on the device manufacturers, yet the proactive discovery awareness and capability of SCADA and ICS manufacturers is clearly insufficient.

Comment: ICS security plus 0-day vulnerabilities, how can one not think of Stuxnet (震网)?
