Daily Security Briefing (20161104)

Posted on 2016-11-3 22:06
Posted on 2016-11-4 23:17
1. Security vendor publishes analysis report on the Linux malware Moose
Title: Linux/Moose: Still breathing

Author: 2 NOV 2016 01:20PM By Welivesecurity

//BEGIN
What is a Moose – Introduction

Linux/Moose is a malware family that primarily targets Linux-based consumer routers but that can also infect other Linux-based embedded systems in its path. The compromised devices are used to steal unencrypted network traffic and offer proxying services to the botnet operator. In practice, these capabilities are used to steal HTTP Cookies on popular social network sites and perform fraudulent actions such as non-legitimate “follows”, “views” and “likes”.
This is a malware family that infects IoT devices, namely home routers; its name is Linux/Moose (a memory-resident piece of malware: rebooting the device causes it to stop working). Naturally, in the course of infecting, it also infects the other Linux embedded systems it passes through. The infected devices are used to steal unencrypted traffic and to act as proxy servers for the botnet. In practice these are used to steal the Cookies of HTTP network traffic, and only with those in hand can fraudulent activity be launched, for example zombie followers, which can be used to inflate the numbers on certain social media: follows == repost counts; views == view counts; likes == like counts.

//END
Linux/Moose’s authors have clearly done a lot of work to stay under the radar with the new version by hiding its C&C server location more effectively and changing the network protocol. By doing this, Moose avoids the Indicators of Compromise (IoCs) released with ESET’s 2015 whitepaper. Shortening the whitelist and password list shows a more delicate approach with Moose. Still, some misleading traces are inside the binary like the fake domain www.challpok.cn found in cleartext in the list of strings or even filenames that can correspond to bitcoinminer or DDoS malware. Linux/Moose stays exclusively a memory-resident threat; rebooting the embedded device will end its execution.
The authors of this malware have clearly done their homework: they cleverly hid the C2 server address and modified the network communication protocol, with the aim of avoiding being discovered again.

Comment: IoT device security, continued....

Posted on 2016-11-4 23:18
2. Android Trojan targeting US and European banks spreads disguised as a Flash app
Title: Android Trojan posing as Flash Player targets over 90 major banks across US and Europe
The malware has the ability to bypass SMS-based two-factor authentication.
The banking Trojan also comes with the ability to target some of the more popular social media apps

Author: November 3, 2016 04:56 GMT By India Ashok

//BEGIN
A new Android banking Trojan, which masquerades as a Flash Player app, targeting customers of at least 90 major banks across the US and Europe has been uncovered. The malware can be considered to be highly advanced and dangerous, especially given its ability to bypass SMS-based two-factor authentication.
An Android banking Trojan disguised as a Flash player was recently discovered; its targets are 94 major online banks in Europe and the US. The countries include: the US, Germany, France, Australia, Turkey, Poland and Austria, among others. Besides online banking apps, the infection targets also include popular social apps: Google Play, Calculator, Facebook, Facebook Messenger, Whatsapp, Snapchat, Twitter, Viber, Instagram and Snapchat, among others.

//END
It is still unclear as to how many victims the malware has already infected. It is unknown as to where the malicious app was found and most downloaded by users. Those who suspect that their device may have been infected, especially in the event that payment card details were shared, would be best served to contact their bank to revoke/reissue new cards.
It is still unclear how many users have already been infected, and likewise unclear where it really came from and where it was downloaded the most. If customers suspect they have been infected, they are advised to contact the card-issuing institution and replace their cards.

Comment: For Android app security, turn to AVL Pro....

Posted on 2016-11-4 23:19
3. Code execution vulnerability found in Belkin WeMo IoT devices
Title: Belkin WeMo Devices Expose Smartphones to Attacks

Author: By Eduard Kovacs on November 02, 2016

//BEGIN
Researchers Find Vulnerabilities in Belkin WeMo Home Automation Products

Researchers from Invincea have identified serious vulnerabilities in Belkin WeMo home automation devices and their associated Android application. The vendor has fixed the mobile app and will soon release firmware updates to patch the device flaws.
Security researchers recently found security vulnerabilities in smart home products and reported them to the vendor. The vendor will soon release a firmware update patch, and at the same time update its Android app.

//END
In addition to disclosing these vulnerabilities, Invincea discovered a hardware authentication bypass technique. Experts believe this and the method used to exploit the SQL injection flaw for arbitrary code execution could apply to other products as well.
Besides releasing patches for these vulnerabilities, the security company also discovered a hardware authentication bypass technique; experts believe that this technique, combined with exploiting the SQL injection vulnerability in the database to achieve arbitrary code execution, could also be used against other products.

Comment: Smart home security.....

Posted on 2016-11-4 23:20
4. High-severity code execution vulnerability found in MySQL and other databases
{CHN}
Title: [Vulnerability Alert] High-severity security vulnerabilities in MySQL, MariaDB and PerconaDB

Author: 2016-11-03 18:58 By E安全

//BEGIN
E安全 reports on 3 November: security expert Dawid Golunski has found high-severity security vulnerabilities in MySQL, MariaDB and PerconaDB that could lead to servers being completely compromised.

//END
The vulnerability stems from the way error logs and other files are managed within these databases: the insecure file handling used for the error.log file can be exploited by an attacker, who can then replace it with an arbitrary system file.
Proof-of-concept videos for the two security vulnerabilities will soon be published at the following link:
https://legalhackers.com/videos/ ... -5617-Exploits.html

Comment: Patch quickly....

Posted on 2016-11-4 23:20
5. XSS vulnerability in the Wix cloud hosting platform affects millions of sites
Title: UNPATCHED VULNERABILITY ON WIX.COM PUTS MILLIONS OF SITES AT RISK

Author: November 2, 2016, 5:36 pm by Tom Spring

//BEGIN
Update: Cloud-based web host Wix.com is vulnerable to a DOM-based cross-site scripting vulnerability that can give attackers control over any of the millions of websites hosted on the platform.
The Wix.com cloud host has a DOM-based cross-site scripting vulnerability that hackers can exploit to attack the thousands upon thousands of websites on the platform.

//END
“If the MySpace worm is any guide, taking over all the millions of websites hosted at Wix wouldn’t take very long,” Austin said.
If the MySpace worm were to spread on this platform, infecting thousands upon thousands of websites would in fact not take very long.

Comment: Cloud security, the security of the platform itself.

Posted on 2016-11-4 23:23
6. Security team publishes investigation into information exposure at Sweden's OMX 30 companies
Title: The OMX 30: Targeted Brand Attacks and Mass Credential Exposures

Author: By Anomali Labs Report

//BEGIN
Overview
A company’s brand is a source of value and a target for cyber attackers. The brand represents the trust the company has invested in and developed with its customers. Exploiting trust or “hacking the human” is an essential part of the initial attacker activities. These involve getting the human to do something that might be against their best interests. These activities are represented as the initial steps in a chain of events known as the Cyber Kill Chain [1] (see Figure 1). The first phase of the Cyber Kill Chain, initial reconnaissance, is often problematic for organizations that don’t know where to start to collect information about registrations of malicious domains and monitor company email address / plain text password combinations found in the dark web or places such as Pastebin.

Subject of the study, the OMX 30: Sweden's 30 largest publicly listed companies (Swedish OMX largest 30 publicly traded companies (OMX 30))
A company's brand is self-evidently valuable to the company, and it is also the primary target of cyber attacks. Attackers often exploit ordinary people's trust in these brands as the first step of an attack.
In the well-known kill chain model, the first link of the chain is the information gathering phase. For the defending side, knowing where to go to collect registration information on malicious domains is somewhat difficult. At the same time, going further to monitor the company's related assets, such as email addresses and plaintext passwords circulating on the dark web or on sharing sites, can sometimes also feel beyond one's capacity.


//END
At least one third of the OMX-30 had credentials compromised by the Pony Password Stealer, amounting to 31 credentials stolen. Additionally, half of all OMX-30 had compromised credentials exposed via Pastebin, amounting to 183 credentials exposed. Employees need to be reminded of the dangers of using corporate email addresses and passwords to access personal websites which may weigh heavily on these statistics. Companies should monitor for compromised employee credentials so they can force reset accounts and gather metrics about how often employees are using their work email addresses for access to non-work related websites.

Understanding the importance of monitoring domain registrations can’t be overstated. This is your window into how your business might be targeted and by whom. A good threat intelligence platform will help you find out what new domains related to your business might be suspicious. The registrant email address can be used to see what other domains the registrant might have created and all the IPs associated with each domain. The IPs and Domains can be fed to network security gateways to keep inbound and outbound communication to these domains from occurring.
At least one third of the OMX-30 companies had their credentials stolen by the Pony password stealer, 31 credentials in total. In addition, half of the OMX-30 companies had credentials shared on sharing sites, directly leading to 183 credentials being exposed. As a company, one should educate employees not to use their work mailbox and login password outside of work, and the company should also adopt technical means to monitor which mailboxes have been taken over or infected, so as to take further preventive measures, for example mandatory password resets.
The importance of monitoring domain registration servers cannot be overstated; this is a window onto the outside. A good threat intelligence analysis platform will help you discover which new domains may pose a threat to your business activities. Following the email address and the corresponding IP addresses, domain names and other information, a great deal of other key information can be correlated.


//Download: OMX-30Targeted Brand Attacks and Mass Credential Exposures.pdf (561.51 KB, downloads: 370)
File name: OMX-30Targeted Brand Attacks and Mass Credential Exposures.pdf
File size: 574,985 bytes
MD5: 4631DD59976E74DD22A58F8159246A55

Comment: Making proper use of the corporate (work) mailbox matters.
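As an added example (not part of the Anomali report or of this post), the kind of check the report recommends for exposed credentials: a constructed paste-style email:password dump is scanned for addresses on monitored corporate domains, exposures are counted per company for metrics, and the unique accounts to force-reset are listed. The domain names and company labels are hypothetical placeholders, not the OMX-30 companies.

```python
# Added example (not from the Anomali report): match a credential dump against
# monitored corporate domains, count exposures per company and list accounts
# to force-reset. Domains and companies are hypothetical placeholders.
import re
from collections import Counter

# Hypothetical monitored domains -> company label (not real OMX-30 companies).
MONITORED_DOMAINS = {
    "examplebank.se": "ExampleBank",
    "nordic-telecom.example": "NordicTelecom",
}

# Constructed sample dump in the common paste form email:password.
SAMPLE_DUMP = """\
anna.svensson@examplebank.se:Summer2016!
bob@gmail.com:hunter2
erik.l@EXAMPLEBANK.SE:Qwerty123
# junk line without a credential
lisa@nordic-telecom.example:P@ssw0rd
anna.svensson@examplebank.se:Summer2016!
"""

# email (domain captured separately), a separator, then the password
CRED_RE = re.compile(r"^\s*([^\s:@]+@([^\s:@]+))\s*[:;,]\s*(\S+)\s*$")


def parse_dump(text):
    """Yield (email, domain) for each well-formed line, case-normalised.
    Passwords are discarded: monitoring needs the identity, not the secret."""
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).lower()


def find_exposures(text, monitored=MONITORED_DOMAINS):
    """Return ({company: raw exposure count}, sorted unique accounts to reset)."""
    counts = Counter()
    accounts = set()
    for email, domain in parse_dump(text):
        company = monitored.get(domain)
        if company is None:
            continue  # personal address: out of scope
        counts[company] += 1  # every appearance counts as an exposure
        accounts.add(email)   # but each account is reset once
    return dict(counts), sorted(accounts)


if __name__ == "__main__":
    print(find_exposures(SAMPLE_DUMP))
```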