
Daily Security Briefing (20161106)

Posted 2016-11-5 21:10

Posted 2016-11-6 20:10
1. Researchers discover commodity Android spyware Exaspy
Title: COMMODITY ‘EXASPY’ SPYWARE FOUND TARGETING HIGH-LEVEL EXECS

Author info: November 4, 2016, 4:53 pm by Tom Spring

//BEGIN
Researchers say they have discovered commodity Android spyware called Exaspy being used to spy on executives. The spyware, according to Skycure Research Labs, is being sold as a $15-a-month turnkey service online and can be used to intercept nearly all phone-based communications including phone calls, text messages, Skype sessions, photos and much more.
Commercial spyware for mobile platforms has been found that is paid for online as a monthly subscription and used to monitor high-value targets over the network, including their call records, SMS records, chat logs, photos and video recordings. The spyware is called ExaSpy ("Ex" is short for Executive, and the name also comes from its C2 domain, www.exaspy.com); the fee is 15 US dollars per month. The spyware does not spread automatically over the network and can only be installed by hand with physical access to the device, so its spread can be expected to be very limited. It runs only on Android; installation requires a license and admin (device administrator) privileges; nothing is displayed during installation, and afterwards it masquerades as Google Services so that ordinary users do not notice it.

//END
Skycure Research Labs said avoidance and mitigation efforts should include PIN code or fingerprint authentication for mobile device access, disabling USB debugging and regularly checking an Android’s Device Administrators list and disable components you don’t trust.
To avoid harm from similar Android spyware, users are advised to set a PIN code or fingerprint verification for unlocking the phone, disable the USB debugging option, regularly check the phone's Device Administrators list, and remove any suspicious components.

Comment: On the Android platform, AVL Pro is recommended....

Posted 2016-11-6 20:10
2. Spyware found at the venue of the Iran nuclear talks in Geneva
Title: Malware used to spy Iran’s nuclear negotiations in the Geneve’s venue

Author info: November 4, 2016 By Pierluigi Paganini

//BEGIN
Switzerland’s attorney general has confirmed to have investigated the presence of spyware in a venue that also hosted talks on Iran’s nuclear negotiations.
Switzerland's attorney general said an investigation has been opened into the discovery of spyware on the computers and servers of a luxury hotel that hosted the Iran nuclear talks.

//END
The Israeli government is one of the main suspects, but it has always denied accusations of cyber espionage despite a Russian-based security firm speculated the use of a spyware having similarities with the ones used by Israeli cyber spies.
The industry widely suspects that Israel's intelligence services were behind it, although that country's intelligence agencies have never admitted to such things, and this time is no exception. However, a Russian security firm has found that part of the malicious code appears similar to the techniques used by Israeli cyber spies.

Comment: Murky, and short on details.

Posted 2016-11-6 20:12
3. Remote code execution vulnerability found in a Sophos security product
Title: Sophos Web Appliance 4.2.1.3 Remote Code Execution

Author info: Nov 4, 2016 By Matthew Bergin

//BEGIN
KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resour ... KL-001-2016-009.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Appliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-78: Improper Neutralization of Special Elements
                         used in an OS Command ('OS Command Injection'),
                         CWE-88: Argument Injection or Modification
     Impact: Remote Code Execution
     Attack vector: HTTP

//END
7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLo ... ure-Policy.v2.2.txt

//Download: KL-001-2016-009.rar (2.53 KB, downloads: 334)
File name: KL-001-2016-009.txt
File size: 5,020 bytes
MD5     : 3ADB9CE7B7B5F3FB4AEAAAE502265D2C

Comment: Security software is meant to protect users, but security software is software too, so it can have vulnerabilities of one kind or another, sometimes even serious ones.

Posted 2016-11-6 20:14
4. OWA design flaw allows two-factor authentication to be bypassed
Title: OUTLOOK WEB ACCESS TWO-FACTOR AUTHENTICATION BYPASS EXISTS

Author info: November 3, 2016, 3:15 pm by Michael Mimoso

//BEGIN
Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.
Enterprises running Exchange mail servers may all feel that their corporate mail service is secure, especially since two-factor authentication is enabled by default, and accessing mail over the web through Outlook Web Access (OWA) seems to add security. That is not actually the case: security experts recently found a design flaw in Microsoft Exchange that lets an attacker easily get around two-factor authentication and access mailboxes, calendars, contacts and other sensitive corporate information over the web. The problem is that the Exchange mail service EWS and OWA share one server and port, and EWS has 2FA enabled by default while OWA does not. So if an attacker can find a way to break into EWS, they can also reach OWA, and the mail that sits behind OWA can then be accessed without authorization.

//END
“This does not affect Office 365 with multi-factor authentication (MFA) fully enabled. What the blog describes is not a software vulnerability and does not work without user account credentials/stolen passwords,” a Microsoft spokesperson told Threatpost. “I think in the end, the best solution would be to re-architect it,” Bullock said. “In the short term, how hard would it be for Microsoft to disable it by default and if an organization actually needed to use EWS for a thick client, then they could enable it. They’re trying to keep all the protocols open and make it easier for deployment.”
Perhaps because fixing it would be too much work, Microsoft does not acknowledge the problem, saying that with MFA properly configured, Office 365 is not affected. Security experts, however, say it is unlikely that Microsoft will fully fix this problem in the short term.

//
OWA: Outlook Web Access
MFA: multi-factor authentication
2FA: two-factor authentication
EWS: Exchange Web Services
RDP: Remote Desktop Protocol
SMB: Server Message Block

Comment: As everyone has learned from the US election saga, email security cannot be ignored.

Posted 2016-11-6 20:15
5. Canada's decade-long "ODAC" surveillance program exposed
{CHN}
Title: Canadian intelligence agency's "ODAC" program exposed; metadata illegally retained for ten years

Author info: 2016-11-05 11:45 By E安全

//BEGIN
E安全, November 5: A federal court ruling made public on Thursday came as a shock: the Canadian Security Intelligence Service (CSIS, the equivalent of the CIA) ran a secret program to collect and retain metadata for a decade. Only after this court ruling did it become known that the Operational Data Analysis Centre (ODAC) is a CSIS surveillance program, and ODAC has been operating since 2006. The federal court found that CSIS did not let the court know of ODAC's existence until this year. The ruling states that "this practice breached the agency's duty of candour."

//END
In addition, six journalists confirmed that Quebec police had also been carrying out surveillance.
Canada's Liberal government is currently drawing criticism over its national security consultation; critics argue it is a push for new spying powers rather than a sober assessment of Canada's surveillance powers.

Comment: Canada is surely not the only country doing this.

Posted 2016-11-6 20:18
6. DRAM attack can steal data from network-isolated virtual machines
标题:JavaScript-Based DRAM Attack Allows Covert Data Theft

Author info: November 05, 2016 By Eduard Kovacs

//BEGIN
LONDON - BLACK HAT EUROPE - A new dynamic random-access memory (DRAM) attack method disclosed by researchers on Friday can allow malicious actors to steal sensitive data from a virtual machine, through a covert channel, using JavaScript.
Security experts have published new research results: an attack method targeting DRAM memory modules. Exploiting this hardware design flaw, with the help of JavaScript, an attacker can steal a user's sensitive information from a virtual machine. The whole process does not require running any program or exploiting any other software vulnerability.

//END
Since these attacks are possible due to the way DRAM is designed and works, the researchers believe there are no easy mitigations. However, they noted that while the vulnerability is serious, it’s unlikely that we will see any attacks in the wild in the next few years. The goal of this research is to raise awareness and demonstrate that hardware needs to be secure as well — software is not the only problem.
Because the attack process described above targets the hardware design of DRAM and the way it operates, it is rather difficult to avoid. However, although the vulnerability is very serious, exploiting it within the next few years would still be quite difficult; the reason for disclosing it is to remind hardware designers to pay as much attention to the design process as software designers do, so as to avoid vulnerabilities.

Comment: Hardware design flaws....

//Download: eu-16-Schwarz-How-Your-DRAM-Becomes-A-Security-Problem-wp.pdf (1.41 MB, downloads: 421)
File name: eu-16-Schwarz-How-Your-DRAM-Becomes-A-Security-Problem-wp.pdf
File size: 1,477,799 bytes
MD5     : 3B010F7C5339955918C6CA73705EF25E
Note 1: an 85-page doctoral thesis

Download: eu-16-Schwarz-How-Your-DRAM-Becomes-A-Security-Problem.pdf (3.66 MB, downloads: 417)
File name: eu-16-Schwarz-How-Your-DRAM-Becomes-A-Security-Problem.pdf
File size: 3,841,414 bytes
MD5     : 3A15B5AC294820345A8DB36502B684E1
Note 2: the paper from the European hacker conference, nearly 200 pages....

Download: RR-5881.pdf (302.96 KB, downloads: 336)
File name: RR-5881.pdf
File size: 310,231 bytes
MD5     : 355E22A8B2E85E8455319C59CDF64C56
Note 3: an overview of cache attacks

Download: sec16_paper_pessl.pdf (2.21 MB, downloads: 403)
File name: sec16_paper_pessl.pdf
File size: 2,316,838 bytes
MD5     : 7C79D50302B04B3B15B1649430B516DD
Note 4: an overview of cross-CPU DRAM attacks
