Daily Security Briefing (20161109)

Posted on 2016-11-8 20:35
Posted on 2016-11-9 14:03
1. Cheetah Mobile exposes the "screen-hijacking" (霸屏) mobile ransomware sweeping the globe
{CHN}
Title: The "screen-hijacking" virus sweeping the globe: technical analysis and remediation

Author info: 2016-11-08 By Cheetah Mobile Security Lab

//BEGIN
According to Cheetah Mobile's statistics on mobile users worldwide, screen-hijacking viruses have shown a tendency to spread over the past two months, and in some countries, notably Russia and Mexico, the damage is extremely serious. More than 30,000 phones are infected every day worldwide.

//END
Remediation:
1. If USB debugging is enabled on the phone, the virus can be uninstalled by running the following commands from a computer:
pm list packages -3    (find the virus's package name)
pm uninstall 'pkg'    (uninstall it)
2. Reboot into recovery and use the file manager of a third-party recovery to delete the apk file under /data/app/'pkg'.
3. If the virus has activated device administrator, USB debugging is enabled and the phone is rooted, the virus program and the files storing the lock-screen password can be forcibly deleted to clean it up:
a)        su
b)        rm -r /data/app/'pkg'    (the directory)
c)        rm /data/system/password.key
d)        rm /data/system/gesture.key
e)        reboot

Comment: against ransomware, back up, back up, and back up again.
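The following POSIX shell helper is an added example; it is not part of the original post or of Cheetah Mobile's write-up. It wraps the "pm list packages -3" / "pm uninstall" steps above: it assumes adb is on the PATH, falls back to a constructed sample of "pm list packages -3" output when no device is attached (so the parsing can be exercised offline), and only prints the uninstall commands as a dry run, so the analyst confirms the package name before anything is removed. The package names in the sample are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from Cheetah Mobile): helper
# around the `pm list packages -3` / `pm uninstall` remediation steps.
# Assumes `adb` is on PATH; nothing is executed on the device by this script.

# Constructed sample of what `adb shell pm list packages -3` prints, used when
# no device is attached. Package names are hypothetical.
SAMPLE_PM_OUTPUT='package:com.example.weather
package:com.example.bank
package:com.locker.fake'

# Strip the "package:" prefix that pm prints in front of every package name.
# Older adb builds emit CRLF line endings, so carriage returns are dropped first.
extract_packages() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Build the uninstall command for one package without running it. The name is
# single-quoted so shell metacharacters in a hostile package name are inert.
uninstall_cmd() {
    printf "adb shell pm uninstall '%s'\n" "$1"
}

# List third-party packages from the attached device, or from the sample
# when adb or a device is unavailable.
list_third_party() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        adb shell pm list packages -3
    else
        printf '%s\n' "$SAMPLE_PM_OUTPUT"
    fi | extract_packages
}

# Dry run: print the uninstall command for every third-party package whose
# name matches the pattern the analyst identified as the ransomware.
plan_uninstall() {
    pattern="$1"
    list_third_party | grep -- "$pattern" | while IFS= read -r pkg; do
        uninstall_cmd "$pkg"
    done
}

# Example usage: plan_uninstall locker
```

Run the printed command by hand once the package name is confirmed. Note that "pm uninstall" fails for a package that has activated device administrator, which is the case the post's step 3 addresses.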

Posted on 2016-11-9 14:05
2. Security vendor warns that Cerber ransomware has begun encrypting databases
Title: Cerber ransomware has begun to target databases

Author info: 2016-11-07 By Anthony Spadafora

//BEGIN
McAfee has warned that the Cerber ransomware is now being used to encrypt company databases.
McAfee has warned that the cybercriminals behind the Cerber ransomware have begun to target businesses as well as individuals by encrypting their databases until payment is received.
During July, those responsible for Cerber launched over 160 campaigns at 150,000 users. These attacks generated $195,000 during that month, of which the developer behind the ransomware received $78,000. Overall it is estimated that creating and using ransomware to launch cyberattacks earns the creators of the malware and those who employ it in their attacks around $1 million to $2.5 million a year. The infosec firm Trustwave noted in 2015 that a ransomware creator could earn up to $84,000 a month just by selling their malware on the dark web.
Ransomware is no longer satisfied with the small wallets of individual customers; it has started to turn its sights on a core enterprise asset: the database. A security company reported that in 2015 a ransomware author could earn up to $84,000 a month, money obtained by selling the ransomware on the dark web. In July this year, the Cerber ransomware launched 160 campaigns attacking roughly 150,000 users; the total sum involved was about $200,000, of which just over $80,000 ended up in the developers' pockets. Taken together, this ransomware business turns over roughly $1 million to $2.5 million a year, shared between the developers and the distributors.

//END
In order to stay alert regarding Cerber, Rosenquist recommends keeping an eye on databases that stop abruptly, as this may be an indication that Cerber has begun to encrypt the database.
Currently, there is no way to decrypt files that have been encrypted by Cerber so businesses and individuals should take extra precautions to avoid being infected with the malware.
To encrypt an enterprise database the ransomware must first stop it running, so database operations staff should pay particular attention to unexpected database terminations and check whether they are under ransomware attack. Once the encryption succeeds, there is currently hardly any way to decrypt without paying the ransom; the encryption algorithm is the same for enterprises and individuals.

Comment: against ransomware, back up, back up, and back up again. And be sure to verify that the database backups are valid.
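The advice to watch for databases that stop abruptly can be turned into a simple check. The shell script below is an added example, not part of the original post or of McAfee's guidance: it reads database service events (a constructed sample in a hypothetical "timestamp event details" format; a real deployment would feed the database error log or the OS service log) and reports every DB_STOP that falls outside a declared maintenance window, which is the kind of unexpected termination the article says operations staff should investigate. The ticket identifier in the sample is made up.

```shell
#!/bin/sh
# Added example, not from the original post or from McAfee. Flags database
# service stops that happen while no maintenance window is open.

# Constructed sample log in a hypothetical "<timestamp> <event> [details]" format.
SAMPLE_LOG='2016-11-07T01:00:00 MAINTENANCE_WINDOW_OPEN ticket=CHG-1234
2016-11-07T01:05:12 DB_STOP host=db01
2016-11-07T01:20:40 DB_START host=db01
2016-11-07T01:30:00 MAINTENANCE_WINDOW_CLOSE ticket=CHG-1234
2016-11-07T03:41:09 DB_STOP host=db01
2016-11-07T09:00:00 DB_START host=db01'

# Read event lines on stdin; print the timestamp of every DB_STOP that occurred
# while no maintenance window was open (awk's uninitialised `planned` is 0).
abrupt_stop_times() {
    awk '
        $2 == "MAINTENANCE_WINDOW_OPEN"  { planned = 1; next }
        $2 == "MAINTENANCE_WINDOW_CLOSE" { planned = 0; next }
        $2 == "DB_STOP" && !planned      { print $1 }
    '
}

# Check the log file given as $1 (or the sample when no file is given).
# Returns 1 and prints an alert when an abrupt stop is found, so the function
# can drive a cron job or a pager; returns 0 otherwise.
check_log() {
    if [ -n "$1" ]; then
        stops=$(abrupt_stop_times < "$1")
    else
        stops=$(printf '%s\n' "$SAMPLE_LOG" | abrupt_stop_times)
    fi
    if [ -n "$stops" ]; then
        printf 'ALERT: abrupt database stop(s) at: %s\n' "$stops"
        return 1
    fi
    echo "OK: no abrupt database stops"
    return 0
}

# Example usage with the constructed sample: check_log
```

The 01:05 stop is covered by the open change window and is ignored; the 03:41 stop is not and is reported. Correlating such a stop with a sudden burst of file renames in the data directory would be the next step a responder takes, since a stopped service is also what an encrypting process needs to get exclusive access to the files.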

Posted on 2016-11-9 14:06
3. Remote code execution vulnerability in the Bopup enterprise communication server
Title: RCE Flaw Found in Bopup Enterprise Messaging Tool

Author info: November 07, 2016 By Eduard Kovacs

//BEGIN
Trustwave has disclosed an unpatched remote code execution (RCE) vulnerability affecting Bopup Communication Server, a solution that allows enterprises to manage and control their IM communications.
A remote code execution (RCE) vulnerability has been found in the communication server of the enterprise instant-messaging product Bopup, and it is still unpatched, even though a security company reported the details to the vendor in mid-July. Bopup is a solution for managing enterprise-grade instant messaging.

//END
Trustwave said the vulnerability affects Bopup Communication Server version 4.5.3.13001 and earlier. B-Labs was notified about the issue in mid-July, but the vendor has been unresponsive and the flaw remains unpatched. SecurityWeek has reached out to B-Labs for comment and will update this article if the company responds.
Until a patch becomes available, Bopup Communication Server users can protect themselves against potential attacks by using intrusion prevention and intrusion detection systems, Trustwave said.
Since no patch is available for now, Bopup users can only rely on intrusion prevention systems (IPS) and intrusion detection systems (IDS) to protect themselves.

Comment: four months and the flaw is still unpatched....

Posted on 2016-11-9 14:08
4. Vulnerabilities found in industrial Ethernet products from Taiwan's Moxa
Title: Flaws Found in Moxa Industrial Ethernet Products

Author info: November 07, 2016 By Eduard Kovacs

//BEGIN
A researcher has discovered a couple of critical and medium severity vulnerabilities affecting various industrial ethernet products from Taiwan-based industrial networking, computing and automation solutions provider Moxa.
Moxa is a Taiwan-based supplier of industrial Ethernet products; its main products are industrial-grade network communication, computing and automation equipment. Security experts recently found several critical and medium-severity vulnerabilities in its products, some of which will not be fixed until May or June next year.

//END
Firmware updates that patch these vulnerabilities were released by Moxa on November 1 for OnCell G3470A-LTE and AWK-1131A/3131A/4131A products. Firmware updates for some of the other devices are expected to become available in May and June 2017. Moxa has informed customers that some AWK products and the affected TAP device model are no longer supported and will not receive any updates.
Rupp has identified more than a dozen vulnerabilities in Moxa products over the past months, including in routers, serial device servers and cellular IP gateways. Others identified serious flaws in Moxa's factory automation products and MiiNePort embedded serial-to-Ethernet device server modules.
Firmware fixes for some products were released on November 1, while others may have to wait until the middle of next year. Some devices are no longer supported and will receive no patch, leaving users no option but to replace the product. Over the past few months, security experts have found vulnerabilities in several Moxa product lines, including routers, serial device servers and cellular IP gateways.

//Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-308-01
Advisory (ICSA-16-308-01)
Moxa OnCell Security Vulnerabilities
Original release date: November 03, 2016
The list of products affected by these vulnerabilities:
OnCell G3470A-LTE,
AWK-1131A/3131A/4131A Series,
AWK-3191 Series,
AWK-5232/6232 Series,
AWK-1121/1127 Series,
WAC-1001 V2 Series,
WAC-2004 Series,
AWK-3121-M12-RTG Series,
AWK-3131-M12-RCC Series,
AWK-5232-M12-RCC Series,
TAP-6226 Series,
AWK-3121/4121 Series,
AWK-3131/4131 Series, and
AWK-5222/6222 Series.

Comment: industrial control device security....

Posted on 2016-11-9 14:10
5. Vulnerability in the mobile version of Cisco's careers site leaks job applicants' information
Title: Cisco data leak – Job applications portal leaked personal information

Author info: November 7, 2016 By Pierluigi Paganini

//BEGIN
Cisco data leak – Cisco has fixed a security vulnerability in the company Professional Careers portal that exposed personal information of the users.
Cisco data leak – Cisco has fixed a security vulnerability existing in the company Professional Careers portal that may have leaked personal information.
Cisco has notified the issue to the affected users via mail in which it clarifies that just a "limited set of job application related information" was leaked from the mobile version of the website.
Cisco data leak includes name, username, password, email, address, phone number, answers to security questions, education and professional profile, cover letter and resume text, and other personal information.
The incorrect configuration was exposing data from August 2015 to September 2015, and again from July 2016 to August 2016. The issue was discovered by an unnamed researcher that ethically reported it to the company.
Cisco has leaked data! The leak was caused by a security vulnerability that exposed the personal information of applicants on the company's recruitment site. The vulnerability has now been fixed, and potentially affected users were notified by email; the notification states that the leak occurred only on the mobile version of the careers site and involved a limited amount of data. The leaked personal information includes username, name, the password for the username, email address, phone number, answers to security questions, educational and professional background, and also the cover letter and the main text of the resume. The specific cause was an incorrect configuration-file setting by a third-party operations company. The affected periods were August to September 2015 and July to August 2016. The issue was disclosed by a person who did not wish to be named.

//END
The exposed data could be used for social engineering attacks against the users. Cisco offered free 90-day fraud alerts on their accounts to the affected users.
The leaked information could be used for social-engineering deception. Cisco is giving all the affected users 90 days of free fraud email alerts.

Comment: privacy protection.....

Posted on 2016-11-9 14:12
6. FBI exceeded its warrant by using malicious code to investigate users of the dark-web service TorMail
Title: FBI may have used mass malware in dark web child porn bust

Author info: 8 Nov, 2016 03:03 By Zachary Fagenson

//BEGIN
The FBI's prolific 2013 attack on dark web servers that hosted child pornography was seen by many as a win. However, unsealed documents show the FBI may have taken some massive liberties with its warrants for dark web service TorMail.
In 2013, the FBI was given a warrant to hack 300 users of TorMail. The agency used a type of malware known as a network investigative technique (NIT) to exploit a browser flaw and reveal users' internet protocol (IP) address. As a result, many were arrested for child pornography. But newly unsealed documents show that this may not have been the only result.
The FBI may have used its malware on significantly more than the 300 people the warrant covered, Motherboard found.
The US Federal Bureau of Investigation (FBI) was granted a warrant to investigate 300 people suspected of online child pornography using the NIT internet investigative technique; all of them communicated over the dark web. The operation succeeded in 2013, but newly unsealed documents show that the FBI evidently widened its scope, carrying out similar activity against many users of the TorMail dark-web mail service. The NIT technique actually relies on malicious code that exploits browser vulnerabilities to obtain the user's real IP address. Although the FBI's investigation of online child pornography was a success, they clearly exceeded their authority and did a lot of things they should not have.

//END
However, the FBI denies any wrongdoings. FBI spokesman Christopher Allen told Motherboard in an email that, "As a matter of practice the FBI narrowly tailors warrants, and we do not exceed the scope of those warrants."
But the FBI denied the accusation of misconduct, claiming that it acted strictly by the rules and did not exceed the permitted scope.

Comment: the dark web isn't so dark.