Daily Security Brief (20161112)

Posted on 2016-11-11 22:45

Posted on 2016-11-12 19:23
1. Hidden malware found on Google and Amazon cloud service platforms
{CHN}
Title: Cloud security crisis: hidden malware found on Google's and Amazon's cloud service platforms

Author info: 2016-11-11 17:13 By E安全

//BEGIN
E安全, November 11: A recent study found that more than 600 cloud repositories host malware and other malicious activity on large, well-known cloud platforms, including Amazon, Google, Groupon and thousands of other sites. A report titled "Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service" states that researchers from the Georgia Institute of Technology, Indiana University Bloomington and the University of California, Santa Barbara scanned more than 140,000 websites on 20 major cloud hosting services and found that 10% of the repositories were implicated.

//END
Attackers sometimes open cheap accounts to host their software, and place other software that hides malicious content on well-known cloud services, mixed in with harmless content, so that the malware is not blacklisted.
Beyah said that service providers, bound by privacy protections and ethics, tend to avoid inspecting customers' repositories without the customers' consent. Even if they were willing to inspect them, finding malicious content would be difficult.
The researchers said they reported their findings to the cloud hosting companies before publishing the research, but the number of malicious repositories is still unclear. So far only Groupon has acknowledged the significance of the findings and thanked the researchers for their help.

Comment: A secure cloud really cannot wait.

Posted on 2016-11-12 19:25
2. Tesco Bank is only one name on the Retefe malware's target list
Title: Tesco Bank not alone in being targeted by Retefe malware

Author info: 10 NOV 2016 - 11:00AM BY PETER STANCIK

//BEGIN
Update (November 11th): For clarification, this article is focused on providing information on the increased activity of the Retefe banking trojan, which has been targeting various banks, mostly in Switzerland, Austria, and the UK. While this is happening at the same time as news breaking that Tesco Bank suffered a major cyberattack, there is no concrete evidence that Retefe is behind this.
Tesco Bank, which recently saw thousands of its customers lose funds to cybercriminals, has been found on the target list of the so-called Retefe malware. This trojan horse goes after users’ online banking credentials, which can be then misused to conduct fraudulent transactions. Many more thousands might be at risk as the malware’s target list contains several other banks.
According to the latest research, the target users of the Retefe banking trojan are located in Switzerland, Austria and the UK, and its appearance overlaps in time with the cyberattack on Tesco Bank a few days ago. But there is currently no evidence that the Retefe banking trojan was involved in this attack on Tesco Bank.
Just a few days ago (Antiy Daily Brief) there were already reports that Tesco Bank had suffered a cyberattack, leaving many users' online bank accounts fraudulently charged over the weekend.

//END
List of targets

*.facebook.com
*.bankaustria.at
*.bawag.com
*.bawagpsk.com
*.bekb.ch
*.bkb.ch
*.clientis.ch
*.credit-suisse.com
*.easybank.at
*.eek.ch
*.gmx.at
*.gmx.ch
*.gmx.com
*.gmx.de
*.gmx.net
*.if.com
*.lukb.ch
*.onba.ch
*.paypal.com
*.raiffeisen.at
*.raiffeisen.ch
*.static-ubs.com
*.ubs.com
*.ukb.ch
*.urkb.ch
*.zkb.ch
*abs.ch
*baloise.ch
*barclays.co.uk
*bcf.ch
*bcj.ch
*bcn.ch
*bcv.ch
*bcvs.ch
*blkb.ch
*business.hsbc.co.uk
*cahoot.com
*cash.ch
*cic.ch
*co-operativebank.co.uk
*glkb.ch
*halifax-online.co.uk
*halifax.co.uk
*juliusbaer.com
*lloydsbank.co.uk
*lloydstsb.com
*natwest.com
*nkb.ch
*nwolb.com
*oberbank.at
*owkb.ch
*postfinance.ch
*rbsdigital.com
*sainsburysbank.co.uk
*santander.co.uk
*shkb.ch
*smile.co.uk
*szkb.ch
*tescobank.com
*ulsterbankanytimebanking.co.uk
*valiant.ch
*wir.ch
*zuercherlandbank.ch
accounts.google.com
clientis.ch
cs.directnet.com
e-banking.gkb.ch
eb.akb.ch
ebanking.raiffeisen.ch
hsbc.co.uk
login.live.com
login.yahoo.com
mail.google.com
netbanking.bcge.ch
onlinebusiness.lloydsbank.co.uk
tb.raiffeisendirect.ch
uko.ukking.co.uk
urkb.ch
www.banking.co.at
www.hsbc.co.uk
www.oberbank-banking.at
wwwsec.ebanking.zugerkb.ch
The above is the list of online banking targets.

Comment: This trojan or that trojan, they are all rotten apples....
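As an added example (not code from the ESET article, the post above, or the Retefe malware itself), the following Python turns the target list into a check you can run over proxy or DNS logs to see which of your clients talk to targeted banks and webmail providers. It assumes the three pattern forms in the list (`*.ubs.com`, `*abs.ch`, bare host) are shell-style globs, as a proxy auto-config `shExpMatch` would treat them; the `TARGETS` subset is copied from the list above and the log lines are constructed for the example.

```python
"""Check hostnames against the Retefe target list patterns.

Added example; this is not code from the ESET article or from the malware.
Assumptions: the patterns are shell-style globs (as in a proxy auto-config
shExpMatch), the TARGETS subset below is copied from the published list, and
the proxy log lines are constructed for this example.
"""
import fnmatch

# Subset of the published target list (same three pattern forms as the full list).
TARGETS = [
    "*.facebook.com",
    "*.credit-suisse.com",
    "*.paypal.com",
    "*.ubs.com",
    "*abs.ch",
    "*barclays.co.uk",
    "*tescobank.com",
    "accounts.google.com",
    "hsbc.co.uk",
    "www.hsbc.co.uk",
]


def is_targeted(hostname, targets=TARGETS):
    """Return the first pattern that matches hostname, or None.

    Glob semantics: '*' matches any run of characters including dots, so
    '*.ubs.com' matches e-banking.ubs.com but not the bare ubs.com, while
    '*abs.ch' matches abs.ch, www.abs.ch and also the unrelated labs.ch.
    """
    host = hostname.strip().lower().rstrip(".")
    for pattern in targets:
        if fnmatch.fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def overbroad_patterns(targets=TARGETS):
    """Patterns whose leading '*' is not followed by '.'.

    These are plain suffix matches that also hit other registrable domains,
    so they need review before being reused as detection indicators.
    """
    return [p for p in targets if p.startswith("*") and not p.startswith("*.")]


# Constructed proxy log: "<timestamp> <client-ip> <hostname>", one request per line.
SAMPLE_LOG = """\
2016-11-12T10:01:02 10.0.0.5 e-banking.ubs.com
2016-11-12T10:01:09 10.0.0.5 www.example.org
2016-11-12T10:02:15 10.0.0.7 www.tescobank.com
2016-11-12T10:03:30 10.0.0.9 accounts.google.com
2016-11-12T10:04:01 10.0.0.9 labs.ch
2016-11-12T10:04:40 10.0.0.9 ubs.com
""".splitlines()


def scan_log(lines, targets=TARGETS):
    """Return (client, hostname, pattern) for every request whose hostname matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, host = parts
        pattern = is_targeted(host, targets)
        if pattern:
            hits.append((client, host, pattern))
    return hits


if __name__ == "__main__":
    for client, host, pattern in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} (matches {pattern})")
    print("suffix-only patterns to review:", overbroad_patterns())
```

A hit only means a client visited a targeted site, not that it is infected; the value of the scan is knowing which users bank with the listed institutions and therefore warrant a closer look. Note that the `*abs.ch`-style entries, with no dot after the asterisk, match any hostname ending in that string, which is why `labs.ch` shows up in the constructed log.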

Posted on 2016-11-12 19:28
3. APT29 launched spear-phishing attacks after Trump's election (seems the topic got mixed up?)
Title: Capgemini Leaks Data of Recruitment Firm PageGroup

Author info: November 11, 2016 By Eduard Kovacs

//BEGIN
Job-related information belonging to hundreds of thousands of individuals was exposed online after Capgemini inadvertently made public a database of Michael Page, a brand of UK-based global recruitment company PageGroup.
France-based Capgemini, which last year had a revenue of nearly 12 billion euros, specializes in consulting, technology and outsourcing services. The company, contracted by the recruitment giant for IT services, unintentionally exposed a Michael Page backup database containing an estimated 30 Gb of SQL files that could have been accessed by anyone who knew what to look for.
Role, Capgemini: a French company focused on consulting, technology services and outsourcing, with revenue of 12 billion euros last year.
Role, PageGroup: a UK-based global recruitment company that owns the Michael Page brand.
Capgemini accidentally exposed a 30 GB SQL database file belonging to its client PageGroup; anyone who knew how to search for it could find any of its contents. The SQL database contained all kinds of sensitive personal information on job seekers, numbering in the thousands. Capgemini mainly provides outsourced recruitment services to IT giants.


//END
Hunt pointed out that organizations of all sizes can be affected by serious vulnerabilities. The expert believes companies could avoid such incidents by running bug bounty programs, which have been increasingly popular among both public and private organizations.
“These were such low-hanging vulnerabilities that had there been even the slightest inkling of incentivisation, they would have been found very quickly and reported ethically via a channel that researches could trust,” Hunt commented.
Security experts point out that companies of all sizes have all kinds of vulnerabilities. To avoid such low-level vulnerabilities, vendors are advised to run a bug bounty program, rewarding people who find vulnerabilities in the company's systems. The vulnerability in this article could easily have been found through such a reward program.

Comment: How much personal information must a 30 GB SQL database hold?

Posted on 2016-11-12 19:29
4. Madison County, USA: computer systems hit by ransomware attack
Title: Insurance Firm Directs Response in Madison County Ransomware Attack

Author info: November 10, 2016 By Kevin Townsend

//BEGIN
Madison County, Indiana, was the victim of ransomware last week. There is no public information on what malware was used, how the authority was infected, nor how much was demanded by the attackers -- but it does seem as if the ransom has been paid, and systems are now coming back on line.
Madison County, Indiana, in the US was hit by ransomware. There is currently no public information on what malware caused it or how, and the ransom amount is unknown. However, by all indications the ransom has been paid and the infected systems are being restored.

//END
The key question is unclear. Can the insurer insist rather than advise that the insured pays the ransom in order to minimize its own future liability to repair damage? "I have not seen a clause that explicitly allows the insurer to do this," said Litt, adding, that's "not to say it doesn't exist. An insurer can accomplish this indirectly. For example, a policy might provide coverage for an extortion payment in an amount that does not exceed the covered damages and claims expenses that would have been incurred had the extortion payment not been made."
The reality is that we do not know exactly what happened at Madison County. The indication, however, is that its insurer recommended and may even have insisted on payment. And the implication of this is that there may be an unknown number of ransomware victims who have simply paid the ransom, funded by the insurance, with little fuss or publicity.
Paying the ransom may have been the insurance company's idea, and the payments in some other ransomware cases may be similar, just not made public.

Comment: Against ransomware the advice is back up, back up, and back up again.

Posted on 2016-11-12 19:30
5. Low-bandwidth BlackNurse DDoS attacks can disrupt firewalls
Title: Low-Bandwidth "BlackNurse" DDoS Attacks Can Disrupt Firewalls

Author info: November 11, 2016 By Eduard Kovacs

//BEGIN
Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.
Security researchers warn that certain types of low-bandwidth DDoS (distributed denial-of-service) attacks can cause some enterprise-grade firewalls to enter a temporary DoS (denial-of-service) state.

//END
In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product’s WAN interface or upgrading to more high-end ASA firewalls that have multiple CPU cores as BlackNurse attacks are not as effective against these types of systems. Attacks can also be mitigated using professional anti-DDoS services.
For Cisco's enterprise firewall products: the mitigation for the ASA series can be (1) using an anti-DoS service, (2) upgrading to the latest ASA firewall, or (3) temporarily denying ICMP Type 3 messages sent to its WAN interface.

Comment: DDoS attacks are a widespread problem.....
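As an added example (not code from the SecurityWeek article, TDC or Cisco), the following Python parses raw IPv4/ICMP packets and flags any source whose ICMP Type 3 (Destination Unreachable) rate exceeds a threshold within a one-second window, which is the traffic pattern the post describes. The packet builder, the sample capture and the 100 packets-per-second threshold are constructed assumptions for this demonstration; the page gives no rate figures, so tune the threshold to your own baseline.

```python
"""Flag BlackNurse-style floods: many ICMP Type 3 packets from one source.

Added example, not code from the SecurityWeek article, TDC or Cisco.
Assumptions: the packet builder, the sample traffic and the 100 pps
threshold are constructed for this demonstration; the page gives no
rate figures.
"""
import socket
import struct
from collections import Counter

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3   # Destination Unreachable, the type BlackNurse abuses
ICMP_PORT_UNREACH = 3   # code 3: port unreachable
ICMP_ECHO = 8


def _checksum(data):
    """RFC 1071 one's-complement checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp(src, dst, icmp_type, code=0):
    """Return a raw IPv4 packet carrying a minimal ICMP message (constructed test data)."""
    body = bytes(28)  # type 3 carries the offending IP header + 8 bytes; zeros suffice here
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + body
    icmp = struct.pack("!BBHI", icmp_type, code, _checksum(icmp), 0) + body
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_packet(raw):
    """Return (src_ip, protocol, icmp_type, icmp_code); ICMP fields are None for non-ICMP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None  # not an IPv4 packet
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = socket.inet_ntoa(raw[12:16])
    if proto != IPPROTO_ICMP or len(raw) < ihl + 8:
        return (src, proto, None, None)
    return (src, proto, raw[ihl], raw[ihl + 1])


def blacknurse_windows(packets, threshold_pps, window_s=1.0):
    """Count ICMP Type 3 packets per (window, source) and return the ones over threshold.

    packets: iterable of (timestamp_seconds, raw_bytes).
    Returns sorted [(window_start, src_ip, count)] where count > threshold_pps * window_s.
    """
    counts = Counter()
    for ts, raw in packets:
        parsed = parse_packet(raw)
        if parsed and parsed[1] == IPPROTO_ICMP and parsed[2] == ICMP_DEST_UNREACH:
            window = int(ts // window_s) * window_s
            counts[(window, parsed[0])] += 1
    return sorted((w, s, n) for (w, s), n in counts.items()
                  if n > threshold_pps * window_s)


def _sample_traffic():
    """Constructed capture: 500 unreachables in one second from one host, plus background noise."""
    fw_wan = "192.0.2.1"  # the firewall's WAN address (documentation range)
    pkts = [(1000.0 + i / 500,
             build_icmp("198.51.100.10", fw_wan, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH))
            for i in range(500)]
    pkts += [(1000.5, build_icmp("203.0.113.5", fw_wan, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)),
             (1000.6, build_icmp("203.0.113.5", fw_wan, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)),
             (1000.7, build_icmp("203.0.113.5", fw_wan, ICMP_ECHO))]  # echo request, not counted
    return pkts


SAMPLE_TRAFFIC = _sample_traffic()

if __name__ == "__main__":
    for window, src, n in blacknurse_windows(SAMPLE_TRAFFIC, threshold_pps=100):
        print(f"window {window:.0f}s: {n} ICMP type 3 packets from {src} (over threshold)")
```

In practice the `(timestamp, bytes)` pairs would come from a capture taken on the firewall's outside interface. The detector counts per source only; an attacker can spread the flood across spoofed sources, so the total Type 3 rate per window is worth tracking as well. Detection complements rather than replaces the mitigation in the post, which is to drop ICMP Type 3 at the WAN edge.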

Posted on 2016-11-12 19:31
6. Canadian casino systems hacked, customer data stolen
Title: Hackers Pillage Systems at Casino Rama Resort

Author info: November 10, 2016 By Mike Lennon

//BEGIN
Canada based Casino Rama Resort said that a hacker broke into its internal computer systems and accessed detailed company, customer, employee and vendor information.
A Canadian casino was hacked, leading to unauthorized access to its company, customer, employee and vendor information.

//END
The company did not say if a ransom was demanded in order to prevent the publishing of the stolen data.
Contacted by SecurityWeek, a company spokesperson said, "Casino Rama Resort is working with the authorities to determine the exact nature and reason for the cyberattack. Obviously, while there is an ongoing investigation we are limited in how much detail we can provide."
The gaming and resort operator said it is working with the Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP), the Ontario Lottery and Gaming Corporation (OLG) and the Alcohol and Gaming Commission of Ontario (AGCO), and has alerted the Office of the Privacy Commissioner of Canada (OPC) and the Information and Privacy Commissioner of Ontario (IPC).

Casino Rama Resort is operated by Penn National Gaming, Inc.
The company did not say whether it received a ransom demand in exchange for the hackers not publishing the stolen data. The casino has reported the incident to the relevant government agencies and is cooperating with the investigation to determine the exact nature of the incident and the cause of the attack.

Comment: The hackers' intrusion is itself a gamble.

Posted on 2016-11-14 13:04
Wenster posted on 2016-11-12 19:28:
3. APT29 launched spear-phishing attacks after Trump's election (seems the topic got mixed up?)
Title: Capgemini Leaks Data of Recruitmen ...

Topic corrected........

Attachment: Starhub Status Report.rar (11.34 KB, downloads: 52)

Attachment: Russian Hackers Launched New Attacks Right After Trump Victory Targets Were US T.pdf (136.01 KB, downloads: 57)