Daily Security Briefing (20161115)

Posted 2016-11-14 23:23
Posted 2016-11-15 15:36
1. Locky ransomware spread by email exploiting the OPM breach
标题:Locky ransomware campaign exploits fears of data stolen in OPM hack
Emails tell victims they need to download an attachment to view "suspicious activity" - then infects them with ransomware.

Author info: November 11, 2016 -- 12:24 GMT (20:24 GMT+08:00) By Danny Palmer

//BEGIN
Personal details of more than 22 million government employees were stolen in the OPM data breach.
OPM is short for the US Office of Personnel Management.
In the immediate aftermath of a major data breach, cybercriminals will often look to take advantage of the situation by sending phishing emails warning people their credentials aren't safe and that they must login through a malicious link to ensure they're safe - when clicking through will just add to their problems.
However, it appears that some hackers and cyber thieves are more than happy to play a longer game, with one group seemingly using last year's Office of Personnel Management [OPM] data breach as a platform for launching a new Locky ransomware campaign.
The hack at the federal agency saw the theft of personal details of 22 million people and researchers at PhishMe have spotted hackers playing on fears of victims that they're still at risk of fraud and identity theft - and are using fear in an attempt to trick them into allowing ransomware to encrypt their files.
This incident stems from the leak of the data of 22 million employees from the OPM, the US government's personnel database. Hackers are exploiting this widely known fact, impersonating OPM staff and sending emails to potential victims claiming that the user's information may have been leaked and that they need to open the attached archive to check. Note that the attachment is in fact the Locky ransomware!
This incident once again confirms hackers' habit of piggybacking on major events. Although the event itself is somewhat new, the basic playbook has not changed in any revolutionary way; veterans should quickly see through these petty tricks.


//END
One infamous example saw Locky ransomware take down the network of a high-profile Los Angeles hospital which paid a ransom of $17,000 to hackers in order to regain access to crucial systems.
But it isn't just large organisations which are targeted by ransomware; small and medium-sized businesses are attacked by it too, and more so than ever before: according to figures from Kaspersky Lab, small businesses faced eight times more ransomware attacks during the third quarter of 2016 than they did during the same period last year.
According to the Kaspersky Security Network, 27,471 attempts to block access to corporate data were detected and repelled by Kaspersky software in Q3 2016, compared to 3,224 similar attacks in the same period of 2015.
Ransomware operators are fond of attacking hospitals; last year a Los Angeles hospital was forced to pay bitcoin worth $17,000 to get its critical systems and databases running normally again. But it is not only large enterprises and organisations that ransomware targets; small and medium-sized businesses are potential targets for hackers too. In fact, research data from the security company Kaspersky for the third quarter of 2016 show that the ransomware risk for small businesses is eight times that of large enterprises, with around 30,000 attacks blocked, whereas last year there were only a little over 3,000 such attacks.

Comment: A combination punch: social engineering that exploits people's fear of a major data breach to spread ransomware.

Posted 2016-11-15 15:38
2. Hacker forum that published the Mirai source code shuts down the relevant section
{CHN}
Title: The "culprit forum" behind the US internet outage has finally closed its DDoS section

Author info: 2016-11-14 21:10 By cnbeta

//BEGIN
Just last month, the United States suffered an unprecedented internet outage. The makers of the smart hardware involved are scattered across the world (mainly in China) and hard for the US to control directly, and the identity of the hackers who launched the attack remains a mystery. So angry Americans found a scapegoat: Hack Forums. The reasoning behind this, however, is a little absurd. In short, the key facts are as follows:
1. Large numbers of smart devices, especially surveillance equipment, share common vulnerabilities, so hackers can use code to control devices on a massive scale at once and launch DDoS (distributed denial of service) attacks.
2. On the well-known American hacker forum "Hack Forums", a user called "Anna-Senpai" published the source code of an attack tool, "Mirai"; script kiddies without much skill could launch attacks by making simple changes to the code.
3. Sure enough, someone used this source code to attack the DNS provider Dyn, causing the large-scale outage on the US east and west coasts on October 21.

//END
[Figure: Hack Forums' Server Stress Test section]
The security company Flashpoint published a report suspecting that the mastermind behind the attack was hiding behind the Hack Forums forum. Of course, such an accusation is hard to prove, and Hack Forums also has a hard time proving its innocence. In fact, the section where the source code of the Mirai attack program was published was not called the "DDoS section" but the Server Stress Test section. That's right: every attack is a stress test of a server; the righteous and the wicked readings point to exactly the same thing.
Unable to withstand public pressure, however, and with a police raid seemingly imminent, Hack Forums announced it was closing the Server Stress Test section. Forum administrator Omniscient issued a "tearful" statement.

Comment: Mirai (meaning "future") again.....

Posted 2016-11-15 15:40
3. VMware fixes arbitrary code execution vulnerability triggered via drag-and-drop
标题:Hackers Find Code Execution Flaw in VMware Workstation

Author info: November 14, 2016 By Eduard Kovacs

//BEGIN
VMware informed customers on Sunday that it has patched a critical out-of-bounds memory access vulnerability affecting its Workstation and Fusion products.
The flaw, tracked as CVE-2016-7461, affects the drag-and-drop function and it can be exploited from the guest to execute arbitrary code on the host operating system running Fusion or Workstation.
The security hole affects Workstation Player and Pro 12.x, and Fusion (Pro) 8.x. The issue has been patched with the release of versions 12.5.2 and 8.5.2, respectively. ESXi is not impacted.
According to VMware, the vulnerability cannot be exploited against Workstation Pro or Fusion if both the drag-and-drop and copy-and-paste functions are disabled. This workaround does not work on Workstation Player.
Virtualization vendor VMware notified its users on Sunday that it had released an out-of-band patch fixing a critical vulnerability. The flaw, CVE-2016-7461, affects the drag-and-drop function between the virtual machine and the host; by exploiting it, arbitrary commands can be executed on the host from the virtual machine. Some VMware products are affected. Of course, if drag-and-drop or copy-and-paste is disabled, the vulnerability has no effect.

//END
The vulnerability was disclosed recently at PwnFest, a hacking competition that took place in South Korea at the 2016 Power Of Community (POC) security conference.
VMware has credited Qinghao Tang and Xinlei Ying from Qihoo 360’s Marvel Team and JungHoon Lee (lokihardt) for finding the flaw. The reward for hacking VMware Workstation Pro 12 on Windows 10 at PwnFest was $150,000. PwnFest participants earned hundreds of thousands of dollars for hacking products from Microsoft, Google, Adobe, VMware and Apple.
The virtualization giant informed customers last week that several of its products are affected by the recently disclosed Linux kernel vulnerability dubbed “Dirty COW” (CVE-2016-5195). The impacted products include Identity Manager, vRealize Automation and vRealize Operations.
The vendor has started releasing software updates to address the local privilege escalation flaw. Patches for Identity Manager, vRealize Automation and version 5.x of vRealize Operations are still pending.
The vulnerability was revealed at a hacking contest held in South Korea; the discoverers were the Marvel Team of China's Qihoo 360 (the OS platform was the latest Windows 10 and the VMware version was Workstation Pro 12), and VMware rewarded the discoverers with $150,000. The contest's total prize pool was over a million dollars, funded by the familiar big names of the vulnerability world: Microsoft, Apple, Google, Adobe, VMware and so on.
In fact, just last week VMware had announced another very serious vulnerability, one with a cool name: Dirty COW, CVE-2016-5195; the affected products at that time included Identity Manager, vRealize Automation and vRealize Operations.

Comment: 360's bug-hunting ability is pretty strong....

Posted 2016-11-15 15:42
4. Adult dating site hacked, 412 million user records leaked
标题:AdultFriendFinder company data breach exposes 412 million accounts

Author info: November 13, 2016 By Pierluigi Paganini

//BEGIN
The company that owns AdultFriendFinder and other adult websites has been hacked; the data breach exposes 412 million accounts, making this the largest hack of 2016. Almost every account password was cracked, thanks to the company’s poor security practices. Even “deleted” accounts were found in the breach.
A new massive data breach is in the headlines, the victim is the adult dating and entertainment website Friend Finder Network. The data breach has exposed more than 412 million accounts, 339 million of which from the AdultFriendFinder.com and over 15 million “deleted” accounts that were still present in the database.
Following the leak in May last year, the adult dating site's data has been leaked again, and this time more data was leaked than last time: 4 million then, over 400 million now. This leak also includes information on accounts that had already been deleted. This may be the largest data breach of 2016. The cause was the site's inadequate security measures.


//END
“Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data which makes it by far the largest breach we have ever seen — MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015.” reads the post published by LeakedSource.
The leaked email addresses even include .gov and .mil ones, and in no small number: 5,650 .gov email addresses and 78,301 .mil addresses.

Comment: Careless friendships cause trouble.

Posted 2016-11-15 15:44
5. Germany establishes a Cyber and Information Space staff
{CHN}
Title: Germany establishes a Cyber and Information Space staff, with full details

Author info: 2016-11-14 15:20 By 搜狐军事 (Sohu Military)

//BEGIN
The Bundeswehr must also strengthen its contribution to Germany's security architecture to adapt to new threats from cyber and information space. From simple viruses to complex, hard-to-detect attacks (advanced persistent threats), technological development has raised the level of threat qualitatively. Cyber attacks on states and critical infrastructure long ago ceased to be science fiction and became reality; numerous cases in partner countries and their armed forces have proven this in recent years. Building cyber capabilities can therefore make an important contribution to government security in the broad sense and provide additional options for responding to multiple threats in conflict prevention and crisis management. As a large and increasingly digitised organisation, the Bundeswehr must therefore build an organisational structure to address the opportunities and threats of digitisation.

//END
The two areas, CIT and CIR, are led by one leader (grade B7) together with their own senior staff; for now this is the responsibility of the State Secretary in charge of IT, Dr. Suder. The leader is responsible for internal and external communication, that is, with the nation's citizens and stakeholders (parliamentary bodies, associations, industry, international cooperation and alliance partners), and coordinates the CIT and CIR commands.

//Reference: Germany's cyber security strategy from 6 years ago
Download: Cyber_Security_Strategy_for_Germany.pdf (2.4 MB, downloaded 51 times)
File name: Cyber_Security_Strategy_for_Germany.pdf
File size: 2,518,928 bytes
MD5: 16DF678A7C061DA8B0C812A81CD8EEAB

Comment: Every country takes this seriously now.

Posted 2016-11-15 15:46
6. Researchers find a way to eavesdrop on passwords via Wi-Fi signals
标题:Your body reveals your password by interfering with Wi-Fi
Wave goodbye to security if crims can pop a MIMO router

Author info: 13 Nov 2016 at 21:30 By Richard Chirgwin

//BEGIN
Modern Wi-Fi doesn't just give you fast browsing, it also imprints some of your finger movements – swipes, passwords and PINs – onto the radio signal.
While Wi-Fi gives users a fast browsing experience, the finger movements you make on your phone when swiping, entering passwords and typing credit card numbers can all be imprinted on the wireless signal and then decoded.

//END
The researchers note that there's a simple way to block WindTalker: companies crafting payment apps should randomise their keypad layouts. The attacker can still infer the finger's position – but won't know what key was pressed.
The researchers propose a simple remedy against such eavesdropping: vendors of payment apps and other apps handling users' money should generate the keypad layout randomly rather than keeping it fixed, so that even if a hacker decodes your finger movements via Wi-Fi, they still do not know what you typed.

//Download: When CSI Meets Public WiFi Inferring Your Mobile Phone Password via WiFi Signals.pdf (4.07 MB, downloaded 51 times)
File name: When CSI Meets Public WiFi Inferring Your Mobile Phone Password via WiFi Signals.pdf
File size: 4,264,260 bytes
MD5: 95B219AB42648299DC144563D585E010

Comment: Opportunities for leaks are everywhere.
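As an added illustration of the randomised-keypad defence the researchers recommend (example code written for this briefing, not code from the paper, the app vendors or the forum), the following Python models what the Wi-Fi side channel hands an attacker, namely tap positions rather than key values, and shows that inference against a fixed standard layout recovers the PIN while a per-session shuffled layout maps the same observation to the wrong PIN. The 3x4 layout shape, the function names and the sample PIN are constructed assumptions.

```python
import secrets

# Standard phone keypad, 3 columns x 4 rows, as a flat list of 12 positions.
# The two bottom corners are dead keys. An eavesdropper who assumes this
# fixed layout reads a tap position straight off as a digit.
STANDARD_LAYOUT = ["1", "2", "3",
                   "4", "5", "6",
                   "7", "8", "9",
                   "",  "0", ""]


def random_layout(rng=None):
    """Build a fresh keypad for one session: the ten digits are shuffled
    over the ten usable positions; dead corners stay empty so the keypad
    still looks like a normal one. Uses the OS CSPRNG by default."""
    rng = rng or secrets.SystemRandom()
    digits = list("0123456789")
    rng.shuffle(digits)
    layout = list(STANDARD_LAYOUT)
    usable = [i for i, key in enumerate(layout) if key]
    for slot, digit in zip(usable, digits):
        layout[slot] = digit
    return layout


def tap_positions(layout, pin):
    """Model of the side channel: the attacker learns WHERE on the screen each
    finger landed (a position index), not which digit that key carried."""
    return [layout.index(d) for d in pin]


def infer_pin(observed_positions, assumed_layout=STANDARD_LAYOUT):
    """Attacker-side inference that assumes the keypad is the fixed standard
    layout, which is exactly the assumption a randomised keypad breaks."""
    return "".join(assumed_layout[p] for p in observed_positions)


def attack_outcome(pin, layout):
    """Run the modelled attack against a PIN entered on the given layout.
    Returns (inferred PIN, whether the attacker got it right)."""
    guess = infer_pin(tap_positions(layout, pin))
    return guess, guess == pin


if __name__ == "__main__":
    pin = "2580"                                  # constructed sample PIN
    print("fixed keypad:     ", attack_outcome(pin, STANDARD_LAYOUT))
    print("randomised keypad:", attack_outcome(pin, random_layout()))
```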
