Daily Security Briefing (20161116)

Posted 2016-11-15 20:59
Posted 2016-11-16 18:12
1. 360's Helios (追日) team exposes the Bitter (蔓灵花) APT campaign
{CHN}
Title: China again discovers an overseas hacker attack: the Bitter (蔓灵花) campaign

Author info: 2016-11-15 10:06:06 By 360 Helios Team (追日团队)

//BEGIN
Recently the 360 Helios team released a briefing on the Bitter (蔓灵花) attack campaign, disclosing yet another overseas hacker attack aimed at China's government and energy sectors; the affected organizations are mainly government, power and industrial entities, and the group remains active to this day.
Looking at this attack together with the recently published Mahagrass (摩诃草) and Eye of Sauron (索伦之眼) reports, and the earlier Iranian nuclear plant and Ukrainian grid blackout incidents, we see that the contest for cyberspace has become a focal point of great-power rivalry, and that APT, as a proven and effective means, keeps appearing in all kinds of confrontations. As the intensity of APT confrontation grows, cross-platform attacks will become mainstream rather than focusing on the single Windows platform; mobile devices, smart hardware, industrial control systems, smart vehicles and many other platforms will all become targets or stepping stones for attackers. Faced with nation-state cyber confrontation and ever more complex attacks, a single security appliance can no longer effectively detect and respond to them; only a coordinated, defense-in-depth system can effectively counter constantly changing advanced threats.

//END
From a broader view of collaboration, we believe it has three levels: data collaboration, intelligence collaboration and industry collaboration. The first level, data collaboration, aims to break down data silos and data gaps; the collaboration and sharing of data is the most critical cornerstone of a data-driven security system. As with the technical approach mentioned above, correlation analysis of multi-dimensional data and the application of threat intelligence are key. The second level is intelligence collaboration, which addresses the things that cannot be done because analysis capability is insufficient. Even with massive multi-dimensional data, without enough analysis capability the value of the data cannot be realized. Collaborative analysis built on data can draw on machine-to-machine, machine-to-human and human-to-human collaboration; the ultimate goal is still to let people analyze and handle things more effectively, improving the efficiency and effect of analysis. The third level is industry collaboration. Industry collaboration requires joint effort by government and enterprises, establishing mutual trust between governments, between enterprises, and between government and enterprises, thereby forming a more secure industry ecosystem.

//Download: 蔓灵花-BITTER-APT.pdf (1.52 MB, downloads: 52)
File name: 蔓灵花-BITTER-APT.pdf
File size: 1,598,449 bytes
MD5     : 025C82550045B7A242678E8D836A2B48
Note: reference information from the relevant company

Comment: There are similarities with the Equation Group's cross-platform attacks.

发表于 2016-11-16 18:14 | 显示全部楼层
2. Windows 10 adds a ransomware protection mechanism
标题:Defending against ransomware with Windows 10 Anniversary Update

Author info: NOVEMBER 11, 2016 9:05 AM By Rob Lefferts

//BEGIN
Ransomware is one of the latest malware threats that is attracting an increasing number of cyber-criminals who are looking to profit from it. In fact, in the last 12 months, the number of ransomware variants have more than doubled. Its premise is deceptively simple: infect users’ devices, and then deny them access to their devices or files unless they pay a ransom. However, the methods and means attackers are using to perpetrate ransomware attacks are increasingly varied, complex and costly.
Microsoft, the software giant, has joined the army fighting ransomware, and has brought out its latest ultimate weapon: the Windows 10 operating system (with its bundled antivirus, Windows Defender).
Over the past year the amount of ransomware has doubled. Its aim is simply to infect the user's endpoint devices and block access to the data and databases on their computers, phones and so on unless virtual currency is paid. As enforcement intensifies, ransomware's harmful techniques keep taking on new forms, its technical sophistication grows, and the cost of removal keeps rising.

//END
We have made significant improvements in protecting customers from ransomware in the Windows 10 Anniversary Update. To help protect against ransomware and other types of cyber threats, we suggest you:
Update to the Windows 10 Anniversary Update and accept the default security settings within Windows 10.
Keep machines up to date with the very latest updates.
Ensure that a comprehensive backup strategy is implemented and followed.
The Block at First Sight cloud protection feature in Windows Defender is enabled by default. For IT Pros, if it was turned off we recommend turning it back on, and we also recommend incorporating another layer of defense through Windows Defender ATP and Office 365 ATP.  For more information about each of these technologies and techniques and how they work, please download our white paper Ransomware Protection in Windows 10 Anniversary Update.
Cyber threats won’t stop, and neither will we. As long as ransomware remains a threat, we will continue to enhance our defenses to better protect your Windows 10 devices.
Microsoft has added ransomware protection measures to the Anniversary Update of its Windows 10 operating system. The specific measures can include:
1 Upgrade Windows 10 to the latest annual version and accept the system's default settings (does the default mean relying only on its own Defender?)
2 Keep updating online
3 Confirm the backup strategy is correct and is effectively carried out
4 By default Windows Defender's protection setting is on; the setting option is "Block at First Sight cloud protection". If it was accidentally turned off, it is recommended to turn it back on.

Comment: The post above has APT: Advanced Persistent Threat; this one has ATP: Advanced Threat Protection. It also brings to mind KB's challenge (see: 20161114 item 3, Russia investigates the Windows 10 antivirus monopoly issue http://arstechnica.com/informati ... ntivirus-software/?
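An added example, not from Microsoft's post or from this thread, of how an administrator can carry out the checks in steps 2 and 4 above from PowerShell: it reads the Windows Defender preferences that Block at First Sight depends on (cloud-delivered protection, sample submission and the feature flag itself), reports the signature age, and with -Remediate restores the recommended defaults. It assumes Windows 10 Anniversary Update or later with the Defender PowerShell module, run from an elevated prompt; the function name Test-BlockAtFirstSight is my own.

```powershell
# Added example (not part of the original post): audit and, on request, re-enable
# Windows Defender "Block at First Sight". Assumes Windows 10 Anniversary Update
# or later with the Defender module, run from an elevated PowerShell prompt.
function Test-BlockAtFirstSight {
    [CmdletBinding()]
    param(
        # When set, fix any setting that prevents Block at First Sight from working.
        [switch]$Remediate
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Block at First Sight only works when cloud-delivered protection (MAPS) is on,
    # sample submission is allowed, and the feature itself is not disabled.
    $cloudOn   = $pref.MAPSReporting -ne 0         # 0 = Disabled, 1 = Basic, 2 = Advanced
    $samplesOn = $pref.SubmitSamplesConsent -ne 2  # 2 = NeverSend
    $featureOn = -not $pref.DisableBlockAtFirstSeen

    $result = [pscustomobject]@{
        CloudProtectionEnabled  = $cloudOn
        SampleSubmissionAllowed = $samplesOn
        BlockAtFirstSightOn     = $featureOn
        Effective               = ($cloudOn -and $samplesOn -and $featureOn)
        SignatureAgeDays        = $status.AntivirusSignatureAge   # step 2: stale definitions
    }

    if (-not $result.Effective -and $Remediate) {
        # Restore the recommended defaults for the three settings the feature needs.
        Set-MpPreference -MAPSReporting Advanced `
                         -SubmitSamplesConsent SendSafeSamples `
                         -DisableBlockAtFirstSeen $false
        # Re-read so the caller sees the post-remediation state.
        return Test-BlockAtFirstSight
    }
    return $result
}

# Report the current state; add -Remediate to turn the feature back on.
Test-BlockAtFirstSight | Format-List
```

The three preferences are set together because the feature silently does nothing if either cloud protection or sample submission is off, so checking only DisableBlockAtFirstSeen gives a false sense of coverage.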

发表于 2016-11-16 18:18 | 显示全部楼层
3. CrySis ransomware cracked, master keys made public
标题:CRYSIS RANSOMWARE MASTER DECRYPTION KEYS RELEASED

Author info: November 14, 2016, 2:20 pm by Michael Mimoso

//BEGIN
The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public. Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3 now have a means of recovering their lost files.
The key was posted at 1 a.m. Eastern time to the BleepingComputer.com forums by a user known only as crss7777, said founder Lawrence Abrams. Abrams speculates that it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.
The master decryption keys of a ransomware variant, CrySis, have been published, and through the forum of a professional security-focused website, BleepingComputer.com (under the registered name crss7777). As a result, the threat posed by this ransomware has dropped rapidly. Judging from the form of the disclosure, the poster is very likely the ransomware's developer: a usable C header file along with notes on how to use it.

//END
In the meantime, the FBI put out a number of warnings about ransomware, urging businesses to be vigilant about patching software that could be targeted by exploit kits spreading the malware, or about email campaigns spreading these infections. “The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation,” the FBI said in May. In September, the FBI made a public plea to organizations that have been ransomware victims to share incident reports, looking for details on how the infection happened, any losses incurred, the attackers’ Bitcoin wallet address and more.
The FBI has also warned major enterprises of the risk of being held to ransom, in particular that software which could be exploited to spread ransomware should have its vulnerabilities patched promptly; it also calls for greater vigilance over email, the channel ransomware most commonly uses, with unfamiliar emails treated with special care. And if an organization does get hit, it should promptly report the specifics of what happened, the losses, the course of events, the Bitcoin payment address and so on, to assist the investigation.

//Download: CrySis-master decryption keys.rar (78.43 KB, downloads: 45)
File name: CrySis-master decryption keys.rar
File size: 80,310 bytes
MD5     : D243894DDB2B42579BCC069231F86EEB
Note: keys as text

Comment: Publicity still has real power; under pressure the extortionists made the decryption method public! Keep it up! Still, dealing with ransomware requires preparing in advance: back up, back up, and back up again.

发表于 2016-11-16 18:19 | 显示全部楼层
4. Hacker Kapustkiy returns, targeting embassies and universities
标题:The hacker Kapustkiy continues to target embassies and universities

Author info: November 14, 2016 By Pierluigi Paganini

//BEGIN
The hacker Kapustkiy is back and breached another embassy and two universities. He leaked data on Pastebin.
Hacker K has returned by leaking information from an embassy and two universities, publishing these files containing sensitive information online, where anyone who knows of them can download and browse them.

//END
Records belonging to the hacked embassy include also phone numbers, let me highlight once again that such kind of information is a precious commodity for nation-state hackers that intend to launch a spear phishing campaign against diplomats.
Kapustkiy explained to have leaked the data because the administrators of the targeted entities ignore his warning via email.
It is likely Kapustkiy exploited SQL injection flaws in the last string of data breaches.
Who is the next one?
The leaked information contains basic details of staff at the hacked embassy: names, phone numbers, email addresses and so on. Such information is especially useful to certain people from countries with ulterior motives, who can use it to launch phishing attacks and the like. Hacker K said he published it because the administrators of these organizations ignored his warnings and advice: he had previously warned the administrators and maintainers of the relevant sites by email. And he succeeded with nothing more than simple SQL injection.
Who will be next?

//Download: EmbassyUniversity.rar (13.21 KB, downloads: 57)
File name: EmbassyUniversity.rar
File size: 13,527 bytes
MD5     : 6DEC76BC42C79517F7A1AEA52392AEF2
Note: overview of the embassy and university information already leaked

Comment: Why does it look like Kaspersky? Time for a new pair of glasses?

发表于 2016-11-16 18:21 | 显示全部楼层
5. Apple app Shazam listens on the microphone in the background
标题:Shazam app on Apple Computers is always listening, even when turned off

Author info: November 15, 2016 9:50am By Matthew Dunn

//BEGIN
SHAZAM is a godsend when wanting to instantly identify that unknown song playing in the background, but it has a very creepy secret.
When looking at Shazam on Apple computers, a security researcher discovered the microphone remains on in the background even when the application is turned off.
Patrick Wardle discovered the issue after reverse engineering the Shazam app after receiving an email from a source.
“I’m conflicted on whether or not this is a big deal. On one hand, even when you click ‘OFF’ Shazam continues to consume audio off the internal microphone. On the other hand, they don’t appear to process or use this data in any way,” he wrote in a blog.
Security experts have found a rather peculiar side of Apple's music-recognition app Shazam: even when the user turns the microphone off, the app still quietly turns it on in the background. Security researchers believe this may be a problem and could be exploited maliciously.

//END
“Since there is no bug and no privacy issue associated with the current functionality, we do not have reasons to change the existing behaviour.”
While claiming this configuration of the Mac app gives users the best experience and doesn’t pose a security risk, Mr Wardle tells a different story.
“Due to their actions, we could get creative and easily design a piece of malware that steals this recording without having to initiate a recording itself,” he said.
So with Shazam saying it is not going to change the existing behaviour, it might be worth removing the app if you are concerned.
But Shazam's developer disagrees with some security experts, claiming it does this for a better user experience, and that since it is not a bug and does not violate user privacy, it will not be changed. If you are worried about security, some experts suggest not using this app.

Comment: Even good scripture can be recited wrongly.

发表于 2016-11-16 18:23 | 显示全部楼层
6. Linux LUKS vulnerability exploitable locally and remotely
标题:Major Linux security hole gapes open
An old Linux security 'feature' script, which activates LUKS disk encryption, has been hiding a major security hole in plain sight.

Author info: November 15, 2016 -- 01:50 GMT (09:50 GMT+08:00) By Steven J. Vaughan-Nichols

//BEGIN
Sometimes Linux users can be smug about their system's security. And sometimes a major hole that's been hiding in Linux since about version 2.6 opens up and in you fall.
The security hole this time is with how almost all Linux distributions implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It's in Cryptsetup's default configuration file that the problem lies and it's a nasty one. Known Linux distributions with this bug include Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES).
LUKS: short for Linux Unified Key Setup-on-disk-format.
The vulnerability lies in this disk encryption mechanism, which almost every Linux version uses; it is often paired with Cryptsetup, and the exploitable flaw is in Cryptsetup's default configuration file. Affected operating systems include Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and others.

//END
The Linux distributors will soon have this fixed. But, in the meantime, we've got another security headache. Savvy Linux administrators shouldn't wait. They should patch the configuration file.
The hole was found by Hector Marco Gisbert, a computer science lecturer at the University of the West of Scotland. He presented a speech, "Abusing LUKS to Hack the System" at the DeepSec 2016 security conference.
A patch will be released soon. But at almost the same time another serious security hole may appear, so maintainers should patch the configuration file promptly. The vulnerability was discovered by a computer science professor at the University of the West of Scotland, who gave a talk at this year's security conference titled "Abusing LUKS to Hack the System".

Comment: Multi-platform attacks have become a trend.
