Daily Security Briefing (20161206)

Posted 2016-12-5 22:49
Posted 2016-12-6 19:05
1. Security vendor publishes analysis of a new Cerber 5 ransomware variant
Title: Cerber 5.0.1 Arrives with New Multithreading Method

Author info: Dec 02, 2016 by Sarah Wu, Jacob Leong

//BEGIN
Introduction
A new update of Cerber Ransomware, Cerber 5.0.1, has just arrived, appearing shortly after Cerber 5.0.0 had been released. Cerber 5.0.1 handles multithreading differently when it comes to encrypting files, probably aiming for better performance. It also changes the instruction file name from “README.hta” to “_README_.hta”. The intention of this might be to avoid simple AV detection, such as checking instruction file names. The major updates in the new version are described in the following sections.
The latest version of Cerber is 5.0.1. Compared with 5.0.0 there is no particularly large change, only a change to one variable in the configuration file: the multithread variable has been removed. The other change is that the instruction file has changed from README to _README_, i.e. the file name changed from README.hta to _README_.hta. The interval between the release of these two Cerber versions was very short.

//END
Conclusion
We have observed a lot of different versions of Cerber variants in these two months. Although Cerber updates its version quite frequently, there was no significant update until version 5. We will continue to track this family and share any new updates with our readers. Stay tuned!
Over the past two months the Cerber ransomware has released many different versions; although it upgrades very frequently, there was no significant change until version 5.0.

Comment: Against ransomware, the advice is still to back up, back up, and back up again.

Posted 2016-12-6 19:07
2. Security vendor publishes Shamoon 2 malware analysis report
Title: "Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis

Author info: 3 December 2016 By siteadm

//BEGIN
After reading headlines like this, I decided to take a look at this "most damaging cyberweapon the world has ever seen". Seriously CNN?
Seems like this not-sophisticated-at-all malware called Shamoon 2.0/Disttrack caused lots of damage across multiple government networks in Saudi Arabia. I don't have a say on the network breach and the initial breach method since I never had a chance to analyze the evidence files. But I decided to take a look at the malware itself and dissect its components and classify the skills of the attackers behind it; the rest has already been done by other analysts and they've published their findings online. The executive summary of my findings points to only one thing: that the developers behind it definitely are not skilled C++ developers and (highly likely) they don't have any experience in Windows kernel development. They also lack a basic understanding of C++ data types. In addition to that, (possibly intentionally) the hackers left some clues in the resources section, pointing to Yemen. As I said multiple times before, these signatures are too easy to manipulate and anyone with a little bit of Googling skills can alter the language identifier of the resources in PE files. But definitely "Yemen" is left there as a political message to Saudi Arabia. Go figure.
CNN, known for being "serious and rigorous", recently put a label on the Shamoon 2 malware: the most dangerous cyberwarfare attack weapon. Security experts therefore decided to get to the bottom of it.
In fact this malware, named Shamoon 2.0/Disttrack, is not complex, but it still caused heavy damage to quite a few Saudi government departments. Having never seriously analyzed this malware before, after seeing this report the author decided to analyze it carefully. Some technical analysis reports had in fact already appeared online before this. But according to the security expert's analysis report, the developers of this malware are neither proficient in the C++ programming language nor have any mature experience in Windows kernel development. They do not even understand the basic data types of C++. In the resource section of its data, the author is pointed to Yemen, which looks deliberate. Of course, any slightly experienced programmer could do this; the likely reason is political motives behind the scenes.

//END
So dear CNN and other bloggers, please do more research before panicking and calling vulnerabilities or a piece of malware big names. "Most destructive cyberweapon" takes much more skill...
After detailed analysis by security researchers, CNN and some other serious media outlets are advised not to exaggerate and casually label malware "the most destructive cyber-attack weapon". Of course, if that label must be used, it is best to have rigorous data and technical analysis reports to back it up. But the Shamoon 2 malware mentioned here is clearly not such a case.

Comment: Malware issues in cybersecurity have never been purely technical problems.

Posted 2016-12-6 19:08
3. Researchers discover a new botnet more dangerous than Mirai
Title: Experts from CloudFlare spotted a new dangerous botnet

Author info: December 4, 2016 By Pierluigi Paganini

//BEGIN
Security experts from CloudFlare observed a new botnet that emerged in the wild, and it could be as dangerous as its predecessor Mirai.
A security company discovered a botnet that resembles Mirai ("Future") in attack effect (but belongs to a different type); although not as severe as Mirai, it is still very noteworthy. The timing of its attacks was rather special: the day before Thanksgiving! It lasted more than 8 hours, and during the following week it reappeared at almost the same time. The attack peaked at 400Gbps. The affected region was the western United States, rather than Mirai's region, the east.

//END
CloudFlare did not disclose further details of the DDoS attacks; it is not clear if the botnet is composed of IoT devices like Mirai.
The new botnet will likely continue to grow and most experts fear it could be combined with other malicious infrastructure powering unprecedented DDoS attacks.
The security company has not released more technical details, and it is also unclear whether it is caused by IoT devices. Security experts are closely monitoring whether it could be combined with other malicious infrastructure to produce more DDoS attacks.

Comment: Related or not, IoT security is still very important.

Posted 2016-12-6 19:09
4. Titathink fixes buffer overflow vulnerability in IoT cameras
Title: IoT camera crew Titathink tells Reg it'll patch GET bug in a week
Apologises for 'serious mistake' in older kit, says latest things are secure

Author info: 5 Dec 2016 05:03 By Richard Chirgwin

//BEGIN
Titathink has become the second vendor to respond to the modified firmware that exposed a variety of surveillance cameras to a malicious URL attack.
After the DDoS attacks caused by the Mirai ("Future") botnet, IoT security issues have drawn wide attention in the industry. So far at least 2 camera companies have promised to publish announcements of fixed firmware to prevent malicious URL attacks. One of these companies is Titathink.

//END
Apologising for the inconvenience caused by the “serious mistake”, Titathink e-mailed via a spokesperson that its programmers are now troubleshooting the code.
The bug only affects older platforms, the note said: devices using current firmware and chipsets are not affected. The e-mail promises to post new firmware for affected devices within a week.
Titathink said it was very sorry that a serious mistake by its developers led to a serious vulnerability. It said the developers are working hard on a fix, and that this serious problem exists only on the old platform; the new platform has no similar problem. Firmware fixing the problem will be released within a week.

Comment: IoT (Internet of Things) security!

Posted 2016-12-6 19:10
5. Kapustkiy uses SQLi to breach Ecuador's National Assembly
Title: Kapustkiy hacked the National Assembly of Ecuador website

Author info: December 5, 2016 By Pierluigi Paganini

//BEGIN
Kapustkiy has breached the National Assembly of Ecuador and leaked the data via PasteBin. Once again he exploited a SQL injection.
This time, the hacker Kapustkiy, who has appeared many times already, turned his target to the website of the National Assembly of Ecuador in South America. Through a simple SQL injection vulnerability, the hacker dumped the database, masked part of the sensitive information, and published it on a sharing site.

//END
He also hacked the website of the High Commission of Ghana & Fiji in India and the India Regional Council, as well as organizations and embassies across the world.
Recently he hacked the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government, the Paraguay Embassy of Taiwan (www.embapartwroc.com.tw), and the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.
What’s next?
Kapustkiy's previous targets have included several Indian missions abroad, Ghana, Italy, and missions abroad of China's Taiwan region. Who will the next target be?

Comment: Making a specialty of picking on governments and agency representatives around the world?

Posted 2016-12-6 19:10
6. Obama's presidential commission releases cybersecurity recommendations report
{CHN}
Title: Obama's presidential commission releases cybersecurity recommendations report

Author info: 2016-12-05 17:30 By E安全

//BEGIN
E安全 news, December 5: The US Commission on Enhancing National Cybersecurity, at the direction of outgoing President Obama, has released its final cybersecurity recommendations report.
Cybersecurity is a major issue on the agendas of many countries. The US presidential commission recently issued recommendations urging the private sector and public agencies to engage in forward-looking cooperation. The cooperation aims to improve computer network security and hinder the operations of threat actors. The US presidential cybersecurity commission released a "wide-ranging report" on this topic.

//END
The commission made a large number of recommendations for the next administration, including:
•    Integrate international cybersecurity policy and global norms of behavior.
•    Adopt cybersecurity "nutrition labels" for impartial product ratings.
•    The Department of Justice and other agencies should assess the laws on security liability arising from insecure connected devices.
•    Appoint a "cybersecurity ambassador" to lead US engagement with the international community on related strategy, standards, and practices.
•    Work with other countries to develop and promote international cybersecurity standards and conduct.
•    Increase cooperation between government and the private sector to address cybersecurity threats.
•    The State Department, the Department of Homeland Security, and other agencies should support foreign countries on cybersecurity and advocate peacetime cybersecurity norms.

Comment: A cybersecurity ambassador? That position sounds nice ^^ I just wonder where the counterpart ambassadors of other countries would be.