每日安全简讯(20161209)

1、统计表明美国感染勒索软件全球居首
2、勒索软件Petya新变种更名“黄金眼”
3、无文件实体窃密木马August近期活跃
4、开源Web邮件RoundCube发现严重漏洞
5、漏洞预警：ImageMagick远程代码执行
6、阿根廷工业部网站被黑导致数据泄露

【安天】搜集整理（来源：darkreading、securityweek、proofpoint、securityweek、darkzome、softpedia）

1、统计表明美国感染勒索软件全球居首
标题：Las Vegas, Rust Belt, Hit Hardest By Ransomware

作者信息：12/8/2016  08:00 AM By Steve Zurier

//BEGIN
New study by Malwarebytes finds that the US has the most ransomware incidents worldwide.
Turns out you're most likely to get shaken down by ransomware in the Las Vegas/Henderson area, which in the US has the largest number of overall ransomware detections, the most detections per individual machine, and the most detections per population, according to a new study by Malwarebytes.
安全公司发现美国遭受勒索软件的侵害最为严重。具体的地理位置就是拉斯维加斯地区，该地区的总感染数、平均每台机器的感染数以及按照人头计算的感染率等三项指标均高居美国国内榜首。采样数据当然是来自全球所有的国家和地区，时间跨度是今年的7月1日到10月15日这不到3个月的时间内，大约200多个国家和地区就发现了超过40万个勒索软件侵害事件，其中美国作为国家单位占据26%，也就是发生的勒索事件数为：40万*26%=10.4万起。拉斯维加斯地区好像正在成为一个勒索软件的感染温床。原因大致可能有：首先那里的人们即使在工作状态也看起来像是在度假，警惕性好像永远也提不起来，而且大部分都是采用无任何安全防护的WiFi来上网。另外一个原因是该地区的网络安全教育水平相对较低。再加上传统制造业的衰落导致失业率居高不下，很多人无所事事，于是就上网想歪心思。这样就很容易给勒索软件创造极其有利的泛滥条件。


//END
Locky, which was released in February of this year, has risen to become one of the most prolific ransomware attacks of this year, the study says. The rapid increase of Locky’s global footprint so soon after it was released makes it especially scary. On day one of its detection, Locky had already spread to 18 countries. By day two, Locky was in 61 countries, and by day three, 85 countries. After the first month, Locky had spread to 161 countries and right now, Locky has been detected in nearly 200 different countries.
窥一斑而知全豹。这里以勒索软件的典型代表Locky为例，说明其流传的猖狂程度。
勒索软件Locky是今年2月份被发现的，发现的当日感染的国家数量是18个；到了第二天感染的数量就增加到61个；第三天增加到85个；第一个月就已经增加到161个；而当前的国家数量已经几乎遍布全球200多个不同国家和地区。由此可见勒索软件的传播速度之快以及传播范围之广。

//下载： Ransomware detections soar in the United States.pdf (516.53 KB, 下载次数: 791)

2016-12-9 23:43 上传

点击文件名下载附件

文件名：Ransomware detections soar in the United States.pdf
文件大小：528，928 bytes
MD5     : E3AF9C7345E10B6F05EFDB5BBC8D0C4A

点评：对付勒索软件，建议备份备份再备份。

2、勒索软件Petya新变种更名“黄金眼”
标题：Petya Variant Goldeneye Emerges

作者信息：December 08, 2016 By Ionut Arghire

//BEGIN
A variant of the Petya ransomware has emerged recently, which has been renamed to Goldeneye, but shows almost no differences when compared to the original, security researchers warn.
安全专家最近发现了以前的勒索软件Petya的变种，其名称为Goldeneye,但是其实换汤不换药，这两者之间没有大的差别。

//END
The ransom screen displayed by the new variant is almost identical to that used by Petya, with only one change made to it: the word “files” has been
replaced with “harddisks,” Avira reveals. The text color was modified to yellow, after being red in the initial version and green after Mischa came into
play. Goldeneye asks victims to pay a $1,000 ransom and directs users to a Dark Web portal that also includes a support area.
连最后索求赎金的页面也与Petya类似，只是在单词上有所变化：从files（文件）改成了harddisks(硬盘)。当然显示文本的颜色上也有改变：由以前的红色、绿色变成了现在的黄色。赎金1000美元，链接地址指向一个暗网的地址。

点评：对付勒索软件，建议备份备份再备份。

3、无文件实体窃密木马August近期活跃
标题：August in November: New Information Stealer Hits the Scene

作者信息：ECEMBER 07, 2016 By Proofpoint Staff

//BEGIN
Overview
During the month of November, Proofpoint observed multiple campaigns from TA530 - an actor we have noted for their highly personalized campaigns [6] - targeting customer service and managerial staff at retailers. These campaigns utilized “fileless” loading of a relatively new malware called August through the use of Word macros and PowerShell. August contains stealing functionality targeting credentials and sensitive documents from the infected computer.
最近安全专家发现了一个被称为August八月的无实体文件型木马程序，该木马被一个名为TA530的组织所利用，其目标对象就是一些零售商店的个人客户以及其管理人员。该木马想尽一切办法给客户发送带宏的Word文件，并采用Powershell实现无文件自动运行木马主体，该木马运行后，能盗取客户的一些认证信息并盗取客户的重要文档和资料文件。

//END
Conclusion
August is a new information stealer currently being distributed by threat actor TA530 through socially engineered emails with attached malicious documents.
While this actor is largely targeting retailers and manufacturers with large B2C sales operations, August could be used to steal credentials and files in a
wide range of scenarios. The malware itself is obfuscated while the macro used in these distribution campaigns employs a number of evasion techniques and a fileless approach to load the malware via PowerShell. All of these factors increase the difficulty of detection, both at the gateway and the endpoint. As email lures become increasingly sophisticated and personalized, organizations need to rely more heavily on email gateways capable of detecting macros with sandbox evasion built in as well as user education that addresses emails that do not initially look suspicious.
通过社工的方法来传播，吸引不明真相的客户点击附件的可疑文件。不管是在网关级别还是在终端级别检测以上提到这个无文件木马都是比较困难的，原因在于其无穷的变化形式。因为通过邮件引诱客户来点击运行，有时候是利用人的脆弱的心理因素，因此防范几乎不能保证做到100%。但是可以加强对全员的安全教育，而作为企业管理员则更多的需要借助沙箱技术的支撑才能早日发现异常。

点评：终端防护推荐智甲系列。

4、开源Web邮件RoundCube发现严重漏洞
标题：Hackers Can Exploit Roundcube Flaw by Sending an Email

作者信息：December 07, 2016 By Eduard Kovacs

//BEGIN
Researchers discovered that the open source webmail software Roundcube is affected by a critical vulnerability that can be used to execute arbitrary commands on the system simply by sending an email.
开源WEBMAIL软件Roundcube被发现了严重的安全漏洞：只需要发送一个特制邮件，就能在被接受的机器上执行任意命令。

//END
RIPS noted that it had identified dozens of security holes in Roundcube, including code execution, cross-site scripting (XSS), file manipulation, path
traversal, SQL injection, and PHP object injections. However, experts said many of these flaws are less severe as they affect the installation module or dead legacy code.
安全专家在该WEBMAIL平台上发现了多种安全漏洞，包括代码执行、跨站脚本、文件处理、路径回归、SQL注入以及PHP目标注入等等漏洞。但是很多漏洞的级别不像刚才描述的那个那么高。

点评：已经有补丁了，如果用RoundCube就赶紧修补吧。

5、漏洞预警：ImageMagick远程代码执行
{CHN}
标题：【漏洞预警】ImageMagick 远程代码执行 CVE-2016-8707

作者信息：2016年12月6日 By darkzome

//BEGIN
ImageMagick简介
ImageMagick是一套功能强大、稳定而且开源的工具集和开发包，可以用来读、写和处理超过89种基本格式的图片文件，包括流行的TIFF、JPEG、GIF、 PNG、PDF以及PhotoCD等格式。利用ImageMagick，你可以根据web应用程序的需要动态生成图片, 还可以对一个（或一组）图片进行改变大小、旋转、锐化、减色或增加特效等操作，并将操作的结果以相同格式或其它格式保存，对图片的操作，即可以通过命令行进行，也可以用C/C++、Perl、Java、PHP、Python或Ruby编程来完成。同时ImageMagick提供了一个高质量的2D工具包，部分支持SVG。ImageMagic的主要精力集中在性能，减少bug以及提供稳定的API和ABI上。

//END
此漏洞存在于与ImageMagick捆绑的转换实用程序中，它是一个非常受欢迎的软件。 因此，许多web应用程序使用它来解析和转换图像格式。 当尝试缩小Adobe Deflate压缩过的Tiff图像时会出现此漏洞。
该漏洞产生于ImageMagick处理图像内部的压缩数据的方式。保存解压缩所需的数据大小是经过计算，然后传递到 LibTiff 中的，但不足以容纳解压缩流。http://www.talosintelligence.com/reports/TALOS-2016-0216/

点评：补丁好像没有？

6、阿根廷工业部网站被黑导致数据泄露
标题：Argentinian Government Site Suffers Major Breach, Personal Information Exposed UPDATED
Website hacked due to unexpectedly easy-to-guess password

作者信息：Dec 7, 2016 08:10 GMT By Bogdan Popa

//BEGIN
The official website of the Argentinian Ministry of Industry (Ministerio de Produccion) suffered a major breach that exposed not only private documents but also personal information and contact details of a big number of individuals.
又见Kapustkiy黑客！但是对象却变成了阿根廷工业部门的官方网站。该网站的数据已经泄露：私人文档、个人信息以及很多人的联系方式等等。黑客并不是像以前的那样采用SQL注入的方式获得这些数据，而仅仅是猜测出了管理员的账号密码（本文的作者都不好意思公布，怕的是被别用用心的人疯狂利用）！

//END
For the moment, the website is still up and running, but expect IT admins to take it down in the coming days when they acknowledge the breach. Kapustkiy said he was able to download all files they had on their servers after accessing the admin panel, so it’s very clear that site admins need to deal with this as soon as possible.
UPDATE, December 9: It looks like the login link is down, so the site's security team is most likely working to fix the breach. There's still no response
from the administration team, but there's a good chance that they're already aware of the hack and they're now trying to address it either by taking down the admin panel or by using IP filters that block access from outside the country.
截止发稿为止，该涉事网站似乎已经下线，显然管理者们可能发现了蛛丝马迹。但是对黑客的询问还是置若罔闻。希望网站管理者能加强其安全措施：至少管理员的密码应该足够复杂并定期更换，同时也可以设置防火墙策略，以禁止管理员从其境外访问。

点评：Administrator账号的密码也设成Administrator或者123456，就相当于未设置密码！