Daily Security Briefing (20161219)

Posted 2016-12-18 21:39
Posted 2016-12-19 18:10
1. The Odinaff Trojan is behind financial attacks in Turkey
Title: Odinaff Trojan behind financial attacks mostly in Turkey

Author info: December 17, 2016  By Pierluigi Paganini

//BEGIN
Akbank, one of the largest Turkish banks seems to be the latest victim of the Odinaff trojan, a threat similar to the Carbanak malware.
Akbank, one of Turkey's best-known and largest listed banks with 14,000 employees, was recently hit by the Odinaff Trojan; its tradecraft is probably similar to that of the previously exposed Carbanak.
Although the details have not yet been made public, from the few that have been released the attack succeeded mainly because employees were hit by phishing e-mails, using the traditional approach of a DOC document with a malicious macro embedded in it.
Nothing special so far. But what came next deserves attention: the Trojan did not rush to open fire on all fronts; it first brought out some harmless or lightweight weapons, such as the process-viewing tool PsExec, the network scanner NetScan, the free remote desktop software Ammyy and the lightweight Windows password tool Mimikatz. The point of this is to lull ordinary lines of defense: most of these protection systems scan and inspect mainly unknown and newly appearing files.

//END
The vast majority of Odinaff attacks were against financial targets (34%); experts observed a small number of attacks also against organizations in the securities, legal, healthcare, and government sectors.
“Around 60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.” explained Symantec.
For further details, including the Indicators of compromise, take a look at the analysis published by Symantec.
Most of the Trojan's targets are in the financial sector, with a small share in securities, legal, health and healthcare, and government departments.

Comment: The Trojan only has eyes for money, whatever country it comes from; and naturally, whoever is easiest to crack gets tried first.
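Added example (not part of the original post or of Symantec's analysis): a Python detector for the tool chain the item describes, run over a few constructed process-creation log lines. The log layout, the host names and the command-line fingerprints used for PsExec, NetScan, Ammyy Admin and Mimikatz are assumptions made for this example. The point it shows is that one dual-use tool is ordinary admin noise, while several of them on a single workstation within a short window is the pattern worth alerting on, even after the binaries have been renamed.

```python
"""Spot 'living off the land' tooling in process-creation logs.

Added example, not from the briefing or from Symantec's report. The log format,
host names and the specific command-line fingerprints are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One entry per dual-use tool: a regex for the image (file) name and an optional
# regex for command-line syntax. The second one matters most: an attacker can rename
# psexec.exe to svc.exe in seconds, but "\\TARGET -s cmd.exe" still has to be typed.
DUAL_USE_TOOLS = {
    "psexec":   (re.compile(r"psexec(64)?\.exe", re.I),
                 re.compile(r"\\\\\S+\s+(-s|-u|-c|cmd)", re.I)),
    "netscan":  (re.compile(r"netscan\.exe", re.I), None),
    "ammyy":    (re.compile(r"(aa_v\d+|ammyy)\.exe", re.I), None),
    "mimikatz": (re.compile(r"mimikatz\.exe", re.I),
                 re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
}

# Constructed log line layout (not Sysmon's or any product's real format):
# <ISO timestamp> host=<name> user=<domain\user> image=<full path> cmdline="<args>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>.*)"$'
)


def parse_event(line):
    """Return the event as a dict with a datetime 'ts', or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def classify(image, cmdline):
    """Name of the dual-use tool this event looks like, or None.

    Matches the image basename first, then the command-line fingerprint, so a
    renamed binary is still caught as long as its argument syntax survives."""
    basename = image.rsplit("\\", 1)[-1]
    for name, (image_re, cmd_re) in DUAL_USE_TOOLS.items():
        if image_re.fullmatch(basename) or (cmd_re and cmd_re.search(cmdline)):
            return name
    return None


def detect_tool_chains(log_text, window=timedelta(hours=1), min_tools=2):
    """Return {host: sorted tool names} for hosts on which at least `min_tools`
    distinct dual-use tools ran within `window` of each other.

    A single PsExec on an admin box is normal; PsExec + a network scanner +
    Mimikatz + a remote-desktop tool on one finance workstation within an hour
    is the pattern the briefing describes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        tool = classify(ev["image"], ev["cmd"])
        if tool:
            hits[ev["host"]].append((ev["ts"], tool))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tools = {tool for ts, tool in events[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                alerts[host] = sorted(tools)
                break
    return alerts


# Constructed sample: one compromised finance workstation running renamed tools,
# one administrator using PsExec legitimately, one unrelated process.
SAMPLE_LOG = r"""
2016-12-15T09:41:03 host=FIN-WS12 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\svc.exe cmdline="svc.exe \\FIN-SRV01 -s cmd.exe"
2016-12-15T09:52:17 host=FIN-WS12 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\netscan.exe cmdline="netscan.exe /range:10.20.0.0/24"
2016-12-15T10:05:44 host=FIN-WS12 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords exit"
2016-12-15T10:07:01 host=FIN-WS12 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\AA_v3.exe cmdline="AA_v3.exe -service"
2016-12-15T11:30:00 host=IT-ADMIN01 user=CORP\admin image=C:\Tools\PsExec.exe cmdline="PsExec.exe \\HR-SRV02 -s ipconfig"
2016-12-15T12:00:00 host=HR-WS03 user=CORP\asmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe budget.txt"
"""

if __name__ == "__main__":
    for host, tools in detect_tool_chains(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(tools)}")  # FIN-WS12: ammyy, mimikatz, netscan, psexec
```

Only FIN-WS12 is reported: three of its four tools were renamed and are caught on command-line syntax alone, while IT-ADMIN01's single, genuine PsExec stays below the threshold. In a real deployment the image regexes would also be backed by file hashes, and the window and threshold tuned against the organisation's own admin baseline.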
Posted 2016-12-19 18:11
2. The TrickBot Trojan mainly targets several Southeast Asian countries
Title: Dyre Gang Takes TrickBot Trojan to Asia

Author info: December 17, 2016 By Ionut Arghire

//BEGIN
TrickBot, the Dyre-linked Trojan that emerged in October 2016, is now targeting users in Singapore, India and Malaysia, IBM X-Force security researchers warn.
Trojan name: TrickBot
Trojan group: Dyre
Latest discovery: October 2016
Latest target countries: Singapore, India and Malaysia; the 2014 targets were New Zealand, Germany, the UK, the US, Australia, Spain and others.
Main tactic: build convincing fake bank websites that lure users into entering their personal information, bank credentials, and even two-factor authentication codes and data.

//END
“This attack is most often identified with the resources and capabilities of organized cybergangs that have in-house developers, such as the Dridex crew, because of the extra setup, preparation and maintenance of unique site replicas for each target,” the IBM X-Force researchers say.
The researchers say that nobody without real capability could pull off this Trojan and these sites; there has to be a sizeable team behind them. Building the sites takes a team to plan, prepare, design and maintain these "bank" sites, and each target needs its own set, with no mixing between them.

Comment: No matter how convincing the fake, it is still a fake; users should keep their eyes open.
Posted 2016-12-19 18:11
3. The massive Mirai botnet hides its control servers on Tor
Title: Massive Mirai Botnet Hides Its Control Servers On Tor

Author info: Saturday December 17, 2016 06:34PM By the catch-me-if-you-can dept (brash handle: "come and catch me if you can")

//BEGIN
"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes:
Level3 and others have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom. The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.
The operator of the nearly shut-down Mirai botnet used DGA-generated random domain names, which makes the domains it lives on hard to pin down. This Mirai botnet's exploits need no further publicity here.

//END
Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.
Now, to further evade pursuit by security firms and law enforcement, the Mirai botnet's operator plans to move its C&C servers to the anonymity network Tor. That will make it even harder to shut down.

Comment: Some have already written that Mirai is dead, but from the look of it, it will keep thrashing for a good while yet.
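Added example (not part of the original post or of the Bleeping Computer article, and not the real Mirai variant's DGA, which the page does not describe): a Python script that scores the registrable label of each queried name in resolver logs for DGA-likeness and flags clients that collected a burst of NXDOMAIN answers for such names. The log format, the heuristic's weights and every domain name below are constructed for the example.

```python
"""Flag hosts that look like they are walking a DGA domain list.

Added example, not from the briefing or from Bleeping Computer's reporting, and
not the real Mirai variant's algorithm (the page does not describe it). The
resolver log format and all domain names below are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed line layout: "<timestamp> <client ip> <queried name> <rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)
VOWELS = set("aeiou")


def registrable_label(qname):
    """'cdn.example.com.' -> 'example'. Assumes a one-label public suffix;
    production code should consult the Public Suffix List so 'foo.co.uk' -> 'foo'."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_nonvowel_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(label):
    """Heuristic in [0, 1]. Algorithmically generated labels tend to be
    vowel-poor, have near-maximal character entropy and long consonant/digit
    runs; labels built from dictionary words do not. The weights are a
    constructed starting point, not a tuned model."""
    n = len(label)
    if n < 6:
        return 0.0
    norm_entropy = shannon_entropy(label) / math.log2(n)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    run = longest_nonvowel_run(label)
    return round(0.3 * norm_entropy
                 + 0.4 * (1.0 - min(vowel_ratio * 2.5, 1.0))
                 + 0.3 * min(run / 5, 1.0), 3)


def find_dga_clients(log_text, score_threshold=0.7, min_domains=5):
    """Return {client: sorted labels} for clients that queried at least
    `min_domains` distinct DGA-looking registrable labels that came back NXDOMAIN.

    A bot walking a generated list gets NXDOMAIN for every name the operator
    never registered; the lone NOERROR among them is the live C&C to block."""
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = registrable_label(m["qname"])
        if m["rcode"] == "NXDOMAIN" and dga_score(label) >= score_threshold:
            suspects[m["client"]].add(label)
    return {ip: sorted(labels) for ip, labels in suspects.items()
            if len(labels) >= min_domains}


# Constructed sample: 192.0.2.17 behaves like an infected IoT device walking its
# list; 192.0.2.5 is an ordinary workstation with one typo and one internal name.
SAMPLE_LOG = """
2016-12-17T03:00:01 192.0.2.17 xkq7vzp2mtrw.example NXDOMAIN
2016-12-17T03:00:02 192.0.2.17 zqhgvbtkx3lp.example NXDOMAIN
2016-12-17T03:00:03 192.0.2.17 wrjk9tnpsdxz.example NXDOMAIN
2016-12-17T03:00:04 192.0.2.17 bvcxz4qwrtyp.example NXDOMAIN
2016-12-17T03:00:05 192.0.2.17 mnbq8kjhgfds.example NXDOMAIN
2016-12-17T03:00:06 192.0.2.17 plkj6hgfdszq.example NOERROR
2016-12-17T03:01:10 192.0.2.5 www.google.com NOERROR
2016-12-17T03:01:11 192.0.2.5 update.microsoft.com NOERROR
2016-12-17T03:01:12 192.0.2.5 www.gooogle.com NXDOMAIN
2016-12-17T03:01:13 192.0.2.5 intranet.corp.local NXDOMAIN
"""

if __name__ == "__main__":
    for client, labels in find_dga_clients(SAMPLE_LOG).items():
        print(client, labels)  # 192.0.2.17 with its five unregistered names
```

The NXDOMAIN burst is what gives the bot away; the one generated name that resolves is the live C&C. Once the C&C moves to a .onion address, as the item says the operator intends, the lookup side goes quiet, since .onion names are never resolved through DNS, and detection has to move to the device's Tor connections themselves.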
Posted 2016-12-19 18:12
4. The leaked Yahoo data on one billion accounts has already found a buyer on the dark web
Title: Yahoo data is for sale on Dark Web, and someone has already bought them

Author info: December 17, 2016  By Pierluigi Paganini

//BEGIN
According to Andrew Komarov, Chief Intelligence Officer (CIO) at security firm InfoArmor, the Yahoo database was sold for $300,000 on the dark web.
According to a security firm's monitoring, the previously leaked Yahoo data on one billion accounts has already sold on the dark web for USD 300,000. Right after that, however, its asking price dropped to USD 20,000.
The leaked data includes usernames, address information, phone numbers, password hashes, and security questions with their answers.
The security firm passed the information to military and national law-enforcement agencies in parts of the world, including the US, Australia, Canada, the UK and the EU, but not directly to the victim, Yahoo, because of Yahoo's arrogance: it had brushed off the firm's report delivered through an intermediary.


//END
The NYT also reported Mr. Komarov’s declaration that highlights the importance of the stolen data in a cyber espionage campaign.
“Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands,” Komarov was quoted as saying. “The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge.”
Yahoo users are urged to reset their passwords and change their security questions asap.
Yahoo users are being urged to change their passwords and security-question answers as soon as possible; their privacy may have been exposed for a long time without their noticing.

Comment: Arrogance is a common ailment of internet giants, and they often pay the price for it.
Posted 2016-12-19 18:13
5. Sports portal Bleacher Report suffers a data breach
Title: Bleacher Report Suffers Data Breach as "Unauthorized Party" Accesses User Data

Author info: December 17, 2016 12:35 PM By Catalin Cimpanu

//BEGIN
Sports news portal Bleacher Report announced today a security breach that affected readers that signed up for accounts on the site.
At the time of writing the number of affected users is unknown, and a request for comment from Bleeping Computer was not returned at the time of publishing.
According to an email sent out by the sports news site, "an unauthorized party gained access to certain files containing limited Bleacher Report user information."
The well-known sports portal Bleacher Report has just been revealed to have suffered a security breach; its registered users' information may have leaked, but the exact number is so far unknown.


//END
Site asking users to reset passwords
The company is now in the process of notifying users, asking them to reset passwords. If users don't reset passwords on their own, after three days, the Bleacher Report admins will force a password reset for affected accounts automatically.
Password reuse is a problem in our times because users have to manage hundreds of different online identities. Bleacher Report users that reused the same password on other sites are advised to change the passwords on those services as well.
Hacked information often exchanges hands, and unscrupulous parties often attempt to take over other online accounts knowing that the vast majority of users engage in password reuse practices.
The site strongly advises users to change their passwords promptly to protect themselves. As one safeguard, users who have not changed it within three days will be forced to change it on their next login.
But reuse of one password in many places is the hardest problem to guard against, so users are advised not to use the same password across multiple sites or logins, however complex and strong that password is.
Hackers trade the databases they get hold of, so users of other sites can get caught in the crossfire through the shared pool of passwords.

Comment: Why does this feel like a watering-hole attack?!
Posted 2016-12-19 18:14
6. The UK government publishes its annual national security strategy report
{CHN}
Title: UK publishes annual national security strategy report; cyber security to be a top priority

Author info: 2016-12-18 By Alpha_h4ck

//BEGIN
According to the latest foreign media reports, the UK government recently published its first annual national security strategy report of 2016, describing in detail how the UK's national security strategy was implemented in 2015.

//END
The national cyber security strategy report published this time also devotes a dedicated discussion to "how to tackle cybercrime": law enforcement will work closely with private enterprise, and the government's capacity to deal with cybercrime will be raised, as the UK government is trying to tackle abuse of the "dark web".

//Download: national_security_strategy_strategic_defence_security_review_annual_report_2016.pdf (869.15 KB)
File name: national_security_strategy_strategic_defence_security_review_annual_report_2016.pdf
File size: 890,012 bytes
MD5     : EEA3F8988ED5371C6BD3018940834F6A

Comment: Protecting ordinary internet users, keeping Britain prosperous (after Brexit) and expanding its international influence are the report's three core themes, with 89 specific work items in all!