Daily Security Briefing (20170111)

Posted on 2017-1-10 20:50
Posted on 2017-1-11 19:17
1. The "Merry Christmas" ransomware steals information via malicious code
标题:"Merry Christmas" Ransomware Now Steals User Private Data via DiamondFox Malware

Author info: January 9, 2017 02:05 PM By Catalin Cimpanu

//BEGIN
Recent variants of the "Merry Christmas" ransomware, also known as Merry X-Mas, are also dropping the DiamondFox malware on infected computers, which is used by the ransomware's operators to collect data from infected hosts, such as passwords, sensitive files, and others.
Ransomware now sizes up its victims too: if you are rich, the ransom demanded will be higher; but if you only look rich and are actually broke, the ransom will be lower. The Merry Christmas ransomware has a new variant: it first drops a trojan (a commercial trojan sold on the dark web for 370 dollars) onto the user's computer, and while turning that computer into part of a botnet it also steals the user's login accounts and passwords and looks at the user's financial account information.
People generally assumed that, being a Christmas-themed ransomware, it might be a flash in the pan. But the current developments are clearly impressive: the ransomware keeps changing its tricks and has survived to this day, now switching to a "court summons" theme to scare users into opening the spam attachment that carries the ransomware.


//END
The Merry Christmas family is not the first ransomware threat to add secondary malware payloads to its normal attack routine. In the summer of 2016, security researchers from Kaspersky discovered versions of the Shade (Troldesh) ransomware that downloaded the Teamspy RAT in order to determine and evaluate the type of computer they infected, and decide if to charge a higher sum to unlock files.
In fact this is not the first time ransomware bundled with a trojan has appeared. In the summer of 2016 researchers at a security company already found similar ransomware. The trojan back then already had the ability to assess the user's ability to pay: the rich step forward, the poor stand aside for now. ^^^

Comment: Against ransomware, we recommend the 3B rule of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted on 2017-1-11 19:19
2. Kraken ransomware infects 28,000 MongoDB servers
标题:MongoDB Apocalypse: Professional Ransomware Group Gets Involved, Infections Reach 28K Servers

Author info: January 9, 2017 11:18 AM By Catalin Cimpanu

//BEGIN
The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.
Describing the ransom group Kraken's actions over the past few days as crazy is not an exaggeration at all!
In just 2 days the number of MongoDB servers hit by ransomware surged from over 10,000 to nearly 30,000 (in fact, a week earlier the number of infections was under 2,000, and within a week it reached nearly 30,000): rocket speed. Ransomware is now showing an increasingly professional tendency.
In fact, according to statistics a total of 12 hacker groups are eyeing the databases on MongoDB servers. The reason so many "groups" are eyeing them is simple: these databases are practically exposed in plaintext on the Internet, with system administrators having set no password at all, which amounts to running naked.

//END
As we concluded in our previous piece on this MongoDB debacle, these attacks might end up being a turning point in MongoDB's history, being hard to imagine that database administrators might expose their MongoDB instances online after these high-profile ransom attacks.
Even after paying the ransom, a sizable share of users failed to get their databases back.
Given the current momentum of attacks and extortion against MongoDB databases, their ultimate fate remains to be seen; let us wait and see. Extortion on such a large scale has already happened, and if administrators still do nothing, the ending is perhaps predictable.

Comment: Against ransomware, we recommend the 3B rule of backup, backup and backup again: Backup, Backup, Backup (Beifen, Beifen, Beifen).

Posted on 2017-1-11 19:21
3. Security vendor finds Shamoon 2 variant targeting virtualization products
标题:Shamoon 2 Variant Targets Virtualization Products

Author info: January 10, 2017 By Eduard Kovacs

//BEGIN
A second variant of the Shamoon 2 malware discovered by researchers at Palo Alto Networks has been set up to target virtualization products, likely in an effort to increase the impact of the attack and make recovery more difficult for targeted organizations.
Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to Saudi Arabian petroleum and natural gas company Saudi Aramco. A newer version of the threat, dubbed Shamoon 2, was recently used to target various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA), which has downplayed the impact of the attack.
The malicious trojan Shamoon 2, which completely wipes the hard-disk data of virtualization products, has a new variant; these wipe operations work directly at the disk level, making it harder for the targeted victims to recover their systems and making the impact more far-reaching. It has in fact been circulating since 2012, when it mainly targeted 35,000 computers of Saudi oil and natural gas companies. The new variant targets another department of that country: the General Authority of Civil Aviation.

//END
“VDI solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems. Also, since FusionCloud systems run a Linux operating system, which would not be susceptible to wiping by the Windows-only Disttrack malware, this could be seen as a reasonable countermeasure against attacks like Shamoon,” Palo Alto Networks’ Robert Falcone wrote in a blog post.
“However, if the attacker was able to log into the VDI management interfaces using the account credentials they could manually carry out destructive activities against the VDI deployment, as well as any snapshot,” Falcone added.
The virtualization product targeted by this trojan is the virtual desktop infrastructure (VDI) product from China's Huawei, specifically FusionCloud. Since FusionCloud's architecture is based on Linux, while the Shamoon 2 malicious code is aimed at Windows systems, this factor naturally creates an obstacle. However, since the default login passwords of virtualization products can easily be obtained by malware authors, these malicious authors still have plenty of tricks for achieving their destructive goals.


Comment: Not following the fashion, no extortion, just wiping the disk outright. This trojan is really dangerous.

Posted on 2017-1-11 19:23
4. Turkish energy minister says power outages are linked to cyber attacks
标题:Recent power outages in Turkey were also caused by cyber attacks

Author info: January 9, 2017 By Pierluigi Paganini

//BEGIN
Turkish Energy Minister Berat Albayrak believes that power outages in Istanbul and other areas in Turkey have also been caused by cyber attacks.
According to Turkish Energy Minister Berat Albayrak, Istanbul and other areas in Turkey have been experiencing power outages since last week. The power outages were caused by sabotage of underground powerlines and cyberattacks originating in the US.
“Yesterday, we faced an intense, US-originated cyber attack. These attacks have been carried out systematically on different parts of the Energy Ministry, but we have repelled them all,” explained the Turkish Energy Minister in an interview with A Haber TV.
The Turkish energy minister said that last week's power outages in the country's capital and other regions were related to cyber attacks, and that these attacks came from the US. These cyber attacks were very capable and lasted a long time, clearly prepared systematically, but they were all repelled! However, perhaps by coincidence, the country's capital and some regions suffered a severe natural disaster at the same time: a blizzard.

//END
Some prominent experts believe that Turkish authorities are facing sabotage and problems with legacy infrastructure, using "cyber" as a scapegoat for the situation.
Some senior experts say it may also be that cyber attacks were made the scapegoat, when in fact it was nothing more than natural, bad weather that caused the blackout.

Comment: Both natural disasters and man-made ones are deadly. But the former can only be predicted and mitigated, while the latter can not only be predicted but also prevented!

Posted on 2017-1-11 19:24
5. Hello Kitty parent company hacked, 3.3 million user records leaked
标题:Hello Kitty Database of 3.3 Million Breached Credentials Surfaces

Author info: January 9, 2017 2:41 pm By Tom Spring

//BEGIN
A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend.
The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured MongoDB installation that was discovered by security researcher Chris Vickery.
The database of Sanrio, parent company of the famous Hello Kitty, leaked 3.3 million user records.
In fact the breach report was already published in December 2015, but at the time Sanrio denied the breach. The leaked database was the result of a misconfigured MongoDB database.

//END
Owners of misconfigured MongoDB have recently been hit hard with a rash of breaches where criminals delete databases and demand a ransom in return for data. Over the last two weeks the number of incidents of MongoDB hijacked for ransom jumped from 200 in December to 2,000 early last week. According to the latest report by Cisco System's Continuum blog, the number of hijacked databases reached 27,000 on Monday.
Due to misconfiguration, MongoDB databases are exposed in plaintext on the net. The number of MongoDB databases taken over has surged.

Comment: Related to item 2; both are MongoDB database leaks!
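The root cause that this item and item 2 both point at is the same: a MongoDB instance reachable from the Internet with no authorization configured. The following added example (not from either article, nor from MongoDB's own tooling) is a small Python audit that parses a mongod.conf and flags exactly that combination, so an administrator can check a config file before the instance ever goes online. The two sample configs are constructed for the demonstration; net.bindIp and security.authorization are the real mongod.conf keys.

```python
"""Audit a mongod.conf for the misconfiguration behind the ransom wave:
an instance listening on every interface with authorization switched off.

Added example for this digest (not from either article or from MongoDB).
The two sample configs are constructed; the config keys net.bindIp and
security.authorization are real mongod.conf settings."""

from dataclasses import dataclass

# --- constructed sample configs -------------------------------------------

WEAK_CONF = """\
# constructed sample: the state that let anyone on the Internet drop the data
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: loopback only, and every client must authenticate
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


@dataclass
class Finding:
    severity: str
    message: str


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' subset that mongod.conf
    uses, so the audit has no dependency on PyYAML.  Comments are stripped;
    structures nested deeper than two levels are not supported."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


LOOPBACK_PREFIXES = ("127.", "::1", "localhost")


def audit(conf):
    """Return the findings for a parsed config, the worst one last."""
    findings = []
    net = conf.get("net", {})
    sec = conf.get("security", {})

    bind_ip = net.get("bindIp")
    if bind_ip is None:
        # Before MongoDB 3.6 the binary bound to all interfaces unless told
        # otherwise; only the packaged mongod.conf kept it on loopback.
        exposed = True
        findings.append(Finding("medium", "net.bindIp unset; mongod < 3.6 listens on every interface by default"))
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        exposed = any(a in ("0.0.0.0", "::") or not a.startswith(LOOPBACK_PREFIXES) for a in addrs)
        if exposed:
            findings.append(Finding("high", f"net.bindIp={bind_ip!r} is reachable beyond loopback"))

    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append(Finding("high", "security.authorization is not 'enabled'; any client that connects has full access"))

    if exposed and not auth_on:
        findings.append(Finding("critical", "network-reachable and unauthenticated: the combination hit by the January 2017 ransom wave"))
    return findings


def is_ransom_exposed(conf_text):
    """True when the config text has the critical exposed-and-unauthenticated combination."""
    return any(f.severity == "critical" for f in audit(parse_simple_yaml(conf_text)))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit(parse_simple_yaml(text)) or [Finding("ok", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

Run it against your own mongod.conf by reading the file into `is_ransom_exposed`; a `critical` finding means the instance is in the same state as the servers wiped in these two items, and the fix is the pair of settings shown in the hardened sample (bind to loopback or a private address, and enable authorization before creating any users).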

Posted on 2017-1-11 19:26
6. Experts warn: V-sign photos may let hackers steal fingerprints
{CHN}
Title: Japanese expert warns: posing with a V sign for photos is dangerous; fingerprints may be stolen

Author info: 2017-01-10 14:15:59 By cnBeta

//BEGIN
According to Japanese media, a professor at Japan's National Institute of Informatics recently reminded netizens that making a V sign when being photographed may well allow fingerprints to be stolen. The report says that if photos showing both the face and the hands are posted online, the owner of the fingerprints is even more likely to be identified, and for celebrities whose photos are widely exposed the risk of fingerprint information being stolen is even higher.

//END
In addition, besides fingerprints, facial and iris recognition are also used for phone authentication and the like. Some government agencies and companies also use this information for attendance management. Previously, obtaining a person's biometric information required getting close to the person to take pictures. But recently some biometric information has been circulating online, greatly lowering the bar for criminals.
In an experiment, the National Institute of Informatics read fingerprint information from a single photo taken from three meters away; making a V sign when photographed makes them easy to steal. Professor Isao Echizen of the National Institute of Informatics urged: fingerprints and other biometric information cannot be changed in a person's lifetime, and he hopes to alert everyone to protect themselves.

Comment: Wear a mask for photos from now on?