创意安天

Daily Security Briefing (20170227)

Posted 2017-2-26 20:42
Posted 2017-2-28 22:03
1. Researchers find HWP-format documents used in targeted cyber attacks
Title: Targeted Malware Campaign Uses HWP Documents

Author info: February 25, 2017 By Ionut Arghire

//BEGIN
A recently observed targeted malware campaign against South Korean users was using Hangul Word Processor (HWP) documents as the infection vector, Talos researchers reveal.

HWP stands for Hangul Word Processor; it is the document file extension of the Korean word-processing software.

Security researchers recently discovered a cyber attack that specifically uses HWP documents. Its defining feature is that the documents sent are in hwp format, a format widely used only on the Korean peninsula.

//END
Responding to a SecurityWeek inquiry via email, a Talos representative said they couldn’t attribute the attacks to a specific actor: “The attackers had access to native Korean speakers and have a high degree of sophistication. However, any conjecture about what specific group or nation state might be behind the attack is pure speculation as the patterns are consistent with a few groups”.
Many people may already be guessing who is really behind this. But the security researchers say the malware is sophisticated, and attributing it to a particular group right now may be premature.

Comment: Are there attacks that use WPS-format documents?
Posted 2017-2-28 22:05
2. Security team reveals technical details of the Shamoon 2 malware attacks
Title: Shamoon 2 malware, ASERT has shed light on the C2 and the infection process

Author info: February 26, 2017 By Pierluigi Paganini

//BEGIN
The analysis conducted by Arbor Networks on the Shamoon 2 malware has shed light on the control infrastructure and the infection process.
Security researchers from Arbor Networks’ Security Engineering and Response Team (ASERT) have conducted a new analysis of the Shamoon 2 malware discovering further details on the tools and techniques used by the threat actor.
Security company Arbor Networks discovered Shamoon 2, a variant of the Shamoon malware, and published a detailed analysis report revealing its C2 server architecture and the full infection process, shedding new light on the tools and techniques it uses. This new variant, Shamoon 2, was first discovered in November of last year. Another security company, Palo Alto Networks, found a further variant of the malware this January, one that can attack virtualization products. Shamoon itself first surfaced back in 2012; it is also known as Disttrack, and its initial target was the Saudi Arabian oil giant Saudi Aramco. Its most notable feature at the time was its ability to completely wipe the data on the hard drives of infected systems. It reportedly destroyed the data on about 30,000 computers, and it also modified the boot process of infected machines so that an image of a burning American flag was displayed as soon as an infected machine started up.
The Shamoon 2 variant analyzed in this report targets petrochemical companies and the Saudi central bank.
The malware's delivery still follows the classic route of using a DOC document as cover: once the user opens the document, they are lured into enabling the macros it contains. Once the macros are enabled, PowerShell is used to download the real Shamoon 2 malware.

//END
Another piece of evidence that links Shamoon 2 malware to Iranian hackers was a “sloo.exe” file dumped by the malicious code in a targeted PC’s Temp folder.
“Unlike newer samples, this one created a unique file ‘sloo.exe’. The file was created at C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. In addition to this file, the sample also contacted 104.238.184[.]252 for the PowerShell executable.” reads the technical analysis published by Arbor Networks.
According to the analysis by Arbor Networks' security researchers, the actors behind the Shamoon 2 malware are a hacker team from Iran. One piece of file evidence is a file named sloo.exe that was found saved in the temp directory: C:\Documents and Settings\Admin\Local Settings\Temp\sloo.exe. Besides this file, the sample also connected to a server at the IP 104.238.184.252.

Comment: This Shamoon malware keeps drawing attention:
Some related links:
[20170201] 1. Security vendor finds Shamoon malware targeting Saudi organizations
[20170129] 1. Security vendor analyzes the Shamoon attack group's complete operational process
[20170126] 4. Stolen certificate used by Shamoon suspected to have been supplied by the Greenbug group
[20170111] 3. Security vendor finds Shamoon 2 variant targeting virtualization products
[20161206] 2. Security vendor publishes Shamoon 2 malware analysis report
[20161203] 3. Shamoon group uses malware to wipe target hosts
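An added example, not from the Arbor report or the article above: detection logic for the delivery chain just described (Office document, enabled macro, PowerShell fetching the payload), run over constructed Sysmon-style process-creation events. The host names, paths, command lines and field names are assumptions made for this example.

```python
# Constructed process-creation events in a Sysmon Event ID 1 style; the
# hosts, paths and command lines are made up for this example.
EVENTS = [
    {"host": "fin-ws01",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc ZZZZplaceholderZZZZ"},
    {"host": "fin-ws01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -File C:\scripts\inventory.ps1"},
    {"host": "fin-ws02",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a macro-launched downloader stage.
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    # Returns the list of reasons an event looks like the macro-to-
    # PowerShell stage; an empty list means nothing matched.
    reasons = []
    if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SCRIPT_HOSTS:
        reasons.append("office-spawned script host")
    cmdline = ev["cmdline"].lower()
    reasons += [f"arg:{a}" for a in SUSPICIOUS_ARGS if a in cmdline]
    return reasons

def find_macro_droppers(events):
    # Alert only on the parent/child relationship; the argument hits are
    # carried along as context for the analyst.
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "office-spawned script host" in reasons:
            hits.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return hits
```

Calling `find_macro_droppers(EVENTS)` returns only the first event: the admin-run inventory script shares the `-nop` flag but has a benign parent, and the Word print helper has an Office parent but is not a script host.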
Posted 2017-2-28 22:06
3. WebKit's version control system becomes the first victim of the SHA1 collision attack
{CHN}
Title: The first victim of the SHA1 collision attack: WebKit's version control system

Author info: 2017-02-26 15:11 Sunday By pigsrollaroundinthem

//BEGIN
The SHA1 collision attack has claimed its first victim: Apache SVN (Subversion), the open-source version control system used by the WebKit project. After someone uploaded the two PDF files published by Google that have the same SHA1 value but different contents, the version control system ran into serious problems. SVN uses SHA1 to track and merge duplicate files. The SVN maintainers have released a script that rejects the PDF files generated by the SHA1 collision attack. Meanwhile, Linus Torvalds, the author of the Git version control system, said on his Google+ account that the sky has not fallen: Git does need to replace SHA1, but that will take time and does not need to be done right now.

//END
Watershed SHA1 collision just broke the WebKit repository, others may follow
"Please exercise care" with colliding PDFs, researchers advise software developers.
DAN GOODIN - 2/25/2017, 4:28 AM
https://arstechnica.com/security ... -others-may-follow/
Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.
The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.

Comment: Is the SHA1 event really a watershed?
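An added illustration, not code from the article or from the SVN project, of why a store that deduplicates files by digest breaks when two different files share a digest, and of the check that prevents it. Since the SHAttered PDFs are not embedded here, the collision is produced with a constructed weak hash (the first byte of SHA-1); the class and function names are assumptions.

```python
import hashlib

# Constructed weak hash (first byte of SHA-1) so a collision is cheap to
# produce offline; with real SHA-1 the SHAttered PDFs play this role.
WEAK_HASH = lambda b: hashlib.sha1(b).hexdigest()[:2]

def find_weak_collision(hash_fn, prefix=b"demo-file-"):
    # Brute-force two different blobs with the same digest under hash_fn.
    seen = {}
    for i in range(100000):
        data = prefix + str(i).encode()
        d = hash_fn(data)
        if d in seen:
            return seen[d], data
        seen[d] = data
    raise RuntimeError("no collision found")

class DedupStore:
    def __init__(self, hash_fn=WEAK_HASH):
        self.hash_fn, self.blobs = hash_fn, {}  # digest -> bytes

    def put_unsafe(self, data):
        # Trusts the digest as identity: a colliding blob dedups to whatever
        # was stored first, so the second file reads back as the first.
        d = self.hash_fn(data)
        self.blobs.setdefault(d, data)
        return d

    def put_safe(self, data):
        # Same digest, different bytes: refuse it rather than corrupt the store.
        d = self.hash_fn(data)
        if d in self.blobs and self.blobs[d] != data:
            raise ValueError(f"digest collision on {d}: refusing blob")
        self.blobs[d] = data
        return d

def demo(hash_fn=WEAK_HASH):
    # Returns (second file corrupted by put_unsafe, refused by put_safe).
    a, b = find_weak_collision(hash_fn)
    unsafe = DedupStore(hash_fn)
    unsafe.put_unsafe(a)
    corrupted = unsafe.blobs[unsafe.put_unsafe(b)] != b
    safe = DedupStore(hash_fn)
    safe.put_safe(a)
    try:
        safe.put_safe(b)
        return corrupted, False
    except ValueError:
        return corrupted, True
```

`demo()` returns `(True, True)`: the digest-only store silently replaces the second file with the first, while the byte-comparing store refuses the colliding blob.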
Posted 2017-2-28 22:07
4. Carding forum claims to hold 150 million CloudBleed-leaked records
Title: Carders capitalize on Cloudflare problems, claim 150 million logins for sale
Filed under proof or it didn't happen… but we still don't know the full impact of Cloudflare's incident

Author info: FEB 25, 2017 12:25 AM PT By Steve Ragan

//BEGIN
A carder forum is advertising a special deal to VIP members. The website claims to possess more than 150 million logins, from a number of services including Netflix and Uber. The source of this data collection are the accounts exposed due to a recent problem on Cloudflare's infrastructure.
CloudBleed is the name given to a flaw created by a faulty HTML parser chain that's responsible for dumping sensitive information from a number of Cloudflare customers across the web.
The flaw was accidentally discovered last week by Google researcher Tavis Ormandy. The incident impacted several large brands, including Uber, OKCupid, and Fitbit.
On a carding forum, someone is offering 150 million CloudBleed-leaked records specifically to its VIP members; the data is said to cover services including Netflix and Uber. Strangely, though, Netflix is not a Cloudflare customer.

//END
CVV2Finder lists Netflix, Dominos, several "People Meet" dating websites, Tidal, CBS, Bitdefender, Origin, Dell, UPS, HBO Now, Spotify, and DirecTV accounts in their database as available to purchase. However, there are only 2,300 accounts, a far cry from the 150 million they are promising.
Again, if the offer is legit, that's bad news for a lot of people and several big brands. But from the looks of things, this is likely a hoax, or a website boasting in order to get more users.
We'll update this article if there is more information.
A website, CVV2Finder, lists data from a variety of sites as included. On the list: Netflix, Dominos, various dating sites, Tidal, CBS, Bitdefender (a security company), Origin, Dell, UPS, HBO Now, Spotify, DirecTV and others. The total is 2,300 accounts, a far cry from the advertised 150 million.
Even so, if the data is genuine, it will be a nightmare for many of us and for the big-brand companies. From the look of it right now, this seems very much like a hoax riding on the CloudBleed theme; otherwise it would be too much of a coincidence.

Comment: Does CloudBleed mean everyone gets a share?
Posted 2017-2-28 22:08
5. Hacker group NHA attacks UK hosting firm, affecting more than six hundred websites
Title: Hacker Group Defaces Hundreds of Websites After Hacking UK Hosting Firm

Author info: February 25, 2017 06:05 PM By Catalin Cimpanu

//BEGIN
A hacking crew that goes by the name of National Hackers Agency (NHA) has defaced 605 websites in one go after they managed to get access to a server from UK hosting firm DomainMonster.

NHA is short for National Hackers Agency, obviously copied from National Security Agency.

A hacker group calling itself NHA hacked 605 websites in one go, all of them hosted with a UK-based service provider named DomainMonster (whose main business covers domain registration, website building and web hosting). The defacement of these six hundred-odd websites happened last Tuesday, February 21. The affected customers were understandably angry; the company, though reluctant, grudgingly confirmed the breach, but claimed that normal access was restored quickly. No newly defaced sites have appeared so far; whether that is because the company really took measures and patched the vulnerability, or because the hackers stopped on their own, is unknown. With so many sites taken down at once, one can imagine that a lot of private data was stolen, which will presumably be sold on underground forums before long.

//END
During the past month, multiple hacking crews have used a security flaw in the WordPress CMS to deface over 1.5 million web pages, and even escalate their access enough to install backdoors and take over servers.
Last month, multiple hacker groups exploited a vulnerability in the WordPress CMS to hack more than 1.5 million websites; some sites were also taken over and had backdoors installed. The hackers can remotely control these compromised servers.

Comment: When will website defacements ever end!
Posted 2017-2-28 22:10
6. Survey shows 70% believe cyber threats seriously affect industrial control security
Title: US Oil and Gas Industry unprepared to mitigate risks in operational technology (OT) environments

Author info: February 26, 2017 By Pierluigi Paganini

//BEGIN
A study commissioned by Siemens revealed that US oil and gas industry is unprepared to mitigate cybersecurity risks in operational technology environments.
A survey report shows that US oil and gas companies are not prepared to adequately deal with the various cybersecurity threats. The report was completed by Siemens security engineers and focuses mainly on cybersecurity risk in operational technology (OT) environments. The survey covered 337 people, all of whom are responsible for defending against cyber threats, mainly in OT environments. More than 70% of respondents admitted to suffering at least one cyber threat in the past year, and these threats caused OT operational disruption or loss of confidential information. 40% of respondents said they continuously monitor all of their critical infrastructure to detect potential threats and cyber attacks. About half of the cyber attacks on OT environments go undetected, which means these oil and petrochemical companies' security safeguards need to be improved to cope with increasingly serious threats. One in five respondents believe their organization has suffered sophisticated cyber attacks similar to Duqu or Flame. 70% believe cyber threats seriously affect industrial control security.

//END
Negligent and malicious or criminal insiders are considered the principal threats to the U.S. oil and gas industry.
“Together negligent and malicious or criminal insiders pose the most serious threat to critical operations. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider.”
Let’s close with a look at the factors that pose the major risks to the organizations. Roughly 60 percent of respondents pointed out outdated and aging control systems or vulnerable IT products used in production environments.
The cyber threats to these petrochemical companies show up mainly in the following areas: serious negligence by their own staff, external malware threats, and insiders. 65% believe the main security threat is staff negligence or careless mistakes; 15% believe it is malware or malicious insiders. In addition, outdated or aging industrial control systems and vulnerable security products are also important sources of threat.

Comment: Internal security includes spotting insiders and stopping inadvertent dangerous actions in time, while at the same time intercepting and handling the various threats and attacks coming from outside.