View Full Version : Security breach/compromise - 2013

2013-02-02, 13:20

Twitter hacked - 250K pwd's reset
- http://blog.twitter.com/2013/02/keeping-our-users-secure.html
Feb 01, 2013 - "... Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems... This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter... This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users..."

- https://isc.sans.edu/diary.html?storyid=15064
Last Updated: 2013-02-02 02:22:50 UTC

:sad: :mad:

2013-02-06, 20:24

Fed Reserve hacked by Anonymous
- http://h-online.com/-1799026
6 Feb 2013 - "Hacktivists affiliated with the Anonymous collective breached an internal web site of the US Federal Reserve, according to a report from Reuters*. A spokesman for the US central bank said: "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," adding that the "exposure" was fixed rapidly and "is no longer an issue". The hackers had released a spreadsheet with details of 4000 US bank executives as part of a campaign named "OpLastResort"... but according to a memo sent to members of the Federal Reserve's Emergency Communication System, what had been compromised was mailing address, business phone, mobile phone, business email and fax numbers. The memo said: "Despite claims to the contrary, passwords were not compromised". The Federal Reserve's Emergency Communication System (ECS) is designed to help the Fed estimate how much damage a natural disaster may have done by allowing bank executives to send them updates if their operations have been affected. It appears that the contact information for this system is what was taken and published. The Federal Reserve says that all the individuals affected by the breach have been contacted."
* http://www.reuters.com/article/2013/02/06/net-us-usa-fed-hackers-idUSBRE91501920130206
"... 'Every system is going to have some vulnerability to it. You cannot set up a system that will survive all possible attacks' said Mark Rasch, director of Privacy and security consulting at CSC and a former federal cyber crimes prosecutor. 'You have to defend against every possible vulnerability and the attackers only have to find one way in,' he said."

:sad: :fear: :mad:

2013-02-16, 12:52

Facebook hacked...
- http://www.reuters.com/article/2013/02/16/net-us-usa-social-facebook-idUSBRE91E16O20130216
Feb 16, 2013 - "Facebook Inc said on Friday hackers had infiltrated some of its employees' laptops in recent weeks, making the world's No.1 social network the latest victim of a wave of cyber attacks, many of which have been traced to China... Facebook noted in its blog post* that it was not alone in the attack, and that "others were attacked and infiltrated recently as well," although it did not specify who. The Federal Bureau of Investigation declined to comment... In its blog post, Facebook described the attack as a "zero-day" attack, considered to be among the most sophisticated and dangerous types of computer hacks. Zero-day attacks, which are rarely discovered or disclosed by their targets, are costly to launch and often suggest government involvement. While Facebook said no user data was compromised*, the incident could raise consumer concerns about privacy and the vulnerability of personal information stored within the social network... Facebook said it spotted a suspicious file and traced it back to an employee's laptop. After conducting a forensic examination of the laptop, Facebook said it identified a malicious file, then searched company-wide and identified "several other compromised employee laptops". Another person briefed on the matter said the first Facebook employee had been infected via a website where coding strategies were discussed. The company also said it identified a previously unseen attempt to bypass its built-in cyber defenses and that new protections were added on February 1. Because the attack used a third-party website, it might have been an early-stage attempt to penetrate as many companies as possible..."
* https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
Feb 15, 2013 - "... we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops. After analyzing the compromised website where the attack originated, we found it was using a "zero-day" (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability..."

- http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
Feb 15, 2013

:fear::fear: :mad:

2013-02-19, 20:49

Chinese hacks got inside Apple, too
- http://www.theatlanticwire.com/technology/2013/02/chinese-hackers-got-inside-apple-too/62294/
Feb 19, 2013 - "Following a string of disclosures from big tech and media companies that could point to a larger Chinese threat, Apple on Tuesday became the latest to admit that its internal computers had been hacked — and by the same malware malfeasance that got inside Facebook, which, according to Reuters, all trace back to China. An Apple statement, via AllthingsD*, points to the same Java script malware that infected Facebook laptops as being the culprit with the attack on some Macs at Apple:
* http://allthingsd.com/20130219/apple-says-it-too-attacked-by-hackers/
'... Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network...'
... No user information was compromised in the breach, as with the Facebook hack. Also like the Facebook hack, there's no official sign that the tech-company hacks are connected to a larger Chinese cyber-espionage campaign against the U.S. government, its companies, its infrastructure, and many organizations — a campaign that has now been tied to the Chinese People's Liberation Army. But even the most secretive and high-security American technology companies aren't safe, and now everyone's coming clean..."
> http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219

- http://h-online.com/-1806158
19 Feb 2013

Facebook, Twitter, Apple hack sprung from iPhone developer forum
The site, iphonedevsdk .com, could still be hosting exploit attacks.
- http://arstechnica.com/security/2013/02/web-forum-for-iphone-developers-hosted-malware-that-hacked-facebook/
Feb 19, 2013 9:52 pm UTC

Unusually detailed report links Chinese military to hacks against US
Chinese intrusions are increasingly targeting critical industrial systems.
- http://arstechnica.com/security/2013/02/unusually-detailed-report-links-chinese-military-to-hacks-against-us/
Feb 19, 2013 9:30 pm UTC

Dev site behind Apple, Facebook hacks didn't know it was booby-trapped
iPhoneDevSDK says it wasn't contacted by the companies or law enforcement.
- http://arstechnica.com/security/2013/02/dev-site-behind-apple-facebook-hacks-didnt-know-it-was-booby-trapped/
Feb 20, 2013


2013-02-21, 21:25

NBC.com redirects to Exploit kit ...
> http://www.malwaredomains.com/?p=3082

> https://isc.sans.edu/diary.html?storyid=15223
Last Updated: 2013-02-21 19:36:19 UTC - "... redirecting to malicious websites that contain an exploit kit. At this point it seems like most of the pages contain an iframe that is redirecting to the first stage of the RedKit exploit kit... Some of the publicly known bad iframes are:
hxxp ://www.jaylenosgarage [.]com/trucks/PHP/google.php
hxxp ://toplineops [.]com/mtnk.html
hxxp ://jaylenosgarage [.]com
The Redkit exploit kit will deploy the banking trojan Citadel..."

- https://www.google.com/safebrowsing/diagnostic?site=nbc.com/

- http://community.websense.com/blogs/securitylabs/archive/2013/02/21/nbc-com-compromise.aspx

- http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html

NBC says NBC.com site is now safe to visit
- http://www.reuters.com/article/2013/02/21/us-nbc-virus-idUSBRE91K1DQ20130221
Feb 21, 2013 4:54pm EST - "... 'A problem was identified and it has been fixed,' an NBC Universal spokeswoman told Reuters. She declined to elaborate on the nature of the problem... NBC is controlled by Comcast Inc..."

Fake Mandiant APT Report Used as Malware Lure
- https://isc.sans.edu/diary.html?storyid=15226
Last Updated: 2013-02-21 20:50:39 UTC

SSHD rootkit in the wild
- https://isc.sans.edu/diary.html?storyid=15229
Last Updated: 2013-02-21 21:08:34 UTC


2013-02-23, 01:05

Attack Traffic Overview
- http://www.akamai.com/html/technology/dataviz1.html
Feb 24, 2013 - 07:43 AM EST
89.38% above normal

- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic: Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours. Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."

MS hacked ...
- https://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx?Redirected=true
22 Feb 2013 - "As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing. This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries. We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks."

Zendesk... breach compromised email addresses
- https://www.computerworld.com/s/article/9237047/Zendesk_says_breach_compromised_email_addresses
Feb 22, 2013 - "... Pinterest and Tumblr was also affected..."


2013-03-03, 01:57

Evernote Security Issue
- https://isc.sans.edu/diary.html?storyid=15313
Last Updated: 2013-03-02 18:02:10 - "Evernote, a popular app for note taking and archiving, reported that they had a security incident*. As a part of their incident response and operational security monitoring, their staff noted that the compromise had occurred and that the attackers were actively attempting to access secured areas of their system. While they did not have evidence of sensitive data being compromised, user profile data (passwords, email addresses and similar) has likely been. In response, they are forcing all user credentials to be changed..."
* http://evernote.com/corp/news/password_reset.php

Evernote Forces Password Reset for 50M Users
- https://krebsonsecurity.com/2013/03/evernote-forces-password-reset-for-50m-users/
Mar 2, 2013


2013-03-14, 14:28

U.S. NVD infected...
- http://www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/
14 March 2013 - "The US government's online catalog of cyber-vulnerabilities has been taken offline – ironically, due to a software vulnerability. The National Institute of Standards and Technology's National Vulnerability Database's (NVD) public-facing website and other services have been offline since Friday due to a malware infection on two web servers..."

> http://nvd.nist.gov/
"The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available."


NVD appears to be restored
- https://web.nvd.nist.gov/view/vuln/search
March 15, 2013


2013-03-19, 13:16

Seagate blog malware ...
- http://nakedsecurity.sophos.com/2013/03/14/seagate-rogue-apache-modules/
March 14, 2013 - "SophosLabs has been tracking an infection of Mal/Iframe-AL* on Seagate's blog since late February. SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected..."
* http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-AL/detailed-analysis.aspx
"... legitimate sites are compromised by attackers in order to drive user traffic to sites hosting an exploit kit known as Blackhole... A malicious iframe is injected into the page with CSS to render it invisible to the user..."


2013-04-02, 21:43

Apache “Darkleech” Compromises ...
- http://blogs.cisco.com/security/apache-darkleech-compromises/
Apr 2, 2013 - "Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While various researchers have reported various segments of the attacks, until Dan’s article*, no one had connected the dots and linked them all together.
Dubbed “Darkleech,” thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting iframes in real-time, only at the moment of visit. Because the iframes are dynamically injected only when the pages are accessed, this makes discovery and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional criteria to avoid detection:
- Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
- Checking User Agents to target specific operating systems (to date, Windows systems);
- Blacklisting search engine spiders;
- Checking cookies to “wait list” recent visitors;
- Checking referrer URLs to ensure visitor is coming in via valid search engine results.
When the iframe is injected on the page, the convention used for the reference link in the injected iframe is IP/hex/q.php. For example:
The nature of the compromise coupled with the sophisticated conditional criteria presents several challenges:
- Website owners/operators will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver;
- Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report;
- Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration;
Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise. The magnitude of the problem becomes clear when one considers how widespread these attacks are. The following chart illustrates the geographic location of infected host servers observed from February 1–March 15, 2013:
> http://blogs.cisco.com/wp-content/uploads/Apache_injection_attacks-550x533.png
For additional info and links to specific remediation advice, see:
Ongoing malware attack targeting Apache hijacks 20,000 sites
* http://arstechnica.com/security/2013/04/exclusive-ongoing-malware-attack-targeting-apache-hijacks-20000-sites/
Apr 2, 2013

- http://h-online.com/-1834311
3 April 2013

- https://www.net-security.org/malware_news.php?id=2454
3 April 2013

:sad: :fear: :mad:
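
An added example, not code from the Cisco post or the Ars Technica article above: the gating rules in the Darkleech write-up (IP blacklist, Windows-only user agents, no search-engine spiders, cookie "wait list", search-engine referrer) mean a single request from a researcher's box or a crawler sees a clean page. The practical check is a differential fetch: request the same URL under several client profiles and look for profiles that receive an iframe whose src follows the IP/hex/q.php convention named in the post. To keep it runnable offline, `simulated_origin` below is a constructed stand-in for a backdoored server that applies those five rules; the IP addresses, user agents, profile names and the iframe URL are assumptions for illustration, and `fetch` can be swapped for a real HTTP call that honours the profile's headers.

```python
"""Differential fetch for conditionally injected iframes (added example)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Any <iframe ... src=...> on the page.
IFRAME_RE = re.compile(r"""<iframe[^>]*\bsrc=["']?([^"'\s>]+)""", re.I)
# Darkleech-style reference link: http://<dotted-quad>/<hex>/q.php
DARKLEECH_SRC = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/[0-9a-f]+/q\.php", re.I)


@dataclass
class Profile:
    """One client identity to fetch the page as (all values constructed)."""
    name: str
    user_agent: str
    referer: str = ""
    cookies: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "203.0.113.10"  # TEST-NET-3 address, constructed


CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>"
INJECTED_IFRAME = ('<iframe src="http://198.51.100.7/3f9a1c/q.php" width="1" height="1" '
                   'style="visibility:hidden"></iframe>')  # hypothetical injected frame
RESEARCHER_IPS = {"192.0.2.50"}  # hypothetical address the attacker blacklists
IE_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
GOOGLE_REF = "https://www.google.com/search?q=example+site"


def simulated_origin(p: Profile) -> str:
    """Constructed model of a Darkleech-style server applying the post's gating rules."""
    ua = p.user_agent.lower()
    if p.client_ip in RESEARCHER_IPS:                      # IP blacklist
        return CLEAN_PAGE
    if "windows" not in ua:                                # Windows targets only
        return CLEAN_PAGE
    if any(bot in ua for bot in ("googlebot", "bingbot", "slurp")):  # no spiders
        return CLEAN_PAGE
    if p.cookies.get("seen"):                              # "wait list" recent visitors
        return CLEAN_PAGE
    if not re.search(r"https?://(www\.)?(google|bing|yahoo)\.", p.referer):  # referrer check
        return CLEAN_PAGE
    return CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")


PROFILES: List[Profile] = [
    Profile("curl", "curl/7.29.0"),
    Profile("googlebot", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    Profile("ie_direct", IE_WIN7),
    Profile("ie_from_google", IE_WIN7, referer=GOOGLE_REF),
    Profile("ie_from_google_repeat", IE_WIN7, referer=GOOGLE_REF, cookies={"seen": "1"}),
    Profile("ie_from_google_researcher", IE_WIN7, referer=GOOGLE_REF, client_ip="192.0.2.50"),
]


def differential_check(fetch: Callable[[Profile], str], profiles=PROFILES) -> dict:
    """Fetch under every profile; the first profile is the baseline the others are diffed against."""
    baseline = fetch(profiles[0])
    results = {}
    for p in profiles:
        body = fetch(p)
        srcs = IFRAME_RE.findall(body)
        results[p.name] = {
            "differs_from_baseline": body != baseline,
            "iframes": srcs,
            "darkleech_like": [s for s in srcs if DARKLEECH_SRC.match(s)],
        }
    return results


def suspicious_profiles(results: dict) -> List[str]:
    """Names of profiles that were served a Darkleech-style iframe."""
    return sorted(name for name, r in results.items() if r["darkleech_like"])


if __name__ == "__main__":
    res = differential_check(simulated_origin)
    for name, r in res.items():
        print(f"{name:28s} differs={str(r['differs_from_baseline']):5s} iframes={r['iframes']}")
    print("suspicious profiles:", suspicious_profiles(res))
```

Only the Windows/IE profile arriving from a Google result with no cookie and from a non-blacklisted address gets the frame; the curl, spider, repeat-visit and blacklisted-IP profiles all see the clean page, which is exactly why a site owner's own check comes back empty. When running this against a real host, fetch from an address the attacker is unlikely to have blacklisted (not the hosting provider's range) and do not reuse cookies between requests.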

2013-04-04, 20:23

Japanese web portals hacked, up to 100,000 accounts compromised
- https://www.computerworld.com/s/article/9238123/Japanese_web_portals_hacked_up_to_100_000_accounts_comprimsed
April 4, 2013 - "Two of Japan's major Internet portals were hacked earlier this week, with one warning that as many as 100,000 user accounts were compromised, including financial details. Goo, a Japanese Internet portal owned by network operator NTT, said it had no choice but to lock 100,000 accounts to prevent illicit logins. The company said it had confirmed some of the accounts had been accessed by non-users. The accounts can include financial details such as credit card and bank account information, as well as personal details and email. The Web portal said it detected a series of brute-force attacks late Tuesday evening, with some accounts hit by over 30 login attempts per second. Goo said the attacks came from certain IP addresses, but didn't disclose any more information. Also on Tuesday evening, Yahoo Japan said it discovered a malicious program on company servers. The program had extracted user data for 1.27 million users, but was stopped before it leaked any of the information outside of the company. There was no immediate connection between the two incidents..."

Bitcoin storage service, Instawallet, suffers database attack
- https://www.computerworld.com/s/article/9238114/Bitcoin_storage_service_Instawallet_suffers_database_attack
April 4, 2013 - "An online bitcoin storage service, Instawallet, said Wednesday it is accepting claims for stolen bitcoins after the company's database was fraudulently accessed. Instawallet didn't say in a notice* on its website how many bitcoins were stolen. The virtual currency has surged in value in the past couple of months due to rising interest. At one point Wednesday, a bitcoin sold for more than US$140. Bitcoin is a virtual currency that uses a peer-to-peer system to confirm transactions through public key cryptography. The method for confirming transactions is highly secure, but bitcoins can be stolen if hackers can gain access to the private key for a bitcoin that authorizes a transaction. Secure storage of bitcoins remains a challenge.
Instawallet said its service is "suspended indefinitely" until it can develop an alternative architecture. Instawallet apparently assigned an ostensibly secret URL that allowed users to access their accounts without a login or password. The company said in the next few days it will begin accepting claims for individual wallets. Wallets containing fewer than 50 bitcoins will be refunded. Fifty bitcoins was worth about US$6,000 on Thursday morning, according to Mt. Gox, the largest bitcoin exchange, based in Japan. Claims for online wallets holding more than 50 bitcoins "will be processed on a case by case and best efforts basis," Instawallet said. Other bitcoin exchanges and so-called online wallet services have suffered losses due to hackers. These have included BitFloor, Mt. Gox and Bitcoinica..."
* http://www.instawallet.org/

- https://www.net-security.org/secworld.php?id=14706
4 April 2013


2013-04-06, 00:15

Scribd compromise ...
- http://support.scribd.com/entries/23519663-Important-Security-Announcement
Apr 03, 2013 - "Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users. Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack. We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected. If you wish to check, you can use this web tool that we built to determine if your account was among those affected:
- http://www.scribd.com/password/check
Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords..."

- http://h-online.com/-1836241

- http://nakedsecurity.sophos.com/2013/04/05/scribd-worlds-largest-online-library-admits-to-network-intrusion-password-breach/


2013-04-16, 14:33

Attackers gain access to Linode customer data
- http://h-online.com/-1842777
16 April 2013 - "Hosting company Linode has published details* on an attack on their servers that saw unknown hackers penetrate the company's network and access customer information including credit card data. The company had said on Friday that attackers had compromised the account of one of its customers but has now clarified that the attackers gained access to one of its web servers and in the process to part of its backend code and the customer database. The company says that according to its investigation of the matter, the attackers did not have access to any other parts of its infrastructure, including host machines or other infrastructure servers. Despite the fact that customer passwords for the server management application are stored salted and cryptographically hashed, the company forced a reset on all passwords on Friday and says it has informed all of its customers of the problem. The database that the attackers had access to also included the credit card information of all of Linode's customers. The company says this data was also encrypted and secured with a pass phrase that was not stored electronically. The last four digits of the credit card number were stored in clear text to identify the credit cards... The attackers gained access to Linode's systems through a vulnerability in ColdFusion. This security problem was fixed by Adobe as part of its Patch Tuesday fixes on 9 April**. Adobe has not yet published details on the problem..."
* http://blog.linode.com/2013/04/16/security-incident-update/

** http://www.adobe.com/support/security/bulletins/apsb13-10.html

:mad: :fear:

2013-04-23, 13:57

2013 Verizon Data Breach Investigations Report
- http://www.verizonenterprise.com/security/blog/index.xml?id=1&postid=1658
April 23, 2013 - "... Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS'd and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue... access the full report here*."
* http://www.verizonenterprise.com/DBIR/2013/

Executive Summary
- http://www.verizonenterprise.com/resources/reports/es_data-breach-investigations-report-2013_en_xg.pdf
47,000+ Security Incidents Analyzed.
621 Confirmed Data Breaches Studied.
19 International Contributors...


2013-04-24, 11:02

Another Twitter hack ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/another-day-another-twitter-hack/
Apr 23, 2013 - "There's a saying in journalism: report the news, don't be the news. Unfortunately today the Associated Press (AP) ran afoul of that rule by having their Twitter account hijacked. In good journalistic fashion, they're telling their own story quickly and with as many facts as possible. It sounds like they saw a phishing attack against their network just before the account was hijacked. While they don't connect the two, it's certainly a possibility that this is how the attackers got control of AP's credentials. Once the attackers had control, they used it to send a bogus tweet out claiming there had been explosions at the White House that injured President Barack Obama. Proving that hacking has real-world consequences, the Dow Jones average dropped 143 points on the news (but later recovered). The account and other AP accounts have been suspended while AP works with Twitter to verify they have control of the accounts. This isn't the first time we've seen news organizations' online presences hijacked. And this certainly isn't the first time that we've seen a Twitter handle hijacked. Unfortunately, unlike other platforms like Facebook and Google, Twitter still hasn't implemented two factor authentication. Until Twitter implements that, you can continue to expect to see high profile accounts be hijacked with some regularity. In the meantime, if you manage a Twitter handle, this underscores the importance of using a strong password, running up-to-date security software, not clicking on links, and being very, very cautious when working with Twitter credentials..."

- http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/
Apr 23, 2013 - "... In a testament to the power that social media has on real-world finances, the Dow Jones Industrial Average fell 150 points, or about 1 percent, immediately following the tweet, with other indexes reacting similarly. The Dow quickly regained the lost ground about seven minutes after the sell-off began, when the AP confirmed that the report was false..."

:sad: :fear:

2013-04-29, 14:21

LivingSocial hacked - 50 million advised to change pwds...
- http://www.theregister.co.uk/2013/04/26/livingsocial_hacking_attack/
26 April 2013 - "Up to 50 million customers of the Amazon-funded daily deals site LivingSocial are getting an apologetic email from CEO Tim O'Shaughnessy explaining that their information may have been stolen. "LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," he writes in an email... "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically 'hashed' and 'salted' passwords. We never store passwords in plain text." At this stage, the company is saying that all credit card details for customers, and the financial accounts of operators that LivingSocial does deals with, are stored on a separate database and that this hasn't been hacked. Users are being asked to change their passwords and to ignore any emails claiming to be from LivingSocial that ask for financial information. Although the email doesn’t mention it, if your LivingSocial password was used for any other online accounts, then you'd be advised to change those, too..."

Also see:
- https://www.net-security.org/secworld.php?id=14833
29 April 2013
- http://h-online.com/-1851667
29 April 2013

Apache systems using cPanel compromised
- http://h-online.com/-1851442
29 April 2013 - "Researchers at web security firm Sucuri* have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says** that several hundred web servers have been compromised. The attack has been named Linux/Cdorked.A and is difficult to detect..."
* http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
April 26, 2013
** http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
April 26, 2013
- https://www.net-security.org/secworld.php?id=14836
29 April 2013

Apache binary backdoor adds malicious redirect to Blackhole
- https://isc.sans.edu/diary.html?storyid=15710
Last Updated: 2013-04-30

> https://www.virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/
File name: cdorked.a.httpd
Detection ratio: 13/44
Analysis date: 2013-04-30

:sad: :mad: :fear:
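
An added example, not Sucuri's or ESET's tooling and not from the Cisco Darkleech post either: the Cdorked.A reports above describe a replaced httpd binary on cPanel-built servers, and the Darkleech post describes rogue Apache modules plus a backdoored SSHD. cPanel compiles Apache from source, so there is no distribution package to verify against (rpm -V or debsums cannot help), which leaves a content-hash baseline taken at install time and kept off-host as the practical check. The code below records SHA-256 and size for every regular file under a tree and reports modified, missing and added files. The `demo()` scenario builds a fake Apache/SSH tree in a temporary directory and then tampers with it; the directory layout, file names and the rogue module name are assumptions for illustration.

```python
"""Content-hash baseline for web server binaries and modules (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(root: Path) -> Dict[str, dict]:
    """Map relative path -> {sha256, size} for every regular file under root (symlinks skipped)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify_baseline(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare the tree under root with a stored baseline; all three lists are sorted."""
    current = make_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k]["sha256"] != baseline[k]["sha256"]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a fake install tree, then swap httpd and sshd and drop a module."""
    root = Path(tempfile.mkdtemp(prefix="apache-baseline-"))
    for sub in ("bin", "sbin", "modules"):
        (root / sub).mkdir()
    (root / "bin" / "httpd").write_bytes(b"\x7fELF genuine httpd")       # constructed stand-ins
    (root / "sbin" / "sshd").write_bytes(b"\x7fELF genuine sshd")
    (root / "modules" / "mod_ssl.so").write_bytes(b"\x7fELF mod_ssl")
    baseline = make_baseline(root)                                        # taken at install time
    # ... later, the server is compromised:
    (root / "bin" / "httpd").write_bytes(b"\x7fELF backdoored httpd")
    (root / "sbin" / "sshd").write_bytes(b"\x7fELF backdoored sshd")
    (root / "modules" / "mod_extra.so").write_bytes(b"\x7fELF rogue module")  # hypothetical name
    return verify_baseline(root, baseline)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind:9s}: {files}")
```

Run the baseline from clean media or a rescue boot rather than from the live system: a backdoored sshd or an LD_PRELOAD-style hook on a compromised host can lie to tools that run on it, and a baseline stored on the same box can simply be regenerated by the attacker after the swap.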

2013-05-07, 16:13

Media sites - mass compromise
- http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html
May 6, 2013 - "... Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise... Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait - being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used... obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp .biz and hopto .org) involved... Thus far, Zscaler has identified the following compromised sites:
Media Sites:
WTOP Radio (Washington, DC) - wtop .com
Federal News Radio (Washington, DC) - federalnewsradio .com
The Christian Post - christianpost .com
Real Clear Science - realclearscience .com
Real Clear Policy - realclearpolicy .com
scubaboard .com
mrsec .com
menupix .com
xaxor .com
gvovideo .com
At the time of posting, these compromised sites were still offering up malicious content."

- https://www.net-security.org/malware_news.php?id=2485
May 7, 2013 - "... This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don't trigger the redirection chain..."

The Onion/Twitter compromise...
- http://h-online.com/-1859850
9 May 2013

:mad: :mad:
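The Zscaler write-up above describes the technique but not a check for it. The following is an added example (not Zscaler's code or rules) of a static scan for the same indicators: a script that branches on the Internet Explorer User-Agent and uses decoding tricks, and an iframe pointing at the DynDNS providers named in the post (myftp.biz, hopto.org). The two page samples, the hostnames under those providers and the "hidden iframe" size heuristic are constructed for the example.

```python
"""Scan HTML for the IE-only injected redirect pattern described in the post.

Added example; indicators are assumptions drawn from the write-up:
  * a <script> that tests navigator.userAgent for "MSIE" AND uses
    unescape / String.fromCharCode / eval / document.write to build content
  * an <iframe> whose src host sits under a dynamic-DNS provider
  * an iframe with 0x0 or 1x1 dimensions (hidden)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DYNDNS_SUFFIXES = ("myftp.biz", "hopto.org")  # providers named in the post
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
UA_CHECK = re.compile(
    r"navigator\.userAgent.*?MSIE|MSIE.*?navigator\.userAgent", re.I | re.S)


class InjectionScanner(HTMLParser):
    """Collects (indicator, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_buf = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.script_buf = []
        elif tag == "iframe":
            src = attrs.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
                self.findings.append(("dyndns_iframe", src))
            if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
                self.findings.append(("hidden_iframe", src))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self.in_script:
            self.script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
            body = "".join(self.script_buf)
            if UA_CHECK.search(body) and OBFUSCATION.search(body):
                self.findings.append(("ie_conditional_obfuscated_script", body[:60]))


def scan_html(html):
    """Return a list of (indicator, detail) pairs; empty means nothing suspicious."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples (not real site content).
CLEAN_PAGE = "<html><body><h1>News</h1><script>var a = 1;</script></body></html>"
INFECTED_PAGE = (
    "<html><body><h1>News</h1>"
    "<script>if(navigator.userAgent.indexOf('MSIE')>0){"
    "document.write(unescape('%3Ciframe%20src%3D%22http%3A//x.hopto.org/%22%3E'));}"
    "</script>"
    '<iframe src="http://sample-host.myftp.biz/x.html" width="1" height="1"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

The scanner only sees what is in the HTML as served; because the original injection decoded the iframe inside JavaScript, the script-body check is the one that matters in practice, and a crawler running this should fetch the page with an IE User-Agent so that server-side conditional delivery does not hide the payload.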

2013-05-09, 23:39

Name.com hacked...
- https://www.computerworld.com/s/article/9239050/Name.com_forces_customers_to_reset_passwords_following_security_breach
May 9, 2013 - "Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised. Hackers might have gained access to usernames, email addresses, encrypted passwords as well as encrypted credit card information, the company said in an email message sent to customers that was later posted online by users. The credit card information was encrypted with private keys stored in a separate location that wasn't compromised, Name.com said in the email. The company did not specify the type of encryption used, but referred to it as being "strong." The alert email instructed recipients to click on a link in order to perform a password reset, a method that was criticized by some users and security researchers, because it resembles that used in phishing attacks... A hacker group called Hack the Planet (HTP) claimed earlier this week that they compromised Name.com in their attempt to hack into Linode, a virtual private server hosting firm. In a recently published "hacker zine," HTP said that they managed to acquire the domain login for Linode, as well as for Stack Overflow, DeviantArt and others from Name.com. Name.com did not immediately respond to an inquiry seeking confirmation of HTP's claims and other information about the attack..."

- http://www.welivesecurity.com/2013/05/09/name-com-warns-customers-and-resets-passwords-after-breach/
9 May 2013

:fear: :mad:

2013-05-10, 12:19

Cdorked.A malware redirection spreads ...
- https://atlas.arbor.net/briefs/index#-69874705
May 09, 2013 - "The previously reported Cdorked / Darkleech attack campaign, previously observed affecting Apache servers, has been observed to infect other webservers. The attack has been associated with the delivery of malware.
Analysis: Nginx and Lighttpd have also been seen to be infected as part of this campaign. Original exploitation vectors are not yet well known but past experience suggests that weak passwords and vulnerable web applications could be likely vectors.
ESET offers a tool to detect in-memory traces of this malware - please see: http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
Source: http://www.theregister.co.uk/2013/05/08/cdorked_latest_details/

- http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
7 May 2013 - "... We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites... In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary... one point needs to be clear about Linux/Cdorked.A. We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by the malicious actor to serve malicious content from legitimate websites... we recommend keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended..."


2013-05-30, 13:19

Drupal.org & group.drupal.org password disclosure
- https://isc.sans.edu/diary.html?storyid=15905
Last Updated: 2013-05-30 04:12:54 UTC - "The Drupal security teams have identified a breach in the environment that has disclosed passwords. As their notification here* states, most of the passwords were salted and hashed, older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much). According to the update they are still investigating what else may have been accessed. If you have one of those accounts happy password changing. If you use that password anywhere else (and of course you don't) you might want to change that while you are at it..."
* https://drupal.org/news/130529SecurityUpdate
"The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt..."

- http://h-online.com/-1873388
30 May 2013


2013-06-07, 17:52

Hetzner web hosting service hacked, customer data copied
- http://h-online.com/-1884574
7 June 2013 - "Web hosting service Hetzner has fallen victim to an attack during which hackers managed to harvest customer data. Among other things, the intruders had access to password hashes and customers' payment information. Apparently, a previously unknown server rootkit was used for the attack. In an email sent to customers on Thursday afternoon, the company said that unknown intruders had compromised several Hetzner systems. Apparently, the incident was discovered at the end of last week... although this data is encrypted asymmetrically, it can't be ruled out at this point that the private crypto keys that are required for decryption were copied as well. The attackers were also able to access customers' credit card data (the last three digits of credit card numbers, the expiry date and the card type) as well as salted SHA256 password hashes... current information suggests that the manipulated Apache instances were not used to deploy malware. It remains unclear who is behind the attack. How the hackers intruded into the server has yet to be established as well. The hosting company said that the German Federal Criminal Police Office (BKA) has been informed."

:fear::fear: :sad:

2013-06-22, 16:10

Facebook - potential leak of User Data
- https://isc.sans.edu/diary.html?storyid=16043
Last Updated: 2013-06-22 - "Facebook recently received a report that may have allowed some user information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them. Based on their analysis, they estimate that approximately 6 million users had their email addresses or telephone numbers shared. However, they don't have any evidence this bug was exploited because they have not received any user complaints or seen strange activity related to this bug. The complete Facebook message to users is posted here*..."
* https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766


2013-07-08, 19:11

Mass-login attack hijacks accounts...
- http://arstechnica.com/security/2013/07/mass-login-attack-on-nintendo-fan-site-hijacks-24000-accounts/
July 8 2013 - "Almost 24,000 user accounts on Nintendo's main fan site have been hijacked in a sustained mass-login attack that began early last month, the company said. The wave of attacks on Club Nintendo exposed personal information associated with 23,926 compromised accounts, including users' real names, addresses, phone numbers and e-mail addresses, according to a press release Nintendo issued over the weekend. The campaign began on June 9 and attempted more than 15.5 million logins over the following month. Attackers likely relied on a list of login credentials taken from a site unrelated to Nintendo. Club Nintendo offers rewards to Nintendo customers in exchange for having them register their products, answer surveys, and provide personal data. The site operates internationally and has about four million users in Japan, the primary region of most affected users. Things came to a head on July 2, when the wave of logins crested. By Friday, July 5, Nintendo had reset passwords on the site. "There were scattered illicit attempts to log in since June 9, but we became aware of the issue after the mass attempts on July 2," company spokesman Yasuhiro Minagawa told IDG News.
Other game companies recently hit by security problems include Ubisoft, which last week warned that customer user names, e-mail addresses and cryptographically hashed passwords were illegally accessed from an account database that had been breached. More recently, the alpha launch of a new indie game called Cube World has been reportedly disrupted by denial-of-service attacks."
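The Club Nintendo incident above is a credential-stuffing campaign: one list of leaked credentials replayed against many accounts over weeks. As an added example (not Nintendo's logs or detection), the script below runs over a constructed login-log format and flags a source that cycles through many distinct usernames with mostly failures inside a short window, listing the accounts that nonetheless logged in successfully from that source as probable hijacks. The log format, addresses and usernames are all constructed.

```python
"""Detect mass-login (credential-stuffing) patterns in web login logs.

Added example. Constructed log format (not Club Nintendo's real logs):
    <ISO8601 UTC> login user=<name> src=<ip> result=ok|fail
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(lines):
    """Turn matching lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """A source trying >= min_users distinct accounts inside `window` with a failure
    ratio >= min_fail_ratio is flagged; its successful logins are probable hits."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding time window per source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[src] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "likely_hijacked": sorted({e["user"] for e in evs if e["result"] == "ok"}),
                }
                break
    return alerts


# Constructed sample: one normal login, one stuffing burst, one user retrying a typo.
SAMPLE_LOG = """\
2013-07-02T10:00:01Z login user=alice src=198.51.100.7 result=ok
2013-07-02T10:00:05Z login user=bob src=203.0.113.9 result=fail
2013-07-02T10:00:06Z login user=carol src=203.0.113.9 result=fail
2013-07-02T10:00:07Z login user=dave src=203.0.113.9 result=fail
2013-07-02T10:00:08Z login user=erin src=203.0.113.9 result=ok
2013-07-02T10:00:09Z login user=frank src=203.0.113.9 result=fail
2013-07-02T10:00:10Z login user=grace src=203.0.113.9 result=fail
2013-07-02T10:00:11Z login user=heidi src=203.0.113.9 result=fail
2013-07-02T10:05:00Z login user=bob src=192.0.2.44 result=fail
2013-07-02T10:05:30Z login user=bob src=192.0.2.44 result=ok
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

Real campaigns spread attempts across many source addresses, so the same logic should also be keyed on the per-account view (many distinct sources failing against one account) and fed from a longer window than ten minutes; the per-source version shown here is the simplest form of the check.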


2013-07-10, 22:40

.NL Registrar compromise
- https://isc.sans.edu/diary.html?storyid=16138
Last Updated: 2013-07-10 20:00:51 UTC - "Based on a note on the website of SIDN [1], an SQL injection vulnerability was used to compromise the site and place malicious files in the document root. SIDN is the registrar for the .NL country level domain (Netherlands). As a result of the breach, updates to the zone file are suspended. There is no word as to any effects on the zone files, or if the attackers were able to manipulate them."

[1] Precautionary action taken to ensure security
* https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/
10 July 2013 - "On Tuesday, it came to light that malicious files were present on a number of SIDN websites – files that should not have been there. In order to prevent abuse, SIDN immediately took a number of precautionary measures: the DRS web application was shut down and zone file publication was temporarily suspended. As a result of our precautionary action, some areas of the website that registrars use to download registrarship-related data have been unavailable since Tuesday evening. We believe that the attack began with an SQL injection on the website 25jaarvan .nl. That site is therefore inaccessible for the time being. The precise nature of the vulnerability is currently being investigated. Further information about the security alert will continue to be made available on the site you are now viewing*."

:sad: :fear:
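The SIDN notice above names SQL injection as the entry point but (understandably) not the flawed code. As an added example, unrelated to SIDN's actual site, here is the classic shape of such a lookup with the vulnerable form next to the hardened one, using an in-memory SQLite table with constructed data so the difference can be observed directly.

```python
"""SQL injection: concatenated query versus validated, parameterised query.

Added example with constructed data; not SIDN's code.
"""
import re
import sqlite3


def make_db():
    """In-memory table standing in for a site's article list (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)"
    )
    con.executemany(
        "INSERT INTO news (slug, title, published) VALUES (?, ?, ?)",
        [("welcome", "Welcome", 1), ("draft-plan", "Unpublished plan", 0), ("party", "25 years", 1)],
    )
    return con


def find_published_vulnerable(con, slug):
    # Vulnerable: request data is pasted into the statement text, so the
    # input can rewrite the WHERE clause and the published=1 guard with it.
    sql = "SELECT slug FROM news WHERE published = 1 AND slug = '" + slug + "'"
    return [row[0] for row in con.execute(sql)]


SLUG_OK = re.compile(r"^[a-z0-9-]{1,64}$")  # allow-list for this field


def find_published_safe(con, slug):
    # Hardened: allow-list validation first, then a bound parameter, so the
    # value is only ever compared as data and never parsed as SQL.
    if not SLUG_OK.match(slug):
        return []
    return [row[0] for row in con.execute(
        "SELECT slug FROM news WHERE published = 1 AND slug = ?", (slug,))]


if __name__ == "__main__":
    con = make_db()
    probe = "' OR '1'='1"   # the textbook tautology, used here only to show the effect
    print("vulnerable:", find_published_vulnerable(con, probe))
    print("hardened:  ", find_published_safe(con, probe))
    print("normal:    ", find_published_safe(con, "welcome"))
```

The parameter binding is what closes the hole; the allow-list is defence in depth and also gives a cheap log-worthy signal (a rejected slug containing quotes or spaces) that a detection team can alert on.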

2013-07-17, 15:40

Tumblr critical security update ...
- http://staff.tumblr.com/post/55648373578/important-security-update-for-iphone-ipad-users
July 16, 2013 - "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now*. If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password... Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience."
¹ "Sniffed" in transit on certain versions of the app

* https://itunes.apple.com/us/app/tumblr/id305343404?mt=8

- https://secunia.com/advisories/54205/
Release Date: 2013-07-18
Where: From remote
Impact: Exposure of sensitive information
... security issue is reported in versions prior to 3.4.1.
Solution: Update to version 3.4.1.
Original Advisory:


2013-07-17, 18:51

Network Solutions Outage...
- https://isc.sans.edu/diary.html?storyid=16180
Last Updated: 2013-07-17 15:28:23 UTC - "Network Solutions appears to be experiencing an extended outage. A note posted to Facebook indicates that the outage may be related to a larger compromise of customer sites.
"Network Solutions is experiencing a Distributed Denial of Service (DDOS) attack that is impacting our customers as well as the Network Solutions site. Our technology team is working to mitigate the situation... check back for updates." *
The referenced blog website is currently responding slowly as well (it redirects to a networksolutions.com site, which may be affected by the overall outage of "networksolutions.com" ). After a couple minutes, the blog post loaded for me...
"On July 15, some Network Solutions customer sites were compromised. We are investigating the cause of this situation, but our immediate priority is restoring the sites as quickly as possible. If your site has been impacted and you have questions, please call us at 1-866-391-4357."
Various web sites hosting DNS with Network Solutions appear to be down as well as a result. The outage appears to be diminishing over the last 15-30 min or so (4pm GMT) with some affected sites returning back to normal. This outage comes about 3-4 weeks after the bad DDoS mitigation incident that redirected a large number of Network Solution Hosted sites to an IP in Korea**..."

- http://blogs.cisco.com/security/network-solutions-customer-site-compromises-and-ddos/
July 17, 2013 10:03 am PST

* https://www.networksolutions.com/blog/2013/07/notice-to-customers-who-may-be-experiencing-hosting-issues/?channelid=P99C425S627N0B142A1D38E0000V100
July 16, 2013

** http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
June 20, 2013


2013-07-21, 18:01

Ubuntu Forums - Security Breach
- https://isc.sans.edu/diary.html?storyid=16201
Last Updated: 2013-07-21 15:28:48 UTC - "Ubuntu forums are currently down because they have been breached. According to their post, "the attackers have gotten -every- user's local username, password, and email address from the Ubuntu Forums database."* They have advised their users that if they are using the same password with other services, to change their password immediately. Other services such as Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected. Their current announcement can be read here*."
* http://ubuntuforums.org/announce.html

:fear::fear: :sad:

2013-07-22, 14:58

Apple Developer site Breach
- https://isc.sans.edu/diary.html?storyid=16210
Last Updated: 2013-07-22 10:24:34 UTC - "Apple closed access to its developer site after learning that it had been compromised and developers' personal information had been breached [1]. In the notice posted to the site, Apple explained that some developers' personal information like name, e-mail address and mailing address may have been accessed. The note does not mention passwords, or if password hashes were accessed. One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information associated with a site, it is fairly easy to craft a reasonably convincing phishing e-mail using the fact that the site was breached to trick users into resetting their password. These e-mails may be more convincing if they include the user's user name, real name or mailing address as stored with the site. A video on YouTube claims to show records obtained in the compromise [2]. The video states that 100,000 accounts were accessed to make Apple aware of the vulnerability in its site and that the data will be deleted."

[1] http://devimages.apple.com/maintenance/
[2] http://www.youtube.com/watch?v=q000_EOWy80

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=15&issue=59#sID300
July 25, 2013

- https://developer.apple.com/support/system-status/
Jul 29 2013 - Updated 5:13 AM PDT

:sad: :fear:

2013-07-22, 18:30

OVH hacked ...
- http://blog.dynamoo.com/2013/07/ovh-hacked.html
22 July 2013 - "A bad thing to happen, but kudos to OVH for being transparent about this issue* ...":
* http://status.ovh.net/?do=details&id=5070
"... A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice...
Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)...
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The password encryption is "salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to recover the password in the clear. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied...
Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases...
We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions..."

- https://en.wikipedia.org/wiki/OVH
"OVH is a privately owned web hosting service company in France that provides dedicated servers, mutual hosting, domain names and VOIP telephony services..."

:sad: :fear:

2013-07-23, 19:34

SERT Q2-2013 Threat Report
- http://www.darkreading.com/vulnerability/73-percent-of-opusa-compromised-sites-we/240158750?printer_friendly=this-page
Jul 23, 2013 - "... In addition to OpUSA and PRISM investigations, the SERT Q2 Threat Report summarizes the significant increase in malicious Domain Name System (DNS) requests and denial of service (DoS) activity...
Key Findings:
· 73% of sites -compromised- during OpUSA were hosted on Microsoft IIS web servers
· 17% of the compromised OpUSA targets hosted on Microsoft IIS platforms are running IIS versions 5.0 and 5.1, which are over 10 years old and no longer supported by Microsoft
· 68% of sites compromised by OpUSA attacks were hosted -outside- of the United States
· Increased -malicious- DNS-request traffic was observed originating from global sources
· NSA PRISM has heightened concerns about privacy and data access by the United States Government ..."
* http://www.solutionary.com/research/threat-reports/quarterly-threat-reports/sert-threat-intelligence-report-q2-2013/


2013-08-01, 19:59

Malware using GoogleCode for distribution
- http://research.zscaler.com/2013/07/malware-using-googlecode-for.html
July 31, 2013 - "Malware hosting sites rarely stay up for too long. After the first few instances are seen by security vendors, they are added to blacklists which, in turn, are fed into other blacklists throughout the industry. Malware writers are now turning to commercial file hosting sites to peddle their warez. If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether. The kicker is that this time we see that GoogleCode seems to have swallowed the bad pill.
> https://lh3.ggpht.com/-vDbU-4G4ph8/UfcFaL-iECI/AAAAAAAAAI4/4IhzD98KVoU/s1600/googlecode.png
... We also have reports of this file being downloaded via Dropbox, but it appears to have been taken down at the time of research
> https://lh3.ggpht.com/-F5u9cMXMclM/UfgKFOOYYDI/AAAAAAAAAJI/Yf7JjGXMjDY/s1600/BA.png
This incident sets a precedent that no file hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organizational or personal perspective. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location. Other files from this location that were also flagged as malicious as noted below..."
(More detail at the zscaler URL above.)

- http://www.theinquirer.net/inquirer/news/2286378/hackers-target-google-code-developer-website-to-spread-malware
Aug 01 2013 - "... Fireeye said the use of developer websites by hackers to spread malware isn't anything new and it expects to see similar attacks in the very near future..."

:fear: :mad:

2013-08-12, 14:31

BANKER Malware hosted on Google Code
- http://blog.trendmicro.com/trendlabs-security-intelligence/banker-malware-found-hosted-on-google-code/
Aug. 8, 2013 - "... we were able to capture malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this -bogus- project has nothing to do with Adobe. The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and executes the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These malware are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather these data, they can use these to initiate unauthorized transactions such as money transfers. Previously, BANKER malware were seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there. Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted in an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputable services may not prevent the downloading. If this threat seems familiar, it’s because this abuse of open-source project sites has been done before... legitimate cloud providers like Google Code are likely to come under attack this year.
With services like Google Code likely to increase traction among users, we can expect that similar cases will appear (and increase) in the coming days... As of this writing, the said files are no longer available on Google Code."


2013-10-04, 01:11

Adobe network compromised...
- http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
Oct 3, 2013 - "... Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related. Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident..."
(More detail at the Adobe URL above.)

- https://www.us-cert.gov/ncas/current-activity/2013/10/03/Adobe-Customer-Information-and-Source-Code-Compromises
Oct 3, 2013

- http://www.databreaches.net/adobe-warns-2-9-million-customers-of-data-breach-after-cyber-attack/
3 Oct 2013

- http://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-breach-cyber-attack
3 Oct 2013 - "... It has reset passwords on customers' accounts and recommended that customers change their passwords on any other website where they used the same code..."

- http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html
Oct 2, 2013

- https://www.trusteer.com/blog/massive-adobe-breach-puts-organizations-at-risk-of-zero-day-exploits
Oct 04, 2013 - "... The Adobe network breach puts organizations and users at significant risk. If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. You can expect that we will soon have a stream of new, nasty zero-day exploits..."


2013-10-07, 18:34

DNS hijack - leaseweb .com website
- http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/
Oct 6, 2013 - "As one of the largest hosting providers in the world, with almost four percent of the entire global IP traffic under our management, LeaseWeb continuously combats cybercrime in its many forms, dealing swiftly and professionally with any detected malicious activity within its network. Last weekend the leaseweb .com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb .com were redirected to another, non-LeaseWeb IP address, after the leaseweb .com DNS was -changed- at the registrar. This DNS hijack was quickly detected and rectified by LeaseWeb’s security department. Although it seems to have had only superficial effects, we seriously regret this event from happening. Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack... The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST. While the hijack was soon detected and mitigated, it took some time before our adjustments in the DNS cache were propagated across the internet. During this period the following systems and services were affected:
- Some visitors of http ://www.leaseweb .com were redirected to a non-LeaseWeb IP address
- E-mails sent to @ leaseweb .com addresses during the DNS hijack were not received by LeaseWeb
- Domain name registration and server reinstallation via our Self Service Center was disabled
... We sincerely apologize for any inconvenience this unfortunate event might have caused. Security will always be a battle between good and evil, with one trying to outsmart the other in whatever way possible. We will learn from this incident, intensively review our security systems and protocols, and adjust where necessary..."

- http://www.theinquirer.net/inquirer/news/2299065/leaseweb-says-no-customer-data-was-harmed-in-dns-hijack
Oct 07 2013 - "... it appears that the hijackers obtained the domain administrator password and used that information to access the registrar. We will continue to investigate this incident thoroughly and take decisive action accordingly."

:fear::fear: :sad:

2013-10-08, 16:15

Avira homepage defaced
- https://isc.sans.edu/diary.html?storyid=16754
Last Updated: 2013-10-08 12:58:56 UTC - "The home page of antivirus company Avira has been defaced, likely by altering the DNS zone for Avira .com... Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates. According to domaintools.com, the last address for avira.com was and that address still appears to host Avira's site... The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more widespread issue with Network Solutions. I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far.
Partial screenshot of the site:
> https://isc.sans.edu/diaryimages/images/wrisXzjbSsg-O4Red7i0D5ORt4NkqdOrIanEsq7RXMY.png
... a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now... Instant messaging software maker Whatsapp was apparently a third victim of this attack."

- http://techblog.avira.com/2013/10/08/major-dns-hijacking-affecting-major-websites-including-avira-com/en/
Oct 8 2013 - "... It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers. Our internal network has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again... We are working with the ISP to regain control of the domain name and only when we have solved the problem will we restore access to the Avira services..."
Update: October 8th 23:15 CET+2 - "The DNS settings have been restored. We will continue to restore all our services in the next hours."

AVG, Avira and WhatsApp - DNS hijack
- http://www.theregister.co.uk/2013/10/08/dns_hijack_attack_spree/
8 Oct 2013

- http://atlas.arbor.net/briefs/index#1211343777
Hijacking of AV firms websites may be linked to hack on Network Solutions ...
Elevated Severity
October 11, 2013 00:53
Several high profile sites, including two anti-virus vendors, were hijacked at the DNS level recently. DNS resource records are a significant target for attackers and should be carefully protected.
Analysis: While a full sense of the damage is not known by this author, the apparent defacement of a public website - and the tainting of traffic destinations - through DNS re-direction is an old trick that is still bearing fruit. In this case, it appears that credentials have been obtained via a bogus password reset phishing e-mail sent to the authoritative registrar. If this is the actual attack vector, then security awareness training needs to increase at the affected organization. Organizations that protect DNS resource records need to understand that they are a target, and that anyone can become a target. Not only will HTTP traffic redirect to the wrong location, but attackers can and have used this technique to install malware from sites that would normally be trusted and appear to be legitimate to the end user. Additionally, if other RRs such as MX records were modified, then attackers could obtain a significant amount of e-mail. The triggering of password reset functionality associated with any of those domains would then return the password reset process into the hands of the attackers. This is just one possible example of the risks inherent in such an attack. DNS providers need to ensure that security is improved and that such attacks become much more difficult to implement and that they are caught proactively.
Source: http://arstechnica.com/security/2013/10/hijacking-of-av-firms-websites-linked-to-hack-on-network-solutions/

:mad: :sad:
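As an added illustration of the brief's closing point (catching record changes proactively), not code from Arbor or any vendor quoted here: a baseline-versus-observed check that flags NS, A and MX drift for a domain; every name and address in it is a constructed placeholder.

```python
"""Baseline-vs-observed DNS record check. Added example, not the Arbor brief's or
any vendor's code: compares what a domain currently serves with what its owner
expects, so a registrar-level hijack like the one above surfaces quickly.
Domains and addresses are constructed placeholders."""
# Records the owner captured when the zone was last legitimately changed.
BASELINE = {
    "example-av.test": {
        "NS": {"ns1.provider.test", "ns2.provider.test"},
        "A": {"203.0.113.10"},
        "MX": {(10, "mail.example-av.test")},
    },
}
# Constructed snapshot: NS and A now point at attacker infrastructure and an
# extra, higher-priority MX host has appeared (the mail/password-reset risk above).
OBSERVED = {
    "example-av.test": {
        "NS": {"ns1.ATTACKER-DNS.test.", "ns2.attacker-dns.test"},
        "A": {"198.51.100.77"},
        "MX": {(10, "mail.example-av.test"), (5, "mx.attacker-dns.test")},
    },
}
# An NS change means the whole zone is under someone else's control.
SEVERITY = {"NS": "critical", "MX": "high", "A": "high"}

def normalize(value):
    """DNS names are case-insensitive and a trailing dot is cosmetic."""
    if isinstance(value, tuple):  # MX record: (preference, host)
        return (value[0], normalize(value[1]))
    return value.lower().rstrip(".")

def diff_records(baseline, observed):
    """One alert per (domain, record type) whose value set differs from baseline."""
    alerts = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, want in expected.items():
            want_n = {normalize(v) for v in want}
            have_n = {normalize(v) for v in seen.get(rtype, set())}
            if want_n != have_n:
                alerts.append({
                    "domain": domain, "type": rtype,
                    "severity": SEVERITY.get(rtype, "medium"),
                    "added": sorted(have_n - want_n, key=str),
                    "removed": sorted(want_n - have_n, key=str),
                })
    return alerts

if __name__ == "__main__":
    for alert in diff_records(BASELINE, OBSERVED):
        print(alert)
```

In practice OBSERVED would be filled from a resolver query of the authoritative servers on a schedule; the comparison logic is the same.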

2013-10-10, 14:02

Compromised Turkish Gov't Web site leads to malware
- http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-leads-malware/
Oct 10th, 2013 - "... Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake ‘DivX plug-in Required!’ Facebook-themed Web page. Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.
Sample screenshot of the fake DivX, Facebook-themed page uploaded on the compromised Web server:
> https://www.webroot.com/blog/wp-content/uploads/2013/10/Turkish_Government_Web_Site_Compromised_Hacked_Malware-1024x682.png
Compromised URL: hxxp ://www.manisahem .gov .tr/giorgia.html
The malware’s download URL: hxxp ://hyfcst.best.volyn .ua:80/dlimage11.php –
Detection rate for the malicious variant: MD5: adc9cafbd4e2aa91e4aa75e10a948213 * Heuristic.LooksLike.Win32.Suspicious.J!89
... malicious sub-domains are also known to have responded to the same IP (
* https://www.virustotal.com/en/file/9e49807c60518ae4b16db7552a0cc31940bddf23f8a6a2bc9e43ba5f831fe7f5/analysis/
File name: vti-rescan

- https://www.virustotal.com/en-gb/ip-address/

:mad: :fear: :sad:

2013-11-08, 03:06

Trove of Adobe user data found on Web after breach
- http://www.reuters.com/article/2013/11/07/us-adobe-cyberattack-idUSBRE9A61D220131107
Nov 7, 2013 - "A computer security firm has uncovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is far bigger than Adobe has so far disclosed and is one of the largest on record. LastPass, a password security firm, said on Thursday that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals. Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier... Because the passwords were not salted, Siegrist said he was able to identify the most frequently used password in the group, which was used 1.9 million times. The database has 108 million email addresses with passwords -shared- in multiple accounts... The number of records stolen appears to be the largest taken in any publicly disclosed cyber attack to date... the attack was a strong reminder that consumers and businesses need to be vigilant about making sure they do -not- reuse passwords..."

- http://atlas.arbor.net/briefs/index#1886717424
7 Nov 2013 21:27:07 +0000
When it comes to protecting sensitive information, implementation is key. An improper implementation can lead to weaknesses that can result in data compromise.
Source: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/

- http://atlas.arbor.net/briefs/index#124925286
Elevated Severity
7 Nov 2013 21:27:07 +0000
After becoming available, credential leaks from the Adobe breach are being analyzed. Predictably, many users' password choices are poor. Analysis and password-cracking efforts are well underway.
Source: http://www.welivesecurity.com/2013/11/05/adobe-breach-reveals-really-terrible-passwords-are-still-popular-2-million-used-123456/
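Added example, not LastPass's or Adobe's code, showing why an unsalted store lets an analyst count the most-used password straight from a dump (no cracking involved) and how per-user salting removes that property; the users and hints are constructed.

```python
"""Why an unsalted password store leaks password frequency. Added example, not
LastPass's or Adobe's code: any deterministic per-password transform (unsalted
hash, or a block cipher in ECB mode) maps equal passwords to equal stored values,
so a leaked dump clusters without cracking a single password, and cleartext hints
then name the cluster. A per-user random salt removes the clusters. Sample users
below are constructed."""
import hashlib
import os

USERS = [  # (email, password, cleartext hint) -- constructed sample
    ("a@example.test", "123456", "numbers"),
    ("b@example.test", "123456", "1 to 6"),
    ("c@example.test", "123456", "the usual"),
    ("d@example.test", "password", "obvious"),
    ("e@example.test", "password", ""),
    ("f@example.test", "Tr0ub4dor&3", "comic"),
]

def store_unsalted(pw):
    """The flawed design: same password -> same stored value for every user."""
    return hashlib.sha256(pw.encode()).hexdigest()

def store_salted(pw, salt=None, iterations=50_000):
    """Per-user random salt plus a slow KDF; returns (salt_hex, digest_hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt.hex(), dk.hex()

def dump_unsalted(users):
    return [(e, store_unsalted(p), h) for e, p, h in users]

def dump_salted(users):
    return [(e, store_salted(p)[1], h) for e, p, h in users]

def clusters(records):
    """Group a dump of (email, stored_value, hint) by stored value, largest first.
    Nothing is decrypted: equal stored values alone reveal equal passwords."""
    hints_by_value = {}
    for _email, value, hint in records:
        hints_by_value.setdefault(value, []).append(hint)
    return sorted(hints_by_value.values(), key=len, reverse=True)

def largest_cluster(records):
    return len(clusters(records)[0])

if __name__ == "__main__":
    top = clusters(dump_unsalted(USERS))[0]
    print(len(top), "users share one stored value; their hints:", top)  # 3
    print(largest_cluster(dump_salted(USERS)))  # 1: nothing to cluster
```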


2013-11-22, 12:58

GitHub - Weak passwords brute forced
- https://github.com/blog/1698-weak-passwords-brute-forced
Nov 19, 2013 - "Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack... We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked. Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information. Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used. Activity on these accounts showed logins from IP addresses involved in this incident..."

- http://www.theregister.co.uk/2013/11/21/github_password_probing_reveal/
Nov 21, 2013 - "... GitHub's recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites. Never use the same password and username combination on other sites..."

- https://isc.sans.edu/diary.html?storyid=17087
Last Updated: 2013-11-22 15:45:51 UTC - "... Yesterday I got an email from Evernote telling me that I had used the same password at Evernote that I had used at Adobe. The Evernote account probably got my throwaway password before I realized the value of the Evernote service. I now use Evernote nearly every day from my mobile devices, where I don't get prompted for the credentials, but never log into it over the web, so I didn't remember what the password was set to.
> https://isc.sans.edu/diaryimages/images/ev.jpg
... I quickly changed my Evernote password and enabled Evernote's two-step authentication... this was not your typical brute force employing obvious userids and incredibly inane passwords, but a targeted attack against password reuse... Guess I will be looking at all my passwords again, including the ones used by my mobile devices!"

:fear::fear: :sad:
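Added example (constructed log format, not GitHub's or ISC's) that tells the two patterns in these posts apart in an authentication log: classic brute force hammering a few accounts versus reuse-driven credential stuffing with one try per account; any successful login from a flagged source is an account to reset, as GitHub did.

```python
"""Detect password-guessing patterns in authentication logs. Added example; the
log format and addresses below are constructed, not GitHub's. Two shapes matter
for the incident above: brute force (many attempts on few accounts) and
credential stuffing (about one attempt per account across many accounts, fed by a
leaked dump). A success from a flagged source marks the account to reset."""
import re
from collections import defaultdict

LOG = """\
2013-11-18T02:00:01Z login user=alice src=198.51.100.9 result=fail
2013-11-18T02:00:02Z login user=bob src=198.51.100.9 result=fail
2013-11-18T02:00:03Z login user=carol src=198.51.100.9 result=fail
2013-11-18T02:00:04Z login user=dave src=198.51.100.9 result=success
2013-11-18T02:00:05Z login user=erin src=198.51.100.9 result=fail
2013-11-18T02:01:00Z login user=root src=203.0.113.5 result=fail
2013-11-18T02:01:01Z login user=root src=203.0.113.5 result=fail
2013-11-18T02:01:02Z login user=root src=203.0.113.5 result=fail
2013-11-18T02:01:03Z login user=root src=203.0.113.5 result=fail
2013-11-18T02:05:00Z login user=frank src=192.0.2.44 result=success
"""
LINE = re.compile(r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)")

def analyse(log, min_fail=3, stuffing_ratio=0.8):
    """Return {src: verdict}; a source is flagged once it has min_fail failures."""
    per_src = defaultdict(lambda: {"fail": 0, "users": set(), "ok": []})
    for m in LINE.finditer(log):
        s = per_src[m["src"]]
        s["users"].add(m["user"])
        if m["res"] == "success":
            s["ok"].append(m["user"])
        else:
            s["fail"] += 1
    verdicts = {}
    for src, s in per_src.items():
        if s["fail"] < min_fail:
            continue
        attempts = s["fail"] + len(s["ok"])
        # Stuffing: nearly every attempt names a new user; brute force: the reverse.
        stuffing = len(s["users"]) / attempts >= stuffing_ratio
        verdicts[src] = {"kind": "credential_stuffing" if stuffing else "brute_force",
                         "attempts": attempts, "distinct_users": len(s["users"]),
                         "reset_accounts": s["ok"]}
    return verdicts

if __name__ == "__main__":
    for src, verdict in analyse(LOG).items():
        print(src, verdict)
```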

2013-12-05, 02:03

2 million Facebook, Gmail and Twitter passwords stolen in massive hack
- http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/index.html
Dec 4, 2013 - "Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week. The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers. On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands... Trustwave* notified these companies of the breach. They posted their findings publicly on Tuesday..."
* http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html
3 Dec 2013 - "... Looking at the domains from which passwords were stolen:
> http://a7.typepad.com/6a0168e94917b4970c019b01aaed57970c-pi
As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc...
Geo-Location Statistics:
> http://a3.typepad.com/6a0168e94917b4970c019b01f0eb9b970c-pi
... We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords, and here's what we found:
> http://a0.typepad.com/6a0168e94917b4970c019b01aaee40970c-pi
... Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are:
> http://a1.typepad.com/6a0168e94917b4970c019b01aaedd1970c-pi
... Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category..."
(More detail at the spiderlabs URL above.)

JPMorgan warns 465,000 card users on data loss after cyber attack
- http://www.reuters.com/article/2013/12/05/us-jpmorgan-dataexposed-idUSBRE9B405R20131205
Dec 5, 2013 - "JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July. The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. JPMorgan said on Wednesday it detected that its web servers used by its site www .ucard .chase .com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement. Bank spokesman Michael Fusco said that in the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken. He declined to discuss how the attackers breached the bank's network. Fusco said the bank is notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it cannot rule out the possibility that their personal information was among the data removed from its servers..."

:mad: :fear::fear:

2013-12-20, 23:45

Cards Stolen in Target Breach Flood Underground Markets
- http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Dec 20, 2013 - "Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card... At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach... On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15..."
(More detail at the krebsonsecurity URL above.)

:fear::fear: :mad:

2013-12-30, 13:48

Hack took over BBC server, tried to 'sell' access on Christmas Day
- http://www.reuters.com/article/2013/12/29/us-bbc-cyberattack-idUSBRE9BS06K20131229
Dec 29, 2013 - "A hacker secretly took over a computer server at the BBC, Britain's public broadcaster, and then launched a Christmas Day campaign to convince other cyber criminals to pay him for access to the system. While it is not known if the hacker found any buyers, the BBC's security team responded to the issue on Saturday and believes it has secured the site, according to a person familiar with the cleanup effort. A BBC spokesman declined to discuss the incident. "We do not comment on security issues," he said. Reuters could not determine whether the hackers stole data or caused any damage in the attack, which compromised a server that manages an obscure password-protected website. It was not clear how the BBC, the world's oldest and largest broadcaster, uses that site, ftp.bbc. co .uk, though ftp systems are typically used to manage the transfer of large data files over the Internet. The attack was first identified by Hold Security LLC, a cybersecurity firm in Milwaukee that monitors underground cyber-crime forums in search of stolen information. The firm's researchers observed a notorious Russian hacker known by the monikers "HASH" and "Rev0lver," attempting to sell access to the BBC server on December 25..."
* http://www.holdsecurity.com/#!about/cipy

:fear::fear: :sad: