Page 4 of 5 - Results 31 to 40 of 41

Thread: Security breach/compromise - 2013

  1. #31
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Exclamation Malware using GoogleCode for distribution

    FYI...

    Malware using GoogleCode for distribution
    - http://research.zscaler.com/2013/07/...ecode-for.html
    July 31, 2013 - "Malware hosting sites rarely stay up for too long. After the first few instances are seen by security vendors, they are added to blacklists which, in turn, are fed into other blacklists throughout the industry. Malware writers are now turning to commercial file hosting sites to peddle their warez. If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether. The kicker is that this time we see that GoogleCode seems to have swallowed the bad pill.
    > https://lh3.ggpht.com/-vDbU-4G4ph8/U...googlecode.png
    ... We also have reports of this file being downloaded via Dropbox, but it appears to have been taken down at the time of research
    > https://lh3.ggpht.com/-F5u9cMXMclM/U...Y/s1600/BA.png
    This incident sets a precedent that no file hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organizational or personal perspective. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location. Other files from this location that were also flagged as malicious as noted below..."
    (More detail at the zscaler URL above.)

    - http://www.theinquirer.net/inquirer/...spread-malware
    Aug 01 2013 - "... FireEye said the use of developer websites by hackers to spread malware isn't anything new and it expects to see similar attacks in the very near future..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    AplusWebMaster (Adviser Team)

    Thumbs down BANKER Malware hosted on Google Code

    FYI...

    BANKER Malware hosted on Google Code
    - http://blog.trendmicro.com/trendlabs...n-google-code/
    Aug. 8, 2013 - "... we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this -bogus- project has nothing to do with Adobe. The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and executes the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather this data, they can use it to initiate unauthorized transactions such as money transfers. Previously, BANKER malware was seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there. Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted on an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputation services may not prevent the downloading. If this threat seems familiar, it’s because this abuse of open-source project sites has been done before... legitimate cloud providers like Google Code are likely to come under attack this year. With services like Google Code likely to gain traction among users, we can expect that similar cases will appear (and increase) in the coming days... As of this writing, the said files are no longer available on Google Code."


  3. #33
    AplusWebMaster (Adviser Team)

    Thumbs down Adobe network compromised...

    FYI...

    Adobe network compromised...
    - http://blogs.adobe.com/conversations...ouncement.html
    Oct 3, 2013 - "... Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related. Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident..."
    (More detail at the Adobe URL above.)

    - https://www.us-cert.gov/ncas/current...de-Compromises
    Oct 3, 2013

    - http://www.databreaches.net/adobe-wa...-cyber-attack/
    3 Oct 2013

    - http://www.theguardian.com/technolog...h-cyber-attack
    3 Oct 2013 - "... It has reset passwords on customers' accounts and recommended that customers change their passwords on any other website where they used the same code..."
    ___

    - http://blogs.adobe.com/asset/2013/10...urce-code.html
    Oct 2, 2013

    - https://www.trusteer.com/blog/massiv...o-day-exploits
    Oct 04, 2013 - "... The Adobe network breach puts organizations and users at significant risk. If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. You can expect that we will soon have a stream of new, nasty zero-day exploits..."

    Last edited by AplusWebMaster; 2013-10-05 at 13:41.

  4. #34
    AplusWebMaster (Adviser Team)

    Thumbs down DNS hijack - leaseweb .com ...

    FYI...

    DNS hijack - leaseweb .com website
    - http://blog.leaseweb.com/2013/10/06/...b-com-website/
    Oct 6, 2013 - "As one of the largest hosting providers in the world, with almost four percent of the entire global IP traffic under our management, LeaseWeb continuously combats cybercrime in its many forms, dealing swiftly and professionally with any detected malicious activity within its network. Last weekend the leaseweb .com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb .com were redirected to another, non-LeaseWeb IP address, after the leaseweb .com DNS was -changed- at the registrar. This DNS hijack was quickly detected and rectified by LeaseWeb’s security department. Although it seems to have had only superficial effects, we seriously regret this event from happening. Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack... The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST. While the hijack was soon detected and mitigated, it took some time before our adjustments in the DNS cache were propagated across the internet. During this period the following systems and services were affected:
    - Some visitors of http ://www.leaseweb .com were redirected to a non-LeaseWeb IP address
    - E-mails sent to @ leaseweb .com addresses during the DNS hijack were not received by LeaseWeb
    - Domain name registration and server reinstallation via our Self Service Center was disabled
    ... We sincerely apologize for any inconvenience this unfortunate event might have caused. Security will always be a battle between good and evil, with one trying to outsmart the other in whatever way possible. We will learn from this incident, intensively review our security systems and protocols, and adjust where necessary..."

    - http://www.theinquirer.net/inquirer/...-in-dns-hijack
    Oct 07 2013 - "... it appears that the hijackers obtained the domain administrator password and used that information to access the registrar. We will continue to investigate this incident thoroughly and take decisive action accordingly."


  5. #35
    AplusWebMaster (Adviser Team)

    Thumbs down Avira homepage defaced

    FYI...

    Avira homepage defaced
    - https://isc.sans.edu/diary.html?storyid=16754
    Last Updated: 2013-10-08 12:58:56 UTC - "The home page of antivirus company Avira has been defaced, likely by altering the DNS zone for Avira .com... Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an antivirus company like Avira change the addresses used to download signature updates. According to domaintools.com, the last address for avira.com was 62.146.210.2 and that address still appears to host Avira's site... The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more widespread issue with Network Solutions. I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far.
    Partial screenshot of the site:
    > https://isc.sans.edu/diaryimages/ima...anEsq7RXMY.png
    ... a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now... Instant messaging software maker Whatsapp was apparently a third victim of this attack."

    - http://techblog.avira.com/2013/10/08...-avira-com/en/
    Oct 8 2013 - "... It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers. Our internal network has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again... We are working with the ISP to receive control of the domain name, and only when we have solved the problem will we restore access to the Avira services..."
    Update: October 8th 23:15 CET+2 - "The DNS settings have been restored. We will continue to restore all our services in the next hours."
    ___

    AVG, Avira and WhatsApp - DNS hijack
    - http://www.theregister.co.uk/2013/10..._attack_spree/
    8 Oct 2013

    - http://atlas.arbor.net/briefs/index#1211343777
    Hijacking of AV firms' websites may be linked to hack on Network Solutions ...
    Elevated Severity
    October 11, 2013 00:53
    Several high profile sites, including two anti-virus vendors, were hijacked at the DNS level recently. DNS resource records are a significant target for attackers and should be carefully protected.
    Analysis: While a full sense of the damage is not known by this author, the apparent defacement of a public website - and the tainting of traffic destinations - through DNS redirection is an old trick that is still bearing fruit. In this case, it appears that credentials have been obtained via a bogus password reset phishing e-mail sent to the authoritative registrar. If this is the actual attack vector, then security awareness training needs to increase at the affected organization. Organizations that protect DNS resource records need to understand that they are a target, and that anyone can become a target. Not only will HTTP traffic redirect to the wrong location, but attackers can and have used this technique to install malware from sites that would normally be trusted and appear to be legitimate to the end user. Additionally, if other RRs such as MX records were modified, then attackers could obtain a significant amount of e-mail. The triggering of password reset functionality associated with any of those domains would then return the password reset process into the hands of the attackers. This is just one possible example of the risks inherent in such an attack. DNS providers need to ensure that security is improved and that such attacks become much more difficult to implement and that they are caught proactively.
    Source: http://arstechnica.com/security/2013...ork-solutions/

    Last edited by AplusWebMaster; 2013-10-12 at 15:55.
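The ISC and Arbor items above make the same point from two directions: whoever controls the NS delegation can rewrite A and MX records at will, and such changes should be "caught proactively". Below is an added example of the detection side, written for this thread rather than taken from any of the quoted sources. It diffs an observed snapshot of a zone's NS/A/MX records against an approved baseline and ranks the findings, with NS changes treated as critical because they subsume every other record type. All zone names, addresses and snapshots are constructed placeholders (RFC 2606 / RFC 5737 ranges); in real use the `SNAPSHOT_*` dicts would be filled from periodic resolver queries against the registrar-published name servers.

```python
from dataclasses import dataclass

# Constructed baseline for a hypothetical zone; names and addresses are
# placeholders (RFC 2606 / RFC 5737 ranges), not any real vendor's records.
BASELINE = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.av-vendor.example."},
}

# Why NS outranks the others: whoever controls the NS delegation can rewrite
# every other record in the zone (web, mail, signature-update hosts).
SEVERITY = {"NS": "critical", "MX": "high", "A": "high"}
_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    rtype: str
    severity: str
    added: frozenset    # values present now but absent from the baseline
    removed: frozenset  # baseline values that have disappeared


def compare_records(baseline, observed):
    """Diff an observed snapshot of the zone against the approved baseline.

    Returns a list of Finding objects, most severe first. An empty list means
    every monitored record type still matches what was approved.
    """
    findings = []
    for rtype, expected in baseline.items():
        seen = set(observed.get(rtype, ()))
        added = frozenset(seen - expected)
        removed = frozenset(expected - seen)
        if added or removed:
            findings.append(Finding(rtype, SEVERITY.get(rtype, "medium"), added, removed))
    findings.sort(key=lambda f: _ORDER[f.severity])
    return findings


def should_page_oncall(findings):
    """A registrar-level delegation change is never routine: wake someone up."""
    return any(f.severity == "critical" for f in findings)


def describe(findings):
    """Human-readable lines for a ticket or chat alert."""
    return [
        f"[{f.severity.upper()}] {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}"
        for f in findings
    ]


# Constructed snapshots standing in for what a resolver query would return.
SNAPSHOT_NORMAL = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.av-vendor.example."},
}

# Simulated registrar hijack: delegation and web address moved elsewhere,
# MX left alone so mail keeps flowing and nobody notices immediately.
SNAPSHOT_HIJACKED = {
    "NS": {"ns1.attacker-controlled.example.", "ns2.attacker-controlled.example."},
    "A": {"198.51.100.7"},
    "MX": {"10 mail.av-vendor.example."},
}

if __name__ == "__main__":
    hits = compare_records(BASELINE, SNAPSHOT_HIJACKED)
    for line in describe(hits):
        print(line)
    print("page on-call:", should_page_oncall(hits))
```

The check is deliberately independent of the zone's own name servers: if the delegation has been moved, querying the hijacked servers would only confirm the attacker's view, so the baseline comparison belongs on a monitor that resolves from outside and also reads the registrar's WHOIS/RDAP name-server list.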

  6. #36
    AplusWebMaster (Adviser Team)

    Thumbs down Compromised Turkish Gov't Web site leads to malware

    FYI...

    Compromised Turkish Gov't Web site leads to malware
    - http://www.webroot.com/blog/2013/10/...leads-malware/
    Oct 10th, 2013 - "... Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake “DivX plug-in Required!” Facebook-themed Web page. Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.
    Sample screenshot of the fake DivX, Facebook-themed page uploaded on the compromised Web server:
    > https://www.webroot.com/blog/wp-cont...e-1024x682.png
    Compromised URL: hxxp ://www.manisahem .gov .tr/giorgia.html
    The malware’s download URL: hxxp ://hyfcst.best.volyn .ua:80/dlimage11.php – 103.246.115.238
    Detection rate for the malicious variant: MD5: adc9cafbd4e2aa91e4aa75e10a948213 * Heuristic.LooksLike.Win32.Suspicious.J!89
    ... malicious sub-domains are also known to have responded to the same IP (103.246.115.238)
    ... malicious subdomains are also known to have responded to... IP (103.9.150.244)..."
    * https://www.virustotal.com/en/file/9...e7f5/analysis/
    File name: vti-rescan

    - https://www.virustotal.com/en-gb/ip-...8/information/

    - https://www.virustotal.com/en-gb/ip-...4/information/


  7. #37
    AplusWebMaster (Adviser Team)

    Thumbs down Adobe user data found on Web after breach

    FYI...

    Trove of Adobe user data found on Web after breach
    - http://www.reuters.com/article/2013/...9A61D220131107
    Nov 7, 2013 - "A computer security firm has uncovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is far bigger than Adobe has so far disclosed and is one of the largest on record. LastPass, a password security firm, said on Thursday that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals. Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier... Because the passwords were not salted, Siegrist said he was able to identify the most frequently used password in the group, which was used 1.9 million times. The database has 108 million email addresses with passwords -shared- in multiple accounts... The number of records stolen appears to be the largest taken in any publicly disclosed cyber attack to date... the attack was a strong reminder that consumers and businesses need to be vigilant about making sure they do -not- reuse passwords..."
    ___

    - http://atlas.arbor.net/briefs/index#1886717424
    7 Nov 2013 21:27:07 +0000
    When it comes to protecting sensitive information, implementation is key. An improper implementation can lead to weaknesses that can result in data compromise.
    Source: http://nakedsecurity.sophos.com/2013...aphic-blunder/

    - http://atlas.arbor.net/briefs/index#124925286
    Elevated Severity
    7 Nov 2013 21:27:07 +0000
    After becoming available, credential leaks from the Adobe breach are being analyzed. Predictably, many users' password choices are poor. Analysis and password-cracking efforts are well underway.
    Source: http://www.welivesecurity.com/2013/1...n-used-123456/

    Last edited by AplusWebMaster; 2013-11-09 at 16:38.
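The Reuters piece above notes that because the Adobe passwords were not salted, LastPass could identify the single most-used password (1.9 million times) and that the hints were stored in clear text. The following added example, written for this thread and not taken from any of the quoted sources, shows why that works: with a deterministic, unsalted transform, every account sharing a password shares a stored value, so an analyst can cluster accounts and read all their hints without recovering a single password. With a per-account random salt the clusters vanish. SHA-256 is used here purely for illustration (the article does not say what scheme Adobe used, only that it lacked a salt), and the account list is constructed.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts: (email, password, clear-text hint).
# Not real data from any breach.
SAMPLE_USERS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "one to six"),
    ("c@example.com", "123456", ""),
    ("d@example.com", "123456", "the usual"),
    ("e@example.com", "hunter2", "irc joke"),
    ("f@example.com", "hunter2", "famous one"),
    ("g@example.com", "correct horse battery staple", "xkcd"),
]


def hash_unsalted(password):
    """One deterministic digest per password, so equal passwords collide.
    SHA-256 is an assumption for illustration only; the article does not
    state the scheme Adobe used, only that no salt was involved."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Per-account random salt: equal passwords give unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def build_unsalted_db(users):
    return [{"email": e, "digest": hash_unsalted(p), "hint": h} for e, p, h in users]


def build_salted_db(users):
    rows = []
    for e, p, h in users:
        salt, digest = hash_salted(p)
        rows.append({"email": e, "salt": salt, "digest": digest, "hint": h})
    return rows


def cluster_by_digest(records):
    """Group stored rows by digest; needs no knowledge of any password."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["digest"]].append(rec)
    return clusters


def largest_cluster(records):
    """Size of the biggest group of accounts sharing one stored digest."""
    return max(len(rows) for rows in cluster_by_digest(records).values())


def hints_for_largest_cluster(records):
    """Clear-text hints that all describe the same (still unknown) password."""
    biggest = max(cluster_by_digest(records).values(), key=len)
    return [r["hint"] for r in biggest if r["hint"]]


if __name__ == "__main__":
    unsalted = build_unsalted_db(SAMPLE_USERS)
    salted = build_salted_db(SAMPLE_USERS)
    print("unsalted: largest cluster", largest_cluster(unsalted),
          "hints:", hints_for_largest_cluster(unsalted))
    print("salted:   largest cluster", largest_cluster(salted))
```

In the unsalted table the four "123456" accounts collapse into one cluster and their hints ("numbers", "one to six", "the usual") are read together, which is exactly the frequency analysis the article describes. In the salted table every row is its own cluster. For real storage a salt alone is not enough; a deliberately slow, salted KDF such as bcrypt, scrypt or Argon2 replaces the bare SHA-256 used above.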

  8. #38
    AplusWebMaster (Adviser Team)

    Thumbs down GitHub - Weak passwords brute forced ...

    FYI...

    GitHub - Weak passwords brute forced
    - https://github.com/blog/1698-weak-pa...s-brute-forced
    Nov 19, 2013 - "Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack... We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked. Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information. Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used. Activity on these accounts showed logins from IP addresses involved in this incident..."

    - http://www.theregister.co.uk/2013/11...robing_reveal/
    Nov 21, 2013 - "... GitHub's recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites. Never use the same password and username combination on other sites..."
    ___

    - https://isc.sans.edu/diary.html?storyid=17087
    Last Updated: 2013-11-22 15:45:51 UTC - "... Yesterday I got an email from Evernote telling me that I had used the same password at Evernote that I had used at Adobe. The Evernote account probably got my throwaway password before I realized the value of the Evernote service. I now use Evernote nearly every day from my mobile devices, where I don't get prompted for the credentials, but never log into it over the web, so I didn't remember what the password was set to.
    > https://isc.sans.edu/diaryimages/images/ev.jpg
    ... I quickly changed my Evernote password and enabled Evernote's two-step authentication... this was not your typical brute force employing obvious userids and incredibly inane passwords, but a targeted attack against password reuse... Guess I will be looking at all my passwords again, including the ones used by my mobile devices!"

    Last edited by AplusWebMaster; 2013-11-22 at 17:08.

  9. #39
    AplusWebMaster (Adviser Team)

    Thumbs down 2M Facebook, Gmail and Twitter passwords stolen in massive hack

    FYI...

    2 million Facebook, Gmail and Twitter passwords stolen in massive hack
    - http://money.cnn.com/2013/12/04/tech...len/index.html
    Dec 4, 2013 - "Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week. The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers. On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands... Trustwave* notified these companies of the breach. They posted their findings publicly on Tuesday..."
    * http://blog.spiderlabs.com/2013/12/l...moar-pony.html
    3 Dec 2013 - "... Looking at the domains from which passwords were stolen:
    > http://a7.typepad.com/6a0168e94917b4...1aaed57970c-pi
    As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc...
    Geo-Location Statistics:
    > http://a3.typepad.com/6a0168e94917b4...1f0eb9b970c-pi
    ... We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords, and here's what we found:
    > http://a0.typepad.com/6a0168e94917b4...1aaee40970c-pi
    ... Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are:
    > http://a1.typepad.com/6a0168e94917b4...1aaedd1970c-pi
    ... Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category..."
    (More detail at the spiderlabs URL above.)
    ___

    JPMorgan warns 465,000 card users on data loss after cyber attack
    - http://www.reuters.com/article/2013/...9B405R20131205
    Dec 5, 2013 - "JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July. The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. JPMorgan said on Wednesday it detected that its web servers used by its site www .ucard .chase .com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement. Bank spokesman Michael Fusco said that in the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken. He declined to discuss how the attackers breached the bank's network. Fusco said the bank is notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it cannot rule out the possibility that their personal information was among the data removed from its servers..."

    Last edited by AplusWebMaster; 2013-12-05 at 12:37.

  10. #40
    AplusWebMaster (Adviser Team)

    Exclamation Cards Stolen in Target Breach Flood Underground Markets ...

    FYI...

    Cards Stolen in Target Breach Flood Underground Markets
    - http://krebsonsecurity.com/2013/12/c...round-markets/
    Dec 20, 2013 - "Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card... At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach... On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15..."
    (More detail at the krebsonsecurity URL above.)

