Security breach/compromise - 2013

AplusWebMaster

FYI...

Twitter hacked - 250K pwd's reset
- http://blog.twitter.com/2013/02/keeping-our-users-secure.html
Feb 01, 2013 - "... Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems... This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter... This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users..."

- https://isc.sans.edu/diary.html?storyid=15064
Last Updated: 2013-02-02 02:22:50 UTC

:sad: :mad:
 
Fed Reserve hacked by Anonymous

FYI...

Fed Reserve hacked by Anonymous
- http://h-online.com/-1799026
6 Feb 2013 - "Hacktivists affiliated with the Anonymous collective breached an internal web site of the US Federal Reserve, according to a report from Reuters*. A spokesman for the US central bank said: "The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," adding that the "exposure" was fixed rapidly and "is no longer an issue". The hackers had released a spreadsheet with details of 4000 US bank executives as part of a campaign named "OpLastResort"... but according to a memo sent to members of the Federal Reserve's Emergency Communication System, what had been compromised was mailing address, business phone, mobile phone, business email and fax numbers. The memo said: "Despite claims to the contrary, passwords were not compromised". The Federal Reserve's Emergency Communication System (ECS) is designed to help the Fed estimate how much damage a natural disaster may have done by allowing bank executives to send them updates if their operations have been affected. It appears that the contact information for this system is what was taken and published. The Federal Reserve says that all the individuals affected by the breach have been contacted."
* http://www.reuters.com/article/2013/02/06/net-us-usa-fed-hackers-idUSBRE91501920130206
"... 'Every system is going to have some vulnerability to it. You cannot set up a system that will survive all possible attacks' said Mark Rasch, director of Privacy and security consulting at CSC and a former federal cyber crimes prosecutor. 'You have to defend against every possible vulnerability and the attackers only have to find one way in,' he said."

:sad: :fear: :mad:
 
Facebook hacked ...

FYI...

Facebook hacked...
- http://www.reuters.com/article/2013/02/16/net-us-usa-social-facebook-idUSBRE91E16O20130216
Feb 16, 2013 - "Facebook Inc said on Friday hackers had infiltrated some of its employees' laptops in recent weeks, making the world's No.1 social network the latest victim of a wave of cyber attacks, many of which have been traced to China... Facebook noted in its blog post* that it was not alone in the attack, and that "others were attacked and infiltrated recently as well," although it did not specify who. The Federal Bureau of Investigation declined to comment... In its blog post, Facebook described the attack as a "zero-day" attack, considered to be among the most sophisticated and dangerous types of computer hacks. Zero-day attacks, which are rarely discovered or disclosed by their targets, are costly to launch and often suggest government involvement. While Facebook said no user data was compromised*, the incident could raise consumer concerns about privacy and the vulnerability of personal information stored within the social network... Facebook said it spotted a suspicious file and traced it back to an employee's laptop. After conducting a forensic examination of the laptop, Facebook said it identified a malicious file, then searched company-wide and identified "several other compromised employee laptops". Another person briefed on the matter said the first Facebook employee had been infected via a website where coding strategies were discussed. The company also said it identified a previously unseen attempt to bypass its built-in cyber defenses and that new protections were added on February 1. Because the attack used a third-party website, it might have been an early-stage attempt to penetrate as many companies as possible..."
* https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
Feb 15, 2013 - "... we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops. After analyzing the compromised website where the attack originated, we found it was using a "zero-day" (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability..."

- http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
Feb 15, 2013

:fear::fear: :mad:
 
Hacks inside Apple, too...

FYI...

Chinese hacks got inside Apple, too
- http://www.theatlanticwire.com/technology/2013/02/chinese-hackers-got-inside-apple-too/62294/
Feb 19, 2013 - "Following a string of disclosures from big tech and media companies that could point to a larger Chinese threat, Apple on Tuesday became the latest to admit that its internal computers had been hacked — and by the same malware malfeasance that got inside Facebook, which, according to Reuters, all trace back to China. An Apple statement, via AllthingsD*, points to the same Java script malware that infected Facebook laptops as being the culprit with the attack on some Macs at Apple:
* http://allthingsd.com/20130219/apple-says-it-too-attacked-by-hackers/
'... Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network...'
... No user information was compromised in the breach, as with the Facebook hack. Also like the Facebook hack, there's no official sign that the tech-company hacks are connected to a larger Chinese cyber-espionage campaign against the U.S. government, its companies, its infrastructure, and many organizations — a campaign that has now been tied to the Chinese People's Liberation Army. But even the most secretive and high-security American technology companies aren't safe, and now everyone's coming clean..."
> http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219

- http://h-online.com/-1806158
19 Feb 2013

Facebook, Twitter, Apple hack sprung from iPhone developer forum
The site, iphonedevsdk .com, could still be hosting exploit attacks.
- http://arstechnica.com/security/201...velopers-hosted-malware-that-hacked-facebook/
Feb 19, 2013 9:52 pm UTC

Unusually detailed report links Chinese military to hacks against US
Chinese intrusions are increasingly targeting critical industrial systems.
- http://arstechnica.com/security/201...t-links-chinese-military-to-hacks-against-us/
Feb 19, 2013 9:30 pm UTC

Dev site behind Apple, Facebook hacks didn't know it was booby-trapped
iPhoneDevSDK says it wasn't contacted by the companies or law enforcement.
- http://arstechnica.com/security/201...cebook-hacks-didnt-know-it-was-booby-trapped/
Feb 20, 2013

:fear::fear::mad:
 
NBC.com redirects to Exploit kit ...

FYI...

NBC.com redirects to Exploit kit ...
> http://www.malwaredomains.com/?p=3082

> https://isc.sans.edu/diary.html?storyid=15223
Last Updated: 2013-02-21 19:36:19 UTC - "... redirecting to malicious websites that contain an exploit kit. At this point it seems like most of the pages contain an iframe that is redirecting to the first stage of the RedKit exploit kit... Some of the publicly known bad iframes are:
hxxp ://www.jaylenosgarage [.]com/trucks/PHP/google.php
hxxp ://toplineops [.]com/mtnk.html
hxxp ://jaylenosgarage [.]com
The Redkit exploit kit will deploy the banking trojan Citadel..."

- https://www.google.com/safebrowsing/diagnostic?site=nbc.com/

- http://community.websense.com/blogs/securitylabs/archive/2013/02/21/nbc-com-compromise.aspx

- http://ddanchev.blogspot.com/2013/02/dissecting-nbcs-exploits-and-malware.html

NBC says NBC.com site is now safe to visit
- http://www.reuters.com/article/2013/02/21/us-nbc-virus-idUSBRE91K1DQ20130221
Feb 21, 2013 4:54pm EST - "... 'A problem was identified and it has been fixed,' an NBC Universal spokeswoman told Reuters. She declined to elaborate on the nature of the problem... NBC is controlled by Comcast Inc..."
___

Fake Mandiant APT Report Used as Malware Lure
- https://isc.sans.edu/diary.html?storyid=15226
Last Updated: 2013-02-21 20:50:39 UTC

SSHD rootkit in the wild
- https://isc.sans.edu/diary.html?storyid=15229
Last Updated: 2013-02-21 21:08:34 UTC

:mad::fear:
 
MS hacked ...

FYI...

Attack Traffic Overview
- http://www.akamai.com/html/technology/dataviz1.html
Feb 24, 2013 - 07:43AM est
89.38% above normal

- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic: Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours. Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."
___

MS hacked ...
- https://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx?Redirected=true
22 Feb 2013 - "As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing. This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries. We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks."
___

Zendesk... breach compromised email addresses
- https://www.computerworld.com/s/article/9237047/Zendesk_says_breach_compromised_email_addresses
Feb 22, 2013 - "... Pinterest and Tumblr was also affected..."

:mad::fear:
 
Evernote Security Issue

FYI...

Evernote Security Issue
- https://isc.sans.edu/diary.html?storyid=15313
Last Updated: 2013-03-02 18:02:10 - "Evernote, a popular app for note taking and archiving, reported that they had a security incident*. As a part of their incident response and operational security monitoring, their staff noted that the compromise had occurred and that the attackers were actively attempting to access secured areas of their system. While they did not have evidence of sensitive data being compromised, user profile data (passwords, email addresses and similar) has likely been. In response, they are forcing all user credentials to be changed..."
* http://evernote.com/corp/news/password_reset.php

Evernote Forces Password Reset for 50M Users
- https://krebsonsecurity.com/2013/03/evernote-forces-password-reset-for-50m-users/
Mar 2, 2013

:fear::fear:
 
U.S. NVD infected

FYI...

U.S. NVD infected...
- http://www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/
14 March 2013 - "The US government's online catalog of cyber-vulnerabilities has been taken offline – ironically, due to a software vulnerability. The National Institute of Standards and Technology's National Vulnerability Database's (NVD) public-facing website and other services have been offline since Friday due to a malware infection on two web servers..."

> http://nvd.nist.gov/
"The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available."

:fear::fear::mad:
___

NVD appears to be restored
- https://web.nvd.nist.gov/view/vuln/search
March 15, 2013

;-)
 
Seagate blog malware ...

FYI...

Seagate blog malware ...
- http://nakedsecurity.sophos.com/2013/03/14/seagate-rogue-apache-modules/
March 14, 2013 - "SophosLabs has been tracking an infection of Mal/Iframe-AL* on Seagate's blog since late February. SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected..."
* http://www.sophos.com/en-us/threat-...-spyware/Mal~Iframe-AL/detailed-analysis.aspx
"... legitimate sites are compromised by attackers in order to drive user traffic to sites hosting an exploit kit known as Blackhole... A malicious iframe is injected into the page with CSS to render it invisible to the user..."

:mad::fear:
 
Apache “Darkleech” Compromises ...

FYI...

Apache “Darkleech” Compromises ...
- http://blogs.cisco.com/security/apache-darkleech-compromises/
Apr 2, 2013 - "Dan Goodin, editor at Ars Technica, has been tracking and compiling info on an elusive series of website compromises that could be impacting tens of thousands of otherwise perfectly legitimate sites. While various researchers have reported various segments of the attacks, until Dan’s article*, no one had connected the dots and linked them all together.
Dubbed “Darkleech,” thousands of Web servers across the globe running Apache 2.2.2 and above are infected with an SSHD backdoor that allows remote attackers to upload and configure malicious Apache modules. These modules are then used to turn hosted sites into attack sites, dynamically injecting iframes in real-time, only at the moment of visit. Because the iframes are dynamically injected only when the pages are accessed, this makes discovery and remediation particularly difficult. Further, the attackers employ a sophisticated array of conditional criteria to avoid detection:
- Checking IP addresses and blacklisting security researchers, site owners, and the compromised hosting providers;
- Checking User Agents to target specific operating systems (to date, Windows systems);
- Blacklisting search engine spiders;
- Checking cookies to “wait list” recent visitors;
- Checking referrer URLs to ensure visitor is coming in via valid search engine results.
When the iframe is injected on the page, the convention used for the reference link in the injected iframe is IP/hex/q.php. For example:
129.121.179.168/d42ee14e4af7a0a7b1033b8f8f1eb18a/q.php
The nature of the compromise coupled with the sophisticated conditional criteria presents several challenges:
- Website owners/operators will not be able to detect or clean the compromise as (a) it is not actually on their website, and (b) most will not have root-level access to the webserver;
- Even if website owners/operators suspect the host server may be the source, they would still need to convince the hosting provider, who may discount their report;
- Even if the hosting provider is responsive, the malicious Apache modules and associated SSHD backdoor may be difficult to ferret out, and the exact method will vary depending on server configuration;
Since SSHD is compromised, remediation of the attack and preventing further occurrences may require considerable procedural changes that, if not carried out properly, could cause a privilege lockout for valid administrators or be ineffective and lead to continued compromise. The magnitude of the problem becomes clear when one considers how widespread these attacks are. The following chart illustrates the geographic location of infected host servers observed from February 1–March 15, 2013:
> http://blogs.cisco.com/wp-content/uploads/Apache_injection_attacks-550x533.png
Apache_injection_attacks: For additional info and links to specific remediation advice, see:
Ongoing malware attack targeting Apache hijacks 20,000 sites
* http://arstechnica.com/security/201...-attack-targeting-apache-hijacks-20000-sites/
Apr 2, 2013

- http://h-online.com/-1834311
3 April 2013

- https://www.net-security.org/malware_news.php?id=2454
3 April 2013

:sad: :fear: :mad:
 
Multiple major hacks - 2013.04.04 ...

FYI...

Japanese web portals hacked, up to 100,000 accounts compromised
- https://www.computerworld.com/s/art...tals_hacked_up_to_100_000_accounts_comprimsed
April 4, 2013 - "Two of Japan's major Internet portals were hacked earlier this week, with one warning that as many as 100,000 user accounts were compromised, including financial details. Goo, a Japanese Internet portal owned by network operator NTT, said it had no choice but to lock 100,000 accounts to prevent illicit logins. The company said it had confirmed some of the accounts had been accessed by non-users. The accounts can include financial details such as credit card and bank account information, as well as personal details and email. The Web portal said it detected a series of brute-force attacks late Tuesday evening, with some accounts hit by over 30 login attempts per second. Goo said the attacks came from certain IP addresses, but didn't disclose any more information. Also on Tuesday evening, Yahoo Japan said it discovered a malicious program on company servers. The program had extracted user data for 1.27 million users, but was stopped before it leaked any of the information outside of the company. There was no immediate connection between the two incidents..."

Bitcoin storage service, Instawallet, suffers database attack
- https://www.computerworld.com/s/art...e_service_Instawallet_suffers_database_attack
April 4, 2013 - "An online bitcoin storage service, Instawallet, said Wednesday it is accepting claims for stolen bitcoins after the company's database was fraudulently accessed. Instawallet didn't say in a notice* on its website how many bitcoins were stolen. The virtual currency has surged in value in the past couple of months due to rising interest. At one point Wednesday, a bitcoin sold for more than US$140. Bitcoin is a virtual currency that uses a peer-to-peer system to confirm transactions through public key cryptography. The method for confirming transactions is highly secure, but bitcoins can be stolen if hackers can gain access to the private key for a bitcoin that authorizes a transaction. Secure storage of bitcoins remains a challenge.
Instawallet said its service is "suspended indefinitely" until it can develop an alternative architecture. Instawallet apparently assigned an ostensibly secret URL that allowed users to access their accounts without a login or password. The company said in the next few days it will begin accepting claims for individual wallets. Wallets containing fewer than 50 bitcoins will be refunded. Fifty bitcoins was worth about US$6,000 on Thursday morning, according to Mt. Gox, the largest bitcoin exchange, based in Japan. Claims for online wallets holding more than 50 bitcoins "will be processed on a case by case and best efforts basis," Instawallet said. Other bitcoin exchanges and so-called online wallet services have suffered losses due to hackers. These have included BitFloor, Mt. Gox and Bitcoinica..."
* http://www.instawallet.org/
___

- https://www.net-security.org/secworld.php?id=14706
4 April 2013

:mad::mad:
 
Scribd compromise ...

FYI...

Scribd compromise ...
- http://support.scribd.com/entries/23519663-Important-Security-Announcement
Apr 03, 2013 - "Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users. Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack. We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected. If you wish to check, you can use this web tool that we built to determine if your account was among those affected:
- http://www.scribd.com/password/check
Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords..."

- http://h-online.com/-1836241

- http://nakedsecurity.sophos.com/201...-admits-to-network-intrusion-password-breach/

:fear::fear:
 
Attackers gain access to Linode ...

FYI...

Attackers gain access to Linode customer data
- http://h-online.com/-1842777
16 April 2013 - "Hosting company Linode has published details* on an attack on their servers that saw unknown hackers penetrate the company's network and access customer information including credit card data. The company had said on Friday that attackers had compromised the account of one of its customers but has now clarified that the attackers gained access to one of its web servers and in the process to part of its backend code and the customer database. The company says that according to its investigation of the matter, the attackers did not have access to any other parts of its infrastructure, including host machines or other infrastructure servers. Despite the fact that customer passwords for the server management application are stored salted and cryptographically hashed, the company forced a reset on all passwords on Friday and says it has informed all of its customers of the problem. The database that the attackers had access to also included the credit card information of all of Linode's customers. The company says this data was also encrypted and secured with a pass phrase that was not stored electronically. The last four digits of the credit card number were stored in clear text to identify the credit cards... The attackers gained access to Linode's systems through a vulnerability in ColdFusion. This security problem was fixed by Adobe as part of its Patch Tuesday fixes on 9 April**. Adobe has not yet published details on the problem..."
* http://blog.linode.com/2013/04/16/security-incident-update/

** http://www.adobe.com/support/security/bulletins/apsb13-10.html

:mad: :fear:
 
2013 Data Breach Investigations Report - Verizon

FYI...

2013 Verizon Data Breach Investigations Report
- http://www.verizonenterprise.com/security/blog/index.xml?id=1&postid=1658
April 23, 2013 - "... Motives for these attacks appear equally diverse. Money-minded miscreants continued to cash in on low-hanging fruit from any tree within reach. Bolder bandits took aim at better-defended targets in hopes of bigger hauls. Activist groups DoS’d and hacked under the very different—and sometimes blurred—banners of personal ideology and just-for-the-fun-of-it lulz. And, as a growing list of victims shared their stories, clandestine activity attributed to state-affiliated actors stirred international intrigue... access the full report here*."
* http://www.verizonenterprise.com/DBIR/2013/

Executive Summary
- http://www.verizonenterprise.com/re...a-breach-investigations-report-2013_en_xg.pdf
47,000+ Security Incidents Analyzed.
621 Confirmed Data Breaches Studied.
19 International Contributors...

:fear::fear:
 
Another Twitter hack ...

FYI...

Another Twitter hack ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/another-day-another-twitter-hack/
Apr 23, 2013 - "There’s a saying in journalism: report the news, don’t be the news. Unfortunately today the Associated Press (AP) ran afoul of that rule by having their Twitter account hijacked. In good journalistic fashion, they’re telling their own story quickly and with as many facts as possible. It sounds like they saw a phishing attack against their network just before the account was hijacked. While they don’t connect the two, it’s certainly a possibility that this is how the attackers got control of AP’s credentials. Once the attackers had control, they used it to send a bogus tweet out claiming there had been explosions at the White House that injured President Barack Obama. Proving that hacking has real-world consequences, the Dow Jones average dropped 143 points on the news (but later recovered). The account and other AP accounts have been suspended while AP works with Twitter to verify they have control of the accounts. This isn’t the first time we’ve seen news organizations’ online presences hijacked. And this certainly isn’t the first time that we’ve seen a Twitter handle hijacked. Unfortunately, unlike other platforms like Facebook and Google, Twitter still hasn’t implemented two factor authentication. Until Twitter implements that, you can continue to expect to see high profile accounts be hijacked with some regularity. In the meantime, if you manage a Twitter handle, this underscores the importance of using a strong password, running up-to-date security software, not clicking on links, and being very, very cautious when working with Twitter credentials..."

- http://arstechnica.com/security/201...-rocks-market-after-sending-false-news-flash/
Apr 23, 2013 - "... In a testament to the power that social media has on real-world finances, the Dow Jones Industrial Average fell 150 points, or about 1 percent, immediately following the tweet, with other indexes reacting similarly. The Dow quickly regained the lost ground about seven minutes after the sell-off began, when the AP confirmed that the report was false..."

:sad: :fear:
 
LivingSocial hacked - 50 million advised to change pwds...

FYI...

LivingSocial hacked - 50 million advised to change pwds...
- http://www.theregister.co.uk/2013/04/26/livingsocial_hacking_attack/
26 April 2013 - "Up to 50 million customers of the Amazon-funded daily deals site LivingSocial are getting an apologetic email from CEO Tim O'Shaughnessy explaining that their information may have been stolen. "LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," he writes in an email... "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically 'hashed' and 'salted' passwords. We never store passwords in plain text." At this stage, the company is saying that all credit card details for customers, and the financial accounts of operators that LivingSocial does deals with, are stored on a separate database and that this hasn't been hacked. Users are being asked to change their passwords and to ignore any emails claiming to be from LivingSocial that ask for financial information. Although the email doesn’t mention it, if your LivingSocial password was used for any other online accounts, then you'd be advised to change those, too..."

Also see:
- https://www.net-security.org/secworld.php?id=14833
29 April 2013
- http://h-online.com/-1851667
29 April 2013
___

Apache systems using cPanel compromised
- http://h-online.com/-1851442
29 April 2013 - "Researchers at web security firm Sucuri* have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says** that several hundred web servers have been compromised. The attack has been named Linux/Cdorked.A and is difficult to detect..."
* http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
April 26, 2013
** http://www.welivesecurity.com/2013/...apache-backdoor-in-the-wild-serves-blackhole/
April 26, 2013
- https://www.net-security.org/secworld.php?id=14836
29 April 2013

Apache binary backdoor adds malicious redirect to Blackhole
- https://isc.sans.edu/diary.html?storyid=15710
Last Updated: 2013-04-30

> https://www.virustotal.com/en/file/...48ad14e1baf455fdd53b174481d540070c6/analysis/
File name: cdorked.a.httpd
Detection ratio: 13/44
Analysis date: 2013-04-30

:sad: :mad: :fear:
 
Media sites - mass compromise

FYI...

Media sites - mass compromise
- http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html
May 6, 2013 - "... Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise... Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait - being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used... obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp .biz and hopto .org) involved... Thus far, Zscaler has identified the following compromised sites:
Media Sites:
WTOP Radio (Washington, DC) - wtop .com
Federal News Radio (Washington, DC) - federalnewsradio .com
The Christian Post - christianpost .com
Real Clear Science - realclearscience .com
Real Clear Policy - realclearpolicy .com
Others:
scubaboard .com
mrsec .com
menupix .com
xaxor .com
gvovideo .com
At the time of posting, these compromised sites were still offering up malicious content."
___

- https://www.net-security.org/malware_news.php?id=2485
May 7, 2013 - "... This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don't trigger the redirection chain..."
___

The Onion/Twitter compromise...
- http://h-online.com/-1859850
9 May 2013

:mad: :mad:
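The Zscaler write-up above describes an injection that only fires when the User-Agent says Internet Explorer and that ends in an iframe pointing at a DynDNS host. The following is an added example, not Zscaler's or the poster's code: it compares a page fetched with an IE User-Agent against the same page fetched with another browser's and reports iframes that appear only in the IE response and point at the two DynDNS domains named in the post (myftp.biz, hopto.org). The two HTML responses are constructed samples, and the check assumes the injected iframe is present in the markup being inspected (i.e. after any obfuscated script has been decoded or rendered).

```python
"""Flag User-Agent-conditional iframes to dynamic-DNS hosts (added example,
not code from the post). RESPONSE_IE / RESPONSE_FIREFOX are constructed samples."""
import re
from html.parser import HTMLParser

# Dynamic-DNS provider domains named in the Zscaler write-up.
DYNDNS_DOMAINS = ("myftp.biz", "hopto.org")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def iframe_srcs(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, lower-cased ('' if none)."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def is_dyndns_host(host):
    # Match the provider domain itself or any subdomain of it, nothing else.
    return any(host == d or host.endswith("." + d) for d in DYNDNS_DOMAINS)


def ua_conditional_dyndns_iframes(html_ie, html_other):
    """Iframe sources served only to the IE User-Agent whose host is a
    dynamic-DNS domain. Iframes served to every browser are ignored."""
    only_ie = set(iframe_srcs(html_ie)) - set(iframe_srcs(html_other))
    return sorted(s for s in only_ie if is_dyndns_host(host_of(s)))


# Constructed sample responses (not captured from any real site).
RESPONSE_IE = """<html><body><h1>News</h1>
<iframe src="https://player.example.net/live"></iframe>
<iframe src="http://update-check.hopto.org/in.php" width="1" height="1"></iframe>
</body></html>"""
RESPONSE_FIREFOX = """<html><body><h1>News</h1>
<iframe src="https://player.example.net/live"></iframe>
</body></html>"""
```

Running `ua_conditional_dyndns_iframes(RESPONSE_IE, RESPONSE_FIREFOX)` returns only the hopto.org iframe, since the player iframe is served to both browsers.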
 
Name.com hacked ...

FYI...

Name.com hacked...
- https://www.computerworld.com/s/art..._to_reset_passwords_following_security_breach
May 9, 2013 - "Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised. Hackers might have gained access to usernames, email addresses, encrypted passwords as well as encrypted credit card information, the company said in an email message sent to customers that was later posted online by users. The credit card information was encrypted with private keys stored in a separate location that wasn't compromised, Name.com said in the email. The company did not specify the type of encryption used, but referred to it as being "strong." The alert email instructed recipients to click on a link in order to perform a password reset, a method that was criticized by some users and security researchers, because it resembles that used in phishing attacks... A hacker group called Hack the Planet (HTP) claimed earlier this week that they compromised Name.com in their attempt to hack into Linode, a virtual private server hosting firm. In a recently published "hacker zine," HTP said that they managed to acquire the domain login for Linode, as well as for Stack Overflow, DeviantArt and others from Name.com. Name.com did not immediately respond to an inquiry seeking confirmation of HTP's claims and other information about the attack..."

- http://www.welivesecurity.com/2013/05/09/name-com-warns-customers-and-resets-passwords-after-breach/
9 May 2013

:fear: :mad:
 
Cdorked.A malware redirection spreads

FYI...

Cdorked.A malware redirection spreads ...
- https://atlas.arbor.net/briefs/index#-69874705
May 09, 2013 - "The previously reported Cdorked / Darkleech attack campaign, previously observed affecting Apache servers, has been observed to infect other webservers. The attack has been associated with the delivery of malware.
Analysis: Nginx and Lighttpd have also been seen to be infected as part of this campaign. Original exploitation vectors are not yet well known but past experience suggests that weak passwords and vulnerable web applications could be likely vectors.
ESET offers a tool to detect in-memory traces of this malware - please see: http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
Source: http://www.theregister.co.uk/2013/05/08/cdorked_latest_details/

- http://www.welivesecurity.com/2013/...lighttpd-and-nginx-web-servers-also-affected/
7 May 2013 - "... We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites... In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary... one point needs to be clear about Linux/Cdorked.A. We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by the malicious actor to serve malicious content from legitimate websites... we recommend keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended..."

:fear::fear:
 
Drupal.org & group.drupal.org password disclosure

FYI...

Drupal.org & group.drupal.org password disclosure
- https://isc.sans.edu/diary.html?storyid=15905
Last Updated: 2013-05-30 04:12:54 UTC - "The Drupal security teams have identified a breach in the environment that has disclosed passwords. As their notification here* states, most of the passwords were salted and hashed, older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much). According to the update they are still investigating what else may have been accessed. If you have one of those accounts happy password changing. If you use that password anywhere else (and of course you don't) you might want to change that while you are at it..."
* https://drupal.org/news/130529SecurityUpdate
"The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt..."
___

- http://h-online.com/-1873388
30 May 2013

:fear::fear::sad:
 