Posts tagged ‘flash’

SANS Internet Storm Center, InfoCON: green: Angler’s best friends, (Mon, Jul 27th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Nope, not the kind of angler whose best friends are rubber boots, strings tied into flies, or a tape measure that starts with 5 inches where others have a zero. This is about the Angler Exploit Kit, which currently makes rampant use of the recent Adobe Flash zero-days to exploit the computers of unsuspecting users, and to push Cryptowall 3.0 onto them. Fellow ISC Handler Brad has covered before how this works.

Looking through our quite exhaustive (but likely nowhere near complete) list of IP addresses that were seen hosting Angler EK over the past 30 days or so, it is obvious that the crooks behind this exploit kit have a pretty savvy operation going on. First of all, they seem to test the waters at a new hosting provider, probably to see how quickly they get evicted. If no or slow action is forthcoming, the same provider will likely become the main Angler hoster a couple of days down the road. Obviously, this is bound to create some ruckus and lead to some complaints with said provider, but by the time the provider gets around to investigating, the bad guys usually have hopped one house down the road.

Amazingly, they seem to get away with this – staying at the same provider, but just switching to another IP address. With most providers these days touting the features of their Cloud, including the ability to "spin up your image in any of our 20 data centers around the globe within a matter of seconds", this isn't really surprising. But it sure is highly unwelcome from a malware fighting point of view. We used to hate the fast flux domain name switcheroo, but now increasingly we're getting "fast instance", where the exploit hosting site itself moves every hour or two.

The statistics from this month also look like it takes the average hoster/provider about a week to catch on that the bad guys are simply moving onto the adjacent vacant lot, and to start evicting them for good. Though even this is hard to tell from the data – it could well also be that the providers never really caught on, and the bad guys just moved on their own to a new neighbourhood, for opsec reasons.

Without further ado, here's an excerpt from the list of Angler hosting sites that we've observed recently.

Date     IP address        Hosting provider
July 1   148.251.167.57    Hetzner Online AG, Germany
July 1   148.251.167.107   Hetzner Online AG, Germany
July 8   176.9.245.141     Hetzner Online AG, Germany
July 9   176.9.245.140     Hetzner Online AG, Germany
July 10  176.9.245.142     Hetzner Online AG, Germany
July 12  176.9.245.142     Hetzner Online AG, Germany
July 14  206.190.134.189   Westhost Salt Lake City, USA
July 15  185.48.58.51      Sinarohost, Netherlands
July 16  206.190.134.188   Westhost Salt Lake City, USA
July 16  206.190.134.190   Westhost Salt Lake City, USA
July 17  69.162.90.107     Limestone Networks, Dallas, USA
July 19  69.162.64.156     Limestone Networks, Dallas, USA
July 20  69.162.116.123    Limestone Networks, Dallas, USA
July 20  185.43.223.165    Wibo/Hostlife, Netherlands and Czech Republic
July 21  69.162.116.125    Limestone Networks, Dallas, USA
July 23  216.245.213.141   Limestone Networks, USA and Netherlands
July 23  69.162.86.36      Limestone Networks, Dallas, USA
July 23  69.162.64.158     Limestone Networks, Dallas, USA
July 24  216.245.213.138   Limestone Networks, USA and Netherlands
July 24  185.43.223.164    Wibo/Hostlife, Netherlands and Czech Republic
July 25  185.43.223.162    Wibo/Hostlife, Netherlands and Czech Republic

Now, of course, I'm not insinuating that this misuse occurs with the tacit or implicit approval of the providers; most likely they are just being taken for a ride. But if you are such a provider, and you receive a complaint about one of your IPs hosting Angler EK, how about:

– checking ALL your IPs, not just the one that was reported, and keeping on checking over the next week or two
– correlating the data used to purchase these IPs, and proactively suspending, or at least activating a full packet trace on, all others that match similar info?

Icing on the cake would be if you as the provider could spend some brain cycles to translate the awesome Emerging Threats signatures from matching on client traffic to matching on server traffic (no big deal, primarily; you just need to flip $HOME_NET and $EXTERNAL_NET, and maybe adjust the from_server flow direction, depending on the rule match) and then apply these onto your inbound stream. You know, 20+ days after a signature became available for the current Angler EK landing page traffic... one would think that you, as a professional web hoster, had some way to detect such traffic into your datacenters, and that it would take you less than a week to put a lid on it?
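As an added example (not from the diary, and not Emerging Threats' own tooling), here is a small Python helper that mechanically re-points a client-side rule at the hoster's inbound traffic: it swaps $HOME_NET and $EXTERNAL_NET in the rule header, tags the msg and offsets the sid so the rewritten copy can be loaded beside the original, and optionally flips the flow keywords for the cases the diary says may need adjusting. The sample rules are constructed for the example and are not real signatures.

```python
"""Rewrite client-side Snort/Suricata-style rules for a hoster's inbound view.

Added example. The rules below are constructed to look like EK landing-page
signatures; they are NOT real Emerging Threats rules, and sids/offsets are
placeholders you should pick from your own local range.
"""
import re

# Constructed sample ruleset (two rules plus a comment line).
SAMPLE_RULES = """\
# constructed rules for the example, not real signatures
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE EK Landing Page"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE EK Flash Exploit Download"; flow:established,from_server; content:"CWS"; depth:3; classtype:trojan-activity; sid:9000002; rev:1;)
"""

# action proto src sport dir dst dport (options)
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
_NET_VAR = re.compile(r"\$(HOME|EXTERNAL)_NET")
_FLOW_OPT = re.compile(r"flow:([^;]*);")
_SID_OPT = re.compile(r"sid:\s*(\d+)\s*;")
_MSG_OPT = re.compile(r'msg:"')

# flow keywords are relative to the TCP session (client -> server is always
# to_server, whichever side is $HOME_NET), so they usually stay as they are;
# flipping is offered for the rules the diary says need it.
FLOW_FLIP = {"to_server": "from_server", "from_server": "to_server",
             "to_client": "from_client", "from_client": "to_client"}


def swap_net_vars(addr):
    """$HOME_NET <-> $EXTERNAL_NET, also inside negations/lists like ![$HOME_NET,10.0.0.0/8]."""
    return _NET_VAR.sub(
        lambda m: "$EXTERNAL_NET" if m.group(1) == "HOME" else "$HOME_NET", addr)


def flip_flow_opt(opts):
    """Reverse the direction keywords of the flow: option, leaving other flags alone."""
    def _flip(m):
        parts = [FLOW_FLIP.get(p.strip(), p.strip()) for p in m.group(1).split(",")]
        return "flow:" + ",".join(parts) + ";"
    return _FLOW_OPT.sub(_flip, opts)


def flip_rule(rule, sid_offset, flip_flow=False):
    """Return one rule rewritten for the inbound (server-side) view.

    sid_offset is added to the sid so the original and the rewritten copy can
    coexist in one engine (duplicate sids are rejected at load time); the msg
    gets an INBOUND tag so alerts are easy to tell apart.
    """
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a rule header: " + rule[:60])
    opts = m.group("opts")
    if flip_flow:
        opts = flip_flow_opt(opts)
    opts = _SID_OPT.sub(lambda s: "sid:%d;" % (int(s.group(1)) + sid_offset), opts)
    opts = _MSG_OPT.sub('msg:"INBOUND ', opts, count=1)
    return "%s %s %s %s %s %s %s (%s)" % (
        m.group("action"), m.group("proto"),
        swap_net_vars(m.group("src")), m.group("sport"), m.group("dir"),
        swap_net_vars(m.group("dst")), m.group("dport"), opts)


def flip_ruleset(text, sid_offset, flip_flow=False):
    """Rewrite every rule line of a ruleset; blank and comment lines are dropped."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        out.append(flip_rule(s, sid_offset, flip_flow))
    return out


if __name__ == "__main__":
    for r in flip_ruleset(SAMPLE_RULES, sid_offset=1000000):
        print(r)
```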

Also, it would help a lot if all you hosters could submit ALL your intelligence on this incident to Law Enforcement. Eventually (like, 3 years down the road…), the law will catch up with the perps, and decent evidence is what makes a conviction stick. I also suspect that it would work wonders if Law Enforcement could stop by for a chat with the CEOs of the hosters who seem to be having a hard time keeping the Angler from fishing in their waters, and offer suitable assistance. Most of these hosters are in cut-throat competition, and any revenue seems to be good revenue, but a little visit from the Feds might help to put things into perspective.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Security updates for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated apache (multiple vulnerabilities).

Debian has updated freexl (denial of service), mariadb-10.0 (multiple vulnerabilities), mysql-5.5 (multiple vulnerabilities), and tidy (two vulnerabilities).

Debian-LTS has updated groovy (code execution), inspircd (denial of service), libidn (information disclosure), ruby1.9.1 (denial of service), and tidy (two vulnerabilities).

Fedora has updated bind (F22: denial of service), condor (F21: code execution), cups-filters (F21: code execution), drupal7-migrate (F22; F21: cross-site scripting), drupal7-views_bulk_operations (F22; F21: permission bypass), openstack-cinder (F21: file disclosure), pcre (F21: two vulnerabilities), python-keystonemiddleware (F22: certificate verification botch), rawstudio (F22; F21: two vulnerabilities), redis (F22; F21: code execution), squashfs-tools (F22: two vulnerabilities), thunderbird (F22; F21: multiple vulnerabilities), webkitgtk4 (F22: denial of service), and xen (F22; F21: privilege escalation).

Gentoo has updated postgresql (multiple vulnerabilities).

openSUSE has updated flash-player (11.4: two vulnerabilities), libcryptopp (13.2, 13.1: information disclosure), libidn (13.2, 13.1: information disclosure), firefox, thunderbird (11.4: multiple vulnerabilities), rubygem-jquery-rails (13.2, 13.1: CSRF vulnerability), rubygem-rack (13.2, 13.1: denial of service), rubygem-rack-1_3 (13.2, 13.1: denial of service), and rubygem-rack-1_4 (13.2, 13.1: denial of service).

Slackware has updated httpd (multiple vulnerabilities) and php (multiple vulnerabilities).

SUSE has updated firefox, nspr, nss (SLE12; SLES11SP4; SLE11SP3: multiple vulnerabilities) and PHP (SLE11SP3: multiple vulnerabilities).

Linux How-Tos and Linux Tutorials: Which Linux Chrome OS Clone is Right For You?

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials


When the Chromebook first arrived on the scene, most people thought they’d go the way of the netbook. Maybe the little laptops that could would hang around for a brief period and, once the novelty of the price tag wore off, they’d go away to make room for the devices that do the real work. 

Thing is, said real work (from an end-user perspective) tends to be 90 percent browser based. So the Chromebook hung around and eventually became one of the hottest selling devices on the market. Beyond price, one of the reasons for the incredible popularity of the Chromebook is its simplicity. Across the landscape of the PC-verse, it doesn’t get much easier than ChromeOS. However, because Chrome OS is a proprietary solution, owned by Google, you cannot simply download the platform and install it on common x86/64 hardware. To get around that, there are approximations available that can be installed on off-the-shelf hardware that recreate the Chrome OS experience. 

With that in mind, it makes perfect sense that a handful of Chrome OS-like Linux distributions would appear. In theory, it’s a perfect amalgamation of simplicity and power. You get the ease of use found with ChromeOS and the added power of the full-blown Linux platform. 

But if you’re looking to get such elegant simplicity with the added power, where do you turn? A handful of Linux distributions have popped up over the last few years that do an outstanding job of re-creating ChromeOS. Which of these do the best job of mimicking Chrome OS and which manage to retain all that which makes Linux an outstanding platform?

Here are my top contenders for this title.

Solus

Solus started out as Evolve OS and is, to date, one of the finest Linux distributions to take a swing at the Chrome OS platform. The developers of Solus promise a “no scope-creep” platform that will provide a modern desktop-focused Linux distribution. Under the hood, Solus is pure Linux. In this case, it’s what’s on top that counts… that being the Budgie desktop (Figure 1).

This is a singular desktop environment created to almost perfectly mimic the Chrome OS experience. Budgie does integrate with the GNOME stack, so there is not only the familiar minimalism of Chrome OS, but the power of GNOME underneath. Another unique feature of Solus is the package manager. Forked from Pardus Linux, the package manager offers the same level of simplicity found in Budgie (Figure 2).

Figure 1: The Budgie desktop.

What is most impressive about Solus is that this is a fairly new project and is already enjoying an amazing level of stability. Once installed, you’d think you were using a distribution that’s been around the block a few times. Consider this—Solus started out as Evolve OS and the beta of the initial release was only just available January 2015. Now dubbed Solus, the platform is already a production-ready desktop. Another very impressive aspect of Solus is how much thought was put into the overall design. Each and every tool was perfectly themed to retain the look and feel of Solus throughout.

If you’re looking for the one distribution that best fits the Chrome OS mode, and adds just enough Linux to make it more flexible than the official release, Solus is what you’re looking for.

Chromixium

Chromixium is next in line for the title of best in breed for ChromeOS clone. This particular take on Chrome OS is based on Ubuntu Linux, so it already has quite a lot going for it. But the bits and pieces of Ubuntu are mostly under the hood. It’s what’s on top of the hood that will interest most Linux users. The Chromixium distribution uses an old-school approach with the help of the Openbox Window Manager (a derivation of the original Blackbox WM).

What sets Chromixium apart from Solus is the menu system. If you look on the desktop (Figure 3), you’ll find the ChromeOS-looking menu button that you can click to gain access to all the Googly-goodness the desktop has to offer. 

Figure 3: The Chromixium Google menu.

If, however you right-click anywhere on the desktop, you’ll find an Openbox menu ready to give you access to all of the Linux-goodness the desktop has to offer (Figure 4). 

Figure 4: The Chromixium “Linux” menu.

At first, this might seem like a clunky means to handle the desktop menu system. However having the Google bits isolated from everything else does make for an efficient means of isolating searches (as you can search Google from the Chromixium desktop menu).

If you’re looking for a ChromeOS-like Linux distribution that offers a nod to a bit of old-school Linux, give Chromixium a go.

Chromium OS

Chromium OS is an open source project that forms the base of Google’s Chrome OS. This means you can expect a fairly pure form of Chrome OS on your standard hardware. Of course, getting ChromiumOS up and running isn’t nearly as simple as that of either Solus or Chromixium. For ChromiumOS, you either run the platform from a USB flash drive or from a virtual image (with the help of VirtualBox) and then install the platform. This fact does make ChromiumOS a bit of a challenge for the average user, but if you’re interested, you can follow these steps to get ChromiumOS ready to run from a USB drive: 

  1. Download the appropriate image (according to your architecture)

  2. Insert a flash drive

  3. Extract the downloaded file

  4. Open a terminal window

  5. Change into the directory containing the newly extracted image file

  6. Issue the command (using admin rights, so either by su’ing to root or using sudo) dd if=ChromeOS.img of=/dev/sdX bs=4M (where ChromeOS.img is the full name of the image file and sdX is the location of your flash drive*)

  7. Allow the command to finish

  8. You should now have a bootable Chromium OS USB drive.

* To find out the location of the mounted flash drive, you can issue the command mount and check for the exact location of the drive.

NOTE: If the above instructions fail to produce a working bootable USB drive, you can try using the Win32 Image Writer instead (you’ll need a working copy of Windows for this).

Once you have Chromium OS up and running, you can install the operating system to your hard drive but it will erase your entire drive (You can dual boot but you must install the other OS first and it’s not nearly as easy as dual booting with a standard Linux OS). Also, just to be safe, unplug any external or internal drives that contain data you do not want erased. For information on the actual installation of Chromium OS, check out the official how-tos here and here.

As you might expect, Chromium OS is that which Chrome OS is built upon, so you won’t find any extra Linux goodness within the menu. But, if you’re looking for a pure Chrome OS experience on your non-chromebook hardware, this is the way to go.

Which ChromeOS clone is best?

Which route you take to Chrome OS depends on your needs. If you’re looking for Pure Chrome OS, you’ll want to go with Chromium OS. If you’re looking for a nearly-identical Chrome OS experience, with an additional boost from the Linux desktop, go with Solus. If you want the best of both worlds, give Chromixium a try.

One way or another, you’ll have the look and feel of Chrome OS working on your non-Chromebook hardware.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated flashplugin (code execution) and lib32-flashplugin (code execution).

Mageia has updated flash-player-plugin (M4, M5: multiple vulnerabilities).

Oracle has updated java-1.7.0-openjdk (O5: multiple vulnerabilities).

Red Hat has updated flash-plugin (RHEL 5, 6: multiple vulnerabilities), java-1.6.0-sun (RHEL 5, 6, 7: multiple vulnerabilities), java-1.7.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities), and java-1.8.0-oracle (RHEL 5, 6, 7: multiple vulnerabilities).

SUSE has updated flash-player (SLE11; SLE12: multiple vulnerabilities) and php5 (SLE12: multiple vulnerabilities).

SANS Internet Storm Center, InfoCON: green: After Flash, what will exploit kits focus on next?, (Thu, Jul 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

Adobe has received some bad publicity regarding zero-day Flash player exploits due to the recent Hacking Team compromise [1,2]. This certainly isn't the first time Adobe has had such issues [3]. With HTML5 video as an alternative to Flash player, one might wonder how long Flash player will be relevant. Google has announced the next stable version of Chrome will block auto-playing Flash elements [4], and Firefox started blacklisting Flash player plugins earlier this week [5]. With people like Facebook's chief security officer calling for Adobe to announce an end-of-life date for Flash [6], I've been wondering about the future of Flash player.

More specifically, I've been wondering what exploit kit (EK) authors will turn to, once Flash player is no longer relevant.

In recent months, most EK traffic Ive generated used a Flash exploit to infect vulnerable Windows hosts. The situation with Flash player today is much like the situation with the Javathat Irememberback in 2013 and most of 2014. However, in the fall of 2014, most EKs dropped Java exploits from their arsenal and started relying on Flash player as a vehicle for their most up-to-date exploits.

A recent history Java exploits in EK traffic

Java exploits were prevalent when I first started blogging about EK traffic in 2013 [7]. Back then, Blackhole EK was still a player, and I commonly saw Java exploits in EK traffic.

The threat landscape altered a bit when the EK's alleged creator Paunch was arrested. Organizations that monitor EK traffic noticed a sharp reduction of Blackhole EK traffic in 2014 compared to the previous year [8]. During that same time, I started noticing more Flash exploits in EK traffic. By September 2014 most of the remaining EKs stopped using Java.

My last documented dates for Java exploits in exploit kit traffic are below (read: exploit kit name – date Java exploit last seen).

  • Angler EK – 2014-09-16 [9]
  • FlashPack EK – 2014-08-30 [10]
  • Nuclear EK – 2014-09-08 [11]
  • Magnitude EK – 2014-08-15 [12]
  • Sweet Orange EK – 2014-09-25 [13]
  • Rig EK – 2014-09-06 [14]

Of note, FlashPack EK and Sweet Orange EK have disappeared, and they are not currently a concern. Neutrino EK was dormant from April through October of 2014, and when it came back, I didn't see it using any Java exploits.

Fiesta EK still sends several different types of exploits depending on the vulnerable client, and it still has Java exploits in its arsenal. Other lesser-seen EKs like KaiXin still use Java exploits. However, the majority of EKs gave up on Java sometime last year.

What we're recently seeing with Flash exploits

Most exploit kits use the latest available Flash exploits. Angler, Neutrino, Nuclear, Magnitude, and Rig EK are all using the latest Hacking Team Flash player exploit based on CVE-2015-5122 [15]. If you have Flash player on a Windows computer, you should be running the most recent Flash update (version 18.0.0.209 as I'm writing this).

Earlier I generated Angler EK traffic to infect a Windows host running Flash player 18.0.0.203 on IE 11.
Shown above: An image of the Angler EK infection and post-infection CryptoWall 3.0 traffic in Wireshark.
Shown above: Angler EK sending a Flash exploit, based on CVE-2015-5122, targeting Flash 18.0.0.203.

The infected host's bitcoin address for ransom payment was 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU. The address is the same one
Shown above: Decrypt instructions from the infected host.

Final words

Today, the majority of EKs utilize Flash player exploits based on the most recently known vulnerabilities. But this situation can't last forever. If Flash is no longer relevant, what will EK authors turn to for their latest exploits? Will they go back to Java? Will they focus on browser vulnerabilities? It will be interesting to see where things stand in the next year or so.

A pcap of the 2015-07-15 Angler EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/
[2] http://www.pcworld.com/article/2947312/second-flash-player-zeroday-exploit-found-in-hacking-teams-data.html
[3] http://krebsonsecurity.com/2015/02/yet-another-flash-patch-fixes-zero-day-flaw/
[4] http://arstechnica.co.uk/information-technology/2015/06/google-chrome-will-soon-intelligently-block-auto-playing-flash-ads/
[5] http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities/
[6] https://twitter.com/alexstamos/status/620306643360706561
[7] http://malware-traffic-analysis.net/2013/06/18/index.html
[8] http://www.symantec.com/connect/blogs/six-months-after-blackhole-passing-exploit-kit-torch
[9] http://malware-traffic-analysis.net/2014/09/16/index2.html
[10] http://malware-traffic-analysis.net/2014/08/30/index.html
[11] http://malware-traffic-analysis.net/2014/09/08/index2.html
[12] http://malware-traffic-analysis.net/2014/08/15/index.html
[13] http://malware-traffic-analysis.net/2014/09/25/index.html
[14] http://malware-traffic-analysis.net/2014/09/06/index.html
[15] http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
[16] https://isc.sans.edu/forums/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: The Darkode Cybercrime Forum, Up Close

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.

To tell this tale completely would take a book the size of The Bible, but it’s useful to note that the history of Darkode — formerly darkode[dot]com — traces several distinct epochs that somewhat neatly track the rise and fall of the forum’s various leaders. What follows is a brief series of dossiers on those leaders, as well as a look at who these people are in real life.

ISERDO

Darkode began almost eight years ago as a pet project of Matjaz Skorjanc, a now-36-year-old Slovenian hacker best known under the hacker aliases “Iserdo” and “Netkairo.” Skorjanc was one of several individuals named in the complaints published today by the U.S. Justice Department.


Butterfly Bot customers wonder why Iserdo isn’t responding to support requests. He was arrested hours before.

Iserdo was best known as the author of the ButterFly Bot, a plug-and-play malware strain that allowed even the most novice of would-be cybercriminals to set up a global cybercrime operation capable of harvesting data from thousands of infected PCs, and using the enslaved systems for crippling attacks on Web sites. Iserdo was arrested by Slovenian authorities in 2010. According to investigators, his ButterFly Bot kit sold for prices ranging from $500 to $2,000.

In May 2010, I wrote a story titled Accused Mariposa Botnet Operators Sought Jobs at Spanish Security Firm, which detailed how Skorjanc and several of his associates actually applied for jobs at Panda Security, an antivirus and security firm based in Spain. At the time, Skorjanc and his buddies were already under the watchful eye of the Spanish police.

MAFI

Following Iserdo’s arrest, control of the forum fell to a hacker known variously as “Mafi,” “Crim” and “Synthet!c,” who according to the U.S. Justice Department is a 27-year-old Swedish man named Johan Anders Gudmunds. Mafi is accused of serving as the administrator of Darkode, and creating and selling malware that allowed hackers to build botnets. The Justice Department also alleges that Gudmunds operated his own botnet, “which at times consisted of more than 50,000 computers, and used his botnet to steal data from the users of those computers on approximately 200,000,000 occasions.”

Mafi was best known for creating the Crimepack exploit kit, a prepackaged bundle of commercial crimeware that attackers can use to booby-trap hacked Web sites with malicious software. Mafi’s stewardship over the forum coincided with the admittance of several high-profile Russian cybercriminals, including “Paunch,” an individual arrested in Russia in 2013 for selling a competing and far more popular exploit kit called Blackhole.

Paunch worked with another Darkode member named “J.P. Morgan,” who at one point maintained an $800,000 budget for buying so-called “zero-day vulnerabilities,” critical flaws in widely-used commercial software like Flash and Java that could be used to deploy malicious software.


Darkode admin “Mafi” explains his watermarking system.

Perhaps unsurprisingly, Mafi’s reign as administrator of Darkode coincided with the massive infiltration of the forum by a number of undercover law enforcement investigators, as well as several freelance security researchers (including this author).

As a result, Mafi spent much of his time devising new ways to discover which user accounts on Darkode were those used by informants, feds and researchers, and which were “legitimate” cybercriminals looking to ply their wares.

For example, in mid-2013 Mafi and his associates cooked up a scheme to create a fake sales thread for a zero-day vulnerability — all in a bid to uncover which forum participants were researchers or feds who might be lurking on the forum.

That plan, which relied on a clever watermarking scheme designed to “out” any forum members who posted screen shots of the forum online, worked well but also gave investigators key clues about the forum’s hierarchy and reporting structure.


Mafi worked quite closely with another prominent Darkode member nicknamed “Fubar,” and together the two of them advertised sales of a botnet crimeware package called Ngrbot (according to Mafi’s private messages on the forum, this was short for “Niggerbot.” Oddly enough, the password databases from several of Mafi’s accounts on hacked cybercrime forums would all include variations on the word “nigger” in some form). Mafi also advertised the sale of botnets based on “Grum” a spam botnet whose source code was leaked in 2013.

SP3CIALIST

Conspicuously absent from the Justice Department’s press release on this takedown is any mention of Darkode’s most recent administrator — a hacker who goes by the handle “Sp3cialist.”

Better known to Darkode members as “Sp3c,” this individual’s principal contribution to the forum seems to have revolved around a desire to massively expand the membership of the forum, as well as an obsession with purging the community of anyone who even remotely might emit a whiff of being a fed or researcher.


The personal signature of Sp3cialist.

Sp3c is widely known as a core member of the Lizard Squad, a group of mostly low-skilled miscreants who specialize in launching distributed denial-of-service attacks (DDoS) aimed at knocking Web sites offline.

In late 2014, the Lizard Squad took responsibility for launching a series of high-profile DDoS attacks that knocked offline the online gaming networks of Sony and Microsoft for the majority of Christmas Day.

In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad. As I noted in a previous story, the booter service — lizardstresser[dot]su — is hosted at an Internet provider in Bosnia that is home to a large number of malicious and hostile sites. As detailed in this story, the same botnet that took Sony and Microsoft offline was built using a global network of hacked wireless routers.

That provider happens to be on the same “bulletproof” hosting network advertised by “sp3c1alist,” the administrator of the cybercrime forum Darkode. At the time, Darkode and LizardStresser shared the same Internet address.

Another key individual named in the Justice Department’s complaint against Darkode is a hacker known only to most in the underground as “KMS.” The government says KMS is a 28-year-old from Opelousas, Louisiana named Rory Stephen Guidry, who used the Jabber instant message address “k@exploit.im.” Having interacted with this individual on numerous occasions, I’d be remiss if I didn’t at least explain why this person is at once the least culpable and perhaps most interesting of the group named in the law enforcement purge.

For the past 12 months, KMS has been involved in an effort to expose the Lizard Squad members, to varying degrees of success. To call this kid a master in social engineering is probably a disservice to the term of art itself: There are few individuals I would consider more skilled in tricking people into divulging information that is not in their best interests than this guy.

Near as I can tell, KMS has worked assiduously (for his own reasons, no doubt) to expose the people behind the Lizard Squad and, by extension, the core members of Darkode. Unfortunately for KMS, his activities also appear to have ensnared him in this investigation.

To be clear, nobody is saying KMS is a saint. KMS’s best friend, a hacker from Kentucky named Ryan King (a.k.a. “Starfall” and a semi-frequent commenter on this blog), says KMS routinely had trouble seeing the lines between exposing others and involving himself in their activities. This kid was a master of social engineering, almost bar none. Here’s one recording of him making a fake emergency call to the FBI, eerily disguising his voice as that of President Obama.

For example, KMS is rumored to have played a part in exposing the Lizard Squad’s February 2015 hijack of Google.com’s domain in Vietnam. The message left behind in that crime suggested this author was somehow responsible, along with Sp3c and a Rory Andrew Godfrey, the only name that KMS was known under publicly until this week’s law enforcement action.

“As far as I know, I’m the only one who knew his real name,” said King, who described himself as a close personal friend and longtime acquaintance of Guidry. “The only botnets that he operated were those that he social engineered out of [less skilled hackers], but even those he was trying to get shut down. All I know is that he and I were trying to get [root] access to Darkode and destroy it, and the feds beat us to it by about a week.”

The U.S. government sees things otherwise. Included in a heavily-redacted affidavit (PDF) related to Guidry’s case are details of a pricing structure that investigators say KMS used to sell access to hacked machines (see screenshot below).


As mentioned earlier, I could go on for volumes about the litany of cybercrimes advertised at Darkode. Instead, it’s probably best if I just leave here a living archive of screen grabs I’ve taken over the years of various discussions on the Darkode forum.

In its final days, Darkode’s true Internet address was protected from DDoS attacks and from meddlesome researchers by CloudFlare, a content distribution network that specializes in helping Web sites withstand otherwise crippling attacks. As such, it seems fitting that at least some of my personal archive of screen shots from my time on Darkode should also be hosted there. Happy hunting.

One final note: As happens with many of these takedowns, the bad guys don’t just go away: They go someplace else. In this case, that someplace else is most likely to be a Deep Web or Dark Web forum accessible only via Tor: According to chats observed from Sp3c’s public and private online accounts, the forum is getting ready to move much further underground.

Krebs on Security: Adobe, MS, Oracle Push Critical Security Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.

ADOBE

Adobe’s Flash patch brings Flash to version 18.0.0.209 on Windows and Mac systems. This newest release fixes two vulnerabilities that were discovered as part of the Hacking Team breach. Both flaws are exploitable via code that is already published online, so if you must use Flash, please take a moment to update this program.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

Please consider whether you really need Flash installed. It is a powerful program that is being massively leveraged by cybercriminals to break into systems. Monday’s post includes more information on how to remove Flash from your computer, depending on what operating system you use.

Adobe also issued security updates for Adobe Acrobat and its PDF Reader programs that fix at least 46 vulnerabilities in these products. Links to the latest versions of both programs are available in the Acrobat/Reader security advisory.

Finally, Adobe released a security update for its Shockwave Player software for Windows and Mac. This is another Adobe product that I have long urged people to uninstall, largely because most users have no need for Shockwave and it’s just as buggy as Flash but it doesn’t get updated nearly enough. In any case, links to the latest version of Shockwave are available in the advisory.

MICROSOFT

With today’s 14 patch bundles, Microsoft fixed dozens of vulnerabilities in Windows and related software. A cumulative patch for Internet Explorer corrects at least 28 flaws in the default Windows browser. Three of those IE flaws were disclosed prior to today’s patches, including one zero-day flaw uncovered in the Hacking Team breach.

Most of these IE bugs are browse-and-get-owned vulnerabilities, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site.

Another noteworthy update fixes at least eight flaws in various versions of Microsoft Office, including one (CVE-2424) that is actively being exploited by attackers.

More detailed summaries of the Microsoft patches released today can be found at Microsoft’s Security Bulletin Summary for July 2015, and at the Qualys blog.

ORACLE

Oracle’s patch for Java SE includes fixes for 25 security vulnerabilities, including a flaw that is already being actively exploited to break into systems running Java SE. A blog post by Trend Micro has more on the Java zero-day flaw, which was apparently used in targeted attacks in a cyber espionage campaign.

The latest version, Java 8 Update 51, is available from Java.com. But if you use Java, please take a moment to consider whether you still need this program on your computer. Java is yet another program that I have long urged users to do without, for most of the same reasons I’ve urged readers to ditch Flash and Shockwave: this widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default).

The latest versions of Java let users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

SANS Internet Storm Center, InfoCON: green: Adobe Updates Flash Player, Shockwave and PDF Reader, (Tue, Jul 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In a warm-up to Patch Tuesday, it looks like we have new versions of Adobe Flash Player, Shockwave Player and PDF Reader. Given that some of the exploits against the vulnerabilities patched are public, you may want to expedite patching and review your Flash Player and browser configuration.

The latest (patched) versions are (thanks Dave!):

– Flash Player 18.0.0.209
– Flash Player ESR 13.0.0.305
– Reader 10.1.15
– Reader 11.0.12
– Shockwave Player 12.1.9.159
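An added example, not code from the SANS or Krebs posts, that turns the version list above and Krebs' advice to check which Flash version a machine reports into a patch-compliance check. It assumes only the two fixed versions the bulletin summary names and that Adobe was shipping the 18.x release and the 13.x Extended Support Release side by side; the inventory format, the host names and the sample versions are constructed (apart from 18.0.0.194, the affected version named in Adobe's own advisory). The point worth noticing is that versions must be compared per branch and as tuples of integers: a plain string comparison orders "18.0.0.1000" before "18.0.0.209", and a single "newest wins" threshold would flag a fully patched ESR install as vulnerable.

```python
"""Patch-compliance check for Flash Player against APSB15-18.

Added example, not code from the original posts. FIXED holds the two
fixed versions named in the bulletin summary above; everything else
(host names, the inventory file format, the sample versions) is assumed.
"""

# Fixed versions from the list above, keyed by major version. Adobe shipped
# the 18.x release and the 13.x Extended Support Release side by side, so a
# single "must be >= 18.0.0.209" threshold would misreport every ESR install.
FIXED = {
    18: (18, 0, 0, 209),   # Flash Player 18 (Windows and Mac, per the posts)
    13: (13, 0, 0, 305),   # Flash Player 13 Extended Support Release
}


def parse_version(text):
    """'18.0.0.209' -> (18, 0, 0, 209). Compare tuples of ints, never the
    strings: as strings, '18.0.0.1000' sorts before '18.0.0.209'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a Flash Player version: %r" % (text,))
    return tuple(int(p) for p in parts)


def status(version_text):
    """Return 'patched', 'vulnerable', or 'unknown-branch' for a reported version.
    A branch the bulletin list above does not name (e.g. an 11.x plugin) is
    reported separately rather than guessed at; check the bulletin for it."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory_lines):
    """Group hosts by status. Input lines are 'host<TAB>version' (an assumed
    format for a constructed inventory); lines that do not carry a version
    land under 'bad-input' so they are not silently counted as patched."""
    groups = {"patched": [], "vulnerable": [], "unknown-branch": [], "bad-input": []}
    for line in inventory_lines:
        if not line.strip():
            continue
        host, _, version_text = line.partition("\t")
        try:
            groups[status(version_text)].append(host)
        except ValueError:
            groups["bad-input"].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory; host names and versions are made up, apart
# from 18.0.0.194, the affected version named in Adobe's advisory.
SAMPLE_INVENTORY = [
    "ws-01\t18.0.0.209",
    "ws-02\t18.0.0.194",
    "kiosk-7\t13.0.0.305",
    "kiosk-8\t13.0.0.296",
    "lab-3\t11.2.202.481",
    "lab-4\tnot installed",
]

if __name__ == "__main__":
    for name, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-14s %s" % (name + ":", ", ".join(hosts) or "-"))
```

Run it as a script to see the sample inventory grouped; in practice the inventory lines would come from whatever reports plugin versions on your fleet (a browser check page, an endpoint agent, a software inventory export), and the "unknown-branch" bucket is the one to read the bulletin for rather than assume either way.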

Bulletins:

https://helpx.adobe.com/security/products/shockwave/apsb15-17.html
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
https://helpx.adobe.com/security/products/reader/apsb15-15.html

You can get the latest version here: https://get.adobe.com/flashplayer/

Also note that many browsers now allow you to disable Flash by default. You can re-enable it for sites that require Flash. Here is a nice page that will explain how to have your browser ask for permission before running plugins:

http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Linux How-Tos and Linux Tutorials: 10 Things to Do After Installing Linux Mint 17.2

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

The latest version of Linux Mint is out and it’s a major improvement over the previous releases (see my recent review). Linux Mint developers do a lot of additional work, on top of its Ubuntu base, which leaves users with comparatively less work to do after installation. For example, Linux Mint comes pre-loaded with restricted drivers and codecs. It also comes with VLC so users don’t have to worry about media playback.

That said, like any other operating system, depending on your needs, you may have to do some extra work to get your Linux Mint system ready. While some of the changes in this article are optional, a few are mandatory: such as keeping your system up-to-date.

Here are 10 things to do after you install Mint 17.2.

First of all you need to update the system

Even if you downloaded the brand new Linux Mint, a lot of open source code has been written between the time it was packaged and uploaded to the server and the time you downloaded it. The first thing you must do is run a system update before installing any new package. There are two steps involved in a system update: first you refresh the repositories so they can pull information about the latest packages, then you upgrade any packages. Start with this command (you must refresh your repositories before installing any package):

sudo apt-get update

Once all the info is refreshed, run the update:

sudo apt-get upgrade

I would also recommend running “sudo apt-get dist-upgrade” which can upgrade packages that the simple ‘upgrade’ command can’t (you can read more about the difference between two commands here).

sudo apt-get dist-upgrade

Install additional drivers

Ubuntu-based systems have made it really easy to manage drivers (both open source and non-free) for various hardware. Open the Driver Manager tool, which will scan your system and detect the supported hardware that may need non-free drivers. It will then offer appropriate drivers for it and you can install the desired drivers for your hardware.

Install Google Chrome?

Looking at the vulnerabilities that Adobe’s Flash player has (one was disclosed and fixed this week), I would suggest staying away from the Flash plugin and instead using Google Chrome, which comes with Flash support. Chrome’s bundled Flash is still Flash, but it runs inside Chrome’s sandbox and is updated along with the browser rather than as a separately maintained plugin. You can download Google Chrome from their site and install it the way you would install any binary package; just make sure to choose the right architecture (32-bit or 64-bit for Ubuntu). There are additional benefits of using Chrome: it will also allow you to access services like Netflix which are not available for Firefox. On top of that, you will also gain access to the supported Chrome Apps from the Web Store.

Install Cloud services

Google Drive is still not available for Linux, but there is a third-party solution called inSync which can be used to integrate Google Drive with your Linux Mint system. It’s a nifty solution which, unlike Google Drive, does have a one-time fee. You can easily install inSync by downloading either the binary or by adding its repository to the system from the official download page. I would strongly suggest to never install any software from unofficial or third-party sites.

These are not the only solutions for Linux users. Almost all major cloud services (except for Microsoft OneDrive) are available for Linux users. You can easily install Dropbox, ownCloud or Seafile on your system by downloading the binaries from the official sites.

Change search engine to Google

The Linux Mint team has commercial deals with several search providers that share revenue with the project. These search engines are integrated into the Firefox browser, with Yahoo! as the default. That doesn’t mean you are locked into the default search engine Yahoo!, which is powered by Microsoft Bing.

In my experience I found that the option to switch to Google has been buried down deep, making it a tad difficult for a new user to switch. After struggling with it for a while I settled down with an easier solution and that’s what I would recommend others. Open Firefox and visit ‘www.google.com‘; you will notice a blue ribbon offering to change your search engine to Google.


Click on ‘Yes, show me’ from the ribbon. Next click on the + icon on the search box and add Google.

Adding Google as your default search in Firefox

Then click on ‘Change Search Settings’ and choose Google from the list.

Step 3 in changing your default search to google.

You may also want to un-check ‘provide search suggestions’ so that your search box is clean and clutter free.

Now all your searches belong to Google.

Sync and protect your password with Firefox

There is now a built-in feature of Firefox which can save your passwords (and much more) securely on their servers so you won’t have to write them down or remember them. Open Firefox and then click on the three bars on the right.


There you will see the option ‘sign in to sync‘. Follow the instructions and you are all set. You can choose what kind of stuff you want to be synced, which includes passwords, bookmarks, Tabs, History, Addons and preferences. The good news is you won’t have to reinstall all add-ons and change preferences when you change OS or move between systems. Once you log into the Firefox account, everything will be synced across machines.

Use Thunderbird Profile

I am a heavy Thunderbird user and use it to its full potential; thanks to add-ons like calendar. One of the lesser known, but most interesting, features of Thunderbird is the ability to easily change the location of data on the system. Now the question would be: why would I need it? I multi-boot with different distributions and it’s a waste of time to set-up Thunderbird in each distro and then waste precious space on the ‘home’ of each distro, only to have multiple copies of the same data on the same system.

I keep all of my data on a separate hard drive, outside ‘home’ directories. This drive is accessible by all distros, which makes it easier to work on the same files irrespective of the OS I am currently running. And that’s where I keep my Thunderbird data; so the same data is accessible across all distros eliminating duplication.

I use the ‘Profile’ feature of Thunderbird to achieve this. It also comes in handy when you hop from one distro to another as you won’t have to reconfigure your Thunderbird on each new distro.

It’s recommended to set up the profile before you run Thunderbird for the first time. To configure a Thunderbird profile, open Terminal and run this command:

thunderbird -p

You will be greeted by this window.

Linux Mint Thunderbird profile window.

Click on ‘Create Profile ‘, give it a name and then ‘Choose Folder’. This will be the directory where all of your Thunderbird data will be saved. Once done, click on ‘finish’ and you are set. Next time when you boot into another system, run the same command, create the profile and then point it to the folder you created previously. All your email accounts, settings, and add-ons will be there, automatically. If you run multiple distros, just create a profile on each distro and point it to the same directory.

Setting up Trackpad

I did find it a bit frustrating to connect the Magic Trackpad to Linux Mint 17.2. Linux Mint asks you to enter a PIN when you try to connect devices like Trackpad; a task you can’t perform from a trackpad. What you need to do is choose the PIN option and try with ‘0000’ which ‘might’ connect the device. I had to make several attempts because the moment the device was detected it would switch to the default ‘enter PIN’ option. I think Linux Mint should make it easy to connect such devices. When I tried it on Mac OS X, it detected that it was a Trackpad and instead of offering to enter PIN defaulted to ‘0000’ and paired with the device immediately.

Configuring the trackpad

Another issue I faced with Trackpad was that scrolling was not working out of the box. To enable that, open System Settings and go to TouchPad settings and select ‘vertical Scrolling’ (it should be selected by default).

Once you enabled that, you find that it’s not working on Firefox. To get it to work, open a Firefox browser and type ‘about:config‘ in the address bar. Firefox will throw a warning at you – ignore it and proceed. Then search for ‘gesture.swipe‘ and you will come across four results. Click on each, one by one, and delete the ‘value‘ field; scrolling will start working on Firefox.

How to upgrade from the previous version

If you are still on Linux Mint 17.1, then you won’t have to re-format your system and run a fresh install of Linux Mint 17.2. Now you can easily upgrade between major releases. Before running such an upgrade make sure to back-up your data so that, in case of a failed update, you don’t lose it. Run a system update to ensure all your packages are up-to-date. If there are applications that you don’t need, uninstall them to keep your system lean and mean.

Let’s start the major upgrade: Open ‘Update Manager’, refresh it, and install all the checked packages there.


Once everything is up-to-date, click on the ‘Edit’ menu and choose the third option (if available) to upgrade to the next release.


Then just follow the instructions and enjoy the latest version of Linux Mint.

That’s pretty much all that you need to do on Linux Mint to get the most out of this great Linux distribution. There used to be a long list of things ‘to do’ after installing Linux Mint, but these days most things, such as configuring printers, work out of the box.

Now it’s your turn, let us know what are the things that you do after installing Linux Mint!

Krebs on Security: Third Hacking Team Flash Zero-Day Found

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.

flashpotus

Google Chrome comes with its own version of Flash pre-installed, but disabling it is easy enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

Windows users can remove Flash from non-Chrome browsers from the Add/Remove Programs panel, and/or using this Flash Removal Tool. Note that you must exit out of all Web browsers before running the tool. To verify that Flash has been removed, visit this page; if it says your browser needs Flash, you’ve successfully removed it.

For Mac users, AppleInsider carries a story today that has solid instructions for nixing the program from OS X once and for all.

“Flash has become such an information security nightmare that Facebook’s Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off,” AppleInsider’s Shane Cole writes. “Though most exploits are targeted at Windows, Mac users are not invincible.”

I removed Flash entirely more than a month ago and haven’t missed the program one bit. Unfortunately, some sites — including many government Web sites — may prompt users to install Flash in order to view certain content. Perhaps it’s time for a petition to remove Flash Player from U.S. Government Web sites altogether? If you agree, make your voice heard here. For more on spreading the word about Flash, see the campaign at OccupyFlash.org.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Krebs on Security: Hacking Team Used Spammer Tricks to Resurrect Spy Network

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.

hackingteam

Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits is essentially a remote-access Trojan horse program designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police (INMP), an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control server at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the INMP to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the INMP and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

Apparently nobody detected the BGP hijack at the time, and that action eventually allowed Hacking Team and its Italian government customer to reconnect with the Trojaned systems that once called home to their control server at Santrex. OpenDNS said it was able to review historic BGP records and verify the hijack, which at the time allowed Hacking Team and the INMP to migrate their malware control server to another network.
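The origin checks the two paragraphs above describe, as an added example that is not part of Krebs' post or of the OpenDNS research: a small Python routine that walks a time-ordered list of origin announcements, compares each against a registry of who may originate which prefix (standing in for RPKI ROAs or IRR route objects, which is the kind of "historic BGP record" a verification like OpenDNS' rests on), and flags the three things the post describes: a prefix announced by an AS other than its registered holder, a more-specific prefix announced by an outsider (which wins under longest-match routing), and a registered range that comes back after a long dormancy. The registry, the AS numbers and the announcement records are constructed sample data using RFC 5737 documentation prefixes and RFC 5398 documentation AS numbers; nothing here is drawn from real routing tables, and the 30-day dormancy threshold is an assumption.

```python
"""Flag suspicious BGP origin announcements against a registry of expected origins.

Added example; not from the original post or from OpenDNS. Registry entries,
AS numbers and announcements below are constructed sample data. In a real
deployment the announcements would come from route-collector data and the
registry from RPKI ROAs or IRR route objects; the checks are the same.
"""
import ipaddress
from datetime import datetime, timedelta

# Who may originate which prefix (constructed; RFC 5737 prefixes, RFC 5398 ASNs).
REGISTRY = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# A registered range its holder has not originated for this long counts as
# dormant: the "abandoned" space the post describes being picked up by others.
DORMANT_AFTER = timedelta(days=30)  # assumed threshold


def registered_cover(prefix):
    """Most specific registry entry covering `prefix`, as (network, asn), or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg_text, asn in REGISTRY.items():
        reg = ipaddress.ip_network(reg_text)
        if net.version == reg.version and net.subnet_of(reg):
            if best is None or reg.prefixlen > best[0].prefixlen:
                best = (reg, asn)
    return best


def analyse(announcements):
    """Walk (timestamp, prefix, origin_asn) records in time order and return
    the suspicious ones as (timestamp, prefix, origin_asn, [reasons])."""
    findings = []
    last_legit = {}  # registered network -> last time its registered AS announced it
    for ts, prefix, origin in announcements:
        cover = registered_cover(prefix)
        if cover is None:
            continue  # nothing registered for this space; nothing to compare against
        reg, expected = cover
        reasons = []
        prev = last_legit.get(reg)
        # Dormancy is checked independently of the origin check on purpose:
        # RPKI and IRR only validate the origin AS, which a hijacker can simply
        # forge, so a long-quiet range coming back deserves a look even when
        # the origin looks right.
        if prev is not None and ts - prev > DORMANT_AFTER:
            reasons.append("dormant: registered AS%d last announced %s %d days earlier"
                           % (expected, reg, (ts - prev).days))
        if origin != expected:
            if ipaddress.ip_network(prefix).prefixlen > reg.prefixlen:
                reasons.append("more-specific of %s from AS%d (registered AS%d)"
                               % (reg, origin, expected))
            else:
                reasons.append("origin mismatch: AS%d announced, AS%d registered"
                               % (origin, expected))
        else:
            last_legit[reg] = ts
        if reasons:
            findings.append((ts, prefix, origin, reasons))
    return findings


# Constructed announcements, not real routing data.
SAMPLE_ANNOUNCEMENTS = [
    (datetime(2013, 1, 5), "203.0.113.0/24", 64500),      # holder announces; fine
    (datetime(2013, 1, 20), "203.0.113.0/24", 64500),     # still fine
    (datetime(2013, 4, 1), "203.0.113.0/24", 64502),      # quiet range picked up by a stranger
    (datetime(2013, 4, 1), "198.51.100.128/25", 64503),   # more-specific from an outsider
    (datetime(2013, 4, 2), "192.0.2.0/24", 64504),        # nothing registered; ignored
    (datetime(2013, 4, 3), "198.51.100.0/24", 64501),     # holder's own announcement
]

if __name__ == "__main__":
    for ts, prefix, origin, reasons in analyse(SAMPLE_ANNOUNCEMENTS):
        print("%s %-18s AS%-6d %s" % (ts.date(), prefix, origin, "; ".join(reasons)))
```

Two design notes. The registry lookup takes the most specific covering entry, because that is how the router will resolve the announcement too; a hijacker who announces a /25 out of a registered /24 is caught as "more-specific from an outsider" rather than missed because the exact prefix is not in the registry. And `last_legit` is only updated by announcements from the registered holder, so the dormancy reason reports how long the legitimate origin had been silent, which is the figure an investigator actually wants when reviewing a case like the one above.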

This case is interesting because it sheds new light on the potential dual use of cybercrime-friendly hosting providers. For example, law enforcement agencies have been known to allow malicious ISPs like Santrex to operate with impunity because the alternative — shutting the provider down or otherwise interfering with its operations — can interfere with the ability of investigators to gather sufficient evidence of wrongdoing by bad actors operating at those ISPs. Indeed, the notoriously bad and spammer-friendly ISPs McColo and Atrivo were perfect examples of this prior to their being ostracized and summarily shut down by the Internet community in 2008.

But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.

SANS Internet Storm Center, InfoCON: green: Another Adobe Flash Zero Day http://www.kb.cert.org/vuls/id/338736, (Sun, Jul 12th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: OS X Adobe Flash Player Web plug-in Update – https://support.apple.com/en-us/HT202681, (Sat, Jul 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

———– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe To Fix Another Hacking Team Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time in a week, Adobe Systems Inc. says it plans to fix a zero-day vulnerability in its Flash Player software that came to light after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

In an advisory published late Friday evening, Adobe said it plans to issue another Flash patch the week of July 13, 2015. “This vulnerability was reported to us following further investigation of the data published after the Hacker Team [sic] data breach,” the advisory notes.

Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux systems, and that code showing attackers how to exploit this flaw is already available online.

There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads when unsuspecting visitors browse to a hacked or booby-trapped site. On Wednesday, Adobe patched a different vulnerability in Flash that was exposed in the Hacking Team breach, but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.

If you were on the fence about removing or disabling Flash altogether, now would be a great time to reconsider. I recently blogged about my experience doing just that, and found I didn’t miss the program much at all after a month without it.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Arch Linux has updated openssl (certificate verification botch).

CentOS has updated php (C6: many vulnerabilities, some from 2014).

Debian has updated pdns (full fix for denial of service) and pdns-recursor (full fix for denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014), chromium (multiple vulnerabilities), mysql (multiple vulnerabilities), net-snmp (denial of service from 2014), openssl (certificate verification botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl (denial of service from 2013), portage (certificate verification botch from 2013), pypam (code execution from 2012), and t1utils (multiple vulnerabilities).

Mageia has updated openssl (certificate verification botch).

openSUSE has updated MariaDB (13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php (SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl (certificate verification botch).

Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities) and nss (two vulnerabilities).

LWN.net: Security advisories for Thursday

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Debian has updated python-django (two vulnerabilities).

Mageia has updated bind (denial of service), cups-filters (two code execution vulnerabilities), flash-player-plugin (many vulnerabilities), openssh (access restriction bypass), and virtuoso-opensource (multiple unspecified vulnerabilities).

openSUSE has updated flash-player (11.4: unspecified vulnerabilities), libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server (13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple vulnerabilities), and wireshark (13.2: two denial of service vulnerabilities).

Red Hat has updated flash-plugin (RHEL5&6: many vulnerabilities).

SUSE has updated flash-player (SLE12: many vulnerabilities).

Ubuntu has updated python-django (two vulnerabilities).

LWN.net: Security advisories for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated bind (denial of service) and flashplugin (code execution).

Debian has updated bind9 (denial of service).

Debian-LTS has updated linux-ftpd-ssl (segmentation fault).

openSUSE has updated flash-player
(13.2, 13.1: code execution).

Oracle has updated abrt (OL6: multiple vulnerabilities).

Scientific Linux has updated abrt
(SL6: multiple vulnerabilities).

Slackware has updated bind
(denial of service), cups (code execution), firefox (multiple vulnerabilities), and ntp (denial of service).

SUSE has updated bind (SLE11SP3: denial of service) and Xen (SLES10SP4: two vulnerabilities).

Ubuntu has updated bind9 (15.04, 14.10, 14.04, 12.04: denial of service) and libwmf (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

Krebs on Security: Adobe to Patch Hacking Team’s Flash Zero-Day

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. says it plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

A knowledge base file stolen from Hacking Team explaining how to use the company's zero-day Flash exploit.

In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

Several reports on Twitter suggested the exploit could be used to bypass Google Chrome‘s protective “sandbox” technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash. A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment. Google also says it’s already in the process of pushing the Flash fix out to Chrome users.

The Flash flaw was uncovered after Hacking Team’s proprietary information was posted online by hacktivists seeking to disprove the company’s claims that it does not work with repressive regimes (the leaked data suggests that Hacking Team has contracted to develop exploits for a variety of countries, including Egypt, Lebanon, Ethiopia, Sudan and Thailand). Included in the cache are several exploits for unpatched flaws, including apparently a Windows vulnerability.

According to new research from security firm Trend Micro, there is evidence that the Flash bug is being exploited in active attacks.

“A separate attack against one of these vulnerabilities shows that not sharing the discovery of vulnerabilities with the vendor or broader security community leaves everyone at risk,” wrote Christopher Budd, global threat communications manager at Trend. “This latest attack is yet another demonstration that Adobe is a prime target for exploit across commercial and consumer IT systems.”

There is no question that Adobe Flash Player is a major target of attackers. This Wednesday will mark the seventh time in as many months that Adobe has issued an emergency update to fix a zero-day flaw in Flash Player (the last one was on June 23).

Perhaps a more sane approach to incessantly patching Flash Player is to remove it altogether. Late last month, I blogged about my experience doing just that, and found I didn’t miss the program much at all. In any case, I’ll update this post once Adobe has issued an official fix.

SANS Internet Storm Center, InfoCON: green: Vulnerability announced for Adobe Flash Player 18.0.0.194 and earlier – CVE-2015-5119 – Flash Player update should be released tomorrow (2015-07-08) – more info at: https://helpx.adobe.com/security/products/flash-player/apsa15-03.html, (Tue, Jul 7th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: BizCN gate actor changes from Fiesta to Nuclear exploit kit, (Mon, Jul 6th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15.

I started writing about this actor in 2014 [1, 2] and recently posted an ISC diary about it on 2015-04-28 [3]. I’ve been calling this group the BizCN gate actor because the domains used for the gate have all been registered through the Chinese registrar BizCN.

We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:

  • Compromised servers are usually (but not limited to) forum-style websites.
  • Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
  • The domains for Nuclear EK change every few hours and were registered through freenom.com.
  • Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers [4].
  • The payload occasionally changes and includes malware identified as Yakes [5], Boaxxe [6], and Kovter.

NOTE: For now, Kovter is relatively easy to spot, since it’s the only malware I’ve noticed that updates the infected host’s Flash player [7].

Chain of events

During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:

  • Compromised website
  • BizCN-registered gate domain
  • Nuclear EK

Lets take a closer look at how this happens.

Compromised website

Compromised websites are the first step in an infection chain.

In most cases, the malicious javascript will be injected on any page from the site, assuming you get to it from a search engine or other referrer.

BizCN-registered gate domain

The gate directs traffic from the compromised website to the EK. The HTTP GET request to the gate domain returns javascript. In my last diary discussing this actor [3], you could easily figure out the URL for the EK landing page.

We’ve found at least four IP addresses hosting the BizCN-registered gate domain. They are:

  • 136.243.25.241
  • 136.243.25.242
  • 136.243.224.10
  • 136.243.227.9

If you have proxy logs or other records of your HTTP traffic, search for these IP addresses. If you find the referrers, you might discover other websites compromised by this actor.
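The search suggested above, and the three-step chain described under "Chain of events", written out as an added example (this is not the diary's own code, nor a tool from the ISC). It matches proxy log entries against the gate and Nuclear EK IP addresses the diary lists, collects the referrer of each gate hit as a candidate compromised website, and flags clients whose EK hit was referred by a gate IP, i.e. a full chain. The log format is an assumed, simplified Squid-style access log (timestamp, client, method, URL, status, referer), and the sample lines and their hostnames are constructed for illustration.

```python
"""Hunt proxy logs for the BizCN gate / Nuclear EK infrastructure in the diary.

Added example, not part of the ISC diary. The log format and every sample
line are constructed; only the IP addresses come from the diary.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators from the diary: the four IPs seen hosting the BizCN-registered
# gate domain, and the IP hosting Nuclear EK during 2015-07-03..2015-07-05.
GATE_IPS = {"136.243.25.241", "136.243.25.242", "136.243.224.10", "136.243.227.9"}
NUCLEAR_EK_IPS = {"107.191.63.163"}

# Constructed sample log (assumed format: ts client method url status referer).
# Hostnames are hypothetical; ".test" is reserved and never resolves.
SAMPLE_LOG = """\
1435910400.123 10.0.0.5 GET http://forum.example-hobby.test/thread/123 200 http://search.example.test/?q=hobby
1435910401.456 10.0.0.5 GET http://136.243.25.241/gate/abc.js 200 http://forum.example-hobby.test/thread/123
1435910402.789 10.0.0.5 GET http://107.191.63.163/landing/xyz 200 http://136.243.25.241/gate/abc.js
1435910403.000 10.0.0.7 GET http://136.243.227.9/gate/def.js 404 http://board.example-cars.test/index.php
1435910404.000 10.0.0.9 GET http://www.example-news.test/ 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<referer>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    """Hostname (or IP literal) of a URL; '' for the '-' placeholder."""
    if url == "-":
        return ""
    return urlparse(url).hostname or ""


def hunt(log_text, gate_ips=GATE_IPS, ek_ips=NUCLEAR_EK_IPS):
    """Classify hits by stage ("gate" or "ek") and record, per client,
    the referrer host and HTTP status of each hit.

    A referrer on a gate hit is a candidate compromised website; a referrer
    on an EK hit should itself be a gate IP, which confirms the chain.
    """
    hits = {"gate": defaultdict(list), "ek": defaultdict(list)}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        dest = host_of(rec["url"])
        if dest in gate_ips:
            stage = "gate"
        elif dest in ek_ips:
            stage = "ek"
        else:
            continue
        hits[stage][rec["client"]].append((host_of(rec["referer"]), rec["status"]))
    return hits


def candidate_compromised_sites(hits):
    """Referrer hosts seen on gate hits. 404 responses are kept on purpose:
    the diary notes that gate requests frequently return 404 Not Found."""
    return sorted({ref for recs in hits["gate"].values() for ref, _ in recs if ref})


def full_chains(hits, gate_ips=GATE_IPS):
    """Clients that reached both the gate and the EK, where the EK request
    carried a gate IP as referrer: compromised site -> gate -> Nuclear EK."""
    return sorted(
        client
        for client, recs in hits["ek"].items()
        if client in hits["gate"] and any(ref in gate_ips for ref, _ in recs)
    )


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    print("candidate compromised sites:", candidate_compromised_sites(found))
    print("clients with a full gate -> EK chain:", full_chains(found))
```

To run this against real data, replace SAMPLE_LOG with the contents of your proxy log and adjust LINE_RE to your log format; the referrer is the field that matters, since it names the site that sent the browser to the gate.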

Nuclear EK

Examples of infection traffic generated from 2015-07-03 through 2015-07-05 all show 107.191.63.163 as the IP address hosting Nuclear EK. This IP address is registered to Vultr, a hosting provider specializing in SSD cloud servers [4].

Finally, Nuclear EK sends the malware payload. It

Malware sent by this actor

During the three-day period, we infected ten hosts, saw two different Flash exploits, and retrieved five different malware payloads. Most of these payloads were Kovter (ad fraud malware).

Below are links to reports from hybrid-analysis.com for the individual pieces of malware:

Final words

It’s usually difficult to generate a full chain of infection traffic from compromised websites associated with this BizCN gate actor. We often see HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all.

We believe the BizCN gate actor will continue to make changes as a way to evade detection. Fortunately, the ISC and other organizations try our best to track these actors, and we’ll let you know if we discover any significant changes.

Examples of the traffic and malware can be found at:

As always, the zip file is password-protected with the standard password. If you don’t know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
Security Researcher at Rackspace and ISC Handler
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/01/01/index.html
[2] https://isc.sans.edu/diary/Gate+to+Fiesta+exploit+kit+on+9424221669/19117
[3] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
[4] https://www.vultr.com/about/
[5] https://www.virustotal.com/en/file/b215e4cf122e3b829ce199c3e914263a6d635f968b4dc7b932482d7901691326/analysis/
[6] https://www.virustotal.com/en/file/a0156a1641b42836e64d03d1a0d34cd93d3b041589b0422f8519cb68a4efb995/analysis/
[7] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Arch Linux has updated firefox (multiple vulnerabilities) and wesnoth (information leak).

Debian has updated stunnel4 (authentication bypass).

Debian-LTS has updated libxml2 (multiple vulnerabilities) and pykerberos (insecure authentication).

Fedora has updated drupal6 (F21; F22: account hijacking) and drupal7 (F21; F22: multiple vulnerabilities).

openSUSE has updated flash-player (11.4).

Oracle has updated firefox (O5; O6; O7: multiple vulnerabilities).

Red Hat has updated firefox (RHEL: multiple vulnerabilities) and openstack-cinder (RHEL OSP: file disclosure).

SUSE has updated MySQL (SLE 11 SP3: cipher downgrade attack), ntp (SLE11 SP3: multiple vulnerabilities), and OpenSSL (SLE 10 Client Tools; SUSE Manager 11 SP2, Studio Onsite; SLE 11 SAP; SLE 11 SP1; SLE SM 11 SP3: multiple vulnerabilities).

LWN.net: Friday’s security updates

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

CentOS has updated kvm (C5: code execution).

Debian-LTS has updated librack-ruby (denial of service) and libwmf (multiple vulnerabilities).

openSUSE has updated flash-player (13.1, 13.2: code execution), chromium (13.1, 13.2: multiple vulnerabilities), and openssl (13.1, 13.2: multiple vulnerabilities).

Oracle has updated kvm (O5: code execution) and nss (O6; O7: cipher-downgrade attacks).

Red Hat has updated kernel (RHEL5: privilege escalation) and kvm (RHEL5: code execution).

Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and mailman (SL7: code execution).

SUSE has updated compat-openssl098 (SLE12: multiple vulnerabilities), KVM (SLE11 SP3: multiple vulnerabilities), and openssl (SLE12: multiple vulnerabilities).

LWN.net: Thursday’s security updates

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

CentOS has updated nss (C7; C6: cipher downgrade) and nss-util (C7; C6: cipher downgrade).

Debian has updated cacti (three vulnerabilities).

Fedora has updated xen (F20: multiple vulnerabilities).

Oracle has updated kernel 2.6.39 (OL6; OL5: two vulnerabilities), kernel 3.8.13 (OL7; OL6: two vulnerabilities), and kernel 2.6.32 (OL6; OL5: two vulnerabilities).

Red Hat has updated chromium-browser (RHEL6: multiple vulnerabilities), flash-plugin (RHEL5&6: code execution), nss (RHEL6&7: cipher downgrade), php55-php (RHSC2: multiple vulnerabilities), and rh-php56-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated libreswan (SL7: denial of service) and php (SL7: multiple vulnerabilities).

SUSE has updated IBM Java (SLE10SP4: multiple vulnerabilities) and Java (SLE11SP2: multiple vulnerabilities).

Ubuntu has updated python2.7, python3.2, python3.4 (14.10, 14.04, 12.04: multiple vulnerabilities, some from 2013), tomcat6 (12.04: three vulnerabilities), and tomcat7 (15.04, 14.10, 14.04: multiple vulnerabilities).

LWN.net: Security updates for Wednesday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Arch Linux has updated flashplugin (code execution).

CentOS has updated kernel (C7: multiple vulnerabilities), libreswan (C7: denial of service), mailman (C7: path traversal attack), and php (C7: multiple vulnerabilities).

Debian has updated wireshark (denial of service).

Debian-LTS has updated zendframework (regression in previous update).

Fedora has updated curl (F22: information disclosure), libwmf (F21: code execution), openssl (F21: multiple vulnerabilities), and xen (F22; F21: multiple vulnerabilities).

Mageia has updated flash-player-plugin (multiple vulnerabilities).

openSUSE has updated cacti (13.2, 13.1: SQL injection), curl (13.2, 13.1: information disclosure), and libwmf (13.2; 13.1: code execution).

Oracle has updated kernel (OL7: multiple vulnerabilities), libreswan (OL7: denial of service), mailman (OL7: path traversal attack), and php (OL7: multiple vulnerabilities).

SUSE has updated flash-player (SLED12: code execution).

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Update – https://helpx.adobe.com/security/products/flash-player/apsb15-14.html, (Tue, Jun 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

-Kevin — ISC Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.