
January 2016 Internet Security Report


Threats

  • Microsoft DNS patching – Microsoft released a patch for DNS this month (MS15-127). Although reported internally, the vulnerability may allow remote code execution, and the patch should be applied to all Microsoft DNS servers. Soon after release, traffic to port 53 increased on the internet, suggesting there may be an exploit available.

If you have external-facing Microsoft DNS servers, they should be patched as soon as possible.

  • Drive-by Ransomware – Cryptowall 4.0 is being used in another drive-by campaign. This campaign is conducted in stages, the first being the installation of Pony, which harvests all usable usernames and passwords. The second is the installation of the Angler exploit kit, which is used to find flaws on the victim’s system. Once the flaws have been identified, they are used to install Cryptowall 4.0 onto the victim’s computer. This is actively being distributed using emails with Word attachments as well as Excel spreadsheets. http://arstechnica.com/security/2015/12/newest-ransomware-pilfers-passwords-before-encrypting-gigabytes-of-data/

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.

Remind users regarding the reporting process in your organisation should they accidentally open and activate such email. The first action of the user should be to pull the network cable on their computer.

Ensure that there are viable backups of critical files in the organisation.

  • Since late November 2015, malicious spam (malspam) distributing TeslaCrypt ransomware has surged in a recent attack offensive [1]. Criminal groups are sending out massive amounts of emails containing attachments with zipped .js files. These zipped .js files, called Nemucod by ESET and some other security vendors [2], download and install the TeslaCrypt ransomware. https://isc.sans.edu/diary/TeslaCrypt+ransomware+sent+using+malicious+spam/20507

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.

Remind users regarding the reporting process in your organisation should they accidentally open and activate such email. The first action of the user should be to pull the network cable on their computer.

Ensure that there are viable backups of critical files in the organisation.

Whilst the risk currently in AU is considered low, it may need a rethink of how machines with malware are remediated. To ensure this threat, if present, is removed, the volume boot records and master boot record should be rebuilt.

  • “The war in Syria, which began several years ago, has recently become one of the most widely reported events in the media. Along with the growing interest of the international community in Middle East events, ‘Nigerian’ scammers have also jumped on the bandwagon. Over the last few months, we have recorded an increase in the number of fraudulent emails utilizing the Syrian theme.” https://securelist.com/blog/spam-test/72867/arabian-tales-by-nigerians/

As these are standard phishing activities, users should be educated regarding following links and opening attachments in emails.

Educate users regarding opening emails with attachments, especially those that ask for content to be enabled.


Breaches

  • Invest Bank in Sharjah, United Arab Emirates – A hacker has leaked customer data after the bank declined to pay approximately US $3 million in Bitcoin as a ransom. The hacker has been identified as Hacker Buba. It is believed that Hacker Buba holds further customer data beyond the files released, including entire SQL databases. Hacker Buba claimed to also have data from the following banks: “UAE, Qater, ksa and etc”.

  • OPM breach update – A handful of hackers who allegedly broke into OPM’s database and stole data relating to approximately 22 million current and former federal employees have been arrested by the Chinese government. Information about the suspects and their potential ties to the Chinese government has not been disclosed.

  • JD Wetherspoon – A breach of around 656,000 customers’ data has been made public by the retail company JD Wetherspoon. The data obtained includes names, dates of birth, email addresses, phone numbers, and a ‘limited’ number of credit card details belonging to around 100 customers. It appears that the breach vector was their website, which has since had a ‘complete overhaul’. http://www.zdnet.com/article/jd-wetherspoon-loses-data-of-over-650000-customers-in-cyberattack/

Patches and Updates*

  • It appears that all major AV vendors have a flaw in the way they allocate memory with read, write and execute permissions. They allocate these RWX regions in a predictable way, which could allow an attacker to inject malicious code. McAfee, Kaspersky and AVG have released patches for the flaw, and others will follow. “Given the possible widespread nature of the problem, enSilo has created a free checking utility called AVulnerabilityChecker and stuck it on Github for anyone to use.” http://www.theregister.co.uk/2015/12/10/kaspersky_mcafee_avg_vulnerable/

  • Juniper ScreenOS – Juniper has disclosed two issues affecting ScreenOS:

    Unauthorised admin access – ScreenOS 6.3.0r17 through 6.3.0r20.

    VPN traffic can be decrypted – ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

    The admin issue, CVE-2015-7755, relates to a hardcoded backdoor password in the system. It allows access via SSH or Telnet regardless of the user ID used. The second issue, CVE-2015-7756, relates to IPsec VPNs and may allow someone who intercepts VPN traffic to decrypt it.

    Please review the KB and determine whether you have systems that may be susceptible. Scanning for accessible Juniper devices is ongoing.
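As an aid to the review requested above, here is an added Python inventory check (not Juniper's or Shearwater's own tooling) that parses ScreenOS version strings and reports which of the two listed version ranges each device falls into. The hostnames and versions in the sample inventory are constructed, and a version outside the listed ranges is reported as not matching, not as patched.

```python
import re

# Affected ScreenOS ranges exactly as listed in the item above:
# CVE -> (description, [(release train, first affected rN, last affected rN), ...])
AFFECTED = {
    "CVE-2015-7755": ("unauthorised admin access", [("6.3.0", 17, 20)]),
    "CVE-2015-7756": ("VPN traffic can be decrypted",
                      [("6.2.0", 15, 18), ("6.3.0", 12, 20)]),
}

# Accepts forms such as "6.3.0r17" and "6.3.0r17.0" (trailing build digit ignored).
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)(?:\.\d+)?$")

def parse_screenos_version(version):
    """Split '6.3.0r17' into ('6.3.0', 17); raise ValueError on any other shape."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    return m.group(1), int(m.group(2))

def affected_cves(version):
    """Return the sorted CVE ids whose listed ranges contain this version.
    A version outside every range returns [] - 'not listed', not 'fixed'."""
    train, release = parse_screenos_version(version)
    return sorted(cve for cve, (_desc, ranges) in AFFECTED.items()
                  if any(train == t and lo <= release <= hi for t, lo, hi in ranges))

def triage_inventory(inventory):
    """inventory: iterable of (hostname, version) pairs.
    Returns {hostname: [cve, ...]} for hosts needing attention; a host whose
    version cannot be parsed is reported as ['UNKNOWN-VERSION'], not dropped."""
    report = {}
    for host, version in inventory:
        try:
            cves = affected_cves(version)
        except ValueError:
            cves = ["UNKNOWN-VERSION"]
        if cves:
            report[host] = cves
    return report

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "6.3.0r19"),  # inside both listed ranges
    ("fw-edge-2", "6.3.0r14"),  # VPN range only
    ("fw-lab", "6.2.0r18.0"),   # VPN range only (build suffix tolerated)
    ("fw-old", "6.3.0r11"),     # outside both listed ranges
    ("fw-bad", "unknown"),      # inventory record with no usable version
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` flags fw-edge-1, fw-edge-2, fw-lab and fw-bad, and leaves fw-old out of the report.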

* Please note these are not all patches released during December. Our list outlines those patches or notifications that may have been missed, or have changed status since release or after additional information has been made available.


Other

  • DNS – Between November 30 and December 1, distributed denial-of-service attacks were carried out against the internet’s root name servers, a set of 13 server networks that are at the root of the domain-name system, or DNS, sometimes called the internet’s address book. The root server zones contain information that allows browsers to find top-level domains such as .com, .org, .net, and the country-specific domains attached to them. According to an incident report by root-servers.org, “most, but not all” DNS root name servers were experiencing five million queries per second, which was enough junk traffic to prevent some normal queries. http://www.zdnet.com/article/mystery-attackers-bombard-servers-at-the-internets-core/


  • Google will no longer trust one of Symantec’s root certificates, PCA3-G1, as a result of Symantec’s advisory that “this particular root certificate is based on older, lower-strength security that is no longer recommended, hasn’t been used to generate new certificates in several years, and will now be repurposed to provide transition support for some of our enterprise customers’ legacy, non-public applications.” http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/