Information Technology Sector
38. May 2, H Security – (International) Firefox add-on exposes visited URLs. A Sophos researcher reported that the ShowIP add-on for Mozilla’s Firefox browser sends the URLs of visited Web pages to a Web service called ip2info.org in unencrypted form. Apparently, the browser extension does not restrict this behavior to the normal browsing mode — it also transmits URLs accessed via HTTPS and any sites visited while in “Private Browsing” mode. ShowIP displays the IP addresses (IPv4/IPv6) of the current Web page in the browser’s status bar and gives access to querying services. The extension is particularly popular with network administrators and developers; according to Mozilla, the add-on has been installed by nearly 170,000 Firefox users. The described behavior was first observed in version 1.3 of the GPLv2-licensed add-on, which was published April 19, and remains in newer releases. Many users complained about the privacy violation on Mozilla’s add-on page; the ShowIP Dev Team, the developer of the add-on, responded by explaining that the add-on sends the URL to the server “to access the ip2location database” and promised HTTPS will be added as soon as possible. Mozilla responded by rolling back the available version of ShowIP on the Mozilla Add-ons site to version 1.0, and said it is working with the developer to address the issues. Source: http://www.h-online.com/security/news/item/Firefox-add-on-exposes-visited-URLs-1565273.html
39. May 2, IDG News Service – (International) Microsoft detects new malware targeting Apple computers. Microsoft detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly 3 years ago. The malware is not widespread, a researcher from Microsoft’s Malware Protection Center said. However, the malware shows hackers pay attention to people not applying patches when fixes are released, which puts their computers at a higher risk of becoming infected. The security update Microsoft released in June 2009, MS09-027, addressed two vulnerabilities that could be used by an attacker to gain remote control over a machine and run other code. Both vulnerabilities could be exploited with a specially-crafted Word document. The exploit discovered by Microsoft does not work with OS X Lion, but does work with Snow Leopard and prior versions. The researcher said it is likely attackers have knowledge about the computers they are attacking, such as the victim’s operating system version and patch levels. The malware delivered by the exploit is written specifically for OS X and is essentially a “backdoor,” or a tool that allows for remote control of a computer. Microsoft advised those who use Microsoft Office 2004 or 2008 for Mac or the Open XML File Format Converter for Mac to ensure those products have the patch applied. Source: http://www.computerworld.com/s/article/9226777/Microsoft_detects_new_malware_targeting_Apple_computers
40. May 2, H Security – (International) Oracle makes SSL use in database clusters free. A recent exposure of a vulnerability in current Oracle databases made Oracle issue a new advisory and offer SSL support to particular customers for free. The vulnerability allows an attacker to listen in on database queries and has no appropriate patches. An Oracle blog post provides the background to why the company issued the new advisory — Oracle Security Alert for CVE-2012-1675 directs customers to two support notes, one for customers without Oracle Real Application Clusters (RAC) and one for those with Oracle RAC. For those without RAC, Oracle recommends limiting registration of new listeners to the local node and IPC protocols; instructions are provided in the Oracle Support note “Using Class of Secure Transport (COST) to Restrict Instance Registration.” For those with RAC or Exadata, the problem is more complex and the use of COST in those situations also means the use of SSL/TLS encryption as detailed in the support note. The issue was that SSL/TLS encryption was sold at extra cost as Oracle Advanced Security. However, Oracle has now updated its licensing so customers can use the SSL/TLS mechanisms to protect themselves against the vulnerability. With the change in licensing and the availability of an effective workaround, it is unlikely Oracle will be producing a patch for its databases in the near future. Oracle is, however, emphatic that users should fix the problem. The advisory indicates the problem affects Oracle Database 11gR2 11.2.0.2 and 11.2.0.3, 11gR1 11.1.0.7, and 10g 10.2.0.3, 10.2.0.4, and 10.2.0.5. Users of Oracle Fusion Middleware, Enterprise Manager, or E-Business Suite should also be aware of the issue as these products include the vulnerable Oracle Database software. Source: http://www.h-online.com/security/news/item/Oracle-makes-SSL-use-in-database-clusters-free-1565661.html
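The non-RAC COST workaround from item 40, shown as an added illustration (not text from the Oracle support note): the listener.ora fragment on the left of the comments is the permissive default, the one below it restricts instance registration to the local IPC endpoint. The listener name LISTENER, the host dbhost and the IPC key REGISTER are assumed placeholders.

```text
# listener.ora BEFORE (assumed default): the listener accepts dynamic
# instance registration from anything that can reach TCP port 1521,
# which is the exposure the advisory for CVE-2012-1675 describes.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
  )

# listener.ora AFTER: keep the TCP endpoint for client connections, add a
# local IPC endpoint, and tell COST to accept registration over IPC only.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
    (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER)))
  )
SECURE_REGISTER_LISTENER = (IPC)

-- Instance side (run as SYSDBA): register through the local IPC endpoint,
-- otherwise the database's own registration is refused along with the rest.
ALTER SYSTEM SET LOCAL_LISTENER='(ADDRESS=(PROTOCOL=IPC)(KEY=REGISTER))' SCOPE=BOTH;
ALTER SYSTEM REGISTER;

# Shell: apply and verify. The instance must still appear under 'services';
# a registration attempt arriving over TCP is now logged by the listener
# as a TNS-01194 refusal, which is the event worth alerting on.
lsnrctl reload LISTENER
lsnrctl services LISTENER
```

For RAC and Exadata the same SECURE_REGISTER setting lists TCPS alongside IPC, which is why the licensing change for SSL/TLS matters in that case.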
41. May 1, Infosecurity – (International) Trusteer finds new ransomware variant. Ransomware is malware that locks up computers and demands payment for their release. A common ruse is to pretend the malware is actually a “seizure” by law enforcement agencies. Trusteer recently discovered a new variant. Using the Citadel malware platform — a descendant of the Zeus trojan — the new malware is called Reveton and claims to have come from the U.S. Department of Justice. It locks the computer and displays a warning screen claiming the IP address of the computer was detected accessing child pornography sites. A fine of $100 is payable. It advises how the payment should be made in order to unlock the computer. Source: http://www.infosecurity-magazine.com/view/25490/trusteer-finds-new-ransomware-variant/
42. May 1, Krebs on Security – (International) Service automates boobytrapping of hacked sites. One aspect of hacks seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites. This is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that distribute malware and browser exploits. A decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set. Currently, a huge percentage of malware in the wild has the built-in ability to steal FTP credentials from infected PCs. This is possible because those who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials. Some services offer a menu of extras to help customers maintain their Web-based minefields. Source: http://krebsonsecurity.com/2012/05/service-automates-boobytrapping-of-hacked-sites/
43. April 30, Threatpost – (International) New Flashback variant using Twitter as backup C&C channel. The latest version of the Flashback malware infecting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in the event the normal C&C system is not available. This version of Flashback, which infects Macs through exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack Web search traffic and push it to servers they control. The second tier is used to send commands to infected machines to perform specific actions on Macs. Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they do not receive a correctly formatted reply, they will perform a search on Twitter for a specially formatted string. Source: http://threatpost.com/en_us/blogs/new-flashback-variant-using-twitter-backup-cc-channel-043012
44. April 30, SecurityWeek – (International) Attackers place command and control servers inside enterprise walls. Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses to circumvent security measures, according to a security expert familiar with the innovative new attack method. Trend Micro observed dozens of incidents where these tactics were used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, the researcher said. The technique helps attackers remain stealthy as they exfiltrate data, as very little C&C traffic leaves the network. Also, the cyber criminals that conduct these types of attacks were seen applying software patches to the compromised systems to ensure other attackers are kept out and the systems are not potentially red-flagged. Source: http://www.securityweek.com/new-attack-method-puts-command-and-control-servers-inside-enterprise-walls For another story, see item 45
Internet Alert Dashboard
To report cyber infrastructure incidents or to request information, please contact US-CERT at sos@us-cert.gov or visit their Web site: http://www.us-cert.gov Information on IT information sharing and analysis can be found at the IT ISAC (Information Sharing and Analysis Center) Web site: https://www.it-isac.org