Exploits for vulnerabilities in Adobe’s ColdFusion application server have been at the heart of a number of incidents this year, including a compromise of servers belonging to the Washington State Court system. This level of action has prompted Adobe to release five security updates for the software this year already, including hotfixes sent out today for two vulnerabilities being exploited in the wild.
Adobe, which for a few months has been synchronizing its monthly security updates with Microsoft’s, also released patches today for vulnerabilities in Adobe Reader and Flash Player; none of those flaws are actively being exploited.
It remains unclear which ColdFusion vulnerability was the center of the Washington State breach, though the court said in a statement there were breaches in February and March. An Associated Press report last week said the vulnerability exploited in the attack had already been patched.
The fixes released today address vulnerabilities in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and Unix. One vulnerability, CVE-2013-1389, enables remote code execution on a server running ColdFusion, while the other, CVE-2013-3336, allows unauthorized remote access to files stored on the server. It is this bug, Adobe said, that is currently being exploited.
Adobe also patched 13 memory corruption vulnerabilities in Flash Player that could cause the ubiquitous media player to crash and allow attackers to gain remote control over a compromised computer. Version 22.214.171.124 for Windows was given the most critical rating. Mac, Linux and Android patches were also released, as was a fix for Adobe AIR 126.96.36.1990.
The Adobe Reader bulletin patches 30 vulnerabilities in Reader and Acrobat 11.0.02 for Windows and Mac, and Reader 9.5.4 and earlier 9.x versions for Linux. The vulnerabilities involved include 18 memory corruption vulnerabilities that could lead to remote code execution. The remainder of the security updates resolve integer underflow, use-after-free, stack overflow, buffer overflow, integer overflow and information leakage vulnerabilities.
Unlike the ColdFusion bugs, none of the Flash or Reader vulnerabilities have been spotted in the wild, Adobe said.
In the Washington State breach, hackers took advantage of an unpatched ColdFusion instance to grab as many as 160,000 Social Security numbers belonging to anyone booked into a city or county jail between September 2011 and December 2012. Driver’s license numbers belonging to up to one million Washington citizens may also have been accessed, the court said.
“The vast majority of the site contains non-confidential, public information. No personal financial information, such as bank account numbers or credit card numbers, is stored on the site,” they said in the statement. “However, other data stored on the server did include social security numbers, names, dates of birth, addresses, and driver license numbers that may have been accessed. Although there is no hard evidence confirming the information was in fact compromised, the data was still vulnerable and should be considered as potentially exposed.”
A news report says the beleaguered Bloomberg financial data and news service accidentally posted online more than 10,000 private messages between traders and clients at some of the world’s largest banks. The breaches, said to be part of a former employee’s data mining project, took place in 2009 and 2010.
The revelation, first reported by The Financial Times, will do little to restore public confidence in the company’s data security after its editor-in-chief had admitted just hours early on Monday that the news agency had allowed its journalists access to confidential client data since the 1990s.
“Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable,” wrote Matthew Winkler in an opinion piece on the Bloomberg Web site. “Last month, we immediately changed our policy so that reporters now have no greater access to information than our customers have. Removing this access will have no effect on Bloomberg news-gathering.”
The company is being investigated by a number of agencies, including the European Central Bank and U.S. Treasury and U.S. Federal Reserve, after senior executives at Goldman Sachs complained that a Hong Kong-based Bloomberg reporter had called to ask about a partner’s employment status after noticing the person hadn’t logged into a Bloomberg terminal for some time.
Winkler said the company’s reporters had limited access to data, including login histories and “high-level types of user functions on an aggregated basis, with no ability to look into specific security information.”
The company supplies financial terminals to traders, regulators and central bankers worldwide for about $20,000 annually. It reportedly has more than 315,000 terminal subscribers, who use the service to gather real-time data on markets and instant message each other.
On Friday, the CEO and president of Bloomberg LP, the parent company, posted on the Bloomberg Blog that reporters never accessed “trading, portfolio, monitor, blotter or other related systems or our clients’ messages.”
“Last month we changed our policy so that all reporters only have access to the same customer relationship data available to our clients,” wrote Daniel Doctoroff on Friday. “Additionally, we decided to further centralize our data security efforts by appointing one of our most senior executives to the new position of Client Data Compliance Officer. This executive is responsible for reviewing and, if necessary, enhancing protocols which among other things will continue to ensure that our news operations never have access to confidential customer data.”
The latest breach, involving more than 10,000 messages, was discovered by a Financial Times reporter doing a Google search. After the journalist contacted the company for comment on Monday, the confidential lists were immediately removed from the Internet.
The private messages were part of a data-mining project being done with a client’s consent by an employee who is no longer with the company. They involved confidential exchanges between traders and their clients at dozens of the world’s largest banks and had been available for public consumption for several years.
New York City Mayor Michael Bloomberg, the majority owner of the financial information company, has not been involved in daily operations for a number of years, including since he took office in 2002. He has refused to comment on the privacy and security breaches, citing an agreement with the city’s Conflicts of Interest Board.
Blog: Microsoft Updates May 2013 - Slew of Internet Explorer Critical Vulnerabilities, Kernel EoP, and Others
Microsoft released a long list of updates for Microsoft software today. The most interesting appear to be those patching Internet Explorer and the kernel software vulnerabilities. In all, ten critical "use-after-free" vulnerabilities are patched in IE along with one important Information Disclosure vulnerability, and three elevation of privilege vulnerabilities are being patched as well. Almost all of these IE vulnerabilities were reported by external security researchers working through HP's Zero Day Initiative.
Facebook users are being warned of malicious Firefox and Chrome extensions that can give an attacker remote control over a Facebook profile.
Microsoft has seen an increase in activity around these extensions, in particular in Brazil. The threat is detected as Trojan:JS/Febipos.A and has been updated recently.
“This Trojan monitors a user to see if they are currently logged in to Facebook. It then attempts to get a configuration file from the website <removed>[,]info/sqlvarbr.php,” said Jonathan San Jose of the Microsoft Malware Protection Center. “The file includes a list of commands of what the browser extension will do.”
The malware can add posts to a profile, like pages, join groups or invite others to join groups, chat and comment on posts. So far, Microsoft said it has seen posts in Portuguese on hijacked profiles trying to get users to click on a link, purported to be a video about a bullying-related suicide. Facebook has already blocked the link as malicious.
The Trojan, meanwhile, acts as a dropper and opens backdoor connections. When the malware infects Chrome, it tries to connect to du-pont.info/updates/[removed]/BL-chromebrasil[.]crx, while on Firefox, the connection is to du-pont.info/updates/[removed]/BL-mozillabrasil[.]xpi. The malware then attempts to update itself from either of those domains.
The malware’s capabilities and messages it posts to entice other users to infect themselves depends on the configuration file downloaded to the malware, Microsoft said. One link Microsoft shared as an example had 2,746 Likes, had been shared 167 times and had 165 comments, indicating a notable number of potential victims. Within hours after the initial analysis, all of those numbers had risen.
“There may be more to this threat because it can change its messages, URLs, Facebook pages and other activity at any time,” Microsoft’s San Jose said.
IE users are not at risk, Microsoft added.
Google and Mozilla have recently added protections that address threats via browser extensions. Google, in December, announced that it would halt silent extensions in Chrome. These used to be done without permission via the Windows registry mechanism, a feature that allows the installation of extensions alongside other applications, enabling third parties to opt-in users without their permission.
Those are now disabled by default in Chrome and a dialog pops up explaining the effect of the extension on the browser and any potential risks. The new feature also automatically disables any extensions installed using external deployment options in the past as well.
Mozilla, meanwhile, added a click-to-play feature beginning with Firefox 17 in November that prevents users from running out of date or vulnerable plug-ins or extensions. The move was designed to block exploits targeting these older versions of plug-ins such as Adobe Flash and Reader.
One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID).
Speculation has it that the DoL attack was targeting downstream employees at the Department of Energy who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, a federal organization that funnels assistance to impoverished or oppressed nations.
The DoL’s Site Exposure Matrices site is a repository of data on toxic substances present at nuclear facilities run by the Department of Energy. The infected Cambodian site is a page belonging to the Better Health Services project, a USAID-funded initiative to strengthen health care services in Cambodia. Researchers at Invincea and AlienVault also said that European aerospace, defense and security companies were compromised, but none have been identified.
The attacks targeting USAID used social media accounts on Twitter and Facebook to entice victims to click on shortened URLs leading them to the University Research Co. website, Romang said.
Romang found a connection referrer to the website on the backend server used in the attack. He discovered a Twitter account created on March 18 from @natividad_usaid that was providing links to the infected site; the Twitter account was deleted on April 10.
“Some Twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID,” Romang said.
Even the link listed in the Twitter account’s profile description contained a malicious shortened url leading users to a file hosted on a Dropbox account that Romang said is a direct link to the Poison Ivy malware.
The file establishes a connection to a command and control server microsoftUpdate[.]ns1[.]name and drops an executable called conime[.]exe which opens remote connections on ports 443 and 53, according to Invincea, and registry changes are made to maintain persistence on infected machines.
A second connection referrer was found, Romang said, this one to a phony Facebook profile for a supposed USAID employee Kelly Black, a University of Virginia graduate living in D.C. The account included a profile picture of two young blonde women and was created and deleted on March 24, Romang said. The account was busy, however, finding 41 friends—most with ties to USAID—and each post contained a link to the University Research Co. and messages about a Mekong water sanitation project. One curious Facebook friend of Kelly Black’s wanted to know which woman she was in the picture, which turns out was of a couple of supporters of the Swedish national soccer team taken during the 2012 European championships in Poland, Romang said.
Microsoft urges IE 8 users, at a minimum, to apply the Fix It for the zero day until a patch is released. The vulnerability is a remote-code execution use-after-free flaw, which stems from how the browser handles objects after they’ve been deleted.
The Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well, and some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.
It’s no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years.
Security researchers and software vendors have known for a long time that attackers will wait for new patches to come out and then reverse engineer the fixes in order to find the specifics of the vulnerabilities. It’s a concern, especially for large vendors such as Microsoft, Adobe and Oracle whose software runs on hundreds of millions of machines and have regular, predictable patch cycles that attackers can depend on. This gives them a monthly or quarterly batch of fixes to sink their teeth into.
And the attackers also know that many users don’t install patches right away. Microsoft has succeeded in getting many of its customers to use automatic updates, especially in the enterprise. But there still are plenty of users, particularly consumers, who don’t take advantage of automatic updates, leaving them open to attacks. When it comes to Java, anecdotal evidence has supported the idea that even though there has been a steady stream of new vulnerabilities over the last few years, attackers have tended to focus most of their attention on older flaws for which patches already have been published.
Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version.
“In Q3 and Q4 of 2012 two new vulnerabilities, CVE-2012-4681 and CVE-2012-5076, were found. But we didn’t observe any prevalence of Java malware abusing these newer vulnerabilities above malware abusing the older Java vulnerabilities, CVE-2012-0507 and CVE-2012-1723. The reason behind this might be that only Java 7 installations were vulnerable to CVE-2012-4681 and CVE-2012-5076, whereas CVE-2012-0507 and CVE-2012-1723 also target Java 6. As there are still many users that use Java 6, the malware writers might have tried to target Java 6 installations by including older vulnerabilities in the exploit package. We can assume that, for this reason, they didn’t do away with the older vulnerabilities,” Jeong Wook Oh of Microsoft said.
“So there were two kinds of Java vulnerabilities that appeared in 2012 overall: One is the category that applies to both multiple versions of Java including Java 6 and 7, and the other is the vulnerabilities that only apply to Java 7. So when new vulnerabilities that are only applicable to Java 7 are discovered, the attacker’s strategy was usually to combine it with older vulnerabilities that cover more versions of Java. In that way, they could achieve more coverage than just using a single exploit in one package.”
Oh looked specifically at four Java vulnerabilities from 2012 that malware targeted, only one of which was a zero day. The other three flaws already had patches available when the malware targeting them appeared. This is the same kind of pattern followed by malware that targets vulnerabilities in Microsoft products and Adobe applications. It, of course, just lends more support to the advice that security experts are always giving users: Install patches as soon as they’re available.
Defenders are at an asymmetric disadvantage when it comes to defending their networks. Attackers spend every minute of their day focused exclusively on penetrating your network to accomplish their mission…and opportunities abound. Today’s modern networks go beyond the walls of the enterprise to include endpoints, mobile devices, and virtual desktops and data centers. These extended networks constantly evolve and create new attack vectors including mobile devices, web-enabled and mobile applications, hypervisors, social media, web browsers and home computers. The job of the defender has never been more challenging.
Unfortunately, defenders don’t have the luxury of spending their days focused on security. The reality is that most IT security teams are understaffed, hampered by static and disconnected security technologies and consumed with addressing compliance and regulatory issues and other business imperatives. Unfocused on threats for too long, they risk being blindsided by attackers gaining maximum leverage of new vulnerabilities and new techniques to gain entry and achieve their objective, be it to gather data or simply to destroy.
Security teams need to recalibrate the way they approach security. To stay ahead of threats they need to start thinking like attackers. The only way to do this is to change their security model to be threat-centric; to address the extended network and the full attack continuum – before, during and after an attack. And to be truly effective, this threat-centric model must encompass all aspects of security – not only technology, but processes and people as well.
Here are just a few recommendations for how to move forward with a threat-centric approach to security.
Technology: It’s a natural instinct to go for low-hanging fruit first so most organizations start by protecting their core networks with solutions that are typically the fastest and easiest to deploy. But ‘silver bullets’ don’t exist and this approach alone won’t suffice. Attackers don’t discriminate and will take advantage of any gap in protection to reach their end goal. You need solutions that also protect endpoints, mobile and virtual environments. They must work together in a continuous fashion and they must span the full attack continuum.
Before an attack, defenders need comprehensive awareness and visibility of what’s on the extended network – devices, operating systems, services, applications, users, content and potential vulnerabilities. Establishing a baseline of information is a critical first step in defending your organization from attack. From there you can implement policies and controls to defend it, for example implementing access control over applications and users to minimize the attack surface.
During an attack, the ability to continuously detect threats and block them is critical. And because threats change so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to maintaining security effectiveness.
After an attack, marginalizing the impact becomes the priority. To do this defenders need to take a proactive stance with retrospective security, the ability to identify the root cause, understand the scope of the damage, contain the event, eliminate the risk of re-infection, remediate it and bring operations back to normal.
Processes: There are two aspects to consider here; the first is identifying processes ripe for automation. There aren’t enough hours in the day and IT security teams have too many other responsibilities to be able to address today’s barrage of attacks with manual approaches. The ability to reduce labor-intensive tasks and streamline processes with automation is essential. Tools that can intelligently identify and automatically alert only on relevant security events can save security teams hours investigating events that aren’t real threats. In addition, being able to automatically enforce and tune security policies and rules to keep pace with the changing threat landscape and evolving IT environment minimizes the risk of exposure to the latest threats and vulnerabilities.
The second aspect to consider is an incident response process. Security events happen and many organizations don’t have an incident response plan in place. Every organization should have a designated Incident Response team, even if not full time, that is cross-functional and trained to communicate and respond to security events. The team needs to be backed by documented processes and policies. For example, an InfoSec Policy must be put in place to ensure you’re protecting the right data. An incident response runbook with clear step-by-step instructions for the team to follow in the event of an attack, including incident notification and a collaboration call tree, leads to better, swifter and more accurate containment and remediation. Finally, systematic program reviews on a quarterly basis can ensure that your policies, configurations and rules performance are protecting your organization as needed.
Education: At the end of the day, technology and processes are only as good as the people behind them. Organizations must be committed to keeping their staff highly trained on the current threat landscape. Ongoing professional development with a specific focus on being able to identify an incident, know how to classify it and how to contain and eliminate it will help keep security teams apprised of the latest techniques used by attackers to disguise threats, exfiltrate data and establish beachheads for future attacks. Certifications and trainings to remain current on security technologies and how to optimize their deployment and tuning for maximum security effectiveness ensure organizations are getting the most from their IT security investments.
In these particularly challenging times for security professionals, it’s imperative they re-balance and optimize operations for a consistent emphasis on the threat. By putting a threat focus closer to the center of what they do they’ll have the clarity, the resources and the liberty they need to sharpen decision-making and confront the greatest risks to their enterprise.
Al Huger is the vice president of development, cloud technology group, at Sourcefire.
Gmail and Google Apps account hijacking has been the linchpin of a number of high-profile targeted attacks, starting with the Aurora attacks of 2009, right up until last week’s attack against the Twitter account belonging to the satirical Onion news site.
Granted we’re talking about two very different levels of severity between stealing data from the defense industrial base and sending out a few politically motivated hoax Tweets, but the thirst for legitimate credentials among state-sponsored hackers, cybercriminals and hacktivists won’t abate any time soon.
The chase, along with the general inadequacy of passwords, has forced Google for one to aggressively pursue a new direction for authentication into its online services. The company this week announced a new long-term plan for strong authentication, one that builds off a similar initiative in 2008 that led to the current implementations of two-factor authentication for Gmail and risk-based login challenges in order to determine if requests for access are indeed from the intended user.
Going forward, Google hopes to put strong authentication in place when endpoints such as laptops, tablets or smartphones are first configured and have the device act as an authenticator. It also explained a number of other measures it would like to see implemented in the relatively near future. Clearly, smart phones have changed the dynamic of authentication for Google.
“With mobile devices like Android the usability is even further improved because you only log in to the device once at the OS level and it works across all the apps on the device instead of having to go through a multi-step login flow for each application,” said Eric Sachs, a product manager with the Google security team. “However to improve the usability of this approach, one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”
Google has also thrown its support behind the ChannelID open standard, which aims to secure the cookie on the device that certifies the user has signed in to a service. The concept puts up a barrier for man in the browser attacks that attempt to sniff and steal cookies as they’re passed to the browser. This tighter connection between cookies and encryption keys as proposed in the standard and currently in place in the Chrome browser is another priority initiative for Google going forward.
“In essence, the browser self-provisions an anonymous public-private key pair for each web domain it needs to talk to via SSL. The web domain can use the consistent SSL public key Channel ID presented by the client device to tie into cookies that it issues to the client device,” Sachs said. “But once the cookies are ‘tied’ in this manner, they are no longer reusable bearer tokens. The web server will only accept them as part of a connection that has been digitally signed with the same ChannelID. ChannelID significantly reduces the risk associated with leaked reusable bearer tokens.”
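The binding Sachs describes, as an added example that is not Google's or Chrome's code: a server ties each cookie it issues to the fingerprint of the client's per-domain public key and only honours the cookie on a connection signed by that key, so a copied cookie presented over any other channel is rejected. Lamport one-time signatures stand in for the browser's real ChannelID key pair because the Python standard library has no asymmetric crypto; the server, session store and "alice" user are constructed for the demo.

```python
import hashlib
import hmac
import secrets

HASH_BITS = 256


def lamport_keygen():
    """Lamport one-time key pair (stand-in for the browser's per-domain ChannelID key)."""
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(HASH_BITS)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _bits(msg):
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(digest >> i) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, msg):
    # Reveal one preimage per message-hash bit; a one-time key must sign only one message.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(hashlib.sha256(s).digest() == pk[i][b]
               for i, (b, s) in enumerate(zip(_bits(msg), sig)))


def channel_id(pk):
    """Fingerprint of the client's public key: the value the server binds cookies to."""
    h = hashlib.sha256()
    for pair in pk:
        h.update(pair[0])
        h.update(pair[1])
    return h.digest()


class Server:
    """Constructed web server that issues channel-bound cookies instead of bearer tokens."""

    def __init__(self):
        self.cookie_key = secrets.token_bytes(32)  # constructed server-side MAC secret
        self.sessions = {}

    def login(self, user, cid):
        # Cookie = session id + MAC over (session id, channel id). The MAC is what
        # makes the cookie useless on a connection with a different channel key.
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        tag = hmac.new(self.cookie_key, sid.encode() + cid, "sha256").hexdigest()
        return f"{sid}.{tag}"

    def request(self, cookie, cid, pk, sig):
        # 1. The connection must be signed by the key whose fingerprint is cid
        #    (in real ChannelID this signature covers the TLS handshake).
        if channel_id(pk) != cid or not lamport_verify(pk, cid + cookie.encode(), sig):
            return None
        # 2. The cookie's MAC must have been computed over this same channel id.
        sid, tag = cookie.split(".")
        expected = hmac.new(self.cookie_key, sid.encode() + cid, "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        return self.sessions.get(sid)


def demo():
    """Returns (legitimate use, stolen cookie on attacker's channel, replayed signature)."""
    server = Server()

    # Victim's browser: provisions a key for this domain and logs in over it.
    sk, pk = lamport_keygen()
    cid = channel_id(pk)
    cookie = server.login("alice", cid)
    sig = lamport_sign(sk, cid + cookie.encode())
    legit = server.request(cookie, cid, pk, sig)

    # Attacker who copied the cookie but can only sign with their own channel key:
    # the signature checks out, but the MAC was bound to the victim's channel id.
    ask, apk = lamport_keygen()
    acid = channel_id(apk)
    asig = lamport_sign(ask, acid + cookie.encode())
    stolen = server.request(cookie, acid, apk, asig)

    # Attacker replaying the victim's cookie, channel id and signature with a
    # public key that does not match that channel id.
    forged = server.request(cookie, cid, apk, sig)
    return legit, stolen, forged


if __name__ == "__main__":
    print(demo())  # ('alice', None, None)
```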
At the start of its initial five-year plan, Sachs said Google did not anticipate the use of smartphones as authenticators. But with apps providing one-time passwords, for example, Sachs said Google is experimenting with apps that display notifications about risky behavior and ask the user to approve an action within an app before it proceeds. This would keep hackers who might have remote access to an app from gaining access.
“That type of ‘login approval’ approach has another interesting security aspect. While risk-based and strict two-factor login challenges do improve the security of a sign-in flow, they still have the potential to be broken through phishing attacks that trick a user into providing an OTP,” Sachs said. “But the ‘login approval’ approach makes phishing much harder and thus provides the potential to provide even stronger protection than Google’s two-factor offering.”
Google said it also is re-thinking how to unlock devices so that passcodes are no longer necessary, and involve the use of fingerprint scanners, Near Field Communication between devices, or proximity readers. These same concepts could be applied, Google said, where the OS would intervene when a risky behavior appears in the browser and request the user to approve it via a fingerprint check, for example. Google acknowledges this could require changes to APIs and how the OS and browser communicate.
“Once again, the time may be right given the ubiquity of personal devices such as mobiles and tablets,” Sachs said. “Further, the notion of a ‘local authentication’ to the device is becoming an accepted and expected part of the user experience.”
Adobe is set to push security updates for various versions of its Acrobat and Reader software packages, in tandem with Microsoft, in the May edition of Patch Tuesday.
According to the Adobe Product Security Incident Response Team, each of the updates in this month’s patch is considered serious, meaning that the updates provide fixes for vulnerabilities that an attacker could exploit to execute malicious code on user machines without user knowledge.
Additionally, each of the updates is receiving the most urgent priority one or two ratings. Priority one means that attackers are likely exploiting the to-be-fixed vulnerability in the wild; priority two denotes fixes for vulnerabilities that have, historically, placed users at an elevated risk for exploit, but for which there are currently no known exploits in the wild.
Adobe’s Patch Tuesday release will provide priority two rated fixes for Adobe Reader version XI (11.0.02) on Windows and Mac, version X (10.1.6) and earlier 10.x versions on Windows and Mac, version 9.5.4 and earlier 9.x versions on Mac, and version 9.5.4 and earlier 9.x versions on Linux machines.
The patch shipment also provides a priority one fix for a vulnerability in Adobe Reader version 9.5.4 and earlier 9.x versions for Windows.
The release will also supply priority two fixes for Adobe Acrobat version XI (11.0.02) for Windows and Macintosh, version X (10.1.6) and earlier 10.x versions for Windows and Macintosh, and version 9.5.4 and earlier 9.x versions for Macintosh.
Acrobat’s priority one fix resolves a vulnerability in version 9.5.4 and earlier 9.x versions for Windows.
Attackers using a vulnerability in Adobe’s ColdFusion app server were able to compromise servers belonging to the Washington State court system sometime in the last few months and walked off with data belonging to as many as a million residents of the state. The attackers had access to 160,000 Social Security numbers and the driver’s license numbers and names of a million people.
Officials say they’re uncertain exactly when the breach occurred, although they believe it to have been sometime after September. The breach of the court system’s Web site occurred in two separate incidents, which were discovered in February and March of this year.
“Once the breach was discovered, AOC took immediate action to further secure the environment and begin investigation and analysis into the depth and severity of the breach. In addition, AOC collaborated with the Washington State Consolidated Technology Services (CTS) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) for internet security, who provided valuable information in determining the scope of this security breach. MS-ISAC is a focal point for cyber threat prevention, protection, response and recovery for the nation’s state, local, territorial and tribal governments. The MS-ISAC 24×7 cyber security operations center provides real-time network monitoring, early cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response. AOC has implemented significant security enhancements to ensure that our systems and data are secure and to prevent the potential for future compromise,” the court system said in a statement on its site.
The attackers had no access to financial information, but were able to access 160,000 SSNs. The court warned that anyone who had been booked into a city or county jail between September 2011 and December 2012 is at risk for having their SSN affected by the breach. The potential pool of people whose driver’s license numbers and names were accessed is much larger:
- If you received a DUI citation in Washington State between 1989 through 2011; or
- If you had a traffic case in Washington State filed or resolved in a district or municipal court between 2011 through 2012; or
- If you had a superior court criminal case in Washington State filed against you or resolved between 2011 through 2012
Adobe is planning to patch a vulnerability on ColdFusion next week, but it’s not clear whether that is the same flaw that the attackers in this operation exploited.
Eight members of a New York cybercrime cell have been indicted in a carefully coordinated heist that drained $45 million from thousands of ATMs in less than 24 hours.
In a federal indictment unsealed Thursday in Brooklyn, authorities charge the attacks were reminiscent of a suspense movie in which the defendants and their co-conspirators carried out a scheme dubbed “Unlimited Operation” because of the unlimited proceeds that were possible.
Authorities allege the cybergang hacked into a credit card processor’s networks and compromised prepaid debit cards to dramatically raise withdrawal limits or account balances. The card numbers were given to associates around the world (in at least 26 countries), who used the compromised card data, including PINs, to cash out the fake cards as quickly as possible. The cash was then spent around the world on kickbacks and luxury goods, such as Porsche and Mercedes cars and Rolex watches.
The global attacks were marked by “the surgical precision of the hackers carrying out the cyberattack.” Of the $45 million believed to have been stolen, $2.8 million came from New York City machines.
“As charged in the indictment, the defendants and their co-conspirators participated in a massive 21st century bank heist that reached across the Internet and stretched around the globe,” said U.S. Attorney Loretta Lynch in a prepared statement. “In the place of guns and masks, this cybercrime organization used laptops and the Internet. Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of ATMs in a matter of hours.”
Among the eight charged in the elaborate scheme was alleged New York ringleader Alberto Yusi Lajud-Pena, 23, also known as “Prime” and “Albertico.” He was reportedly murdered a few weeks ago in the Dominican Republic. Others included in the four-count federal indictment are Elvis Rafael Rodriguez, 24; Emir Yasser Yeje, 24; Joan Luis Minier Lara, 22; Evan Jose Pena, 35; Jose Familia Reyes, 24; Jael Mejia Collado, 23; and Chung Yu-Holguin, 22.
According to the government’s filings, the first operation on December 22, 2012, targeted a credit card processor that processed transactions for prepaid MasterCard debit cards issued by the National Bank of Ras Al-Khaimah PSC, also known as RAKBANK, in the United Arab Emirates. “After the hackers penetrated the credit card processor’s computer network, compromised the RAKBANK prepaid card accounts, and manipulated the balances and withdrawal limits, casher cells across the globe operated a coordinated ATM withdrawal campaign,” the U.S. Justice Department outlined.
“In total, more than 4,500 ATM transactions were conducted in approximately 20 countries around the world using the compromised RAKBANK account data, resulting in approximately $5 million in losses to the credit card processor and RAKBANK. In the New York City area alone, over the course of just two hours and 25 minutes, the defendants and their co-conspirators conducted approximately 750 fraudulent transactions, totaling nearly $400,000, at over 140 different ATM locations in New York City.”
The second heist took place between the afternoon of February 19 and early morning of February 20, 2013. This time the target was a credit card processor that serviced MasterCard prepaid debit cards for the Bank of Muscat, located in Oman. “This attack was particularly devastating: Over the course of approximately 10 hours, casher cells in 24 countries executed approximately 36,000 transactions worldwide and withdrew about $40 million from ATMs.”
The global investigation involved assistance and cooperation from authorities in numerous countries, including Japan, Canada, Germany, Romania, the United Arab Emirates, the Dominican Republic, Mexico, Italy, Spain, Belgium, France, the United Kingdom, Latvia, Estonia, Thailand and Malaysia.
Microsoft will ship 10 bulletins in the May edition of Patch Tuesday. The company considers just two of the patches critical, one of which supplements the currently available “Fix it” tool that resolved the IE zero-day vulnerability exploited recently in a watering-hole attack targeting the U.S. Department of Labor.
The critical patches address that and other vulnerabilities in Microsoft Windows and Internet Explorer that could give an attacker the ability to execute code remotely.
The remaining important patches will mend a denial of service hole in Windows, a spoofing issue in that and the .NET framework, a remote code execution bug in Lync, two remote code execution flaws and one information disclosure problem in Office, an information disclosure vulnerability in Windows Essentials, and an elevation of privilege defect in Windows.
Wolfgang Kandek, the CTO of Qualys Inc., writes on his blog that systems administrators should prioritize the IE zero-day vulnerability that enabled the Department of Labor hack and the other remote code execution flaws.
Kandek says that the second bulletin addresses the IE 8 zero-day mentioned above, while the first bulletin provides fixes for the IE vulnerabilities made public in the Pwn2Own contest at the CanSecWest conference in March.
The Tuesday release will also include patches for Adobe and a new version of Reader. Most importantly, Adobe is working on a fix for a recent ColdFusion zero-day that should be ready for shipment on Tuesday.
Microsoft will release the patches on Tuesday, replacing the advanced notification bulletins on their Security TechCenter webpage.
Domain registrar Name.com has informed its customers via email of a data breach and asked them to reset their passwords.
The company, based in Denver, said it discovered a breach in which customer account information, such as encrypted credentials and credit card numbers, may have been accessed along with customer email addresses.
“It appears that the security breach was motivated by an attempt to gain information on a single, large commercial account at Name.com,” the customer email said.
Name.com told its customers that it uses strong encryption to store payment card data and that the encryption keys required to access that data were not compromised. EPP codes required for domain transfers were also not affected by the breach; as with the keys, those were stored separately from the compromised data.
“We take the matter very seriously,” the email said. “We’ve already implemented additional security measures and will continue to work diligently to protect the safety and security of your personal information.”
Name.com said on its Twitter feed that it was staggering the release of notifications to customers and information about password resets. As of 2 p.m. ET, there was no mention of the breach on the Name.com website, nor on its corporate blog.
The company is taking some heat because it is asking its users to click on an email link in order to proceed with a password reset, which is the same tactic a phishing email would use. Name.com does remind users who reuse their password on other sites to change those passwords too.
Webhosting.info said Name.com is the 27th largest registrar by total domains with 498,035; Go Daddy is the leader with more than 25 million domains and 32 percent market share.
This is the second large password breach in the last two weeks. On April 28, daily deal site LivingSocial reported it had been breached and hackers had accessed user names, email addresses and encrypted passwords. More than 50 million users were advised to change their passwords. LivingSocial said no credit card data was accessed.
Microsoft later this month will release a new version of its EMET protection tool, and this iteration will include a certificate pinning feature that will enable users to associate a specific certificate with a given certificate authority. The feature is designed as a defense against man-in-the-middle attacks that use forged certificates to redirect users or intercept protected traffic.
EMET is a toolkit designed specifically to help prevent certain kinds of exploits from working on protected applications. For example, users can deploy EMET to get the advantages of DEP or ASLR in applications that were not compiled with those exploit mitigations enabled. The new version of EMET is due May 28 and is in beta right now. The addition of certificate pinning is a significant one, although the feature only works by default when users are browsing with Internet Explorer.
Certificate pinning is a technique that can be used as a defense against attacks that take advantage of users’ trust in certificates and CAs, a trust that has been exploited many, many times in recent years. The compromises of Comodo, DigiNotar and other CAs have exposed the cracks in the CA infrastructure that have been there since its inception but rarely are noticed by anyone outside of the immediate vicinity. Attackers have discovered ways to issue fraudulent certificates to themselves for various important sites, notably Google, Mozilla, Yahoo and others.
Some of those attacks would not have been as damaging as they were if the users on the other end of the Web connection from the fake certificates had certificate pinning available. That defense would have allowed users to pin the Google SSL certificate to the Google Internet Authority, which issues the company’s legitimate certificates. EMET, which is meant as an enterprise tool, can help organizations fix that situation.
“EMET 4.0 comes with Certificate Trust enabled by default, including a set of pre-configured websites for the most common domains used by Microsoft online services; nevertheless, since we believe that certificate pinning is a useful tool to detect MITM attacks targeting any domain and not just Microsoft services, we designed Certificate Trust totally configurable, in order to allow any user to configure custom pinning rules that will be enforced when browsing the web with Internet Explorer,” Elia Florio of Microsoft wrote.
“EMET 4.0 has a main switch button in the system mitigation panel that can be used to activate or de-activate Certificate Trust. Once enabled, users have to specify which certificates and Root Certificate Authorities to trust. Users can verify that the Certificate Trust feature is activated from the EMET GUI by checking that the system status of this mitigation is “Enabled” and that Internet Explorer process (iexplore.exe) is in the list of configured apps (with or without memory mitigations enabled). This configuration allows EMET to inject into the protected process a new small module (EMET_CE.DLL) that will operate only within Internet Explorer to enforce the certificate pinning protection.”
There is a function in EMET 4.0 that allows advanced users to create some exceptions for certificate pinning, as well, based on variables such as key size and country of origin for the certificate. Users also can manually opt-in other executables for the certificate pinning, including another browser.
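The check that certificate pinning adds on top of ordinary certificate validation is easy to state but worth seeing in code: the platform may trust many root CAs, yet for a given host only one of them is allowed to have issued the certificate. The following is an added example written for this article in Go, not code from Microsoft or EMET; it builds two throwaway root CAs in memory (constructed, not real CAs), places both in the trust store, pins one of them for a hostname (`www.example.test`, a constructed name), and shows that a certificate from the other, equally trusted, root still fails the pin. The `PinRule` structure and the SPKI-hash pin are assumptions for the example; EMET's own rule format and its key-size and country exceptions are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PinRule ties a host to the single root CA allowed to issue for it (hypothetical structure).
type PinRule struct {
	Host        string
	RootSPKIPin string // base64(SHA-256(SubjectPublicKeyInfo)) of the pinned root
}

// SPKIPin hashes the public key, not the whole certificate, so a re-issued root with the same key still matches.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned runs ordinary PKI validation first, then additionally demands that
// at least one valid chain terminates at the pinned root.
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, rule PinRule) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: rule.Host, Roots: roots})
	if err != nil {
		return err // already fails normal validation; pinning never loosens that
	}
	for _, chain := range chains {
		if SPKIPin(chain[len(chain)-1]) == rule.RootSPKIPin {
			return nil
		}
	}
	return errors.New("chain is platform-trusted but not issued under the pinned CA")
}

// makeCert generates a key and certificate: a self-signed root when parent is nil,
// otherwise a server certificate for name signed by parent. All material is constructed in memory.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, key
	if parent == nil { // root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // end-entity server certificate
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// RunScenario models the CA-compromise case: two roots are both in the trust
// store, but only one is pinned for host. It returns the verdict for a leaf issued
// by the pinned CA and for one issued by the other (mis-issuing) CA.
func RunScenario(host string) (pinnedErr, otherErr error) {
	pinnedCA, pinnedKey := makeCert("Pinned Root (constructed)", nil, nil)
	otherCA, otherKey := makeCert("Other Trusted Root (constructed)", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA) // the platform trusts both, as it did in the real incidents
	rule := PinRule{Host: host, RootSPKIPin: SPKIPin(pinnedCA)}
	leafOK, _ := makeCert(host, pinnedCA, pinnedKey)
	leafBad, _ := makeCert(host, otherCA, otherKey)
	return VerifyPinned(leafOK, roots, rule), VerifyPinned(leafBad, roots, rule)
}

func main() {
	okErr, badErr := RunScenario("www.example.test")
	fmt.Println("leaf from pinned CA:", okErr)  // <nil>
	fmt.Println("leaf from other CA: ", badErr) // rejected by the pin
}
```

The order of the two checks is the design point: pinning is layered on top of normal validation and can only reject more, never accept a chain the platform would refuse. Pinning the root's key rather than the leaf certificate is what lets the site rotate its own certificate without breaking clients, which is the trade-off the EMET feature makes by pinning a domain to an authority rather than to one certificate.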
In addition to the certificate pinning feature, EMET 4.0 also includes protection against some techniques that researchers developed last year to bypass previous versions of the toolkit.
“For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additionally hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. These “Deep Hooks” can be configured in EMET’s Advanced Configuration. We have seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue. With EMET 4.0’s “Anti detours” option enabled, common shellcode using this technique will be blocked. Finally, EMET 4.0 also includes a mechanism to block calls to banned APIs,” Microsoft said.
A pro-Syrian regime hacker collective known as the Syrian Electronic Army (SEA) recently compromised the Twitter, Google Apps and other accounts belonging to The Onion, a long-running satirical news publication in the U.S. Like The New York Times before it, The Onion published a fascinating (non-comical) tell-all, indicating that it, like the Associated Press, had fallen victim to a SEA spear phishing campaign.
Unlike the attack at The New York Times, which was the work of a state-funded, military-grade attack team, the SEA launched a fairly typical spear-phishing attack against the editorial team at The Onion. In fact, this campaign was almost identical to an attack it launched weeks earlier that resulted in a successful compromise of the Associated Press.
According to The Onion’s frank and honest assessment, the SEA used three distinct methods to compromise employee accounts at the Onion. First, on May 3, “from strange, outside email addresses,” the SEA sent the phishing email–screen-grabbed below–to a few of The Onion’s employees:
From here, The Onion’s IT Team said, at least one employee followed the link that appeared to lead to the Washington Post, but actually led to a compromised website that, in turn, redirected users to a fraudulent Google application credential reset page. Again, at least one employee fell for the ruse, and consequently gave the SEA access to his or her Gmail account.
Now that the SEA had access to an employee account, on May 6 it used that account to send more of the same phishing email to other Onion employees. At this point, likely because the phishing emails were coming from a trusted email account, a number of employees followed the link. Only two employees actually entered their credentials into the fraudulent forms, though, one of whom had access to The Onion’s social media accounts.
The Onion then became aware of the compromise and sent out a company-wide password reset email. At the same time, the attackers sent a duplicate but fraudulent password reset email to everyone at The Onion except the IT teams, which compromised another two corporate accounts.
The Onion then published an article titled, “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels.” To which the SEA responded by publishing the contents of editorial emails on Twitter. The Onion’s IT team now admits that it did not know for sure which accounts were compromised and forced a password reset for every company account, ending the saga.
Ironically, this phishing post-mortem is hosted on an unrelated domain, so we reached out to The Onion for confirmation, because the People’s Daily, a Communist Party paper in China, looked silly when it ran with The Onion’s top available bachelor story about Kim Jong Un, which was, of course, a joke. The Onion’s press contact confirmed that this article is indeed a legitimate and accurate telling of what happened.
Microsoft has released a Fix-It to address an Internet Explorer 8 zero-day that was exploited in a watering hole attack against the U.S. Department of Labor website last week.
The Fix It is a temporary mitigation until a patch is released. Microsoft’s next scheduled Patch Tuesday security updates are set for next week, though it’s unlikely an update for CVE-2013-1347 will be ready in time.
The vulnerability is present only in IE 8, Microsoft said. The flaw is a use-after-free memory corruption bug that would allow an attacker to remotely execute code on a compromised machine.
“The Fix It is an effort to help protect as many customers as possible, as quickly as possible,” said Dustin Childs, group manager of Trustworthy Computing.
This is the second Fix It that Microsoft has issued this year. The first, in January, was also for a similar memory-related vulnerability in IE that was used in watering hole attacks against a number of government, political and manufacturing websites. IE 8 was the primary target there as well; IE 6 and 7 were also vulnerable, but no exploits were public for those two versions.
According to Net Market Share, IE 8 has the highest market share with 23 percent, followed by IE 9 (18 percent) and Chrome 26.0 (13 percent). Experts who analyzed the attack against the Department of Labor’s Site Exposure Matrices website said that the typical government agency worker would likely still be running IE 8, making them a tempting target for such an attack.
This tactic has been employed not only against government workers and political activists as part of espionage campaigns, but against a popular mobile developer’s website that ensnared a number of Facebook, Apple, Microsoft and Twitter employees.
In the case of the DoL, the target was likely downstream employees of the Department of Energy who work on nuclear weapons programs, experts at Invincea speculated. The DoL’s SEM site is a resource for employees who may have been exposed to radiation. The redirect on the site was sending visitors to a site hosting the Poison Ivy remote access Trojan, malware that is used in espionage campaigns; it opens a backdoor on compromised computers through which attackers can move about unnoticed.
Microsoft’s first Fix It of 2013, however, wasn’t a smashing success. Shortly after it was released, researchers at Exodus Intelligence reported they were able to bypass it. While the Fix It did address one means attackers had at their disposal to get onto victims’ machines, it didn’t address all possible avenues.
Adobe is readying a patch for a critical vulnerability in its ColdFusion Web application server that is being used in attacks right now. The vulnerability affects several versions of ColdFusion running on Windows, Unix and OS X.
The flaw, which Adobe plans to patch on May 14, can be used by a remote attacker to retrieve files from affected servers. There is a public exploit available for the vulnerability, making the patch a high priority for enterprises running ColdFusion.
“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” Adobe said in its advisory.
The company recommends that customers running vulnerable versions of ColdFusion, which include 10, 9, 9.02 and 9.01, follow the recommendations in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide to help install mitigations that will prevent exploitation of this vulnerability.
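The mitigation Adobe points to is a network-level one: the three `CFIDE` directories named in the advisory should simply not be reachable from the public Internet. As an added illustration, not code from Adobe or from the lockdown guides, here is a small Go filter of the kind a reverse proxy placed in front of ColdFusion could apply. It denies those paths to any peer outside an assumed administrator network (`10.0.0.0/8` here, a constructed value), normalizes the path first so that `..` segments and mixed case cannot bypass the rule, and ignores `X-Forwarded-For` because a client controls that header. The server it fronts is a placeholder; the restricted directory names are the ones in the advisory above.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"path"
	"strings"
)

// restrictedPrefixes are the directories Adobe's advisory says to restrict.
// They are compared lower-cased because ColdFusion on Windows serves paths
// case-insensitively, so "/cfide/Administrator" must not slip past the check.
var restrictedPrefixes = []string{
	"/cfide/administrator",
	"/cfide/adminapi",
	"/cfide/gettingstarted",
}

// IsRestrictedPath normalizes the request path (collapsing "//", "." and "..")
// and reports whether it lies under one of the restricted directories.
func IsRestrictedPath(p string) bool {
	clean := strings.ToLower(path.Clean("/" + p))
	for _, pre := range restrictedPrefixes {
		if clean == pre || strings.HasPrefix(clean, pre+"/") {
			return true
		}
	}
	return false
}

// ParseAllowlist turns CIDR strings (assumed administrator networks) into networks.
func ParseAllowlist(cidrs []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// SourceAllowed checks the TCP peer address against the allowlist. It deliberately
// ignores X-Forwarded-For, which any client can set; only the socket peer is trusted.
func SourceAllowed(remoteAddr string, allow []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range allow {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Lockdown wraps the handler that fronts ColdFusion (for example a reverse proxy)
// and returns 403 for restricted paths unless the peer is on an admin network.
func Lockdown(next http.Handler, allow []*net.IPNet) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsRestrictedPath(r.URL.Path) && !SourceAllowed(r.RemoteAddr, allow) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	allow, err := ParseAllowlist([]string{"10.0.0.0/8"}) // assumed admin network
	if err != nil {
		panic(err)
	}
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "placeholder for the proxied ColdFusion application")
	})
	fmt.Println("listening on :8080")
	http.ListenAndServe(":8080", Lockdown(app, allow))
}
```

The same rule expressed in IIS or Apache configuration, as the lockdown guides describe, is the more usual deployment; the value of writing it out is to see the two details that a hand-written rule most often gets wrong: path normalization before the prefix comparison, and deciding which address is the client's. An equivalent check that compared the raw path, or trusted a forwarded header, would leave the administrator directories reachable.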
One of the largest online music streaming services was briefly singing a different tune after learning a new Google Chrome plug-in allowed users to download copies of songs for free.
Google this week pulled from its Chrome Web Store the browser extension known as Downloadify, which exploited a vulnerability in Spotify’s web player to allow a user to download a DRM-free, MP3 backup of a song as it started playing.
“It is effectively stealing,” Sheena Sheikh, an intellectual property attorney told the BBC. “You are committing an infringement. You’re not authorised to download the songs. You don’t have permission.”
Although Google removed the extension from its Chrome store, it might still be circulating on other sites. The Dutch developer also published the code on GitHub, according to CNET. He reportedly took advantage of a flaw in the Spotify Web client that lacked encryption — unlike the desktop and mobile versions. He also told a reporter at The Verge he did not plan to update the program and believed Spotify had taken steps to boost its security.
Spotify currently has about 6 million subscribers and is second only to Apple as a digital revenue source for major music recording companies.
Sometime around 2:45 PM EDT yesterday, Syria’s BGP routes were severed and the country disappeared from the Internet. Just as quickly as it had fallen, Syria came back online this morning.
In March, the Middle Eastern nation entered the third year of a violent conflict in which the country’s ruling regime, headed by President Bashar al-Assad, is fighting a civil war against the Syrian National Coalition, a hodgepodge group of militias led by the Free Syrian Army and the Syrian Islamic Liberation Front. Syria lost its Internet connection similarly in November of last year.
Umbrella Security reported the outage, saying resolvers belonging to its parent company, OpenDNS, showed a precipitous drop in inbound and outbound Internet traffic. Search giant Google and the Internet monitoring firm Renesys Corporation would later confirm the blackout. Neither of the top-level domains located in Syria could be reached for the duration of the outage, which lasted just less than 20 hours.
“There have been numerous incidents where access to and from the Internet in Syria was shut down,” explained Umbrella Security CTO Dan Hubbard. “Shutting down Internet access to and from Syria is achieved by withdrawing the BGP routes from Syrian prefixes.”
Internet traffic routing relies on BGP, the Border Gateway Protocol, which distributes routing information and ensures that Internet-connected routers know how to reach IP addresses. When an IP range goes dark, its prefix is withdrawn from the BGP routing tables, telling other routers that those IPs are no longer reachable. During the outage, Hubbard said, the usual 70 or so routes in the BGP routing tables for Syria had decreased to just three.
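The mechanism Hubbard describes is worth seeing as a monitor would see it: a blackout is not a block on the wire but a sequence of withdrawal messages that empty a routing table. The following Go program is an added example for this article, not code from Umbrella Security, OpenDNS or Renesys. It uses a constructed feed of simplified BGP updates for a single origin AS (64500, a documentation-range AS standing in for a national provider, with private-range prefixes) that announces 70 prefixes and then withdraws all but three, the counts reported above, and shows a simple detector that fires when the visible prefix count for a watched AS falls below a fraction of its baseline.

```go
package main

import "fmt"

// Update is a simplified BGP UPDATE: an announcement or a withdrawal of one
// prefix by one origin AS. This representation is constructed for the example.
type Update struct {
	Prefix   string
	OriginAS int
	Withdraw bool
}

// RIB is the routing table as a monitor sees it: reachable prefix -> origin AS.
type RIB map[string]int

// Apply processes updates in order. An announcement inserts or replaces the
// route; a withdrawal deletes it, which is exactly how a country "disappears":
// nothing is blocked, the routers are simply told the prefixes are unreachable.
func (r RIB) Apply(updates []Update) {
	for _, u := range updates {
		if u.Withdraw {
			delete(r, u.Prefix)
		} else {
			r[u.Prefix] = u.OriginAS
		}
	}
}

// CountForAS returns how many prefixes the given origin AS currently has routes for.
func (r RIB) CountForAS(as int) int {
	n := 0
	for _, origin := range r {
		if origin == as {
			n++
		}
	}
	return n
}

// OutageDetected flags a blackout when the visible prefix count for a watched
// AS falls below floorFraction of its baseline (0.25 = lost three quarters).
func OutageDetected(baseline, current int, floorFraction float64) bool {
	return float64(current) < floorFraction*float64(baseline)
}

// SampleFeed builds a constructed feed: AS 64500 announces 70 prefixes, then
// withdraws all but three, mirroring the counts reported for the outage above.
func SampleFeed() (announces, withdraws []Update) {
	const watchedAS = 64500
	for i := 0; i < 70; i++ {
		p := fmt.Sprintf("10.%d.0.0/16", i) // constructed private-range prefixes
		announces = append(announces, Update{Prefix: p, OriginAS: watchedAS})
		if i >= 3 {
			withdraws = append(withdraws, Update{Prefix: p, OriginAS: watchedAS, Withdraw: true})
		}
	}
	return announces, withdraws
}

// MonitorSample replays the feed and reports the baseline, the remaining routes
// and whether the alert fires.
func MonitorSample() (baseline, remaining int, alert bool) {
	rib := RIB{}
	ann, wd := SampleFeed()
	rib.Apply(ann)
	baseline = rib.CountForAS(64500)
	rib.Apply(wd)
	remaining = rib.CountForAS(64500)
	return baseline, remaining, OutageDetected(baseline, remaining, 0.25)
}

func main() {
	b, r, alert := MonitorSample()
	fmt.Printf("baseline=%d remaining=%d outage=%v\n", b, r, alert) // baseline=70 remaining=3 outage=true
}
```

Replaying the announcements again after the withdrawals restores all 70 routes and clears the alert, which is the shape of the recovery described at the top of this item. A real monitor would take its baseline from a longer history rather than a single snapshot, and would key on the set of prefixes registered to a country rather than on one AS, but the table-update logic is the same.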
The disconnect meant that Syria could not communicate with the outside world. It’s not clear whether the outage disrupted Internet communication within the besieged nation’s borders.
Oddly, as pointed out by the Electronic Frontier Foundation, despite the “unprecedented humanitarian crisis” that is ongoing in Syria, the country’s Internet has, for the most part, remained available, offering the world a stark view into a brutal civil war.