2016-4-A
CYBER INTELLIGENCE REPORT
1 | P a g e
Contents

Tuesday, April 5, 2016 ..... 2
Summary ..... 2
Interesting News ..... 2
News: ..... 3
  News: HIPAA ..... 4
  News: SCADA ..... 5
  News: Cyber Laws & Legislation ..... 5
  News: Computer Forensics ..... 5
Malicious Logic: ..... 6
  Exploits ..... 6
CVE Advisories: ..... 7
  Advisories ..... 7
Published Defacements of .Govs – Zone-H.org ..... 9
Zone-H Attack Statistics ..... 10
Credits: ..... 11
Sponsors: ..... 11
Tuesday, April 5, 2016

The Cyber Intelligence Report is an Open Source Intelligence (OSINT) resource focusing on advanced persistent threats and other digital dangers, received by over ten thousand individuals. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage. Included are clickable links to news stories, vulnerabilities, exploits, and a list of active hackers.

V/r, Jeremy Martin
Summary

Symantec ThreatCon Low: Basic network posture. This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
Interesting News

Websites recently alleged to be defaced include the BLM, CIA, Energy.gov, IC3, and NOAA. More on page 9.

Hacker reveals $40 attack that steals police drones from 2km away - www.theregister.co.uk

No encryption in pro-grade drones: just sniff Wi-Fi and copy signals. IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.

Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware and some basic knowledge of radio communications. With that in hand, attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.

The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted XBee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise.

The Germany-based UAV boffin worked with the consent and assistance of the unnamed vendor to pry apart the internals of the drone and the Android application which controls it. He found encryption, while supported, was not active in the XBee chips due to performance limitations, and that the Wi-Fi link used to control the aircraft at altitudes below 100 metres was protected by extremely vulnerable WEP.

Read more: http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/
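As an added example (not from the report and not from Rodday's research), the Python script below shows the two checks a practitioner would want to run against a capture of a drone's radio links before trusting them: whether the 802.15.4 data frames from the XBee radio carry the Security Enabled bit, and whether the 802.11 beacon for the control link advertises WEP rather than WPA2. The sample frames, the SSID "DRONE-CTRL", and the assumption that the XBee's AES link encryption shows up as the standard 802.15.4 Security Enabled bit are all constructed for illustration.

```python
"""Link-encryption audit for the two weaknesses in the drone story: an 802.15.4
(XBee) telemetry link with MAC security switched off, and an 802.11 control link
whose beacon advertises WEP. Added example; not from the report or Rodday's work.
All frames below are constructed, not captured from any aircraft."""
import struct

# IEEE 802.15.4 Frame Control Field (16 bits, little-endian): bits 0-2 frame
# type, bit 3 Security Enabled, bits 10-11 dest addr mode, bits 12-13 frame
# version, bits 14-15 source addr mode.  Assumption: the XBee radio signals its
# AES link encryption ("EE" option) through this standard Security Enabled bit.
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac_command"}

def parse_802154_fcf(frame: bytes) -> dict:
    """Decode the FCF and sequence number of a raw 802.15.4 MAC frame."""
    if len(frame) < 3:
        raise ValueError("802.15.4 frame too short for FCF + sequence number")
    fcf = struct.unpack_from("<H", frame, 0)[0]
    return {
        "type": FRAME_TYPES.get(fcf & 0x7, "reserved"),
        "security_enabled": bool(fcf & 0x0008),
        "dst_addr_mode": (fcf >> 10) & 0x3,
        "frame_version": (fcf >> 12) & 0x3,
        "src_addr_mode": (fcf >> 14) & 0x3,
        "seq": frame[2],
    }

def parse_80211_beacon(frame: bytes) -> dict:
    """Classify what an 802.11 beacon advertises: open, wep, wpa or wpa2.
    Layout: 24-byte management header, 8-byte timestamp, 2-byte interval,
    2-byte capability field (bit 4 = Privacy), then tagged IEs."""
    if len(frame) < 36:
        raise ValueError("beacon too short")
    fc = frame[0]                       # bits 2-3 type (0 = mgmt), bits 4-7 subtype (8 = beacon)
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 0x8:
        raise ValueError("not a beacon frame")
    body = frame[24:]
    privacy = bool(struct.unpack_from("<H", body, 10)[0] & 0x0010)
    ssid, has_rsn, has_wpa = "", False, False
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated information element")
        if tag == 0:
            ssid = data.decode("utf-8", errors="replace")
        elif tag == 48:                                       # RSN IE: WPA2
            has_rsn = True
        elif tag == 221 and data[:4] == b"\x00\x50\xf2\x01":   # vendor IE: WPA1
            has_wpa = True
        pos += 2 + length
    if not privacy:
        enc = "open"
    elif has_rsn:
        enc = "wpa2"
    elif has_wpa:
        enc = "wpa"
    else:
        enc = "wep"   # Privacy bit set but no RSN/WPA IE: legacy WEP
    return {"ssid": ssid, "encryption": enc}

def audit(frames_802154, beacons_80211) -> list:
    """One finding per weak link; an empty list means both links are encrypted."""
    findings = []
    for i, frame in enumerate(frames_802154):
        info = parse_802154_fcf(frame)
        if info["type"] == "data" and not info["security_enabled"]:
            findings.append(f"802.15.4 frame {i} (seq {info['seq']}): "
                            "data sent with Security Enabled = 0")
    for beacon in beacons_80211:
        info = parse_80211_beacon(beacon)
        if info["encryption"] in ("open", "wep"):
            findings.append(f"802.11 SSID {info['ssid']!r}: advertises "
                            f"{info['encryption'].upper()}")
    return findings

# Constructed 802.15.4 data frame, FCF 0x8841: data, PAN ID compression, 16-bit
# addresses, Security Enabled = 0; seq 7, PAN 0x1234, dst 0x0001, src 0x0002.
XBEE_PLAIN = bytes.fromhex("4188" "07" "3412" "0100" "0200") + b"CMD:LAND"
# Same frame with Security Enabled set (FCF 0x8849); payload would be ciphertext.
XBEE_SECURE = bytes.fromhex("4988" "08" "3412" "0100" "0200") + b"\xde\xad\xbe\xef"

def _beacon(ssid: bytes, capab: int, extra_ies: bytes = b"") -> bytes:
    """Build a minimal constructed beacon: header, fixed fields, SSID IE, extra IEs."""
    hdr = (bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6
           + b"\x02\x00\x00\x00\x00\x01" * 2 + b"\x00\x00")
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", capab)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + extra_ies

BEACON_WEP = _beacon(b"DRONE-CTRL", 0x0011)                       # ESS + Privacy, no RSN/WPA IE
BEACON_WPA2 = _beacon(b"DRONE-CTRL", 0x0011, b"\x30\x02\x01\x00")  # ESS + Privacy + RSN IE

if __name__ == "__main__":
    for line in audit([XBEE_PLAIN, XBEE_SECURE], [BEACON_WEP, BEACON_WPA2]):
        print(line)
```

On real traffic, feed raw 802.15.4 frames from a sniffer and 802.11 beacons (radiotap header stripped) into audit(); any finding means the link can be sniffed and its commands copied as the story describes, and a Security Enabled bit that is set only tells you encryption is on, not that the key is well chosen.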
News: Information Warfare
Writers who spied - The Economist (blog).
Pakistan: Iran Has Nothing to Do With Indian Espionage - The Diplomat.
Cambridge spy Kim Philby's denial of espionage - BBC News.
'Outlander' switches its game to juicy espionage - mySanAntonio.com.
Turkish journalists have espionage case hearing - WCVB Boston.
Charleston hospitals prepare for potential cyber threats - Charleston Post Courier.
Nuclear Security Summit addresses cyberthreats - FCW.com.
Mobile, ransomware pose big cyber threats: Chris Young, senior vice-president, Intel - Times of India.
Threat Hunting: Open Season on Cyber Threats - PR Newswire (press release).
Alleged Dam Hacking Raises Fears of Cyber Threats to Infrastructure - Newsweek.
Oculus Rift's Privacy Policy Says It's Not Liable If It's Hacked.
Hackers Demo Persistent, Quiet Attacks Through Windows DSC.
Magic Kinder App Could Let Hackers Send Vids To Your Kids.
Trump Cards: Hotel Chain Breached, Credit Card Data Stolen.
Panama Papers: 11.5 Million Documents Leaked Detailing Offshore Assets.
Tor Calls Out CloudFlare Over Blocking Of Services.
FBI Offers Crypto Assistance To Local Cops.
Turkey's Entire Citizenship Database May Have Been Leaked.
Hacker Reveals $40 Attack That Steals Police Drones From 2km Away.
Google April Fool's Gmail Button Sparks Backlash, Loses Jobs.
Reddit Has Lost Its Warrant Canary.
The DoD Invites You To Hack The Pentagon This Month.
Magento Becomes Fresh Target For KimcilWare Ransomware.
Cyber Criminals 'Hacked Law Firms'.
US Marine Corps Launches Hacker Support Unit.
Patch Out For 'Ridiculous' Trend Micro Command Execution Vuln.
Appeals Court: No Stingrays Without A Warrant, Judge.
SideStepper Allows For MITM Between iOS Devices, MDM Tools.
Nearly 1,500 Vulnerabilities Found In Automated Medical Equipment.
Cisco, Snort Scramble To Plug Malware Hole.
FBI Agrees To Unlock Another iPhone In Homicide Case.
The FBI Lost This Round Against Apple, But Aims To Win The War.
FBI Resists Call To Reveal Tor Hacking Secrets.
Google Has Also Been Asked To Unlock Stuff For The FBI.
LiveJournal Hit With Angler Exploit Kit.
FBI Tip Line Receives ‘Actionable’ Tips Daily.
Countering Violent Extremism.
New York JTTF Celebrates 35 Years.
HIG Symposium.
Preparing for the Pope.
ISIL and Antiquities Trafficking.
Attacks on Arkansas Power Grid.
Oklahoma City Bombing: 20 Years Later.
New Most Wanted Terrorist.
FBI WMD Exercise Tests Response to Chemical Attack.
Help Identify Individuals Traveling Overseas for Combat.
FBI, Interpol Host Critical Infrastructure Symposium.
Terrorist Incident Response Training.
A Conversation with Our Legal Attaché in Nairobi, Part 2.
The Year in Review, Part 1.

News: HIPAA
Senate leaves out HIPAA research changes - Politico.
Kinvey Collaborates with Google to Launch HIPAA Compliant Mobile Backend as a Service on Google Cloud Platform - Business Wire (press release).
HIPAA Compliance With Confidential Data Destruction Company In Santa Clarita - KHTS Radio.
How Providers Can Prepare For Round 2 Of HIPAA Audits - Lexology (registration).
Automated HIPAA transactions can save payers, providers $8.5B each year - FierceHealthPayer.
News: SCADA
Broadband CPNI, SCADA Hack, NG911 Standards, Lifeline Expanded, Wireless West - The National Law Review.
New Portal Launched For ICS/SCADA Threat Intelligence-Sharing Among Nations - Dark Reading.
8 Tips for SCADA Success - BizTech Magazine.
AutoSave for System Platform Named Wonderware HMI and SCADA Technology Partner Product of the Year by ... - ThomasNet News (press release) (blog).
SCADA Solutions says you can teach an old wind farm new tricks - Windpower Engineering (press release).

News: Cyber Laws & Legislation
MedStar Cyber Attack Shows Need for HHS to Implement Cybersecurity Law - HIT Consultant.
Cyber fallout from the Panama Papers - Politico.
Sanders outraises Clinton among tech workers; Senate encryption bill on its way; card breach at Trump hotels? - Washington Post.
Brexit: Leaving the EU could trigger UK science patent law rejig - The Register.
Carter Unveils Goldwater Nichols Reform - DefenseNews.com.

News: Computer Forensics
The Latest: Spain will trace offshore company funds - Times Daily.
Dixie Forum features DSU's Computer Crime Institute - St. George Daily Spectrum.
Cyber Sleuths - UA News.
Dubai Police's 3D camera to identify culprits by how they walk - Emirates 24|7.
Marshall accepting applications for forensics conference - Huntington Herald Dispatch.
Malicious Logic:

Exploits
Sophos Cyberoam NG Series Cross Site Scripting.
Pulse 0.7.0 Final CSRF / Cross Site Scripting.
MeshCMS 3.6 Remote Command Execution.
Quanta LTE Router Code Execution / Backdoor Accounts.
Hexchat IRC Client 2.11.0 CAP LS Handling Buffer Overflow.
Hexchat IRC Client 2.11.0 Directory Traversal.
DotCMS 3.3 SQL Injection.
Cacti 0.8.8g SQL Injection.
PQI Air Pen Express CSRF / XSS / Insecure Direct Object Reference.
Bitcoin/Altcoin Stratum Pool Mass Duplicate Shares.
Easy File Sharing HTTP Server 7.2 SEH Overflow.
PCMAN FTP Server 2.0.7 Buffer Overflow.
ManageEngine Password Manager Pro 8.3 CSRF / XSS / Escalation / Bypass.
FortiManager / FortiAnalyzer 5.x Script Insertion.
Techsoft Web Solutions CMS 2016 Q2 SQL Injection.
BugCrowd CSV Injection.
MSIE MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free.
Mautic 1.3.0 CSRF / XSS / User Enumeration / DoS.
Xion Audio Player 1.5 Denial Of Service.
WordPress Advanced Video 1.0 Local File Inclusion.
WordPress Scoreme Theme Cross Site Scripting.
Virtual Freer 1.58 Cross Site Scripting.
MyBB 1.6.x / 1.8.x Tags Cross Site Scripting.
Packet Storm New Exploits For March, 2016.
Windows Kernel Bitmap Use-After-Free.
CVE Advisories:
Advisories
• EMC Documentum D2 4.6 Configuration Object. Tue, 05 Apr 2016 01:51:01 GMT EMC Documentum D2 4.6 contains a fix for a D2 Configuration Object vulnerability that could potentially be exploited by malicious users to perform unauthorized updates on any D2 configuration object.
• Ubuntu Security Notice USN-2945-1. Tue, 05 Apr 2016 01:50:12 GMT Ubuntu Security Notice 2945-1 - It was discovered that XChat-GNOME incorrectly verified the hostname in an SSL certificate. An attacker could trick XChat-GNOME into trusting a rogue server's certificate, which was signed by a trusted certificate authority, to perform a man-in-the-middle attack.
• Ubuntu Security Notice USN-2944-1. Tue, 05 Apr 2016 01:50:03 GMT Ubuntu Security Notice 2944-1 - It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.
• Optipng Invalid Write. Tue, 05 Apr 2016 01:40:19 GMT An invalid write may occur in optipng before version 0.7.6 while processing bitmap images due to `crt_row' being (inc|dec)remented without any boundary checking when encountering delta escapes.
• ARRIS SURFboard 6141 Modem Denial Of Service. Tue, 05 Apr 2016 01:32:12 GMT ARRIS SURFboard 6141 broadband cable modems suffer from a cross site request forgery vulnerability that allows an attacker to force a reboot.
• Tradukka.com Cross Site Scripting. Tue, 05 Apr 2016 00:44:44 GMT Tradukka.com suffered from a cross site scripting vulnerability.
• IBM Java Issue 67 Bad Patch. Tue, 05 Apr 2016 00:32:22 GMT The patch for Issue 67 in IBM Java discovered by Security Explorations in 2013 was found to be faulty.
• Open-Xchange 7.8.0 Cross Site Scripting. Mon, 04 Apr 2016 17:16:16 GMT Open-Xchange versions 7.8.0 and below suffer from multiple cross site scripting vulnerabilities.
• Gentoo Linux Security Advisory 201604-01. Mon, 04 Apr 2016 16:47:44 GMT Gentoo Linux Security Advisory 201604-1 - Multiple vulnerabilities have been found in QEMU, the worst of which could lead to arbitrary code execution, or cause a Denial of Service condition. Versions less than 2.5.0-r2 are affected.
• Red Hat Security Advisory 2016-0532-01. Mon, 04 Apr 2016 16:47:28 GMT Red Hat Security Advisory 2016-0532-01 - Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center. Security Fix: A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
• Red Hat Security Advisory 2016-0590-01. Mon, 04 Apr 2016 16:47:17 GMT Red Hat Security Advisory 2016-0590-01 - Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool. Security Fix: A cross-site scripting flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users. Multiple cross-site scripting flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users.
• Debian Security Advisory 3540-1. Mon, 04 Apr 2016 16:47:06 GMT Debian Linux Security Advisory 3540-1 - Marcin Noga discovered an integer underflow in Lhasa, a lzh archive decompressor, which might result in the execution of arbitrary code if a malformed archive is processed.
• Debian Security Advisory 3539-1. Mon, 04 Apr 2016 16:46:53 GMT Debian Linux Security Advisory 3539-1 - Randell Jesup and the Firefox team discovered that srtp, Cisco's reference implementation of the Secure Real-time Transport Protocol (SRTP), does not properly handle RTP header CSRC count and extension header length. A remote attacker can exploit this vulnerability to crash an application linked against libsrtp, resulting in a denial of service.
• HP Security Bulletin HPSBGN03565 1. Mon, 04 Apr 2016 16:46:45 GMT HP Security Bulletin HPSBGN03565 1 - A vulnerability in the Linux kernel was addressed by HPE Virtualization Performance Viewer. The vulnerability could be exploited locally to allow Denial of Service (DoS). Revision 1 of this advisory.
• Slackware Security Advisory - mercurial Updates. Mon, 04 Apr 2016 16:46:39 GMT Slackware Security Advisory - New mercurial packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
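The XChat-GNOME advisory (USN-2945-1) above is the classic "valid chain, wrong host" mistake: the client confirmed the certificate was signed by a trusted CA but never checked that it was issued for the server it dialled. As an added example, not XChat-GNOME's code, the Python below separates those two checks and shows a hostname matcher with the RFC 6125 wildcard rules most TLS libraries apply. Certificates are modelled as plain dicts with hypothetical issuer and host names instead of parsed X.509, so the logic stays visible; a real client would take the same fields from the parsed certificate.

```python
"""Server-certificate hostname verification, the step USN-2945-1 says XChat-GNOME
got wrong. Added example, not XChat-GNOME's code. Certificates are modelled as
dicts (issuer, SAN dNSNames, optional CN) rather than parsed X.509 so the two
checks stay visible: (1) does the chain end in a trusted CA, and (2) is the
certificate actually for the host we dialled. Passing only (1) is what lets a
rogue server with any CA-issued certificate sit in the middle."""

def hostname_matches(hostname: str, dns_names: list) -> bool:
    """RFC 6125-style matching: case-insensitive; '*' only as the entire
    leftmost label, covering exactly one label, and never for a name with
    fewer than three labels. No IDNA handling here."""
    host = hostname.rstrip(".").lower()
    if not host or "*" in host:
        return False
    host_labels = host.split(".")
    for name in dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if "*" not in name:
            if pat_labels == host_labels:
                return True
            continue
        wildcard_ok = (pat_labels[0] == "*" and len(pat_labels) >= 3
                       and not any("*" in label for label in pat_labels[1:]))
        if wildcard_ok and pat_labels[1:] == host_labels[1:]:
            return True
    return False

def verify_peer(cert: dict, expected_host: str, trusted_cas: set) -> tuple:
    """Return (ok, reason). Both checks must pass, in the order a TLS client runs them."""
    if cert.get("issuer") not in trusted_cas:
        return (False, "issuer not trusted")
    # SAN dNSNames take precedence; fall back to the CN only when there are none.
    names = cert.get("san_dns") or ([cert["cn"]] if cert.get("cn") else [])
    if not hostname_matches(expected_host, names):
        return (False, f"certificate names {names}, not {expected_host}")
    return (True, "ok")

# Constructed certificates: hypothetical CA and host names, not real ones.
TRUSTED = {"Example Root CA"}
GOOD_CERT = {"issuer": "Example Root CA", "san_dns": ["irc.example.org", "*.example.org"]}
# Valid chain, wrong host: exactly the case a hostname check exists to reject.
ROGUE_CERT = {"issuer": "Example Root CA", "san_dns": ["attacker.example.net"]}
LEGACY_CERT = {"issuer": "Example Root CA", "cn": "irc.example.org"}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("rogue", ROGUE_CERT), ("legacy", LEGACY_CERT)]:
        print(label, verify_peer(cert, "irc.example.org", TRUSTED))
```

The rogue certificate passes the issuer check and fails only on the hostname; a client that skips the second check, as the advisory describes, accepts it and talks to the attacker over a perfectly valid TLS session.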
Published Defacements of .Govs – Zone-H.org
Hacking Group | Victim | OS
(the Example column in the original links to the Zone-H mirror of each defacement)

3needan | www.ads.pr.gov/_input_3_M75.html | Linux
3xp1r3 | ems.azdema.gov | Linux
AlfabetoVirtual | www.reaganlibrary.gov/images/j... | Unknown
AlfabetoVirtual | ssg.als.lbl.gov/alfa.html | Linux
AnadoluKartalları | www.cia.gov | Linux
Anonymous Arabe | aliquippapa.gov | Win 2003
Apekz | meeteetsecd-wy.gov/Apekz.html | Linux
Ashiyane Digital Security Team | www.ic3.gov/media/2016/160317.... | FreeBSD
Blast3R_ma | www.houstonwaterbills.houstont... | Win XP
DexmoD | www.sta.ca.gov/docManager/1000... | Linux
FaHaD-HacK-iRaQ | txdmv.gov/Fahad.htm | Linux
Global Security | secure.nssl.noaa.gov/gsh.html | Linux
Global Security | ondemand.nssl.noaa.gov/util/gs... | Linux
Global Security | ciflow.nssl.noaa.gov/realtime/... | Linux
Global Security | archive.nssl.noaa.gov/tmeyer/g... | Linux
Global Security | blog.nssl.noaa.gov/wp-content/... | Linux
Global Security | tracker.nssl.noaa.gov/data/gsh... | Linux
Jund El-Sham Electronic | probate.mobilecountyal.gov | Win 2003
Kuroi'SH | monroetwp-oh.gov/kp.html | Linux
Kuroi'SH | ashgrovemo.gov/kp.html | Linux
Moroccan Agent Secret | www.cascadecountymt.gov | F5 Big-IP
MrHax | teacheratsea.noaa.gov/php/welc... | Linux
MuhmadEmad | vegaalta.pr.gov/krd.html | Linux
NeT-DeViL | botdb.abcc.ncifcrf.gov/dsspRes... | Linux
NeT-DeViL | www.unioncountyga.gov/x.txt | Win 2008
NeT-DeViL | www.northmiamifl.gov/x.txt | Win 2008
NeT-DeViL | infosys.ars.usda.gov/issues/fi... | OpenBSD
NeT-DeViL | tcap.pw.usda.gov/bd/toronto_ta... | OpenBSD
NeT-DeViL | malt.pw.usda.gov/t3/barley/wha... | OpenBSD
NetDragonz | ppi.pds.nasa.gov/search/?sc=nu... | Linux
Nofawkx Al | pic.gov/def.htm | Win 2008
Nofawkx Al | www.santarosa.fl.gov/images/ | Win 2012
Nofawkx Al | www.fabius-ny.gov/news-images/... | Linux
Red hell sofyan | www.fmi.gov/Algeria.html | Win 2008
Red hell sofyan | www.section508.gov/Algeria.php | Win 2008
SoLo | sequoias.blm.gov | Unknown
Swan | www.nysenate.gov/senators/marc... | Linux
TAX | www.paris.ky.gov/index.php | Unknown
VanDaL_ma | www.cbonews.gov | MacOSX
VirtuaL | eastorange-nj.gov | Linux
ZeSn | www.miamidade.gov/govaction/ag... | Win 2008
zNako | www.nc.gov | Linux
ZoRRoKiN | stanhopenj.gov | Linux
ZoRRoKiN | www.sturgismi.gov/bids/index.php | Linux
ZoRRoKiN | localhost.energy.gov/images/ju... | Unknown
Zone-H Attack Statistics:
No. | Notifier | Single def. | Mass def. | Total def. | Homepage def. | Subdir def.

1. | Barbaros-DZ | 3448 | 157 | 3605 | 1223 | 2382
2. | Ashiyane Digital Security Team | 3034 | 4217 | 7251 | 1382 | 5869
3. | Hmei7 | 2865 | 1513 | 4378 | 775 | 3603
4. | LatinHackTeam | 1438 | 1266 | 2704 | 2254 | 450
5. | iskorpitx | 1324 | 955 | 2279 | 786 | 1493
6. | Fatal Error | 1210 | 2165 | 3375 | 2995 | 380
7. | HighTech | 1074 | 4067 | 5141 | 4140 | 1001
8. | chinahacker | 889 | 1344 | 2233 | 4 | 2229
9. | MCA-CRB | 854 | 626 | 1480 | 374 | 1106
10. | By_aGReSiF | 759 | 1431 | 2190 | 804 | 1386
11. | oroboruo | 724 | 917 | 1641 | 1273 | 368
12. | Index Php | 713 | 282 | 995 | 228 | 767
13. | 3n_byt3 | 674 | 1955 | 2629 | 929 | 1700
14. | HEXB00T3R | 613 | 622 | 1235 | 407 | 828
15. | brwsk007 | 612 | 261 | 873 | 31 | 842
16. | Red Eye | 604 | 1568 | 2172 | 2133 | 39
17. | d3b~X | 604 | 642 | 1246 | 64 | 1182
18. | Swan | 590 | 271 | 861 | 264 | 597
19. | uykusuz001 | 561 | 153 | 714 | 38 | 676
20. | 1923Turk | 553 | 1618 | 2171 | 471 | 1700
21. | Dr.SHA6H | 545 | 1302 | 1847 | 1500 | 347
22. | Over-X | 517 | 1783 | 2300 | 1390 | 910
23. | Mafia Hacking Team | 513 | 602 | 1115 | 330 | 785
24. | ZoRRoKiN | 485 | 278 | 763 | 219 | 544
25. | Digital Boys Underground Team | 476 | 446 | 922 | 190 | 732
Credits:
Jeremy Martin, IWC: Sr. Editor, Author, Designer, Threat Researcher
Amy Martin, IWC: Editor
Steve Williams, Scot Bradeen, CF360: Editor
Tim Hoffman, THC: Editor
Sponsors:
Information Warfare Center (IWC): www.informationwarfarecenter.com
Cyber Forensics 360 (CF360): www.cyberforensics360.com
Tim Hoffman & Associates (TH&A): www.timhoffmanassociates.com
Cyber Secrets: www.YouTube.com/iwccybersec