February 24, 2015 Summary - Information Warfare...



Page 1: February 24, 2015 Summary - Information Warfare …informationwarfarecenter.com/cir/archived/pre/IWC-CIR...February 24, 2015 The IWC CIR is an OSINT resource focusing on advanced persistent

February 24, 2015

The IWC CIR is an OSINT resource focusing on advanced persistent threats and other digital dangers. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage.

Summary

Symantec ThreatCon Level 2 - Medium: Increased alertness

This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating.

Malware found in hard drive firmware! Are your forensic tools now useless?

I have been teaching clean room data recovery, digital forensics, and system exploitation for many years. It has recently come to light that many different hard drives from multiple vendors have been found with malware or malicious logic installed in the firmware. Infecting a drive before it goes out is nothing new and has been done against many nation states and companies alike. What is new is that the hard-to-access firmware was infected.

This may not sound like a big deal, but firmware is special code that not only tells the hardware how to act, it also tells the operating system how to interact with the hardware. Firmware on a hard drive tells the head stack, or moving arms in a spinning-platter drive, how to read the analog data off the magnetic disk. It tells the motor how fast to spin. It controls everything about the hard drive before the motherboard or operating system can recognize the drive as a drive.

The firmware is stored in two places on traditional hard drives. The first is the Printed Circuit Board (PCB) on the bottom of the drive. The next area is called the System Area, or “S.A.” for short. This area is also called the negative cylinders, maintenance tracks, reserved cylinders, calibration area, initialization area, and diskware. The name depends on the manufacturer.

Think of the SA as a database stored in a special area of the drive that only the hard drive was designed to access. This database contains the serial number, SMART data, the bad block lists, and other information, including the firmware overlays/executable code/updates. It was designed this way because it is easier to update the drive than it is to update the PCB hardware.

InformationWarfareCenter.com 1 | P a g e


CIR

Unfortunately, just as vendors have been unable to standardize even a name, they have different methods of implementing the SA: different sizes of the SA, different sizes of the fields in the database, and different items stored. This adds too many variables for most data recovery experts to bother with, let alone hackers. Another issue is that the data is written in a physically different format called Utility Block Addressing, or UBA, modules.

What does this mean for forensics? Well, besides the likelihood of this code running with root or system privileges, this negative space cannot be natively seen by even the operating system. As far as the computer is concerned, the hard drive starts at sector 0 and the negative space is before this. Sector 0 has generally contained the Master Boot Record or MBR. This is the code that tells the motherboard how to handle the data on the drive starting at sector 1. Even the “government used gold standard” in forensic tools can only see sector 0 to the last sector, thus making them ineffective at finding this threat.

Data recovery tools, on the other hand, can see this area, since many drive failures are caused by the firmware being corrupted. Tools like the PC3000 from DeepSpar can see this area and even back up and replace it. The other option is to write your own tool to access this area, as the actors behind this malware have done. Remember, though, that each drive family and manufacturer will most likely be different. This means that the malware was customized for many different drive configurations. This alone makes it an Advanced Persistent Threat.

Are your forensic tools useless? No. Not completely. Even though your traditional post-mortem or dead-box forensic methods cannot see this threat, there are other forensic vectors such as memory analysis and network monitoring. Every network connection leaves a fingerprint. You just have to find it.
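The limit described above, that an imaging tool sees only sector 0 through the last sector, can be read directly from a drive's ATA IDENTIFY DEVICE data. The following Python code is an added example, not code from the original newsletter or its author: it parses a 512-byte IDENTIFY block, derives the host-addressable range, and checks a dead-box image size and the self-reported firmware revision against a baseline. The function names, the baseline format, and the sample block are assumptions constructed for illustration.

```python
import struct

SECTOR = 512  # bytes per logical sector assumed in this example


def _ata_string(words, first, last):
    """ATA strings hold two ASCII characters per 16-bit word, high byte first."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", errors="replace").strip()


def parse_identify(block):
    """Decode the fields of a 512-byte IDENTIFY DEVICE block used below."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", block)
    lba28 = words[60] | (words[61] << 16)
    # Word 83 is valid when bit 14 is set and bit 15 is clear; bit 10 = LBA48.
    lba48_ok = (words[83] & 0xC000) == 0x4000 and bool(words[83] & (1 << 10))
    lba48 = sum(words[100 + i] << (16 * i) for i in range(4))
    return {
        "serial": _ata_string(words, 10, 19),
        "firmware": _ata_string(words, 23, 26),   # self-reported by the drive
        "model": _ata_string(words, 27, 46),
        "total_sectors": lba48 if lba48_ok and lba48 else lba28,
    }


def audit(block, image_bytes, approved):
    """Return (info, findings) for one drive and its dead-box image.

    approved is a hypothetical baseline: {model: {firmware revisions}}.
    """
    info = parse_identify(block)
    findings = []
    # Host-visible space is LBA 0 .. total_sectors-1. The System Area lies
    # outside it, so even a complete image contains none of the firmware.
    expected = info["total_sectors"] * SECTOR
    if image_bytes < expected:
        missing = -(-(expected - image_bytes) // SECTOR)  # ceiling division
        findings.append("image-short: %d sectors not captured" % missing)
    if info["model"] not in approved:
        findings.append("model-not-in-baseline: %s" % info["model"])
    elif info["firmware"] not in approved[info["model"]]:
        findings.append("firmware-not-in-baseline: %s" % info["firmware"])
    return info, findings


def build_sample_identify(serial, firmware, model, sectors):
    """Constructed input: a synthetic IDENTIFY block, not a real drive dump."""
    words = [0] * 256

    def put(first, count, text):
        data = text.ljust(count * 2)[:count * 2].encode("ascii")
        for i in range(count):
            words[first + i] = (data[2 * i] << 8) | data[2 * i + 1]

    put(10, 10, serial)
    put(23, 4, firmware)
    put(27, 20, model)
    capped = min(sectors, 0x0FFFFFFF)          # LBA28 field saturates
    words[60], words[61] = capped & 0xFFFF, capped >> 16
    words[83] = 0x4000 | (1 << 10)             # valid word, LBA48 supported
    for i in range(4):
        words[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    blk = build_sample_identify("SN-CONSTRUCTED-01", "FW02",
                                "EXAMPLE HDD 1TB", 1953525168)
    baseline = {"EXAMPLE HDD 1TB": {"FW01"}}   # constructed baseline
    info, findings = audit(blk, 1953525168 * SECTOR, baseline)
    print("host-visible LBAs: 0 ..", info["total_sectors"] - 1)
    for f in findings:
        print("finding:", f)
```

A matching firmware string is not proof of integrity, because the string is reported by the firmware itself; a mismatch is still a reason to move on to memory analysis and network monitoring.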
Now, before anyone claims that a 14-year-old perpetrated this attack, use common sense. Is it possible? Yes. Is it likely? Not by a long shot. Like in law enforcement, you should talk to M.O.M.: explain Means, Operandi, and Motive. This took a lot of skill. This took a lot of knowledge. Whoever wrote this had an extensive budget to fund the research and purchase new drives as they came out. This was likely a team that had the wherewithal to test and keep up to date with the different SA parameters and the patience to wait for the “Profit”…

About the Author

Jeremy Martin is a Senior Security Researcher who has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare. Starting his career in 1995, Mr. Martin has worked with Fortune 200 companies and Federal Government agencies, receiving a number of awards for service. Having helped build several incident response teams and computer forensic labs, he has been fully qualified to testify in court as an expert witness. Jeremy also teaches classes such as Advanced Ethical Hacking, Computer Forensics, Clean Room Data Recovery, and Security Management (CISSP/CISM). His current research projects include vulnerability analysis, threat profiling, exploitation automation, anti-forensics, wireless/cell surveillance, and reverse engineering malware.


News: Information Warfare
Africa is new 'El Dorado of espionage', leaked intelligence files reveal - The Guardian.
CIA looks to expand its cyber espionage capabilities - Washington Post.
Corporate espionage case: Cabinet secretary Ajit Seth to chair high-level ... - Economic Times.
Companies Of Several Indian Billionaires Embroiled In A Case Of Corporate ... - Forbes.
Peru waits for Chile response to espionage complaint - Peru this Week.
Snowden: Spy Agencies 'Screwed All of Us' in Hacking Crypto Keys - Wired.
Gemalto sees no significant impact from hacking issue - Reuters.
Why Firmware Is So Vulnerable to Hacking, and What Can Be Done About It - Wired.
Hackers attack the US State Department thousands of times a day - Digital Trends.
From Hacking Systems To Hacking People - Dark Reading.
Snowden, Laura, And Glenn Did An AMA This Morning.
Why Firmware Is So Vulnerable To Hacking, And What Can Be Done About It.
Yahoo Exec Goes Mano A Mano With NSA Director Over Backdoors.
Ad-Blocking Software Is 'Worse Than Superfish'.
Hackers Cut In Line At The Burning Man Ticket Sale.
BlackShades Co-Creator, Alex Yucel, Pleads Guilty.
How The NSA's Firmware Hacking Works.
Facebook Security Finds 10 Superfish Sub-Species.
Battery Power Alone Can Be Used To Track Android Phones.
Cisco IPv6 Processing Bug Can Cause DoS Attacks.
Microsoft / McAfee Move To Gut Superfish From Lenovo Laptops.
Android backdoor lurking inside legitimate apps.
Magnitude exploit kit changes tack to make money from CryptoWall ransomware.
Malware is less concerned about virtual machines.
Standardizing complaints, sharing cyber info and tracking Ebola.
Silicon Valley is becoming bigger player in Washington.
Cyber Uncertainty [National Guard].
Cyber Infiltration During Operation Protective Edge.
A timely warning from the feds: Bitcoins are the 'Wild West'.
Data breaches and high-risk vulnerabilities continue to dominate.
Why utilities need to worry about the 10 most vulnerable consumer devices.

News: HIPAA
HIPAA crackdown coming: How to prep for audits - Government Health IT.
Are physician practices up-to-date on HIPAA compliance? - Healthcare Dive.
Is it a HIPAA violation to chart while you're technically off the clock? - Nurse.com.
Anthem hack: Does HIPAA federal health privacy law have a gap? - NOLA.com.
Should encryption be a mandatory requirement of HIPAA? - mHealthNews.

News: SCADA
How 'Power fingerprint' could improve security for ICS/SCADA systems - Networks Asia.
Copa-Data releases latest version of HMI/SCADA software zenon 7.20 - OnWindows.com.
The Impact of Piracy on SCADA - Automation World.
Siemens sighs: SCADA bugs abound - The Register.

News: Cyber Laws & Legislation
Marsico Cyber Bullying Legislation Passes Through House - abc27.
It's time to update antiquated cybersecurity legislation - Washington Examiner.
House Homeland Security Committee to Mull Cyber Legislation at Hearing - ExecutiveGov.
Proposed legislation would force car companies to take cyber security ... - Autoblog (blog).
Legislation and the future of federal cybersecurity - FCW.com.


News: Computer Forensics
Computer Forensics Critical in the Trial of Silk Road's Ross Ulbricht - HSToday (blog).
Police Units Specialize in Forensics Reviews of Smartphones, Tablets - NBC4 Washington.
Stevens Point police seek computer forensics training this week at meeting - WSAU.

Exploits
WordPress Holding Pattern Theme Arbitrary File Upload.
HP Client Automation Command Injection.
Zeuscart 4 Cross Site Scripting / SQL Injection.
WordPress Admin Shell Upload.
Kony EMM 1.2 Insecure Direct Object Reference.
MyConnection Server 8.2b Cross Site Scripting.
Zabbix 2.0.5 Password Disclosure.
xaviershay-dm-rails 0.10.3.8 MySQL Credential Disclosure.
WeBid 1.1.1 Unrestricted File Upload.
WordPress ADPlugg 1.1.33 Cross Site Scripting.
Samsung iPolis Buffer Overflow.
Clipbucket 2.7.0.4.v2929-rc3 Blind SQL Injection.
PHP DateTimeZone Type Confusion Infoleak.
PHP DateTime Use-After-Free.
Javascript Injection For Eval-Based Unpackers.
phpBugTracker 1.6.0 CSRF / XSS / SQL Injection.
WordPress Easy Social Icons 1.2.2 CSRF / XSS.
4images Cross Site Scripting / Clickjacking.
Mediafire Open Redirect.
OpenCRM SQL Injection.
WordPress WooCommerce 2.2.10 Cross Site Scripting.
MyBB 1.8.3 Cross Site Scripting.
Rackspace Cross Site Scripting.
Beehive Forum 1.4.4 - Stored XSS Vulnerability.
HP Client Automation Command Injection.
WonderPlugin Audio Player 2.0 - Blind SQL Injection and XSS.
PCMan FTP Server 2.0.7 - Buffer Overflow - MKD Command.
Realtek 11n Wireless LAN utility - Privilege Escalation.
WordPress Webdorado Spider Event Calendar 1.4.9 - SQL Injection.
WordPress Easy Social Icons Plugin 1.2.2 - CSRF Vulnerability.
phpBugTracker 1.6.0 - Multiple Vulnerabilities.
Zeuscart v.4 - Multiple Vulnerabilities.
[dos] - PHP DateTime Use After Free Vulnerability.

CVE and Advisories

CVE-2015-2055. 2015-02-23 Zhone GPON 2520 with firmware R4.0.2.566b allows remote attackers to cause a denial of service via a long string in the oldpassword parameter. (CVSS:0.0) (Last Update:2015-02-23)

CVE-2015-1587. 2015-02-19 Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a request to a predictable filename in tmp/. (CVSS:7.5) (Last Update:2015-02-20)


Red Hat Security Advisory 2015-0264-01. Tue, 24 Feb 2015 17:01:19 GMT Red Hat Security Advisory 2015-0264-01 - This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.6. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment.

Red Hat Security Advisory 2015-0263-01. Tue, 24 Feb 2015 17:00:58 GMT Red Hat Security Advisory 2015-0263-01 - This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5.7. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. Users of Red Hat Satellite 5.7 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR16-FP3 release. For this update to take effect, Red Hat Satellite must be restarted, as well as all running instances of IBM Java.

Red Hat Security Advisory 2015-0260-01. Tue, 24 Feb 2015 01:47:20 GMT Red Hat Security Advisory 2015-0260-01 - YAML is a data serialization format designed for human readability and interaction with scripting languages. LibYAML is a YAML parser and emitter written in C. An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. All libyaml users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the libyaml library must be restarted for this update to take effect.

Red Hat Security Advisory 2015-0257-01. Tue, 24 Feb 2015 01:46:43 GMT Red Hat Security Advisory 2015-0257-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Ubuntu Security Notice USN-2508-1. Tue, 24 Feb 2015 01:46:36 GMT Ubuntu Security Notice 2508-1 - Richard van Eeden discovered that the Samba smbd file services incorrectly handled memory. A remote attacker could use this issue to possibly execute arbitrary code with root privileges.

Ubuntu Security Notice USN-2507-1. Tue, 24 Feb 2015 01:46:29 GMT Ubuntu Security Notice 2507-1 - Jose Duart discovered that e2fsprogs incorrectly handled invalid block group descriptor data. A local attacker could use this issue with a crafted filesystem image to possibly execute arbitrary code.

Ubuntu Security Notice USN-2509-1. Tue, 24 Feb 2015 01:46:18 GMT Ubuntu Security Notice 2509-1 - The ca-certificates package contained outdated CA certificates. This update refreshes the included certificates to those contained in the 20141019 package.

Debian Security Advisory 3171-1. Tue, 24 Feb 2015 01:42:51 GMT Debian Linux Security Advisory 3171-1 - Richard van Eeden of Microsoft Vulnerability Research discovered that Samba, a SMB/CIFS file, print, and login server for Unix, contains a flaw in the netlogon server code which allows remote code execution with root privileges from an unauthenticated connection.

Debian Security Advisory 3169-1. Tue, 24 Feb 2015 01:42:49 GMT Debian Linux Security Advisory 3169-1 - Several vulnerabilities have been fixed in eglibc, Debian's version of the GNU C library.

Red Hat Security Advisory 2015-0250-01. Mon, 23 Feb 2015 18:32:22 GMT Red Hat Security Advisory 2015-0250-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon.


Red Hat Security Advisory 2015-0254-01. Mon, 23 Feb 2015 18:28:00 GMT Red Hat Security Advisory 2015-0254-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Red Hat Security Advisory 2015-0252-01. Mon, 23 Feb 2015 18:25:22 GMT Red Hat Security Advisory 2015-0252-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Red Hat Security Advisory 2015-0251-01. Mon, 23 Feb 2015 18:24:00 GMT Red Hat Security Advisory 2015-0251-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Red Hat Security Advisory 2015-0249-01. Mon, 23 Feb 2015 18:22:22 GMT Red Hat Security Advisory 2015-0249-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Debian Security Advisory 3166-1. Mon, 23 Feb 2015 18:02:00 GMT Debian Linux Security Advisory 3166-1 - Jose Duart of the Google Security Team discovered a buffer overflow in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file systems. This issue can possibly lead to arbitrary code execution if a malicious device is plugged in, the system is configured to automatically mount it, and the mounting process chooses to run fsck on the device's malicious filesystem.

Red Hat Security Advisory 2015-0252-01. Mon, 23 Feb 2015 17:55:55 GMT Red Hat Security Advisory 2015-0252-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Debian Security Advisory 3168-1. Mon, 23 Feb 2015 14:44:00 GMT Debian Linux Security Advisory 3168-1 - Kousuke Ebihara discovered that redcloth, a Ruby module used to convert Textile markup to HTML, did not properly sanitize its input. This allowed a remote attacker to perform a cross-site scripting attack by injecting arbitrary JavaScript code into the generated HTML.

Red Hat Security Advisory 2015-0256-01. Mon, 23 Feb 2015 14:02:22 GMT Red Hat Security Advisory 2015-0256-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon.


Red Hat Security Advisory 2015-0255-01. Mon, 23 Feb 2015 13:33:00 GMT Red Hat Security Advisory 2015-0255-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. An uninitialized pointer use flaw was found in the Samba daemon. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of the user running smbd.

Debian Security Advisory 3165-1. Sun, 22 Feb 2015 18:22:00 GMT Debian Linux Security Advisory 3165-1 - Jiri Horner discovered a way to cause xdg-open, a tool that automatically opens URLs in a user's preferred application, to execute arbitrary commands remotely.

Debian Security Advisory 3167-1. Sun, 22 Feb 2015 18:22:00 GMT Debian Linux Security Advisory 3167-1 - Jakub Wilk reported that sudo, a program designed to provide limited super user privileges to specific users, preserves the TZ variable from a user's environment without any sanitization. A user with sudo access may take advantage of this to exploit bugs in the C library functions which parse the TZ environment variable or to open files that the user would not otherwise be able to open. The latter could potentially cause changes in system behavior when reading certain device special files or cause the program run via sudo to block.

Cisco Security Advisory 20150220-ipv6. Sat, 21 Feb 2015 14:44:00 GMT Cisco Security Advisory - A vulnerability in the parsing of malformed IP version 6 (IPv6) packets in Cisco IOS XR Software for Cisco Network Convergence System 6000 (NCS 6000) and Cisco Carrier Routing System (CRS-X) could allow an unauthenticated, remote attacker to cause a reload of a line card that is processing traffic. The vulnerability is due to improper processing of malformed IPv6 packets carrying extension headers. An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. An exploit could allow the attacker to cause a reload of the line card on the affected Cisco IOS XR device. Cisco has released free software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Debian Security Advisory 3164-1. Sat, 21 Feb 2015 13:33:00 GMT Debian Linux Security Advisory 3164-1 - Pierrick Caillon discovered that the authentication could be bypassed in the Typo 3 content management system.

HP Security Bulletin HPSBPV03266. Fri, 20 Feb 2015 20:22:00 GMT HP Security Bulletin HPSBPV03266 - Potential security vulnerabilities have been identified with certain HP Networking and H3C switches and routers running NTP. The vulnerabilities could be exploited remotely to allow execution of code, disclosure of information and denial of service (DoS). Revision 1 of this advisory.

Red Hat Security Advisory 2015-0246-01. Thu, 19 Feb 2015 23:03:14 GMT Red Hat Security Advisory 2015-0246-01 - OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw.


Zone-H Attack Statistics:

N°   Notifier                        Single def.  Mass def.  Total def.  Homepage def.  Subdir def.
1.   Barbaros-DZ                     3449         157        3606        1223           2383
2.   Hmei7                           2843         1510       4353        774            3579
3.   Ashiyane Digital Security Team  2838         4101       6939        1314           5625
4.   LatinHackTeam                   1438         1266       2704        2254           450
5.   iskorpitx                       1324         955        2279        786            1493
6.   Fatal Error                     1110         1723       2833        2453           380
7.   HighTech                        926          3218       4144        3255           889
8.   chinahacker                     889          1344       2233        4              2229
9.   MCA-CRB                         854          626        1480        374            1106
10.  By_aGReSiF                      757          1427       2184        802            1382
