Table of Contents
1. Technology news and Security updates
1.1 Persistent EITest Malware Campaign Jumps from Angler to Neutrino
1.2 Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day
1.3 Microsoft Intensifies Fight Against Terrorism
1.4 GCHQ Infosec group disclosed kernel privilege exploit to Apple
1.5 Govt commits to ICT access in schools
1.6 iOS Update Causes New Bricking Problem, This Time With iPad Pro 9.7
1.7 The one thing you must do to avoid being scammed at an ATM in South Africa
1.8 Cyber thieves exploit bank’s faith in SWIFT
1.9 Organizations unprepared for employee-caused security incidents
2. Cybercrime and Intelligence in the news
2.1 Drupal websites hacked using SQL injection flaw
2.2 China-Linked Attackers Target Indian Embassies Worldwide
2.3 Attack on Swiss Defense Firm Linked to Turla Cyberspies
2.4 Dimension Data eyes Kenya cyber security contracts
2.5 Hackers Destroy Fur Affinity Art Gallery Website
2.6 Hackers Target Multiple Middle East Banks
3. Technical Security Alerts
3.1 Vulnerabilities, Malware and exploits
1. Technology news and Security updates:
1.1 Persistent EITest Malware Campaign Jumps from Angler to Neutrino
A two-year-old EITest malware campaign is still going strong, fueled by the fact that it has shifted its distribution technique over time. Now researchers at the SANS Institute’s Internet Storm Center are reporting that EITest is morphing again, based on analysis of the malware campaign conducted earlier this month.
According to researcher Brad Duncan, the EITest malware campaign is being refueled by its shift from the Angler exploit kit to the Neutrino exploit kit.
“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote in an Internet Storm Center post.
Source: https://threatpost.com/persistent-eitest-malware-campaign-jumps-from-angler-to-neutrino/118249/
1.2 Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day
Update: Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan.
A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has
embedded a working exploit for CVE-2016-4117 while Magnitude has not fully
implemented the exploit.
Kafeine this morning also confirmed that the Angler Exploit Kit has now integrated the
same Flash zero day exploit. The Angler exploits, however, are dropping the Dridex
banking Trojan. Dridex has primarily spread in spam and phishing emails, and used
malicious macros embedded in Office documents to download the Trojan.
Kafeine said that Magnitude is firing exploits for Flash Player up to version 21.0.0.213,
but the payloads are not executing, despite the presence of references to the vulnerable
code. It could be that the exploit was not implemented correctly; Kafeine said that as of
this morning the payloads were not working.
Source: https://threatpost.com/two-exploit-kits-spreading-attacks-for-recent-flash-player-zero-day/118236/
1.3 Microsoft Intensifies Fight Against Terrorism
Microsoft has detailed some of the steps it is taking to combat terrorism, which include
removing terrorist content from its services and partnering with others to meet the
challenges presented by terrorists’ use of the Internet.
The Internet has proven to be a great channel for terrorist groups to promote violence
and to recruit more people for their causes, and Microsoft is one of the tech companies
to react to this issue. Evolving technology is demanding new measures to combat
terrorism, and Microsoft notes that the Internet has already shown that it can be used for
the worst reasons imaginable.
In a blog post, Microsoft explains that its services are meant to empower people, not
contribute to terrible acts, but that the company is also focused on promoting values
such as privacy, freedom of expression and the right to access information. Thus, one of
the main changes that the company made to its services involves the removal of terrorist
content from its services, including hosting services.
Source: http://www.securityweek.com/microsoft-intensifies-fight-against-terrorism
1.4 GCHQ Infosec group disclosed kernel privilege exploit to Apple
Communications and Electronics Security Group (CESG), the information security arm of
GCHQ, was credited with the discovery of two vulnerabilities that were patched by Apple
last week.
The flaws could allow hackers to corrupt memory and cause a denial of service through
a crafted app or execute arbitrary code in a privileged context.
The memory handling vulnerabilities (CVE-2016-1822 and CVE-2016-1829) affect OS X
El Capitan v10.11 and later operating systems, according to Apple's 2016-003 security
update. The memory corruption vulnerabilities allowed hackers to execute arbitrary code
with kernel privileges.
The disclosure raises questions about the use of zero day exploits by the U.K.'s GCHQ,
and intelligence agencies internationally. Security information professionals see
competing priorities from intelligence agencies in how they make use of vulnerabilities.
Source: http://www.scmagazine.com/gchq-infosec-group-disclosed-kernel-privilege-exploit-to-apple/article/498288/
1.5 Govt commits to ICT access in schools
Government is determined to ensure the country's schools have access to smart
technologies to facilitate training for learners and teachers in critical ICT skills. This is the
word from telecoms minister Siyabonga Cwele, who noted South Africans need to
understand ICT has become an enabler of economic development and social inclusion.
Cwele's comments follow the handing over of a connected mobile ICT lab to the Dennis
A Mokoma Secondary School in Mabopane, Tshwane.
"This modern mobile ICT lab will enable our learners to access educational content, provide them with connectivity to the Internet and assist with facilitating training and learning," according to Cwele. "Our former president Nelson Mandela understood we need to ensure all our people have access to an Internet connection, particularly those who come from the townships and rural areas."
Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=152827:Govt-commits-to-ICT-access-in-schools
1.6 iOS Update Causes New Bricking Problem, This Time With iPad Pro 9.7
Apple has pulled back a recent update to its iOS 9 operating system after some iPad Pro
9.7 owners reported disabled tablets after their machines underwent updates to the
company's iOS 9.3.2 software release.
An Apple spokesman confirmed the problem and the pullback of the iOS update in a
May 23 reply to an email inquiry from eWEEK.
"We're working on a fix for an issue impacting a small number of iPad units that are
receiving an error when trying to update the software," the spokesman told eWEEK.
"We'll issue an update as quickly as possible."
The iOS 9.3.2 update was causing owners of some iPad Pro 9.7 tablets to lose the use
of their devices, which were essentially "bricked," or left useless after the patch was
installed. Apple initially said it was looking into the issue after receiving "a small number
of reports" about the problem.
Source: http://www.eweek.com/mobile/ios-update-causes-new-bricking-problem-this-time-with-ipad-pro-9.7.html
1.7 The one thing you must do to avoid being scammed at an ATM in South Africa
The South African Banking Risk Information Centre (Sabric) has warned that the prevalence of cybercrime is increasing, and that people are defrauded of millions each year.
“It affects business sectors and consumers, and this has called on security measures to
be put in place to protect assets and important information,” said Kalyani Pillay, Sabric
CEO.
“The responsibility of protecting yourself against cybercrime and increasing your
cybersecurity lies with every single one of us.”
FNB, Capitec, and Nedbank provided advice on how to avoid falling prey to criminals
targeting ATMs, and all stated that you should never allow anyone near you, your bank
card, or the ATM while you are withdrawing money.
Source: http://mybroadband.co.za/news/banking/164860-the-one-thing-you-must-do-to-avoid-being-scammed-at-an-atm-in-south-africa.html
1.8 Cyber thieves exploit bank’s faith in SWIFT
Shortly after 7pm on 12 January 2015, a message from a secure computer terminal at
Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to
transfer money to bank accounts in Hong Kong. Wells Fargo complied. Over 10 days,
Wells approved a total of at least 12 transfers of BDA funds requested over the secure
SWIFT system.
The SWIFT network – which allows banks to process billions of dollars in transfers each
day – is considered the backbone of international banking. In all, Wells Fargo transferred
$12 million of BDA's money to accounts across the globe.
Both banks now believe those funds were stolen by unidentified hackers, according to
documents in a BDA lawsuit filed against Wells Fargo in New York this year.
Source: http://news.softpedia.com/news/african-hacker-phished-his-way-into-2-million-worth-of-airline-tickets-504353.shtml
1.9 Organizations unprepared for employee-caused security incidents
While employee-related security risks are the number-one concern for security
professionals, organizations are not taking adequate steps to prevent negligent
employee behavior, according to a new Ponemon Institute study.
The study, Managing Insider Risk Through Training & Culture, asked more than 600
individuals at companies that currently have a data protection and privacy training
program to weigh in on the topic of negligent and malicious employee behaviors, as well
as the consequences of poor security conduct and the effectiveness of training.
The study found that 55 percent of companies surveyed have already experienced a
security incident due to a malicious or negligent employee. However, despite investment
in employee training and other efforts to reduce careless behavior in the handling of
sensitive and confidential information, the majority of companies do not believe that their
employees are knowledgeable about the company’s security risks.
Source: https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-incidents/
2. Cybercrime and Intelligence in the news:
2.1. Drupal websites hacked using SQL injection flaw
Hackers have attacked hundreds of Drupal websites, installing ransomware that hijacks
the website’s main page. Softpedia reported that the attackers exploited a two-year-old
vulnerability in Drupal for the SQL injection attacks.
Drupal website owners said their websites were locked, with the message:
“Website is locked. Please transfer 1.4 BitCoin to address
3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”
“The attacker’s scanning bot extracts the Drupal site’s version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and change the admin user’s password,” reported Softpedia.
Source: http://mybroadband.co.za/news/security/165852-drupal-websites-hacked-using-sql-injection-flaw.html
2.2. China-Linked Attackers Target Indian Embassies Worldwide
A threat group first analyzed more than two years ago has continued to improve its
malware arsenal and was recently observed targeting personnel at Indian embassies
worldwide.
The actor’s activities were brought to light in late 2013 by FireEye. The security firm had
analyzed a campaign aimed at foreign affairs ministries in Europe, which it dubbed
“Operation Ke3chang.”
FireEye linked the attackers to China and determined that they had been active since at
least 2010. At the time of the initial analysis, the group had been using three pieces of
malware named by researchers BS2005, BMW, and MyWeb.
Source: http://www.securityweek.com/china-linked-attackers-target-indian-embassies-worldwide
2.3. Attack on Swiss Defense Firm Linked to Turla Cyberspies
The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out
by the Russia-linked threat group known as Turla, according to a report commissioned
by the Swiss government.
RUAG is a Bern-based technology company owned by the Swiss government. The
organization specializes in aviation, space and defense with products ranging from
satellite equipment to ammunition.
News of a cyberattack on RUAG came to light earlier this month when Switzerland’s
Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious
actors in January while he was attending the World Economic Forum. Parmelin said at
the time that the government was investigating a possible connection between the attack
on the country’s Department of Defense and an attack on RUAG.
Source: http://www.securityweek.com/attack-swiss-defense-firm-linked-turla-cyberspies
2.4. Dimension Data eyes Kenya cyber security contracts
South Africa IT infrastructure firm Dimension Data is offering remote security services to
Kenyan companies such as banks and others that handle high-risk data, Business Daily
reported. It has launched its Managed Security Services (MSS), which eliminates the
need for its clients to invest heavily in internal security experts, and helps them to
establish regulatory compliance.
Joseph Kairigo, MD of Dimension Data East Africa, said rates depend on the number of machines or servers that are remotely monitored and on the sensitivity of the data. To keep off competition, the company will rely on its professional security service team across the Middle East and Africa to deliver the service from its Security Operation Centres (SOCs).
MSS is able to capture live logs and send alerts of manipulation of electronic files and
any attempts to circumvent IT controls. This service offloads the burden of network
monitoring, advanced security analysis, and global intelligence correlation.
Source: http://www.telecompaper.com/news/dimension-data-eyes-kenya-cyber-security-contracts-2--1144714
2.5. Hackers Destroy Fur Affinity Art Gallery Website
Hackers targeted the Fur Affinity art gallery website and deleted everything; thanks to a backup, the site is up and running once again.
A well-known and widely followed online hub of the furry community, called Fur Affinity, disappeared from the web. The furry community is a group of people with a keen interest in anthropomorphic animal characters such as foxes and wolves. The hackers wiped all content, including art submissions and user profiles, from the Fur Affinity website, which is an online gallery that allows users to upload music, art and written content.
It is quite possible that they also stole email addresses and hashed passwords. The
website’s self-proclaimed Director of Operations, who uses the nickname Chase, stated
in an announcement on the site’s discussion forum that “the attackers [gained] access to
personal user data, such as encrypted passwords and email addresses.”
Source: https://www.hackread.com/hackers-destroy-fur-affinity-website/
2.6. Hackers Target Multiple Middle East Banks
Hackers have been found scoping out banks throughout the Middle East in an apparent
reconnaissance mission ahead of a major offensive.
According to FireEye researchers, in the first week of May 2016, FireEye’s DTI identified
a wave of emails containing malicious attachments being sent to multiple banks in the
Middle East region. The ultimate payload is scripting used to collect important
information from the infected system, including the currently logged on user, the
hostname, network configuration data, user and group accounts, local and domain
administrator accounts, running processes and other data.
It’s likely this information will be used to architect and mount a wider and more damaging
campaign.
The attackers sent multiple emails containing macro-enabled Excel spreadsheet files to employees. The themes of the messages used in the attacks are related to IT infrastructure, such as a log of “Server Status Reports” or a list of Cisco IronPort appliance details. Interestingly, the macro will run successfully only on Windows Vista and subsequent versions of the operating system.
“In one case, the content of the email appeared to be a legitimate email conversation
between several employees, even containing contact details of employees from several
banks,” FireEye noted. “This email was then forwarded to several people, with the
malicious Excel file attached.”
Source: http://www.infosecurity-magazine.com/news/hackers-target-multiple-middle/
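The chain described above (macro-enabled Excel attachment, then a script that surveys the host) leaves a distinctive trace in process-creation telemetry. The following detection logic is an added example, not code from the bulletin or from FireEye; the log lines are constructed, and the mapping of FireEye's data categories to specific Windows built-ins is an assumption.

```python
import json
import re
from typing import Dict, List, Set

# Assumption (not from the bulletin): the data FireEye lists (logged-on user,
# hostname, network configuration, accounts, admin groups, running processes)
# is gathered with these Windows built-ins; extend to match your telemetry.
RECON_COMMANDS = {"whoami", "hostname", "ipconfig", "net", "net1",
                  "tasklist", "systeminfo", "nltest"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events, one JSON object per line
# (backslashes are JSON-escaped; the Python string is raw).
SAMPLE_LOG = r'''
{"host": "ws07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Office\\EXCEL.EXE", "command_line": "EXCEL.EXE C:\\Users\\a\\Server_Status_Reports.xlsm"}
{"host": "ws07", "parent_image": "C:\\Office\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami & hostname & ipconfig /all"}
{"host": "ws07", "parent_image": "C:\\Office\\EXCEL.EXE", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net localgroup administrators"}
{"host": "ws12", "parent_image": "C:\\Office\\EXCEL.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -w hidden -nop"}
{"host": "ws12", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami"}
'''

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _tokens(cmdline: str) -> Set[str]:
    """Command words split on shell separators, with paths and .exe stripped."""
    out = set()
    for raw in re.split(r"[\s&|;]+", cmdline):
        tok = _basename(raw.strip("\"'"))
        out.add(tok[:-4] if tok.endswith(".exe") else tok)
    out.discard("")
    return out

def classify(evt: Dict[str, str]) -> str:
    """Return the matching rule name, or '' when the event is not suspicious."""
    parent, image = _basename(evt["parent_image"]), _basename(evt["image"])
    if parent not in OFFICE_APPS:
        return ""
    if image[:-4] in RECON_COMMANDS:
        return "office_spawns_recon_tool"           # EXCEL.EXE -> net.exe
    if image in SCRIPT_HOSTS:
        if _tokens(evt["command_line"]) & RECON_COMMANDS:
            return "office_script_host_runs_recon"  # cmd.exe /c whoami & ...
        return "office_spawns_script_host"          # worth a look on its own
    return ""

def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse JSON lines and return one alert per suspicious event."""
    alerts = []
    for line in log_text.strip().splitlines():
        evt = json.loads(line)
        rule = classify(evt)
        if rule:
            alerts.append({"host": evt["host"], "rule": rule,
                           "command_line": evt["command_line"]})
    return alerts
```

Run `scan(SAMPLE_LOG)` to see the three events that fire; the user typing `whoami` in a console and Excel simply opening the spreadsheet stay quiet.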
3. Technical Security Alerts:
Technical security alerts cover current security issues, vulnerabilities, malware and exploits, and are published proactively to give timely information about their impact, propagation and remediation. This information is provided so that technical teams can protect their infrastructure environments.
3.1 Vulnerabilities, Malware and exploits
The table below lists all the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today.
Name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160523-pi-epnm
Description: A vulnerability in the application programming interface (API) web interface of the Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, remote attacker to perform privilege escalation on the affected device.
Propagation: The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests a web page or service that should be restricted. An attacker could exploit this vulnerability by performing reconnaissance attacks to the application web pages and services to identify potential devices of interest.
Technologies and software affected: Cisco Prime Infrastructure prior to version 3.1; Cisco Evolved Programmable Network Manager prior to version 1.2.4.
Remedy: Cisco has released software updates that address this vulnerability.
Severity: Medium Risk
Name: Adobe Flash Player and AIR MSIMB32.dll DLL Load Remote Code Execution Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=46342
Vendor announcements: Red Hat has released multiple CVE statements and a security advisory for bug 1335058 at the following link: CVE-2016-4116 and RHSA-2016-1079.
Description: A vulnerability in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code.
Propagation: An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to access a malicious link designed with crafted Flash content. Processing such Flash content could allow an attacker to cause the MSIMB32.dll library to load an arbitrary DLL file, which could allow the attacker to execute arbitrary code on the system in the context of the browser.
Technologies and software affected: The following Adobe products are vulnerable:
- Flash Player Desktop Runtime versions 21.0.0.226 and prior for Windows and Macintosh
- Flash Player Extended Support Release versions 18.0.0.343 and prior for Windows and Macintosh
- Flash Player versions 11.2.202.616 and prior for Linux
- AIR Desktop Runtime versions 21.0.0.198 and prior
- AIR SDK versions 21.0.0.198 and prior
- AIR SDK & Compiler versions 21.0.0.198 and prior
Remedy: Adobe has released software updates.
Severity: Critical Risk
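The Cisco Prime Infrastructure entry above describes a defect class rather than a single bug: role evaluation that is applied to some web pages but not to the JSON services behind them, so an authenticated low-privileged user can call the service directly. The following is an added example, not Cisco's code; the route table, paths and role names are hypothetical, and it puts the flawed pattern beside a deny-by-default check that also canonicalises the path before lookup.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

@dataclass(frozen=True)
class User:
    name: str
    role: str  # hypothetical role names: "admin", "operator", "viewer"

# Hypothetical route table for a network-management web app: each UI page and
# each JSON service it calls, with the roles allowed to reach it.
ROUTE_ROLES: Dict[str, FrozenSet[str]] = {
    "/ui/devices":              frozenset({"admin", "operator", "viewer"}),
    "/ui/admin/users":          frozenset({"admin"}),
    "/api/v1/devices.json":     frozenset({"admin", "operator", "viewer"}),
    "/api/v1/admin/users.json": frozenset({"admin"}),
}

def canonical(path: str) -> str:
    """Normalise before lookup so case, '..' segments, duplicate or trailing
    slashes and query strings cannot dodge the route table."""
    path = path.split("?", 1)[0].lower()
    return posixpath.normpath("/" + path.lstrip("/"))

def authorize_flawed(user: User, path: str) -> bool:
    """The defect class: roles are evaluated for UI pages only. The JSON
    services are assumed to be reached through an already-authorised page,
    so any authenticated user may call them directly."""
    path = canonical(path)
    if path.startswith("/ui/"):
        return user.role in ROUTE_ROLES.get(path, frozenset())
    return True                      # /api/... is never checked

def authorize(user: User, path: str) -> bool:
    """Deny by default: every page and every service needs an explicit
    entry, and the role check runs on each request."""
    allowed: Optional[FrozenSet[str]] = ROUTE_ROLES.get(canonical(path))
    return allowed is not None and user.role in allowed

def handle(user: User, path: str, check=authorize) -> int:
    """Tiny request dispatcher returning an HTTP status for the decision."""
    return 200 if check(user, path) else 403
```

Unlisted routes fail closed with the hardened check, so adding a new JSON service without a role entry produces 403s in testing rather than a silent privilege escalation in production.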