TA14-317A: Apple iOS “Masque Attack” Technique

NCCIC / US-CERT

National Cyber Awareness System:

11/13/2014 09:17 AM EST
Original release date: November 13, 2014

Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.

Overview

A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.

Description

Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.

This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.

Impact

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

Solution

iOS users can protect themselves from Masque Attacks by following three steps:

  1. Don’t install apps from sources other than Apple’s official App Store or your own organization.
  2. Don’t click “Install” from a third-party pop-up when viewing a web page.
  3. When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor.

Revision History

  • November 13, 2014: Initial Release


Support For Windows 2003 Server draws to an end

In a release from the United States Computer Emergency Readiness Team it was announced that Microsoft would be ending its support for Windows 2003 Server from July 14th 2015. If you haven’t already done so, I would suggest now is the time to start addressing this and take a hard look at your current and future needs and what operating system would best suit you. If you need any help please contact us on +44 (0)1624 620469 or visit www.blueshell.im. Please find the alert below.

NCCIC / US-CERT

National Cyber Awareness System:

11/10/2014 07:19 AM EST
Original release date: November 10, 2014

Systems Affected

Microsoft Windows Server 2003 operating system

Overview

Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:

  • Security patches that help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]

Impact

Computer systems running unsupported software are exposed to an elevated risk from cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.

Solution

Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and/or availability of data, system resources and business assets.

Microsoft’s “Microsoft Support Lifecycle Policy FAQ” page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4,5] US-CERT does not endorse or support any particular product or vendor.

Revision History

  • November 10, 2014: Initial Release

Ever Thought why would I change to a Unix/Linux based system ?

The article below is from 9to5Mac and was written by Joe Rossignoli; I think it makes interesting reading. Mac is often considered too expensive. However, it is the only non-Windows-based operating system that runs supported Microsoft Office, which is the one excuse a lot of companies use not to switch to a Linux or Unix based operating system. There is also the other point that, on average, the life span of a Mac running OS X is greater than that of a Windows-based Intel system, not to mention that the last 2 OS X operating system updates have been free. I would also add: how many cheap laptops and desktops actually have a real resale value? Finally, I draw your attention to this company’s problems and what cost reputation.

Home Depot blames security breach on Windows, senior executives given new MacBooks and iPhones


Earlier this week, The Wall Street Journal published an in-depth look at The Home Depot’s recent security breach of its payment data systems, in which 56 million credit card accounts and 53 million email addresses of customers were compromised. A root cause of the security breach: a Windows vulnerability in the retailer’s main computer network.

“Once inside Home Depot’s systems after gaining credentials from the outside vendor, the hackers were able to jump the barriers between a peripheral third-party vendor system and the company’s more secure main computer network by exploiting a vulnerability in Microsoft Corp.’s Windows operating system, the people briefed on the investigation said,” writes the WSJ’s Shelly Banjo.

The report claims that while Microsoft did issue a security patch after the breach began, which was installed by The Home Depot, the fix arrived too late. According to sources familiar with the investigation, the hackers already had the ability to move across The Home Depot’s systems, including its point-of-sale system, as if they were high-level employees.

The report unravels a lot of details related to how the security breach played out, with one anecdote that I found particularly interesting. Following the breach, an IT employee allegedly purchased two dozen new MacBooks and iPhones for senior executives at The Home Depot, indicating that the home-improvement retailer may have lost at least some confidence in its Microsoft-based systems.

MacBooks and iPhones have faced their fair share of security vulnerabilities over the past few years, although recent studies conducted by Kaspersky Labs and similar firms have proven that both devices remain highly secure platforms in terms of protection against malware and other threats. But whether shiny new Macs and iPhones in The Home Depot’s boardroom will help it prevent another massive security breach remains to be seen.

Original link here

http://9to5mac.com/2014/11/09/home-depot-windows-breach-macbooks-iphones/

 

 


Met Office gets £97m supercomputer

The following excerpt was written by Colin Barker from ZDNet. It is interesting that this beast will be running Linux, albeit Cray’s version of it, which I think speaks volumes. Why not call us for a free consultation and see if Linux can fit into your IT environment? You might be surprised just how much it could save you in more ways than you can imagine.

 

Every five or ten years the Met Office buys a new supercomputer that is bigger, faster and better than the previous one to improve weather forecasting. If only the weather had the predictability of a supercomputer everyone would be happy, but it doesn’t and that helps keep the supercomputer companies in business.

This time it is Cray Inc which has benefitted from the £97m ($128m) purchase of a Cray XC 40 supercomputer and Cray Sonexion storage systems. The XC40 will have a performance of 16 Petaflops and installation – which Cray says will be in three phases – is due to be completed next year.

The Cray will replace an array of IBM Power 6 systems that have a 140Tflops performance. The Met Office last used a Cray system back in 1997 when it installed a Cray T3E.

The new Cray will be headquartered at the Met Office in the Exeter Science Park. According to Cray it will be their largest supercomputer installation outside of the US. Cray estimates that the upgrade will give the Met Office 13 times the power it currently has.

Multiple system deliveries are expected between 2014 and 2017, said Cray in a statement, “with the major deliveries expected between 2015 and 2017”.

When completed the Cray will weigh 140 tonnes, have no less than 480,000 cores (compared to 40,000 in the IBM system), have 2 Petabytes of RAM (compared to 80,000 GB) and 17 Petabytes of storage. The Met Office estimates that at peaks it will manage 16,000 trillion calculations per second.

Special features of the Cray XC40 supercomputers include the Aries system interconnect along with a Dragonfly network topology that, Cray says, “will free applications from locality constraints”. The DataWarp applications I/O accelerator technology will also be included along with a cooling system that Cray claims will lower customers’ total cost of ownership. The operating system will be Cray Linux.

Commenting on the deal the Met Office chief executive Rob Varley said: “This will lead to a step change in weather forecasting and climate prediction, and give us the capability to strengthen our collaborations with partners in the South West, UK and around the world”.


US-CERT Alert TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware

Systems Affected

Microsoft Windows

Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user’s system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:

  • Subject: “Unpaid invoic” (Spelling errors in the subject line are a characteristic of this campaign)
  • Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):

  • Copies itself under C:\Windows\[RandomName].exe
  • Created a Service named “Google Update Service” by setting the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: “C:\WINDOWS\pfdOSwYjERDHrdV.exe”
    • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: “Google Update Service”

Impact

A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.


US-CERT TA14-268A: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271,CVE-2014-7169)

The following is an alert from the US-CERT alert system. To test if your system is vulnerable, try cutting and pasting the following line into the command-line prompt on your Unix or Linux system:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you get back two lines, one saying

vulnerable

and another saying

this is a test

then your system needs patching. If you just get this is a test then you’re OK. If you’re unsure, as always, contact us.

National Cyber Awareness System:

09/25/2014 12:56 PM EDT
Original release date: September 25, 2014

Systems Affected

  • GNU Bash through 4.3.
  • Linux, BSD, and UNIX distributions including but not limited to:
    • CentOS 5 through 7
    • Debian
    • Mac OS X
    • Red Hat Enterprise Linux 4 through 7
    • Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid with scripts that are either written in Bash or spawn subshells.
  • OpenSSH sshd, where the ForceCommand feature can be overridden or bypassed; this also limits the protection of the restricted shells used by some Git and Subversion deployments and allows arbitrary command execution.
  • DHCP client machines, various daemons and SUID/privileged programs, where arbitrary commands can be run.
  • Servers and other Unix and Linux devices that can be exploited via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
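
One way to look for the Web-request exposure listed above is to search web server access logs for the Bash function-definition prefix "() {" in request fields. This is an added example, not part of the US-CERT alert; the log lines are constructed, and the combined log format and the names find_shellshock_probes and fully_unquote are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed input: Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Bash imports an environment value that begins with "() {" as a function
# definition. mod_cgi copies request headers and the query string into the
# environment, so this marker in a request field deserves an analyst's look.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded markers surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_shellshock_probes(lines):
    """Return (hits, unparsed_count) for an iterable of access-log lines."""
    hits, unparsed = [], 0
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m is None:
            unparsed += 1  # counted so that gaps in coverage stay visible
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_DEF_RE.search(fully_unquote(m.group(field))):
                hits.append({"line": lineno, "host": m.group("host"),
                             "time": m.group("time"), "field": field,
                             "status": m.group("status")})
    return hits, unparsed


# Constructed sample log using documentation-range addresses. The marker
# strings reuse the harmless test command already shown on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:13:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:13:02:10 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 31 "-" "() { :;}; echo vulnerable"',
    '203.0.113.5 - - [25/Sep/2014:13:03:44 +0000] '
    '"GET /cgi-bin/status.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable HTTP/1.1" '
    '200 31 "-" "curl/7.38.0"',
    '192.0.2.44 - - [25/Sep/2014:13:04:00 +0000] "GET /about HTTP/1.1" '
    '200 1024 "http://example.com/page?fn=call()" "Mozilla/5.0"',
    'truncated or corrupt line',
]

if __name__ == "__main__":
    found, skipped = find_shellshock_probes(SAMPLE_LOG)
    for hit in found:
        print(f'line {hit["line"]}: {hit["host"]} marker in {hit["field"]} '
              f'(HTTP {hit["status"]}) at {hit["time"]}')
    print(f"{skipped} line(s) could not be parsed")
```

A hit shows that a request carried the marker, not that the host was vulnerable; confirm patch status on the server itself.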

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and watch for updated patches that address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.


Apple finds some iPhone 5 units have battery problems, opens replacement program

This Friday afternoon, Apple has opened up an iPhone 5 battery replacement program after discovering that a “very small percentage” of units “may suddenly experience shorter battery life or need to be charged more frequently.” The iPhone 5 was originally launched in September 2012, and Apple says that the affected units were sold between that month and January 2013. Apple’s support website includes a tool to check if your serial number belongs to a faulty iPhone 5…
Read more at http://9to5mac.com/2014/08/22/apple-finds-some-iphone-5-units-have-battery-problems-opens-replacement-program/#g71p0L0zAYsILAzR.99

The replacement program is available at Apple Retail Stores, Authorized Apple Service Providers, and via AppleCare. Apple tells eligible iPhone 5 owners to backup their data, Turn off Find my iPhone, and Erase all Content and Settings before coming in to have the battery system replaced. Apple says it won’t repair phones with other problems like cracked screens. If you’ve already paid to get your battery fixed (and you’re eligible for this replacement), Apple is offering refunds.

The replacement program is available beginning today in the United States and China. Other countries will begin offering replacements beginning August 29th. The program is available through March 1, 2015 and it does not extend your iPhone 5’s warranty. This iPhone 5 battery replacement program is the second in recent history. Late last year, Apple offered a smaller, less-public replacement program for iPhone 5s units with battery life issues. The iPhone 5 has also been affected by sleep/wake button issues.

 

 

 


National Cyber Awareness System (POS Alert)

National Cyber Awareness System:

07/31/2014 07:30 AM EDT
Original release date: July 31, 2014 | Last revised: August 18, 2014

Systems Affected

Point-of-Sale Systems

 

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS.  The purpose of this release is to provide relevant and actionable technical indicators for network defense.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop,[1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway,[5] and LogMeIn[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed “Backoff”, associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.

Similar attacks have been noted in previous PoS malware campaigns [7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

Description

“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Variants

Based on compiled timestamps and versioning information witnessed in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants witnessed in the “Backoff” malware family have notable modifications, to include:

1.55 “backoff”

  • Added Local.dat temporary storage for discovered track data
  • Added keylogging functionality
  • Added “gr” POST parameter to include variant name
  • Added ability to exfiltrate keylog data
  • Supports multiple exfiltration domains
  • Changed install path
  • Changed User-Agent

1.55 “goo”

  • Attempts to remove prior version of malware
  • Uses 8.8.8.8 as resolver

1.55 “MAY”

  • No significant updates other than changes to the URI and version name

1.55 “net”

  • Removed the explorer.exe injection component

1.56 “LAST”

  • Re-added the explorer.exe injection component
  • Support for multiple domain/URI/port configurations
  • Modified code responsible for creating exfiltration thread(s)
  • Added persistence techniques

Command & Control Communication

All C2 communication for “Backoff” takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.

  • op : Static value of ‘1’
  • id : randomly generated 7 character string
  • ui : Victim username/hostname
  • wv : Version of Microsoft Windows
  • gr (Not seen in version 1.4) : Malware-specific identifier
  • bv : Malware version
  • data (optional) : Base64-encoded/RC4-encrypted data

The ‘id’ parameter is stored in the following location, to ensure it is consistent across requests:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

If this key doesn’t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string of ‘jhgtsd7fjmytkr’, and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943’ (the MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456’).
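
For responders holding a captured “Backoff” POST body, the key derivation described above can be reproduced to recover the ‘data’ field. This is an added example, not code from the advisory: the RC4 routine is the standard algorithm, the captured body and the ‘wv’ value are constructed, and using the uppercase hex digest as the key bytes is an assumption based on how the advisory prints the password (a raw-digest option is included for comparison).

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

STATIC_STRING = "jhgtsd7fjmytkr"                 # static string quoted in the advisory
BEACON_PARAMS = {"op", "id", "ui", "wv", "bv"}   # 'gr' is absent in 1.4; 'data' is optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def derive_password(victim_id: str, ui: str, static: str = STATIC_STRING) -> str:
    """MD5(id + static string + ui), as uppercase hex like the advisory prints it."""
    joined = (victim_id + static + ui).encode("utf-8")
    return hashlib.md5(joined).hexdigest().upper()


def parse_post_body(body: str) -> dict:
    """Split a form-encoded POST body into a flat dict (first value per name)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def looks_like_backoff(fields: dict) -> bool:
    """Match the parameter set the advisory lists: op=1 and a 7-character id."""
    return (BEACON_PARAMS.issubset(fields)
            and fields["op"] == "1"
            and len(fields["id"]) == 7)


def decrypt_data(fields: dict, static: str = STATIC_STRING, raw_digest_key: bool = False):
    """Return the decrypted 'data' bytes, or None when the request carries none."""
    if "data" not in fields:
        return None
    password = derive_password(fields["id"], fields["ui"], static)
    # Assumption: the key is the hex string itself; set raw_digest_key=True
    # to use the 16 raw digest bytes instead.
    key = bytes.fromhex(password) if raw_digest_key else password.encode("ascii")
    blob = fields["data"].replace(" ", "+")  # an unescaped '+' is parsed as a space
    blob += "=" * (-len(blob) % 4)           # restore stripped Base64 padding
    return rc4(key, base64.b64decode(blob))


SAMPLE_PLAINTEXT = b"constructed test record, not real card data"


def build_sample_body() -> str:
    """Constructed capture: id and ui are split from the advisory's example string."""
    fields = {"op": "1", "id": "vxeyHkS", "ui": "Josh @ PC123456",
              "wv": "6.1", "gr": "goo", "bv": "1.55"}   # 'wv' value is made up
    key = derive_password(fields["id"], fields["ui"]).encode("ascii")
    fields["data"] = base64.b64encode(rc4(key, SAMPLE_PLAINTEXT)).decode("ascii")
    return urlencode(fields)


if __name__ == "__main__":
    captured = parse_post_body(build_sample_body())
    print("matches Backoff parameter set:", looks_like_backoff(captured))
    print("RC4 password:", derive_password(captured["id"], captured["ui"]))
    print("decrypted data:", decrypt_data(captured))
```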

File Indicators:

The following is a list of the Indicators of Compromise (IOCs) that should be added to network security tools so that defenders can search for these indicators on their network.


Impact

The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

Solution

At the time this advisory is released, the variants of the “Backoff” malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up‐to‐date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[9],[10],[11] IOCs can be found above.

The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[12]
  • Limit the number of users and workstations that can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[13]
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14]
  • Require two-factor authentication (2FA) for remote desktop access.[15]
  • Install a Remote Desktop Gateway to restrict access.[16]
  • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18]
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
  • Segregate payment processing networks from other networks.
  • Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
  • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
  • Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
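
The egress review described in the first item above can be partly automated. The following is an added example, not part of the original alert: the CSV column layout, the payment segment 10.20.0.0/24 and the approved processor address are all assumptions, and the check ignores rule ordering and shadowing.

```python
import csv
import io
import ipaddress

# Constructed rule export; the column layout is an assumption for this example.
SAMPLE_RULES = """direction,action,source,destination,port
outbound,allow,10.20.0.0/24,203.0.113.10/32,443
outbound,allow,10.20.0.0/24,0.0.0.0/0,any
outbound,allow,10.30.0.0/24,0.0.0.0/0,443
inbound,allow,0.0.0.0/0,10.30.0.5/32,443
outbound,deny,10.20.0.0/24,0.0.0.0/0,any
"""

PAYMENT_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed PoS segment
APPROVED_DESTS = [ipaddress.ip_network("203.0.113.10/32")]  # assumed processor

def review_egress(rules_csv, payment_net=PAYMENT_NET, approved=APPROVED_DESTS):
    """Return (rule number, finding) pairs for risky outbound allow rules."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(rules_csv)), start=1):
        # Only outbound allow rules can let data leave the network.
        if row["direction"] != "outbound" or row["action"] != "allow":
            continue
        src = ipaddress.ip_network(row["source"])
        dst = ipaddress.ip_network(row["destination"])
        # A /0 destination permits traffic to any IP address on the Internet.
        if dst.prefixlen == 0:
            findings.append((n, "allows any destination"))
        # Payment systems should reach only explicitly approved destinations.
        if src.overlaps(payment_net) and not any(dst.subnet_of(a) for a in approved):
            findings.append((n, "payment segment reaches unapproved destination"))
    return findings

if __name__ == "__main__":
    for number, finding in review_egress(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```
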

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
  • Perform a binary or checksum comparison to ensure unauthorized files are not installed.
  • Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
  • Disable unnecessary ports and services, null sessions, default users and guests.
  • Enable logging of events and make sure there is a process to monitor logs on a daily basis.
  • Implement least privileges and ACLs on users and applications on the system.
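
The checksum comparison recommended above, both for spotting unauthorized files and for validating vendor updates before deployment, can be scripted. This is an added example, not part of the original alert: it assumes the PoS vendor supplies a manifest in `sha256sum` layout, and the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_manifest(text):
    """Parse 'hexdigest  relative/path' lines (sha256sum layout, assumed)."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) != 64:
            raise ValueError(f"malformed digest for {name!r}")
        bytes.fromhex(digest)  # raises ValueError on non-hex characters
        manifest[name.lstrip("*")] = digest.lower()
    return manifest

def audit_directory(root, manifest):
    """Compare every file under root with the trusted manifest."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    missing = sorted(n for n in manifest if n not in on_disk)
    modified = sorted(n for n in manifest if n in on_disk
                      and sha256_file(on_disk[n]) != manifest[n])
    unauthorized = sorted(set(on_disk) - set(manifest))
    return {"modified": modified, "missing": missing, "unauthorized": unauthorized}

def demo():
    """Constructed sample: one altered file, one extra file, one absent file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.exe").write_bytes(b"vendor build 1.0")
        (root / "config.ini").write_bytes(b"terminal=7")
        lines = [f"{sha256_file(root / n)}  {n}" for n in ("pos.exe", "config.ini")]
        lines.append("0" * 64 + "  license.txt")  # in manifest, not on disk
        manifest = load_manifest("\n".join(lines))
        (root / "pos.exe").write_bytes(b"vendor build 1.0 (altered)")
        (root / "extra.dll").write_bytes(b"not in the vendor manifest")
        return audit_directory(root, manifest)
```

The comparison is only as trustworthy as the manifest: obtain it from the vendor over a separate authenticated channel, because a manifest stored beside the files it describes can be altered along with them.
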

Still Worried About Switching to Linux?

Turin’s local authorities have decided to switch to open source and entirely ditch all Microsoft products, saving the local government a lot of money.

The mission of this move is to get rid of proprietary software, make Turin one of the first Italian open source cities and save six million euros. Six million euros!!! Yes, it is a very high amount, isn’t it?

According to republica.it, 8300 computers of the local administration will soon be powered by Ubuntu, shipped with the Mozilla Firefox web browser and Open Office. No more Microsoft Office and Internet Explorer.

A lot of money goes to buying licenses and paying for proprietary software, so why not choose a free solution and a better one? Do you guys know how much it would cost Turin if they had to upgrade their Windows operating systems from one version to another?

22 million euros! And would you like to know how much that price will go down if the local administration adopts Ubuntu? Ok, so if they switch to Ubuntu they will save 6 million euros, now you make the calculations.

There are many other European cities that are seeing Linux as a better solution than Windows for their IT infrastructure. For example, the German city Munich kicked Microsoft out of the city and switched to open source. According to Munich, this move saved it more than 10 million euros.

Source reference UnixMen http://www.unixmen.com/turin-first-italian-open-source-city/


Linux Nears Total Domination of the Top500 Supercomputers

It’s always been fun watching Linux claim a bit more of the Top500 with each successive ranking of the world’s most powerful supercomputers, but with this week’s release of the Top500 list’s 43rd edition, it’s beginning to look like the free and open source operating system is getting pretty close to complete domination.

Not only does Linux power all of the top 10 machines on the June 2014 list — including China’s winning Tianhe-2, which stole the show once again with its performance of 33.86 Petaflop/second (Pflop/s) on the Linpack benchmark — but it also now accounts for a full 97 percent of the full set of 500. A mere 15 supercomputers on the list *don’t* use Linux, including 12 using Unix and just two using Windows. (The last one is described simply as “Mixed.”)

Just a year ago, Linux’s share of the Top500 was 95.2 percent. At this rate, it’s only natural to speculate that Linux could claim a full 100 percent in not too long.

Other highlights from this latest Top500 list include a new entry in the No. 10 spot — a 3.14 Pflop/s Cray XC30 installed at an undisclosed U.S. government site — and an increase in the total combined performance of all 500 systems to 274 Pflop/s, up from 250 Pflop/s six months ago and 223 Pflop/s one year ago. A full 37 systems on the list now offer performance greater than one Pflop/s, compared with just 31 six months ago.

 

For Further Information see source Article http://www.linux.com/news/enterprise/high-performance/147-high-performance/778179–linux-nears-total-domination-of-the-top500-supercomputers
