Bugzilla Breach Attributed to Privileged User

This week, we hear about the recent breach within Mozilla’s security issues tracking service “Bugzilla” and a new variant of the Carbanak banking Trojan.

Breach

Bugzilla Breach Attributed to Privileged User

The Mozilla Foundation is well known for developing the Firefox web browser and the Thunderbird email client. Mozilla has publicly announced a breach of its security issue tracking service, “Bugzilla.” Mozilla uses Bugzilla to track bugs and security holes, and most of the service contains publicly accessible information, except for details about security vulnerabilities that are currently being evaluated, patched or ignored. The credentials of a privileged Bugzilla user appear to be the source of the breach, and the attacker is believed to have had access for at least a year.

Mozilla confirmed the attacker gained access in September 2014 through the privileged user account. The information accessed contained 185 non-public bugs:

  • 110 bugs protected as proprietary information
  • 22 minor security issues rated low or moderate
  • 53 security bugs rated high or critical

Information on 10 other bugs became available between when the breach was identified and when it was remediated. So far, only one of these bugs has been turned into an exploit identified in the wild. That exploit was found running on a Russian news site and was capable of attacking all versions of Firefox for Windows, Mac and Linux.

Mozilla confirmed the privileged account used has been deleted and two-factor authentication has been implemented. Also, the level of information privileged users can access within Bugzilla has been limited. Mozilla has also directed users to ensure Firefox is up to date and change any stored passwords in the browser.

References: Mozilla Blog | Threat Post | Mozilla Blog

Mitigation Strategies:

  • Network traffic analysis to detect data exfiltration
  • 24x7 Security Monitoring to provide anomaly detection
  • Log management, if logging is configured, could detect suspicious user account activity and record the attacker's external IP address information.
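As an added illustration of the log-management point above (example code written for this summary, not Mozilla's or Bugzilla's own tooling): a small Python check over constructed audit-log lines that flags logins by privileged accounts from a source IP not seen during a baseline period, from outside an assumed internal address range, or outside business hours. The log format, account names, IP addresses and the internal range are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (hypothetical key=value format, not from the page).
# "alice" is a privileged account; the September logins come from an unfamiliar IP.
SAMPLE_LOG = """\
2014-08-04T09:12:01Z user=alice role=privileged src=203.0.113.10 action=login result=success
2014-08-05T10:03:44Z user=alice role=privileged src=203.0.113.10 action=login result=success
2014-08-06T11:45:09Z user=bob role=standard src=198.51.100.7 action=login result=success
2014-09-02T02:17:30Z user=alice role=privileged src=192.0.2.55 action=login result=success
2014-09-02T02:19:02Z user=alice role=privileged src=192.0.2.55 action=view_bug bug=sec-1234
2014-09-03T03:01:15Z user=alice role=privileged src=192.0.2.55 action=login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = parse_ts(m.group("ts"))
    return fields

def build_baseline(events, before):
    """Source IPs each privileged account used before the cutoff (the 'known good' set)."""
    seen = defaultdict(set)
    for e in events:
        if e.get("role") == "privileged" and e["ts"] < before:
            seen[e["user"]].add(e["src"])
    return seen

def detect_anomalies(log_text, baseline_end, internal_nets=("203.0.113.0/24",)):
    """Return (user, src, timestamp, reasons) for privileged logins after the baseline
    that come from a new IP, an external IP, or outside 07:00-19:00 UTC."""
    cutoff = parse_ts(baseline_end)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    baseline = build_baseline(events, cutoff)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for e in events:
        if e.get("role") != "privileged" or e.get("action") != "login" or e["ts"] < cutoff:
            continue
        src = ipaddress.ip_address(e["src"])
        reasons = []
        if e["src"] not in baseline.get(e["user"], set()):
            reasons.append("new source IP")
        if not any(src in n for n in nets):
            reasons.append("external IP")
        if not 7 <= e["ts"].hour < 19:
            reasons.append("off-hours")
        if reasons:
            alerts.append((e["user"], e["src"], e["ts"].isoformat(), reasons))
    return alerts
```

Feeding a year of such logs through the same check is what would have surfaced a privileged account suddenly logging in from an unfamiliar external address.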

Malware

New Variant of Carbanak Trojan Discovered

A new version of the notorious Carbanak Trojan has been observed in the wild by researchers at CSIS Security Group. Kaspersky Lab first discovered Carbanak, also known as “Anunak,” earlier this year. Cyber criminals used the malware to infiltrate over 100 banks in 30 countries and allegedly steal $1 billion.

Last week, CSIS discovered that the Carbanak malware is still being used in attacks against major organizations in Europe and the United States, with spear phishing as the attack vector. Researchers discovered the first new Carbanak sample while conducting forensic analysis of an infected Windows machine that the attackers had compromised in order to carry out fraudulent online banking transactions.

While the binaries identified by the security firm are almost identical to previous versions, the researchers noted some differences. For example, the new variant has been used against organizations in new geographical locations. The new Carbanak sample also uses random files and mutexes. For command and control (C2) communications, the Trojan relies on predefined IP addresses instead of domains, and it uses a new proprietary protocol.

Researchers have also pointed out that the new Carbanak version is signed with a code-signing certificate issued by Comodo to a Russia-based wholesale company. Experts believe the cybercriminals may have set up this company, using a fake or stolen identity, to request legitimate code-signing certificates so that they do not have to sign their malware with stolen ones.

References: Kaspersky Blog

Mitigation Strategies:

Top 20 IP Addresses
