Monthly Wrap Up
August 2015

August 2015 was a busy month for breaches and malware. Here is what happened this month in our monthly wrap up.

Breaches

Ashley Madison Data No Longer Behind Closed Doors

This month has seen continued fallout from July’s data breach of the extramarital dating site Ashley Madison. On August 18, one month after the initial news of the breach, the Impact Team allegedly released a roughly 10GB cache of data via a torrent link published on a Tor “hidden service” website. The dump contained personal information on the site’s roughly 30 million users, including email and physical addresses, profile details and credit card transaction records.

Two days after the release of this data, the Impact Team published a further 20GB via the same means, this time containing internal documents and emails belonging to Avid Life Media (ALM), the parent company of Ashley Madison.

The release of this personal information has led to extortion attempts against Ashley Madison users, with blackmailers threatening to disclose their membership of the adultery-enabling site to their spouses unless a sum of money is paid.

Since then, ALM has announced that CEO Noel Biderman has stepped down and the hunt for the person or people responsible for this breach continues.

Reference: We Live Security

Mitigation Strategies:

  • 24x7 ActiveWatch security monitoring to provide anomaly detection.
  • Log Manager collecting logs from a file integrity monitoring (FIM) solution would show changes made to files and data on servers.
  • ActiveWatch Premier service to detect data exfiltration via anomaly detection.
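The file integrity monitoring mentioned in the second bullet boils down to a stored baseline of file hashes and a later comparison. The following is an added example (not code from Ashley Madison, ALM or the monitoring products named above) that builds a small directory tree inline, baselines it, simulates a config edit, a dropped script and a deleted file, and reports the differences. All paths and file contents are constructed for the demo; a real deployment would keep the baseline off-host and ship the diff to a log manager.

```python
"""Minimal file-integrity baseline and check (added example, constructed data).

Walks a directory tree, records SHA-256 + size + mode per regular file, and
diffs a later snapshot against the baseline to report added, removed and
modified files. Runs offline against a temporary directory built below.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            st = p.stat()
            snap[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added / removed / modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "users.csv").write_text("alice,bob\n")
        # The baseline would normally be stored off-host; JSON round-trip stands in for that.
        baseline_json = json.dumps(snapshot(root), sort_keys=True)

        # Simulated tampering: config edited, a dump script dropped, one file deleted.
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")
        (root / "etc" / "dump.sh").write_text("#!/bin/sh\ntar czf /tmp/x.tgz /var/db\n")
        (root / "etc" / "users.csv").unlink()

        return diff_snapshots(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing with SHA-256 rather than comparing size and mtime is what makes this useful: an attacker who edits a file and resets its timestamp still changes its digest, and the mode field catches a config file that was quietly made world-readable.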

British Mobile Phone Retailer Mysteriously Hacked

Earlier this month, the British mobile phone retailer, Carphone Warehouse, suffered a large data breach involving the personal details of up to 2.4 million customers. In addition, credit card details of up to 90,000 customers may have been accessed.

Although details are sparse, it seems that the customers of Carphone Warehouse’s online businesses OneStopPhoneShop.com, e2save.com and Mobiles.co.uk were most affected.

Unlike other recent high-profile breaches, no one has come forward to claim responsibility for this one, and there is little information about who was behind it or where the data has gone. That silence suggests a professional, financially motivated operation rather than hacktivism, with the data likely to be drip-fed onto cyber criminal marketplaces.

Reference: SC Magazine

Mitigation Strategies:

  • ActiveWatch Premier service to detect data exfiltration via anomaly detection.
  • 24x7 ActiveWatch security monitoring to detect the intrusion and possible data leakage.
  • Web Security Manager signatures to detect and block specific malicious HTTP User-Agents.
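Both this list and the Ashley Madison one lean on “anomaly detection” for exfiltration. The following is an added example (not code from Carphone Warehouse or from the monitoring products named above) of the simplest useful version of that idea: compare each host’s outbound byte volume for the day against its own recent history using a robust median/MAD threshold, and only raise hosts that also clear an absolute floor so low-traffic machines do not alert on noise. The per-host flow totals are constructed; the hostnames, the MAD multiplier and the 50 MB floor are assumptions for the demo.

```python
"""Outbound-volume anomaly detection over per-host flow summaries
(added example, constructed data).

A host is flagged when today's outbound bytes exceed
median(history) + K_MAD * 1.4826 * MAD(history) and also exceed MIN_BYTES.
The MAD-based threshold is robust to a couple of odd days in the baseline,
which a mean/stddev threshold is not.
"""
from statistics import median

K_MAD = 6.0              # scaled MADs above the median that count as anomalous (assumed)
MIN_BYTES = 50_000_000   # absolute floor: ignore anything under 50 MB outbound (assumed)

# Constructed baseline: host -> 14 daily outbound byte totals
BASELINE = {
    "web-01": [1.2e9, 1.1e9, 1.3e9, 1.2e9, 1.0e9, 1.4e9, 1.2e9,
               1.1e9, 1.3e9, 1.2e9, 1.2e9, 1.1e9, 1.3e9, 1.2e9],
    "db-02":  [4.0e7, 3.8e7, 4.2e7, 4.1e7, 3.9e7, 4.0e7, 4.3e7,
               3.7e7, 4.0e7, 4.1e7, 3.9e7, 4.0e7, 4.2e7, 4.0e7],
    "ws-117": [2.0e6, 1.5e6, 3.0e6, 2.2e6, 1.8e6, 2.5e6, 2.1e6,
               1.9e6, 2.4e6, 2.0e6, 1.7e6, 2.3e6, 2.0e6, 2.2e6],
}
# Constructed "today": db-02 pushes 6 GB out (a dump leaving the building),
# ws-117 is busier than usual but still tiny, web-01 is normal.
TODAY = {"web-01": 1.25e9, "db-02": 6.0e9, "ws-117": 8.0e6}


def robust_threshold(history, k=K_MAD):
    """median + k * (1.4826 * MAD); 1.4826 scales MAD to a normal-distribution sigma."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A flat history gives MAD == 0; fall back to 10% of the median so the
    # threshold is never exactly the median.
    sigma = 1.4826 * mad if mad > 0 else max(med * 0.1, 1.0)
    return med + k * sigma


def find_exfil_candidates(baseline, today, k=K_MAD, floor=MIN_BYTES):
    """Return {host: (today_bytes, threshold)} for hosts breaching their own threshold."""
    hits = {}
    for host, hist in baseline.items():
        if host not in today:
            continue
        thr = robust_threshold(hist, k)
        if today[host] > thr and today[host] >= floor:
            hits[host] = (today[host], thr)
    return hits


if __name__ == "__main__":
    for host, (seen, thr) in find_exfil_candidates(BASELINE, TODAY).items():
        print(f"{host}: {seen / 1e9:.2f} GB out today, threshold {thr / 1e9:.2f} GB")
```

With the constructed data only db-02 is reported: its 6 GB is far above a threshold of roughly 49 MB, while ws-117 breaches its own threshold but stays under the 50 MB floor and web-01 sits inside its normal range. In practice the same comparison is run per destination as well as per host, because a database server that normally talks only to application servers sending a few GB to a single new external address is a stronger signal than the total alone.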

Malware

Malvertising Campaigns Run Rampant 

This month, there has been a flurry of malvertising cases involving high profile websites including Yahoo, AOL, MSN, and the dating site Plenty of Fish.

The cases involving Yahoo, AOL, and MSN appear to be related. Yahoo was hit first: users were redirected to Azure-hosted domains that served the Angler Exploit Kit (EK). The payload was not observed, but Angler is usually associated with adware and ransomware such as CryptoWall. Later in August the same modus operandi was seen on the AOL domain, and toward the end of the month a variant hit MSN, with the redirects leading to domains on Red Hat’s cloud platform instead of Microsoft Azure. As in the other cases, users were served the Angler Exploit Kit.

The popular dating website Plenty of Fish also hosted a malvertising campaign this month. The site, which serves three million users daily, was observed redirecting users via advertisements to URLs shortened with the goo.gl service. From there, users were served the Nuclear Exploit Kit and, if exploitation succeeded, the “Tinba” (Tiny Banker) Trojan.

Reference: Malwarebytes Blog

Mitigation Strategies:

  • Log Manager could detect follow-on activity, such as a brute-force attack from an internally compromised host against internal servers.
  • ActiveWatch IDS signatures to detect the malware’s characteristic network traffic.
  • ActiveWatch Premier anomaly detection to detect the malware attempting to contact a malicious remote host.
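Every campaign above has the same shape: publisher page, ad network, one or more redirects, exploit kit landing page, exploit. That shape is recoverable from ordinary proxy logs by following Referer headers, which is how the chains described in the Malwarebytes write-up are typically reconstructed. The following is an added example (not code from Malwarebytes or from the products named above) that rebuilds the chains for one client from constructed proxy records and flags a chain that leaves the publisher through a URL-shortener hop or onto a generic cloud-hosting name and ends with a Flash object being served. All hostnames, the shortener and cloud suffix lists, and the content-type heuristic are assumptions for the demo.

```python
"""Reconstructing ad-driven redirect chains from proxy logs (added example,
constructed data).

Each record is (client_ip, url, referer, content_type). Requests with no
Referer are treated as the pages the user actually meant to visit; chains
are followed hop by hop through Referer links from there.
"""
from urllib.parse import urlparse

SHORTENERS = {"short.example"}                                # stand-in for goo.gl-style services
CLOUD_SUFFIXES = (".cloudapp.example", ".rhcloud.example")    # stand-ins for generic cloud hosting
EXPLOIT_TYPES = {"application/x-shockwave-flash"}             # Flash objects, which Angler/Nuclear leaned on

# Constructed proxy records for one client loading one news page.
LOG = [
    ("10.1.1.7", "http://news.example/story",              "",                                     "text/html"),
    ("10.1.1.7", "http://ads.example/serve?slot=top",      "http://news.example/story",            "text/javascript"),
    ("10.1.1.7", "http://short.example/aB3",               "http://ads.example/serve?slot=top",    "text/html"),
    ("10.1.1.7", "http://adsrv7.cloudapp.example/land.php","http://short.example/aB3",             "text/html"),
    ("10.1.1.7", "http://adsrv7.cloudapp.example/x.swf",   "http://adsrv7.cloudapp.example/land.php", "application/x-shockwave-flash"),
    ("10.1.1.7", "http://news.example/static/app.js",      "http://news.example/story",            "text/javascript"),
]


def host(url):
    return urlparse(url).hostname or ""


def build_chains(records):
    """Follow Referer links per client; return every root-to-leaf chain as a list of records."""
    by_client = {}
    for r in records:
        by_client.setdefault(r[0], []).append(r)
    chains = []
    for recs in by_client.values():
        children = {}
        for r in recs:
            children.setdefault(r[2], []).append(r)   # referer -> requests it spawned

        def walk(rec, path):
            if rec[1] in {p[1] for p in path}:         # guard against self-referencing loops
                return
            path = path + [rec]
            kids = children.get(rec[1], [])
            if not kids:
                chains.append(path)
            for k in kids:
                walk(k, path)

        for root in children.get("", []):
            walk(root, [])
    return chains


def suspicious(chain):
    """Chain goes off-site via a shortener or to generic cloud hosting, and ends in a Flash object."""
    hosts = [host(r[1]) for r in chain]
    origin = hosts[0]
    via_shortener = any(h in SHORTENERS for h in hosts)
    off_cloud = any(h.endswith(CLOUD_SUFFIXES) for h in hosts if h != origin)
    ends_in_flash = chain[-1][3] in EXPLOIT_TYPES
    return (via_shortener or off_cloud) and ends_in_flash


def find_suspicious_chains(records):
    """Return the flagged chains as lists of URLs, publisher page first."""
    return [[r[1] for r in c] for c in build_chains(records) if suspicious(c)]


if __name__ == "__main__":
    for chain in find_suspicious_chains(LOG):
        print(" -> ".join(chain))
```

On the constructed log the news page spawns two chains; the one through the ad slot, the shortener and the cloud-hosted landing page is reported, the one that just fetches the site’s own script is not. The value of the reconstruction is the context it gives an analyst: the Flash request on its own looks like any other ad, but seen at the end of a chain that started on a publisher page and detoured through a shortener it is the exploit-kit pattern the page describes.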

Sphinx Banking Trojan Is No Myth

A new Zeus-based banking Trojan going by the name “Sphinx” also emerged in August. It is designed to work on Windows 7 and Vista and can adapt to and survive in low-privilege environments such as the “Guest” account. Once installed, the Trojan provides a back-connect VNC capability that gives the operator a direct VNC session on the infected machine. This lets the operator make banking transfers from the victim’s own computer and browser session, so the transactions appear to come from the legitimate customer.

In addition, the infected machine can be used as a SOCKS proxy. By migrating into trusted processes, the malware tunnels its command-and-control traffic over well-known protocols to get through firewalls and stay under the radar of antivirus products.

“Sphinx” has been seen for sale on underground forums in both English and Russian for approximately $500 USD. Interestingly, as the Trojan gained publicity, the seller was observed raising the price to match the increased demand.

Reference: Security Affairs

Mitigation Strategies:

  • ActiveWatch Premier service to provide anomaly detection.
  • ActiveWatch IDS signatures to detect the malware’s observed callback traffic.
  • Log Manager could detect any suspicious user account activity.

Cloud Security

Cloud Providers Asked to Report IT Incidents and Breaches 

The US Department of Defense introduced new rules this month governing how contractors and cloud providers that store or process its data must report IT incidents and breaches. The rules apply only to companies holding unclassified data; separate requirements already cover classified data.

The rules are expected to affect around 10,000 companies and require data breaches and other cyber attacks to be reported within 72 hours of discovery. Affected companies must also preserve system images for 90 days and share any discovered malware with the Department of Defense.

Reference: The Register

Web Security

Adobe Flash Remains Favorite Target for Hackers

Adobe recently enlisted Google’s Project Zero team to help mitigate a common technique used to exploit Flash Player vulnerabilities (corrupting the length of Vector objects to gain arbitrary memory read and write). Within weeks, an exploit that bypassed the new protections was included in Angler EK.

In response, Adobe released Flash Player 18.0.0.232, which strengthens the new mitigations. This again forces attackers to find new ways to leverage vulnerabilities in the product.

Amazon also announced that it will no longer accept Flash advertisements on its platform, and the Chrome web browser will pause ads served in Flash, in the hope of neutralizing the malvertising threat that Flash exploits so often enable. Both moves reflect the acceptance of Adobe Flash as a favorite target of cyber criminals seeking a system compromise.

Reference: Network World

Honeypot Data - Top 20s

IP Addresses
209.126.230.71 – NEW
180.97.106.161
180.97.106.162
180.97.106.37
180.97.106.36
58.49.58.61 – NEW
222.186.42.164
61.155.9.142
82.221.128.206
113.204.53.134
61.186.245.211
175.44.17.134
118.98.104.21
192.99.47.149
104.206.96.58
115.159.64.220 – NEW
222.186.21.184
198.57.247.208
213.251.182.103 – NEW
92.51.244.131
Most Attacked Usernames / Passwords
root/admin
root/123456
admin/admin
root/root
admin/(blank password)
ubnt/ubnt
admin/password
root/default
root/administrator
root/123456
root/654321
root/zaq1xsw2
root/qazwsx
root/aaaaaa
root/a123456
root/qwerty
root/888888
root/11111111
root/pass123
root/159357
Most Attacked Ports
445 Microsoft-DS (SMB over TCP)
139 NetBIOS Session Service
25 SMTP
22 Secure Shell (SSH)
23 Telnet
110 POP3
3389 Remote Desktop Protocol
80 HTTP
3306 MySQL
8080 HTTP Alternate (Proxy)
135 RPC Locator (MSRPC endpoint mapper)
3128 Squid Proxy
1433 Microsoft SQL Server
443 HTTPS
21 FTP
1080 Socks (Proxy)
1111 LM Social Server
143 IMAP
9999 Abyss Web Server
5000 UPnP
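The three tables above are counts over honeypot connection and login records, and the same records feed the brute-force rule mentioned under the malvertising mitigations (a log manager spotting one host hammering logins against many others). The following is an added example, not the honeypot or log-manager code behind this page, that parses a constructed JSON-lines feed, produces the three top-N tables, and flags any source that makes at least a threshold number of login attempts inside a sliding window. The record format, the source addresses, the threshold and the window are all assumptions for the demo.

```python
"""Tallying honeypot login attempts and flagging brute-force sources
(added example, constructed data).

Input: JSON lines, one object per connection attempt with ts/src/dport;
login attempts additionally carry user/pass. Outputs: top source IPs,
top user/password pairs, top destination ports, and brute-force sources.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_feed():
    """Constructed honeypot feed: one brute-forcer, one slow prober, one SMB scanner."""
    base = datetime(2015, 8, 20, 1, 0, 0)
    rows = []
    creds = [("root", "admin"), ("root", "123456"), ("admin", "admin"), ("root", "root"),
             ("admin", ""), ("ubnt", "ubnt"), ("admin", "password"), ("root", "default"),
             ("root", "admin"), ("root", "123456"), ("root", "admin"), ("admin", "admin")]
    # 198.51.100.5: 12 SSH login attempts in 55 seconds
    for i, (u, p) in enumerate(creds):
        rows.append({"ts": (base + timedelta(seconds=5 * i)).isoformat(),
                     "src": "198.51.100.5", "dport": 22, "user": u, "pass": p})
    # 203.0.113.40: 3 Telnet attempts, hours apart (stays under the threshold)
    for i, (u, p) in enumerate([("root", "admin"), ("admin", "admin"), ("root", "123456")]):
        rows.append({"ts": (base + timedelta(hours=2 * i)).isoformat(),
                     "src": "203.0.113.40", "dport": 23, "user": u, "pass": p})
    # 192.0.2.9: SMB probes with no login attempt at all
    for port in (445, 139, 445):
        rows.append({"ts": base.isoformat(), "src": "192.0.2.9", "dport": port})
    return "\n".join(json.dumps(r) for r in rows)


def parse_feed(text):
    """One dict per non-empty line; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def top_n(events, n=20):
    """(top source IPs, top user/password pairs, top destination ports), each as (key, count)."""
    ips = Counter(e["src"] for e in events)
    creds = Counter(f'{e["user"]}/{e["pass"] or "(blank password)"}'
                    for e in events if "user" in e)
    ports = Counter(e["dport"] for e in events)
    return ips.most_common(n), creds.most_common(n), ports.most_common(n)


def brute_force_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Sources with at least `threshold` login attempts inside any `window`-long span.

    Returns {src: attempts_in_window_when_first_tripped}; a sliding window over
    the sorted timestamps, so a slow-and-low prober spread over hours is not flagged.
    """
    by_src = defaultdict(list)
    for e in events:
        if "user" in e:
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    evts = parse_feed(build_sample_feed())
    ips, creds, ports = top_n(evts)
    print("IPs:", ips)
    print("Credentials:", creds)
    print("Ports:", ports)
    print("Brute-force sources:", brute_force_sources(evts))
```

On the constructed feed root/admin tops the credential table and port 22 the port table, mirroring the shape of the lists above, and only 198.51.100.5 is flagged: the Telnet prober makes the same kind of attempts but spaced hours apart, which is exactly the case a plain per-source count would miss and a windowed count handles.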