Monthly Wrap Up
Ashley Madison Data No Longer Behind Closed Doors
This month has seen continued fallout from July’s data breach of the extramarital dating site Ashley Madison. On August 18, one month from the initial news of the breach, the Impact Team allegedly released a 10GB cache of data via a torrent link published on a “hidden service” website accessible via Tor. This dump of data contained personal information of all 30 million users including email, physical addresses, profile information and credit card transaction information.
Two days after the release of this data, the Impact Team published a further 20GB via the same means, this time containing internal documents and emails belonging to Avid Life Media (ALM), the parent company of Ashley Madison.
The release of personal information has led to blackmail attempts against Ashley Madison users, with extortionists threatening to disclose details of their membership of the adultery-enabling site to their spouses unless a sum of money is paid.
Since then, ALM has announced that CEO Noel Biderman has stepped down and the hunt for the person or people responsible for this breach continues.
Reference: We Live Security
British Mobile Phone Retailer Mysteriously Hacked
Earlier this month, the British mobile phone retailer, Carphone Warehouse, suffered a large data breach involving the personal details of up to 2.4 million customers. In addition, credit card details of up to 90,000 customers may have been accessed.
Although details are sparse, it seems that the customers of Carphone Warehouse’s online businesses OneStopPhoneShop.com, e2save.com and Mobiles.co.uk were most affected.
Unlike other high-profile breaches in recent weeks, this one is unusual in that no one has come forward to claim responsibility. There is little information regarding who may have done it or where the data has gone. Given this lack of information, it is likely this was a professional operation rather than an act of hacktivism, and the data is likely to be drip-fed onto cyber criminal marketplaces.
Reference: SC Magazine
Malvertising Campaigns Run Rampant
This month, there has been a flurry of malvertising cases against high profile websites including Yahoo, AOL, MSN, and the dating site Plenty of Fish.
The cases involving Yahoo, AOL, and MSN seem related. Yahoo was the first to become affected, with users being redirected to Azure-hosted domains and served the Angler Exploit Kit (EK). Although the payload was not observed, this EK is usually associated with adware and ransomware such as Cryptowall. Later in August, the same modus operandi was observed affecting the AOL domain. Toward the end of the month, a similar attack was detected affecting MSN, albeit with a slight variation. In this case, the redirects guided users to domains in the Red Hat cloud instead of Microsoft Azure. As with the other occurrences, the users were served the Angler Exploit Kit.
The popular dating website Plenty of Fish also hosted a malvertising campaign this month. The site, which serves three million users daily, was observed redirecting users via advertisements to URLs shortened using the goo.gl service. From there, users were served the Nuclear Exploit Kit and ultimately, the “Timba” banking Trojan if exploitation attempts were successful.
Reference: Malwarebytes Blog
- Log Manager could detect malicious activity, such as a brute force attack from an internally compromised host against internal servers.
- The ActiveWatch service could detect the malware attempting to send specifically crafted packets.
- ActiveWatch Premier anomaly detection could detect the malware attempting to contact a malicious remote host.
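As an added illustration of the first bullet (example code, not from the original page or from the vendor's product), here is a small detection rule run over constructed log records: it flags an internal host that bursts login failures against an internal server and notes whether a success followed the burst. The internal address ranges, log format and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed enterprise address space (assumption, not from the page).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 5                   # failures per (source, server, port) ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window

# Constructed sample records (not from the page): time src dst dst_port outcome
SAMPLE_LOG = """\
2015-08-20T10:00:01 10.0.5.23 10.0.1.10 445 AUTH_FAIL
2015-08-20T10:00:02 10.0.5.23 10.0.1.10 445 AUTH_FAIL
2015-08-20T10:00:03 10.0.5.23 10.0.1.10 445 AUTH_FAIL
2015-08-20T10:00:04 10.0.5.23 10.0.1.10 445 AUTH_FAIL
2015-08-20T10:00:05 10.0.5.23 10.0.1.10 445 AUTH_FAIL
2015-08-20T10:00:06 10.0.5.23 10.0.1.10 445 AUTH_OK
2015-08-20T10:01:00 10.0.7.8 10.0.1.11 3389 AUTH_FAIL
2015-08-20T10:04:00 10.0.7.8 10.0.1.11 3389 AUTH_FAIL
2015-08-20T10:07:00 10.0.7.8 10.0.1.11 3389 AUTH_FAIL
2015-08-20T10:00:10 203.0.113.7 10.0.1.12 22 AUTH_FAIL
2015-08-20T10:00:11 203.0.113.7 10.0.1.12 22 AUTH_FAIL
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def detect_internal_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Flag internal hosts bursting login failures against internal servers.
    Records must be time-ordered per source. An alert fires the first time
    `threshold` failures for one (src, dst, port) fall inside `window`."""
    failures = defaultdict(list)  # (src, dst, port) -> recent failure timestamps
    alerts = {}
    for line in log_text.splitlines():
        ts, src, dst, port, outcome = line.split()
        if not (is_internal(src) and is_internal(dst)):
            continue  # external sources belong to perimeter rules, not this one
        key, t = (src, dst, int(port)), datetime.fromisoformat(ts)
        if outcome == "AUTH_FAIL":
            recent = failures[key]
            recent.append(t)
            while t - recent[0] > window:  # slide the window forward
                recent.pop(0)
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "dst": dst, "port": key[2],
                               "failures": len(recent), "followed_by_success": False}
        elif outcome == "AUTH_OK" and key in alerts:
            alerts[key]["followed_by_success"] = True  # burst likely succeeded
    return list(alerts.values())
```

Note that the slow host 10.0.7.8 (one failure every three minutes) never fills the 60-second window, so a second, longer-window rule is needed to catch low-and-slow guessing.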
Sphinx Banking Trojan Is No Myth
Infamous Zeus-based malware going by the name “Sphinx” also emerged in August. It is a banking Trojan designed to work on Windows 7 and Vista and can adapt and survive in low-privilege environments such as the “Guest” account. Once installed, the Trojan has a back-connect VNC capability that allows direct VNC logins to the infected machine. This enables the operator to make banking transfers directly from the unsuspecting victim’s machine.
In addition, once infected, the victim’s machine can be used as a SOCKS proxy. By migrating to trusted processes, the malware can conduct its command and control over known protocols in an effort to bypass firewalls and stay under the radar of antivirus products.
“Sphinx” has been seen for sale on underground forums in both English and Russian and sells for approximately $500 USD. Interestingly, as the Trojan gained publicity, the seller was observed raising the price to reflect the increased demand.
Reference: Security Affairs
Cloud Providers Asked to Report IT Incidents and Breaches
The US government introduced new rules this month governing how cloud providers should report IT incidents and breaches if they are responsible for storing or processing government data. The new rules only apply to those companies holding unclassified data; special requirements are already in place for classified data storage.
The rules are anticipated to affect 10,000 companies and will require them to report data breaches and other cyber attacks within 72 hours of discovery. They will also be required to save system images for 90 days and share any discovered malware with the Department of Defense.
Reference: The Register
Adobe Flash Remains Favorite Target for Hackers
Adobe recently enlisted the support of Google’s Project Zero team to assist in mitigating a common technique used to exploit vulnerabilities found in the Flash Player browser plugin. Within weeks, Adobe saw the inclusion of an exploit within Angler EK that successfully bypassed the new protections.
In reaction, Adobe released a new version of Flash Player (188.8.131.52) that adds improvements to the new mitigations. This will again challenge potential hackers to find new ways to leverage vulnerabilities in the product.
Amazon also announced that it would no longer accept Flash advertisements on its platform and the Chrome web browser will pause ads served in Flash in the hopes of neutralizing the malvertising threat often facilitated by Flash exploits. Both of these moves point to the acceptance of Adobe Flash as a favorite target of cyber criminals when it comes to exploiting their way to a system compromise.
Reference: Network World
Most Attacked Usernames / Passwords
Most Attacked Ports
|Port|Service|
|---|---|
|445|Microsoft Directory Service|
|139|NetBIOS Session Service|
|22|Secure Shell (SSH)|
|3389|Remote Desktop Protocol|
|8080|HTTP Alternate (Proxy)|
|1433|Microsoft SQL Server|
|1111|LM Social Server|
|9999|Abyss Web Server|