Security Incidents Digest, Aug. 18 – Sep. 18


Black Tuesday

August 13th brought numerous challenges to (primarily) corporate users of Microsoft products. The company released patches for critical vulnerabilities in Windows, Exchange Server and Active Directory. As a result, some users experienced serious problems such as the inability to search through email (broken indexing), Windows crashes and similar issues.

“Microsoft is aware of problems with update 2874216 that affect Exchange Server 2013. The issue could cause Exchange Server to stop indexing mail on servers,” Microsoft’s bulletin said. The problem was resolved by an update on August 27.



Fighting for medical records

In the last ten days of August a report came out about several organizations founding the Medical Identity Fraud Alliance (MIFA), aimed at combating medical ID theft. The key players are establishing solutions and best practices, technologies and research, and educating consumers to help them better protect their increasingly targeted health information. “Medical identity theft is being called the fastest-growing type of fraud,” says Robin Slade, a development coordinator for MIFA. “It contributes to the increasing cost of health care.”

Slade says there were 1.85 million victims of medical ID fraud last year, but most insured adults are unaware of this new form of crime, which comes with the added risk of physically endangering victims. For example, if records show a discrepancy in blood types, the consequences can be dangerous.

Moreover, some 40 percent of medical ID theft victims have had their health insurance canceled due to fraudulent charges in spite of being totally innocent.

According to the latest data, some 94 percent of U.S. health-care organizations have been hit by at least one data breach, with stolen information selling like hot cakes in cyberspace.

More: [1], [2]


The Syrian Electronic Army: war reports

In August and September, the infamous Syrian Electronic Army (a group of hacktivists eagerly supporting Syrian President Bashar al-Assad) had a real ball. They compromised the third-party link network Outbrain, which allowed the group to change some of the third-party content on at least four major news sites, including The Washington Post, Time, and CNN. They did not stop there, though. In the last three months, the Syrian Electronic Army has compromised numerous Twitter accounts, including those used by major news services such as Agence France-Presse (AFP) and Reuters. In addition, the group has hacked a variety of other news organizations, reportedly including the British Broadcasting Corp. (BBC) and Al Jazeera. Two Twitter services were hijacked as well.

They went after the media to propagate their message. Curiously, they even attacked The Onion, a news satire site, as well as Blender Artists, a popular forum for users of Blender, the free 3D graphics software.

The most successful attacks were banal phishing attacks.

More: [1], [2]


Jumping in the dirt again

A new version of the well-known DDoS toolkit DirtJumper Drive appeared on the Internet. It now lets attackers detect and evade DDoS protection. Among the added evasion techniques are ICMP attacks and attacks that keep connections active for longer periods.

More information here.


Java in tatters

In late August, Java 6 users were strongly recommended to upgrade to Java 7 update 25, because a serious flaw in Java 6 revealed in June was never patched. Many exploits for it were already in circulation, and the Neutrino exploit kit clearly contains them.

Unfortunately, Java 7 turned out to have a few very serious problems, too. There is a way to trick the Java warning system, which alerts the user when an application lacks a digital signature. There are also ways to rename applications that carry a digital signature, and even to make a sandboxed application execute commands from an arbitrary server.

More: [1]

It should be noted that the cyber espionage program NetTraveler now attempts to exploit vulnerabilities in Java, too. The detailed analysis is published on Securelist.


G20: major attacks for the major economies

The G20 summit in St. Petersburg, as such events usually do, produced an increase in malicious mailings and malware attacks. According to Rapid7 researchers, multiple groups (potentially originating in China) are responsible for the attacks, including a prominent group known as the Calc Team or APT-12.

In particular, one of the G20-themed attacks featured a file entitled “Global Partnership for Financial Inclusion Work Plan 2013.” It was a Windows executable that tried to disguise itself as a PDF document. No exploit was used; the attacker relied solely on social engineering.

More details here.
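The G20 lure above worked only because the recipient saw a "PDF" that was really a Windows executable. As an added example (not from the digest or from Rapid7's report), the check below compares what a filename displays as with what the bytes actually are; the double-extension sample and the PE stub are constructed, and the assumption that Windows hides the trailing .exe is the standard "hide known extensions" default.

```python
import re

# Added example: flag attachments whose displayed type does not match content.
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")      # may sit within the first 1024 bytes
EXEC_EXTS = {"exe", "scr", "com", "pif"}      # hidden by default in Explorer
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def sniff_type(data: bytes) -> str:
    """Coarse content type from magic bytes, independent of the filename."""
    if data[:2] == b"MZ":                     # PE/DOS header
        return "pe"
    if PDF_HEADER.search(data[:1024]):        # spec allows junk before %PDF-
        return "pdf"
    return "unknown"


def displayed_ext(filename: str) -> str:
    """Extension the user sees when known executable extensions are hidden:
    'plan.pdf.exe' is shown as 'plan.pdf', so its displayed extension is 'pdf'."""
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in EXEC_EXTS:
        parts = parts[:-1]
    return parts[-1] if len(parts) > 1 else ""


def check_attachment(filename: str, data: bytes) -> dict:
    actual = sniff_type(data)
    shown = displayed_ext(filename)
    # Suspicious: looks like a document to the user but is a PE executable.
    suspicious = actual == "pe" and shown in DOC_EXTS
    return {"name": filename, "displayed_ext": shown,
            "actual": actual, "suspicious": suspicious}


def scan(samples):
    """Return the names of all samples that should be quarantined."""
    return [s["name"] for s in (check_attachment(n, d) for n, d in samples)
            if s["suspicious"]]


# Constructed samples (hypothetical names, not real files).
SAMPLES = [
    ("Global Partnership for Financial Inclusion Work Plan 2013.pdf.exe",
     b"MZ\x90\x00" + b"\x00" * 60),            # PE stub hiding behind .pdf
    ("agenda.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),   # genuine PDF
    ("minutes.pdf", b"junk\r\n%PDF-1.5\n"),   # PDF with leading junk: still OK
    ("setup.exe", b"MZ\x90\x00"),             # honest executable, not flagged
]

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("QUARANTINE:", name)
```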


Tor: botnets and the FBI

The sharp rise in the apparent popularity of the Tor anonymity network may have been due to a botnet, and a very large one at that. In early September, the number of Tor clients grew to 2.5 million, the vast majority coming from the Mevade botnet (aka LazyAlienBikers).

The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid-August. It was a big botnet even before the move: estimates put Mevade at anywhere from 1.4 to 5 million infected machines.

The decision by the operators of the so-called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired and drew more attention.



The botnet is not the only problem for Tor though. The FBI publicly acknowledged distributing malware amongst the clients of the network in July 2013 to identify its users.

This information was revealed to the press after the hearing on the possible extradition of Freedom Hosting/Tor founder Eric Eoin Marques, who was arrested in Ireland at the request of U.S. law enforcement. Marques is accused of actively distributing child pornography.



Beware of notifications

Facebook users were again subjected to a massive attack that tricked victims with emails or Facebook messages telling people they had been tagged in a Facebook post. When users went to Facebook and clicked the link, they were sent to a separate web site and prompted to download a browser extension or plug-in to watch a video.

However, instead of the video, the user downloaded a malicious program that could take control of the Google Chrome browser. The attack is quite dangerous because many people save their email, Facebook and Twitter login data in the browser, so once the plug-in is installed the attackers can read everything stored in Chrome, including accounts with saved passwords, and masquerade as the victim on those accounts.



This is urgent. Yours truly, Microsoft

Microsoft rushed out a Fix It tool yesterday in lieu of a patch after multiple reports that attackers were using the vulnerability to target Internet Explorer 8 and 9. The vulnerability lies in the way IE accesses an object in memory that has been deleted or has not been properly allocated. It can corrupt memory in a way that allows an attacker to execute code in the context of the current user within IE.


Understanding Samsung Knox

Samsung, maker of handsets and all devices tech-related, has created a secure Android environment called Knox, which aims to resolve the laundry list of security problems facing IT teams as