Friday, August 17, 2012
Daily Report
Top Stories
• Researchers identified a trojan targeting
the defense, aerospace, chemical, and technology industries that spreads via
email carrying a malicious file attachment. – Threatpost
6. August 16, Threatpost – (International) Email trojan targeting defense,
aerospace and other industries. What appears to be a targeted attack campaign
against several high-value industries is using a trojan that employs rigged
PDFs to deliver its payload. Targeting organizations in the defense, chemical,
technology, and aerospace industries, the MyAgent trojan is primarily spreading
through email as a zipped .exe file or PDF attachment, according to researchers
at the FireEye Malware Intelligence Lab. FireEye examined a sample of MyAgent
that, once executed, opens a PDF file titled “Health Insurance and Welfare
Policy” and then drops a second executable, titled “ABODE32.exe,” in the temp
directory, they say in their report. FireEye notes the “ABODE32.exe” executable
accesses Windows Protected Storage, which holds the passwords for Internet
Explorer, Outlook, and other applications. Once the trojan infects its host
machine, it communicates with its command and control (C&C) server, the user
agent string and URI of which are hard-coded into MyAgent’s binary. FireEye
also observed the malware loading different DLLs to communicate with its C&C
server. Despite MyAgent’s relatively high detection rate, its dynamic
intermediary stages place it among what FireEye considers advanced malware.
JavaScript within the PDF variety of MyAgent determines which version of Adobe
Reader is running on its host and then deploys well-known exploits tailored to
the specific version. If the machine is running any version of Reader prior to
9.0, MyAgent exploits the “Collab.getIcon()” vulnerability.
Source: http://threatpost.com/en_us/blogs/email-trojan-tageting-defense-aerospace-and-other-industries-081612
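The PDF variant described above fingerprints the Reader version from embedded JavaScript before choosing an exploit, which gives defenders a simple triage hook. The following Python is an added example, not FireEye's or Threatpost's code: it inflates a PDF's FlateDecode streams and flags documents that carry JavaScript referencing the indicators the report names; the sample document is constructed, and the `app.viewerVersion` API name and all function names are assumptions not taken from the report.

```python
import re
import zlib

# Indicators taken from the report: JavaScript that checks the Reader version
# and then calls Collab.getIcon(). app.viewerVersion is the Acrobat JavaScript
# version property (an assumption here; the report does not name the API).
SUSPICIOUS_CALLS = (b"Collab.getIcon", b"app.viewerVersion")


def iter_stream_bodies(pdf: bytes):
    """Yield each stream body, inflating FlateDecode streams and passing others through raw."""
    for match in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        body = match.group(1)
        try:
            body = zlib.decompress(body)  # compressed stream: inflate it
        except zlib.error:
            pass  # not zlib data: keep the raw bytes so plain-text JS is still seen
        yield body


def triage_pdf(pdf: bytes) -> dict:
    """Report whether the PDF carries JavaScript and which indicator names appear.

    Scope: the raw file plus inflated streams. Other filters and object streams
    are not handled by this example.
    """
    has_js = re.search(rb"/(JS|JavaScript)\b", pdf) is not None
    found = set()
    for blob in (pdf, *iter_stream_bodies(pdf)):
        for call in SUSPICIOUS_CALLS:
            if call in blob:
                found.add(call.decode())
    return {"has_javascript": has_js, "suspicious_calls": sorted(found),
            "flag": has_js and bool(found)}


def build_sample() -> bytes:
    """Constructed test document (not the MyAgent sample): an OpenAction running
    a FlateDecode-compressed JavaScript stream that names the indicators."""
    js = zlib.compress(b"if (app.viewerVersion < 9) { Collab.getIcon(icon); }")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(js)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + js + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample()))  # flags the constructed sample
```

A hit on `flag` is a reason to detonate the file in a sandbox or block the attachment, not proof of MyAgent; benign forms also carry JavaScript, which is why the check requires both the JavaScript action and an indicator name.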
• The governor of Louisiana declared a state
of emergency for Plaquemines Parish August 15 as a saltwater intrusion has
tainted drinking water, forcing the parish to rely on deliveries of bottled
water for its water supply. – WAFB 9 Baton Rouge
23. August 15, WAFB 9 Baton Rouge – (Louisiana) State of emergency for
Plaquemines Parish. The governor of Louisiana declared a state of emergency for
Plaquemines Parish August 15 as the parish faced drinking water issues from a
saltwater intrusion. A salt wedge moved up the Mississippi River because of
historic low levels of water on the river, affecting the parish’s water supply.
The Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP)
delivered 30,000 bottles of water to the parish. GOHSEP transported the first
delivery of 6,900 bottles of water to the parish August 15. The Louisiana
National Guard deployed a truck containing 4,000 gallons of water to the parish
August 16 and will continue to provide this same supply for 5 days. The parish
wants to use four barges to supplement the local water supply. The barges must
be tested to ensure they are safe to carry water, and the water will be
filtered after it is transported. Once treated, the Department of Health and
Hospitals will test it to be certain it meets federal standards and is safe for
human consumption. Source: http://www.wafb.com/story/19290222/state-of-emergency-for-plaqu
• A founding member of the Scottish National
Liberation Army, an outlawed militant group, was indicted on charges he emailed
bomb threats over several weeks that disrupted campus life and forced the
evacuation of more than 100 buildings on the University of Pittsburgh campus. –
Associated Press
29. August 15, Associated Press – (Pennsylvania) FBI: Man in Ireland charged
with Pitt bomb threats. A
founding member of the Scottish National Liberation Army, an outlawed militant
group, was indicted August 15 on charges he emailed bomb threats that disrupted
campus life and forced the evacuation of more than 100 buildings on the
University of Pittsburgh (Pitt) campus in Pennsylvania earlier this year. The
Dublin, Ireland man was charged with 17 emailed threats sent to the school
April 6-21, and with emailed bomb threats against federal courthouses in
Pittsburgh, Erie, and Johnstown in June. He is also charged with threatening a
Pittsburgh-based U.S. attorney — who led the investigation that resulted in his
indictment — in a June 20 email. Pitt began receiving bomb threats written on
bathroom stalls in mid-February, for which nobody has yet been charged. The
suspect, in custody in Ireland, allegedly sent his emails to capitalize on the
momentum from the earlier threats. In all, the university received 52 threats
against 160 buildings that prompted 136 evacuations, the Pitt chancellor said.
The threats cost the school more than $300,000 in direct expenses, including
overtime for police and other staff, bomb squads, and special equipment to
detect such devices. Federal prosecutors also announced new charges against two
Ohio men for YouTube threats that claimed university computers had been hacked.
Source: http://www.google.com/hostednews/ap/article/ALeqM5hPPQfeJ-dqkkh-6t8rankZ2gzu7g?docId=f40a9bb21ef34dd681b9f107c61e85b1
• Two law enforcement officers died and two
were wounded in a series of apparently linked shootings in LaPlace, Louisiana,
authorities said. – CNN
33. August 16, CNN – (Louisiana) Louisiana ‘ambush’ kills 2 deputies, wounds 2.
Two law enforcement officers died and
two were wounded in a series of apparently linked shootings early August 16 in
LaPlace, Louisiana, authorities said. The first shooting happened in a parking
lot for a steel plant, the St. John the Baptist sheriff said. The second
happened when officers went to a trailer park to investigate the first shooting
and were ambushed by a man armed with what the sheriff described as an assault
rifle. A Louisiana State Police (LSP) colonel said multiple weapons were
involved and at least 20 shots were fired. In addition to the two wounded law
enforcement officers, two of the five people taken into custody were
hospitalized with gunshot wounds, an LSP trooper said. One of the wounded
officers was shot in the shoulder and is expected to survive, a law enforcement
source said. Police do not believe anyone else involved in the shooting is at
large. The shootings unfolded in the parking lot at the Bayou Steel plant in
LaPlace, about 25 miles west of New Orleans, when a man opened fire on a law
enforcement officer working a traffic detail. Despite being shot multiple
times, the officer was able to describe the suspect to dispatchers, the sheriff
said. That description, along with a civilian report of a speeding car, led
responding officers to a nearby trailer park. As the deputies were questioning
two people, a man came outside and “ambushed my two officers,” he said. Source:
http://www.cnn.com/2012/08/16/justice/louisiana-officers-shot/index.html?hpt=hp_t1
Details
Banking and Finance Sector
8. August 15, Associated Press – (New York) 4
charged in 2008 NYC armored car heist. Federal authorities in New York City
have charged four people in the 2008 robbery of an armored car courier,
including the now-former courier, a Manhattan U.S. attorney announced August
15. The courier and three co-defendants face charges including conspiracy to
commit bank larceny in connection to the September 2008 robbery of $330,000 at
an M&T Bank branch on First Avenue in Manhattan. The U.S. Attorney said the
defendants, along with others, put together a plan for the robbery of the money
as it was being taken from a Dunbar Armored car into the bank branch. The
former courier was arrested in Richmond, Virginia, and was due in federal court
there August 16. The three co-defendants made appearances in a Manhattan
federal court August 15. Source: http://www.myfoxny.com/story/19289717/4-charged-in-2008-nyc-armored-car-heist
Information Technology Sector
37. August 16, Help Net Security – (International) NSS Labs exposes inadequate
AV products. NSS Labs testing showed 9 of 13 popular consumer antivirus
products failed to provide adequate protection against exploits targeting 2
recent critical Microsoft vulnerabilities. Only four vendors — Avast, Kaspersky,
McAfee and Trend Micro — successfully blocked all attacks delivered over both
HTTP and HTTPS. The research director at NSS Labs said, “These results clearly
demonstrate protection deficiencies for many vendors when their products are
configured with default ‘out-of-the-box’ settings, which are what is most
commonly employed in the consumer market.” “This test revealed that numerous
vendors that protected against an exploit over HTTP failed to protect against
the same exploit delivered via HTTPS,” the company’s chief research officer
said. “Vendors who did not perform well might want to reconsider their default
settings in this age of attacks against SSL and other protocols.” The research
director added, “Enterprises embracing the ‘bring your own device’ approach to
workplace technology need to be aware of the ramifications of the product
selection choices their users make, as they impact the organization’s security
posture and attack profile.” Source: http://www.net-security.org/malware_news.php?id=2224
38. August 15, Computerworld – (International) Google boosts bonuses for Chrome
bug bounty hunters. On August 14, Google boosted payments to researchers for
reporting bugs in Chrome, saying the move was prompted by a decline in
vulnerabilities submitted by outsiders. “Recently, we’ve seen a significant
drop-off in externally reported Chromium security issues,” a Chrome software
engineer said in an August 14 post to the Chromium Blog. “This signals to us
that bugs are becoming harder to find.” He outlined new bonuses Google will
award researchers who report certain kinds of flaws. All the bonuses start at
$1,000 but can climb from there. Google will add the bonuses to the base
payments — which range from $500 to $3,133 — for bugs that are “particularly
exploitable,” found in the more bug-free sections of Chrome’s code, and for
vulnerabilities that affect more than just the browser. Source: http://www.computerworld.com/s/article/9230309/Google_boosts_bonuses_for_Chrome_bug_bounty_hunters
39. August 15, Threatpost – (International) Serious vulnerabilities remain in
Reader after huge patch release, researchers say. Adobe patched a huge number
of flaws in its Reader software on Windows and Mac OS X August 14, many of which
were reported to the company by members of Google’s internal security team,
which set up a long-term fuzzing program to look for interesting crashes in the
embedded PDF viewer in the Chrome browser. However, the Google researchers said
there are still many serious vulnerabilities in the application running on
Windows and OS X that Adobe failed to patch. The researchers released limited
details on the bugs and some advice for users on how to mitigate the risks from
the vulnerabilities. Source: http://threatpost.com/en_us/blogs/serious-vulnerabilities-remain-reader-after-huge-patch-release-researchers-say-081512
40. August 15, Threatpost – (International) Bafruz backdoor disables antivirus,
intercepts communications with social media sites. A new family of malware is
using a complex set of capabilities to disable antimalware and listen in on
sessions between users and some social networks. Dubbed Bafruz, the malware is
essentially a backdoor trojan that is also creating a peer-to-peer network of
infected computers. August’s Microsoft Malicious Software Removal Tool release
will include the Win32/Bafruz family. Bafruz’s capabilities include the ability
to uninstall antivirus and security products, intercept communications with
social media sites such as Facebook and Vkontakte, install Bitcoin mining
software, and perform denial-of-service attacks. It also communicates with
other infected machines across a peer-to-peer protocol to download new
components onto host machines, according to the Microsoft Malware Protection
Center. Source: http://threatpost.com/en_us/blogs/bafruz-backdoor-disables-antivirus-intercepts-communications-social-media-sites-081512
41. August 15, Threatpost – (International) ICS-CERT warns of serious flaws in
Tridium Niagara software. DHS and the Industrial Control Systems Computer
Emergency Response Team warned users of some popular Tridium Niagara AX
industrial control system software about a series of major vulnerabilities in
the applications that are remotely exploitable and could be used to take over
vulnerable systems. The bugs, discovered by two researchers, are the latest in
a series of vulnerabilities found in the esoteric industrial control systems
software packages that control utilities and other critical systems. The string
of bugs reported by the two researchers includes a directory traversal issue
that gives an attacker the ability to access files that should be restricted.
They also discovered that the Niagara software stores user credentials in an
insecure manner. There are publicly available exploits for some of the
vulnerabilities. Tridium issued an alert about the problems and also published
a patch to address them. Source: http://threatpost.com/en_us/blogs/ics-cert-warns-serious-flaws-tridium-niagara-software-081512
For another story, see item 42 below in the Communications Sector
Communications Sector
42. August 15, IDG News Service – (National) AT&T hit by DDoS attack, suffers
DNS outage. A distributed denial-of-service attack aimed at AT&T’s DNS (Domain
Name System) servers disrupted data traffic for some of the company’s
customers. The multi-hour attack began early August 15 Pacific Standard Time.
“Due to a distributed denial of service attack attempting to flood our Domain
Name System servers in two locations, some AT&T business customers are
experiencing intermittent disruptions in service,” an AT&T spokesman told IDG
News Service by email. “Restoration efforts are underway and we apologize for
any inconvenience to our customers.” The attack appeared to have affected
enterprise customers using AT&T’s managed services DNS product. Source: http://www.pcworld.com/businesscenter/article/260940/atandt_hit_by_ddos_attack_suffers_dns_outage.html
43. August 15, McCook Daily Gazette – (Nebraska) Police report scam targeting
Verizon cell phone users. Scammers are calling Verizon Wireless subscribers in
the McCook, Nebraska area, according to local police, McCook Daily Gazette
reported August 15. According to reports, the caller indicates the company is
working on cell towers or subscriber services in the area, and there may be a
temporary interruption of their cellular service. For their inconvenience, the
caller says, the company is paying subscribers $50 for each hour they are
without service. The caller then gives a service or claim number and is
insistent that the subscriber write it down, as that is the only way to claim
their reimbursement. The caller then asks for verification through provision of
a password and the last four digits of one’s Social Security number. The caller
ID may show a 308 area code number.
Source: http://www.mccookgazette.com/story/1882136.html
For another story, see item 40 above in the Information Technology Sector