New Phishing Campaign Discovered.

A CIS Cyber Alert (see below) has been published detailing a phishing campaign that uses a weaponized PDF document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). The campaign attempts to entice users to open the attached file by referring to an “Unpaid invoic” (sic).

The campaign distributes the Dyre banking Trojan, which is designed to steal banking credentials.

Recommendations:

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from unknown or untrusted sources.
  • Limit user account privileges to only those required.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Keep all operating systems, applications and essential software up to date to mitigate potential exploitation by attackers.
  • Ensure that systems are hardened according to industry-accepted guidelines.
  • Make sure all antivirus products are up to date with their signatures.
  • Implement filters at your email gateway to block emails with the subject line “Unpaid invoic”. [Note the typo]

REFERENCES:

PhishLabs:

http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729

New SSLv3 Vulnerability

Also known as “Poodle”, this vulnerability could allow an attacker to steal web site login information or payment data.

“A vulnerability exists within the SSL version 3.0 protocol… allowing an attacker to hijack and decrypt session cookies that are utilized between a user’s web browser and the web site. This could lead to attackers obtaining enough information to temporarily impersonate web site visitor account logins and/or online payment systems.”

REFERENCES:

Google:

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

WIRED:

http://www.wired.com/2014/10/poodle-explained/

SANS:

https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

Multiple Vulnerabilities Released Today.

Several important vulnerabilities in Microsoft products, including Windows, Office, .NET and Internet Explorer, were released today along with patch information, together with Adobe and Oracle advisories. They are:

  • Vulnerabilities in .NET Framework Could Allow Remote Code Execution (MS14-057)
  • Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (MS14-058)
  • Vulnerability in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (MS14-061)
  • Cumulative Security Update for Internet Explorer (MS14-056)
  • Vulnerability in OLE Could Allow Remote Code Execution (MS14-060)
  • Multiple vulnerabilities found in Adobe Flash Player and Adobe AIR could allow an attacker to execute code remotely (APSB14-22)
  • Critical Oracle Patches (http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html)

These security advisories affect many users (students, staff and faculty), so it is important to update your instances of the software mentioned.

“BadUSB” Exploit

A new exploit called BadUSB has appeared on the internet and poses a security threat based on USB devices. Instructions and applications for creating infected USB devices are available online. The exploit installs itself into the USB device's firmware, where it runs automatically when the device is plugged into a computer. The firmware is the set of “instructions” the USB device uses to start up and present itself to your computer. Current anti-malware software does not inspect this area of a device and cannot protect against the exploit directly; it may, however, recognize the malicious activity once it starts and protect the computer and its data, so keep your anti-malware up to date.

Since this exploit requires a user to insert a USB device that has been prepared for it, be careful of free USB drives, USB drives you find, and USB devices from unknown or suspicious sources, and always lock your computer when you leave your desk.

Additional information on BadUSB can be found at http://mashable.com/2014/10/03/how-can-you-avoid-badusb/ or https://srlabs.de/badusb/

Shellshock – Bash Vulnerability

A serious bug in Bash was discovered last week. According to multiple sources this bug has been in Bash since 1992. Shellshock allows an attacker to execute arbitrary code in Bash by setting specially crafted environment variables. Two CVE numbers have been assigned: CVE-2014-6271 and CVE-2014-7169.

If you aren’t a Linux user you may not be familiar with Bash. Bash is a command shell used to issue commands to the computer via a text terminal. It is the default shell on Linux and Mac OS X computers.

How does this affect me?

  • If you are a Mac user, your machine is vulnerable to this bug. Apple has released a patch HERE.
  • More than half of all web servers are Linux or Unix based. This means that an attacker could take over a vulnerable web site and use it to infect the machines of users who visit the site.

Mac users: make sure that your version of Mac OSX has been patched.

Linux users: you will need to update Bash on your machine. The links below are for some of the more common distributions:

Red Hat

Ubuntu

NOTE: at this time iOS and Android are not considered vulnerable unless they have been jailbroken and have had Bash installed on them. Many terminal apps for both iOS and Android are based on Bash.
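The web-server exposure mentioned above arises because a CGI-enabled server copies HTTP request headers into environment variables before running a script, which is exactly where the Bash flaw is triggered. The following is an added example, not part of the original alert: a small detector that scans combined-format web server log lines for the bash function-definition marker that every Shellshock probe must carry. The log format, field names and sample lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
# A CGI web server copies request headers into environment variables
# (HTTP_USER_AGENT, HTTP_REFERER, ...) before starting the handler, which is
# how a remote client could reach the bash environment-variable flaw.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock payloads begin with a bash function definition, "() {";
# the whitespace between the tokens is optional, hence \s*.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Header-derived fields that a CGI server exports to the environment.
HEADER_FIELDS = ("ua", "referer", "req")

def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True if any header-derived field carries the function-definition marker."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in HEADER_FIELDS)

def find_shellshock_probes(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries whose headers look like Shellshock probes."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is not None and is_shellshock_probe(entry):
            hits.append(entry)
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real
# traffic). The probes carry only the harmless canonical test string.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo shellshock-test"',
    '198.51.100.4 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) {}"',
    '192.0.2.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '500 0 "(){ :;}; echo shellshock-test" "curl/7.37.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} probed {hit["req"]} (status {hit["status"]})')
```

The second sample line contains both parentheses and braces but no `() {` sequence, so it is correctly left alone; a patched server still logs the probes, which is why this check belongs in log review even after updating Bash.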

More information can be found at the links below:

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/