Friday, August 26, 2016



Complete DHS Report for August 26, 2016

Daily Report

Top Stories

• Crews worked August 23 to restore power to approximately 75,000 Harris County, Texas residents after a transformer faulted and caught fire at the CenterPoint Energy substation in northwest Harris County. – KTRK 13 Houston

1. August 24, KTRK 13 Houston – (Texas) Most power restored after CenterPoint substation fire. Crews worked to restore power to approximately 75,000 Harris County, Texas residents August 23 after a transformer faulted and caught fire at the CenterPoint Energy substation in northwest Harris County, prompting officials to issue a 3-hour shelter-in-place for nearby residents, evacuate Hamilton Middle School, and close the Lone Star College Cypress-Fairbanks location until August 24. Source: http://abc13.com/news/thousands-without-power-after-centerpoint-substation-fire/1482037/

• The Georgia Environmental Protection Division finished removing 500,000 gallons of contaminated water from an unnamed tributary of the Nickajack Creek in Smyrna, Georgia, August 22 after 2,300 gallons of cleaning fluid leaked into the creek from an Apollo Technologies facility August 13. – Atlanta Journal-Constitution

11. August 23, Atlanta Journal-Constitution – (Georgia) Cleanup of chemical spill in creek complete near Cobb homes. The Georgia Environmental Protection Division finished removing 500,000 gallons of contaminated water from an unnamed tributary of the Nickajack Creek in Smyrna, Georgia, August 22 after 2,300 gallons of carburetor cleaning fluid leaked into the creek from an Apollo Technologies facility August 13. Source: http://www.ajc.com/news/news/local/cleanup-chemical-spill-cobb-county-creek-coming-al/nsKyM/

• LeakedSource reported that over 25 million user records and private data were leaked from 3 Mail.ru forums, including the Cross Fire game, ParaPa Dance City game, and Ground War: Tank game forums, due to outdated vBulletin forum software. – Softpedia

22. August 24, Softpedia – (International) Mail.ru forums hack compromises over 25 million user accounts. LeakedSource reported that over 25 million user records from 3 Mail.ru forums, including the Cross Fire game, ParaPa Dance City game, and Ground War: Tank game forums, were leaked after outdated vBulletin forum software was compromised, giving hackers access to data including usernames, passwords, and emails, among other information. The Mail.Ru Group stated that the leaked passwords were no longer valid and were associated with forums of game projects the company previously acquired. Source: http://news.softpedia.com/news/mail-ru-forums-hack-compromises-over-25-million-user-accounts-507599.shtml

• The U.S. Bureau of Reclamation awarded American Hydro of York, Pennsylvania a $19 million contract August 11 to update pump generation units at the John W. Keys III Pump Generating Plant near Spokane, Washington. – U.S. Bureau of Reclamation

23. August 22, U.S. Bureau of Reclamation – (Idaho) Reclamation awards $19 million contract for pump-generating plant upgrades at Grand Coulee Dam. The U.S. Bureau of Reclamation announced August 22 it awarded American Hydro of York, Pennsylvania a $19 million contract August 11 to replace and update equipment for pump generation units 5 and 6 at the John W. Keys III Pump Generating Plant at the Grand Coulee Dam near Spokane, Washington, in order to provide greater efficiency, flood control, water delivery, and hydropower production at the facility. The updates are part of a 20-year modernization effort that is expected to be completed in January 2020.

Financial Services Sector

See item 19 below in the Information Technology Sector

Information Technology Sector

17. August 25, SecurityWeek – (International) Cisco updates ASA software to address NSA-linked exploit. Cisco began releasing updates for its Adaptive Security Appliance (ASA) software resolving a remote code execution flaw leveraged by a zero-day exploit, dubbed EXTRABACON, which affects the Simple Network Management Protocol (SNMP) code of the ASA software and can be exploited by a remote hacker to cause a system crash or execute arbitrary code. Cisco advised users to update their installations to version 9.1.7(9) or later. Source: http://www.securityweek.com/cisco-updates-asa-software-address-nsa-linked-exploit

18. August 25, SecurityWeek – (International) Attackers can target enterprises via GroupWise collaboration tool. Micro Focus released patches resolving critical vulnerabilities in its GroupWise collaboration tool, including two reflected cross-site scripting (XSS) flaws that can be abused to execute arbitrary JavaScript and hijack an admin’s session, a persistent XSS vulnerability affecting the GroupWise WebAccess message viewer that can be exploited by embedding malicious code in an email and getting the victim to interact with the message, and a heap-based buffer overflow flaw affecting the GroupWise Post Office Agent and GroupWise WebAccess that could be used to achieve remote code execution, among other vulnerabilities. Micro Focus advised users to update their installations to GroupWise 2014 R2 SP1 HP1 or later. Source: http://www.securityweek.com/attackers-can-target-enterprises-groupwise-collaboration-tool

19. August 24, SecurityWeek – (International) Android botnet uses Twitter for receiving commands. Researchers from ESET reported a new Android backdoor, dubbed Android/Twitoor, which impersonates an MMS program or adult content player application and, once launched, uses a defined Twitter account to receive commands that either instruct the backdoor to download malicious applications, including mobile banking malware, onto the infected device or to switch to a different command and control (C&C) Twitter account. Researchers also found that the Twitoor botnet’s transmitted messages are encrypted and that it uses new communication channels, such as social networks, in order to remain undetected and be more difficult to block.

20. August 24, SecurityWeek – (International) Flaws allow attackers to hijack VMware vRA appliances. VMware addressed vulnerabilities affecting its vRealize Automation (vRA) appliances, including a flaw in the vRA 7.0.x appliance reachable via port 40002 that can be abused for remote code execution and allow an attacker to gain access to a low-privileged account on the affected device, and a second flaw in vRA 7.0.x and VMware Identity Manager 2.x that can be exploited by a hacker with access to a low-privileged account to obtain root privileges. VMware reported attackers could combine the vulnerabilities to compromise and take control of a vRA appliance and urged users to update vRA to version 7.1.

For another story, see item 22 above in Top Stories

Communications Sector

Nothing to report

Thursday, August 25, 2016



Complete DHS Report for August 25, 2016

Daily Report

Top Stories

• Ford Motor Company issued a recall August 24 for 77,502 of its model years 2013 – 2015 vehicles in select makes due to faulty fuel pump control modules, which may fail and cause the engine to stall while the vehicle is in motion. – TheCarConnection.com

2. August 24, TheCarConnection.com – (National) Recalls: 2017 Ford Escape; 2013-15 Ford Flex, Taurus, Lincoln MKS, MKT; 2015-16 Ford Transit. Ford Motor Company issued a recall August 24 for 77,502 of its model years 2013 – 2015 vehicles in select makes sold in the U.S. due to a faulty fuel pump control module which may fail and cause the engine to stall or shut off while the vehicle is in motion, thereby increasing the risk of an accident. Ford also issued a recall for 17,985 of its model year 2017 Ford Escape vehicles sold in the U.S. due to faulty software that can cause the power windows to close with excessive force, thereby increasing the risk of injury. Source:

• Four private equity fund advisers affiliated with Apollo Global Management, LLC agreed August 23 to pay $52.7 million to settle charges that the advisers misled investors and failed to monitor a senior partner who charged personal expenses to Apollo-advised funds. – U.S. Securities and Exchange Commission See item 3 below in the Financial Services Sector

• Four people were arrested in Murfreesboro, Tennessee, August 17 when police discovered 83 magnetic strips in the suspects’ vehicle. – WGNS 1450 AM Murfreesboro See item 4 below in the Financial Services Sector

• Researchers warned that the Navis WebAccess component of the Navis maritime transportation logistics software suite was plagued by a zero-day structured query language (SQL) injection flaw after U.S. ports suffered cyber-attacks. – Softpedia

7. August 23, Softpedia – (International) US ports targeted with zero-day SQL injection flaw. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned that the Navis WebAccess component of the Navis maritime transportation logistics software suite was plagued by a zero-day structured query language (SQL) injection flaw after U.S. ports reported a series of attacks that targeted the publicly available news pages of the Navis application; the injection was delivered as part of the Uniform Resource Locator (URL) string and was made possible by a flaw in the application’s error reporting system. Navis released a patch for the flaw and ICS-CERT stated all five U.S. companies using the application have applied the necessary patches. Source: http://news.softpedia.com/news/us-ports-targeted-with-zero-day-sql-injection-flaw-507566.shtml

Financial Services Sector

3. August 23, U.S. Securities and Exchange Commission – (National) Apollo charged with disclosure and supervisory failures. The U.S. Securities and Exchange Commission announced August 23 that 4 private equity fund advisers affiliated with Apollo Global Management, LLC agreed to pay a $52.7 million settlement to resolve claims that the Apollo advisers failed to adequately inform investors about accelerated monitoring fees and benefits the advisers received, failed to disclose information regarding interest payments made on a loan between an adviser’s affiliated general partner and 5 funds, and failed to monitor a senior partner who charged personal expenses to Apollo-advised funds and their portfolio companies. Source: https://www.sec.gov/news/pressrelease/2016-165.html

4. August 23, WGNS 1450 AM Murfreesboro – (Tennessee) Four arrested in fraudulent credit card case in Murfreesboro. Four people were arrested in Murfreesboro, Tennessee, August 17 when police discovered 83 magnetic strips in the suspects’ vehicle after the group allegedly used re-encoded credit cards at an area Walmart store to make multiple fraudulent purchases. Source: http://wgnsradio.com/four-arrested-in-fraudulent-credit-card-case-in-murfreesboro--cms-34556

Information Technology Sector

17. August 24, Help Net Security – (International) Leaked EXTRABACON exploit can work on newer Cisco ASA firewalls. Researchers from SilentSignal discovered that the EXTRABACON exploit leaked by ShadowBrokers, which targets the zero-day buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code of the Cisco Adaptive Security Appliance (ASA), Private Internet eXchange (PIX), and Firewall Services Module versions 8.4.(4) and earlier, can also be modified to compromise ASA version 9.2.(4). Cisco researchers are working to develop a definitive fix for the vulnerability. Source: https://www.helpnetsecurity.com/2016/08/24/extrabacon-newer-cisco-asa/

18. August 23, Softpedia – (International) Two free decrypters available for WildFire ransomware. Kaspersky and Intel McAfee released two decrypters that can unlock files encrypted by WildFire ransomware infections; both are available for download from the NoMoreRansom Website. Researchers stated that since July 23, WildFire infected 5,309 devices and earned 136 Bitcoin, or $79,000, from users paying the ransom. Source: http://news.softpedia.com/news/two-free-decrypters-available-for-wildfire-ransomware-507572.shtml

19. August 23, Softpedia – (International) Face authentication systems can be bypassed using a VR headset & Facebook photos. Researchers from the University of North Carolina at Chapel Hill reported hackers could bypass face authentication systems on the 1U App, BioID, KeyLemon, Mobius, and True Key after finding that if an attacker passes a high-resolution photo through three-dimensional (3D) modeling software and then displays the resulting 3D head on a virtual reality (VR) device, a machine running the facial recognition software will authenticate the attacker. Researchers found that with lower-quality photos, such as social media photos, the authentication rate was lower. Source: http://news.softpedia.com/news/face-authentication-systems-can-be-bypassed-using-a-vr-headset-facebook-photos-507568.shtml

For additional stories, see item 7 above in Top Stories and item 21 below in the Communications Sector

Communications Sector

20. August 24, Help Net Security – (International) Cybercriminals select insiders to attack telecom providers. Kaspersky Lab and B2B International researchers reported that 28 percent of all cyber-attacks involve malicious activity by insiders, after finding that cybercriminals were using insiders to gain access to telecommunications networks and subscriber data. Employees were recruited through underground message boards or coerced through blackmail into distributing spear-phishing campaigns on behalf of the attacker, handing over corporate credentials, or providing information on the company’s internal systems in order to hack a targeted telecommunications firm.

21. August 24, Softpedia – (International) Critical flaws let attackers hijack cellular phone towers. Security researchers from Zimperium discovered three critical flaws affecting software packages from Legba Incorporated, Range Networks, and OsmoCom, among other vendors, running on Base Transceiver Station (BTS) stations. One flaw in a core BTS software service exposes the device to external connections, which could allow an attacker to reach the BTS station’s transceiver and take remote control of the BTS station, extract information from the passing data, alter Global System for Mobile Communications (GSM) traffic, or crash the station. Researchers also discovered a memory buffer overflow bug that could allow an attacker to run malicious code on the device, and an issue that allows an attacker to remotely execute commands on the station’s transceiver module without administrative credentials. Source: http://news.softpedia.com/news/critical-flaws-let-attackers-hijack-cellular-phone-towers-507579.shtml