Wednesday, April 20, 2011

Complete DHS Daily Report for April 20, 2011

Daily Report

Top Stories

• According to the Knoxville News Sentinel, a highly sophisticated cyber attack — known as Advanced Persistent Threat — forced Oak Ridge National Laboratory in Tennessee to shut down all Internet access and e-mail systems from April 15 to 17. (See item 28)

28. April 19, Knoxville News Sentinel – (Tennessee) Lab halts Web access after cyber attack. A highly sophisticated cyber attack of the kind known as an Advanced Persistent Threat (APT) forced Oak Ridge National Laboratory (ORNL) in Tennessee to shut down all Internet access and e-mail systems from April 15 to 17. Those restrictions will remain in place until lab officials and others investigating the attack are sure the situation is well controlled and manageable, the ORNL director said April 19. He expects e-mail functions to be restored April 19 on a limited basis, with no attachments allowed and restrictions on length. “We made the decision (at about midnight April 15) to close down the connection to the Internet to make sure there was no data exfiltrated from the lab while we got the system cleaned up,” he said. The lab’s cyber specialists were monitoring the attack and recommended further action after it looked like efforts were under way to remove data from ORNL systems. The director said the APT threat at ORNL is similar to recent attacks on Google, RSA, and other corporations and government institutions. “In this case, it was initiated with phishing e-mail, which led to the download of some software that took advantage of a ‘zero day exploit,’ a vulnerability for which there is no patch yet issued,” he said. The vulnerability involved Internet Explorer. The lab has not yet detected any large-scale exfiltration of data. ORNL has solicited help from throughout government, including other Department of Energy labs. Outside experts arrived in Oak Ridge to participate in the investigation, he said. Some computers were confiscated and quarantined. He also confirmed that the phishing e-mail messages in this case were disguised as coming from the lab’s human resources department. Source: http://www.knoxnews.com/news/2011/apr/19/lab-halts-web-access-after-cyber-attack/

• The Associated Press reports firefighters around Possum Kingdom Reservoir, Coke County, and the Trans-Pecos of West Texas were struggling in the state’s dry conditions to fight fires April 19. Hundreds of homes and weekend retreats around Possum Kingdom were in the path of the fires. (See item 45)

45. April 19, Associated Press – (Texas) West Texas struggles against wildfires as dry, blustery weather fans the flames. Firefighters around Possum Kingdom Reservoir, Coke County, and the Trans-Pecos of West Texas are struggling in the state’s dry conditions to fight fires, Associated Press reported April 19. Hundreds of homes and weekend retreats around Possum Kingdom, a North Texas lake on the Brazos River, are in the path of the fires, with three fires expected to combine into one massive blaze. Meanwhile, fire crews worked to keep the Coke County fire north of San Angelo and other blazes in the rugged Trans-Pecos away from populated areas. One of the driest spells in Texas history has left most of the state in extreme drought, and wildfires in various parts of the state have burned more than 1,000 square miles of land in the past week — an area that combined would be the size of Rhode Island. A trooper with the Texas Department of Public Safety said heat from the flames of fires near Possum Kingdom Reservoir on the Brazos River grew so intense April 18 that cinders were sent high into the atmosphere. There, they became icy and fell to the ground in a process called “ice-capping,” he said. The fires drove residents from their homes along the shore of the North Texas lake, with at least 18 homes and 2 churches burned. The flames reached a storage building containing fireworks on the reservoir’s western shore. Two people who apparently wanted to see the fires from the air died when their single-engine biplane crashed near San Angelo, a Federal Aviation Administration spokesman said April 18. Source: http://www.washingtonpost.com/national/west-texas-struggles-against-wildfires-as-dry-blustery-weather-fans-the-flames/2011/04/19/AF3evA3D_story.html

Details

Banking and Finance Sector

8. April 19, Richmond Times-Dispatch – (National) Richmond financial adviser accused of Ponzi scheme. The Securities and Exchange Commission said April 18 that it filed civil charges against a Richmond, Virginia financial adviser, charging him with orchestrating a $7.7 million Ponzi scheme. The complaint alleges that the 66-year-old president and chief executive officer of Chesterfield County-based AIC Inc., directly and through three stockbrokers and an investment adviser fraudulently sold $7.7 million in AIC promissory notes and stocks to more than 74 investors in at least 14 states. Also named in the complaint are Community Bankers Securities LLC, an AIC subsidiary, Advent Securities Inc., CBS Advisors LLC, Allied Beacon Partners Inc, also known as Waterford Investor Services Inc., and two associated stockbrokers from Colorado and Florida. The three conspirators allegedly sold the investments to elderly and unsophisticated investors who lost significant portions of their savings, including retirement funds they relied on for financial security, according to the charges. New investor money was used to pay back existing investors’ principal, interest and dividends, reflecting the workings of a Ponzi scheme, according to the charges. From January 2006 through November 2009, about $2.5 million of new investor money was distributed to early investors, according to the SEC. The president and CEO used investor money to pay himself $952,258 in salary, advances, loans, interest, and dividends, the filing says. About $3.6 million was used to keep the subsidiary broker-dealers solvent. AIC promised to pay interest and dividends ranging from 9 percent to 12.5 percent on the promissory notes and preferred stock, knowing that it did not have the ability to pay those returns, according to the complaint. AIC and its subsidiaries were never profitable, the SEC said. The scheme collapsed in December 2009. 
Source: http://www2.timesdispatch.com/business/2011/apr/19/TDBIZ01-richmond-financial-adviser-accused-of-ponz-ar-981382/

9. April 18, Minnesota Star Tribune – (National) Two plead guilty in separate mortgage fraud schemes. A 49-year-old Champlin, Minnesota, woman admitted April 15 to participating in a mortgage fraud scheme involving at least 200 properties, principally in north Minneapolis, and mortgage proceeds of about $35 million. She pleaded guilty to conspiracy to commit mail and wire fraud. In her plea agreement, she admitted that from 2004 through 2007 she prepared false loan applications to help “investors” qualify for the loans by showing inflated incomes. The scheme’s masterminds were sent to prison in 2009, one for 8 years and the other for 7. Through their company, TJ Waconia, the two made north Minneapolis the epicenter of foreclosures in the state and gained $14 million in the resale of houses, prosecutors said. The scheme was revealed when neighborhood group staff members in the Folwell and Webber-Camden areas detected mass foreclosures that left blocks lined with vacant and deteriorating houses. In another federal fraud case, a 39-year-old contractor from Ham Lake pleaded guilty April 18 to participating in a mortgage fraud scheme that involved seven fraudulent transactions with the two owners of Invescorp. The man pleaded guilty to one count of conspiracy to commit wire fraud. Source: http://www.startribune.com/local/minneapolis/120058509.html

10. April 18, Agence France-Presse – (International) S. Korea bank probed over ‘cyber-attack’ shutdown. Regulators launched an inquiry April 18 into South Korea’s largest banking network after a suspected cyber-attack left many customers unable to access their money for 3 days. A system crash that started April 12 left customers of the National Agricultural Cooperative Federation, or Nonghyup, unable to withdraw or transfer money, use credit cards, or take out loans. Nonghyup, which has about 5,000 branches, said it suspected the problem was caused by cyber-attackers, who entered commands to destroy computer servers and wipe out some transaction histories. “The latest incident was conducted internally... the meticulously designed commands entered through a laptop computer owned by a subcontractor company were carried out to simultaneously destroy the entire server system,” a Nonghyup official said. He said the suspected attack might have been staged by an “experienced” expert to cripple the entire network at the bank, which is the country’s largest in terms of branches. The bank’s services were partially restored after 3 days, but some — including an advance cash service — were still unavailable April 18. Around 310,000 customers have filed complaints and nearly 1,000 have called for compensation. The outage also temporarily deleted records of some of Nonghyup’s 5.4 million credit card customers, leaving the firm unable to bill customers or settle payments to retailers. State prosecutors have launched a probe to determine whether hackers attacked the bank’s system. The Financial Supervisory Service and central bank officials visited Nonghyup’s Seoul headquarters April 18 to investigate whether it had followed computer security rules. Nonghyup pledged full compensation for any damages to customers and stressed there was no leak of personal data. 
Source: http://www.google.com/hostednews/afp/article/ALeqM5gQsy2m31yHNentc1-hbpe2_fAa6Q?docId=CNG.72521c25a3f2aab3157b95f0fb41093d.181

Information Technology

36. April 19, Help Net Security – (International) Bredolab variant delivered by fake Facebook warning. A new Facebook scam deposits a message into users’ inboxes claiming that their Facebook account has been spotted sending out spam and that their password has been changed to prevent it from doing so. Supposedly, the new password is contained in the attached .zip file, but this is a ruse to make users open and run the file, which infects their computers with a variant of Bredolab. Source: http://www.net-security.org/malware_news.php?id=1699

37. April 19, Help Net Security – (International) Software industry risks and SQL injection trends. Given the trend toward targeted cyber attacks and the continued exploitation of common vulnerabilities such as SQL injection, the core software infrastructure of several critical industries remains highly vulnerable. Veracode found that security vendors, the very companies tasked with protecting enterprises, are often the most at risk because of the poor quality of their own software applications. In fact, 72 percent of the security products and services applications analyzed in the report failed to meet acceptable levels of security quality. In its most recent State of Software Security report, Veracode analyzed 4,835 applications that were submitted to its cloud-based application security testing platform for independent security verification. That number is nearly double the figure in the previous report (September 2010) and represents applications analyzed over the past 18 months. Despite many new findings, one data point is constant: software remains fundamentally flawed. In fact, 58 percent of all software applications across supplier types continued to fail to meet acceptable levels of security quality upon initial submission to Veracode’s service. Source: http://www.net-security.org/secworld.php?id=10921

38. April 18, The Register – (International) Whitehats pierce giant hole in Microsoft security shield. Late last December, Microsoft researchers responding to publicly posted attack code that exploited a vulnerability in the FTP service of IIS told users it was a minimal threat because the worst it probably could do was crash the application. In part because of security mitigations added to recent operating systems, attackers targeting the heap-overrun flaw had no way to control the data that got overwritten in memory, according to IIS’s Security Program Manager. However, white-hat hackers from security firm Accuvant Labs demonstrated they had no trouble accessing parts of memory on the targeted machine that the protection, known as heap exploitation mitigation, should have made off limits. With that hurdle cleared, they showed the IIS zero-day bug was much more serious than Microsoft’s initial analysis had let on. Heap-exploitation mitigation made its Microsoft debut in Service Pack 2 of Windows XP and has since been refined in later OSes. It works by detecting heap metadata that has been corrupted by a heap overflow and then terminating the underlying process before the corrupted data can be used. An entire class of vulnerabilities that once allowed attackers to take full control of the targeted operating system was thereby largely neutralized: running on the newer operating systems, the same exploits could do nothing more than crash the buggy application. The Accuvant Labs researchers were able to bypass the mitigation because Microsoft’s reworked heap design also included a new feature known as the low fragmentation heap (LFH), which aims to improve speed and performance by providing a new way to point applications to free locations of memory. For reasons that remain unclear, the new feature did not make use of the heap-exploitation mitigations. The LFH is not turned on by default; a heap switches to it only after the process has made enough allocations of the same size, so it often takes a lot of work for an attacker to enable it. In the case of December’s IIS vulnerability, they turned it on by invoking several FTP commands in a particular way. With that out of the way, they had no trouble controlling the memory locations on the targeted machine. Source: http://www.theregister.co.uk/2011/04/18/windows_heap_exploit_shield_pierced/
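As an added illustration, not code from The Register, Accuvant Labs or Microsoft, the toy allocator below models the two behaviours the article contrasts: a free path that validates a per-chunk cookie before trusting the header (and in a real heap would terminate the process on a mismatch), and a second path that skips the check, as the article says the LFH did. The arena layout, the three-byte header, the cookie formula and every function name here are assumptions for the sake of the demonstration; this is not the Windows heap and does not reproduce the IIS FTP bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Per-chunk header stored immediately before the caller's bytes.
 * Layout and cookie scheme are assumptions for this toy, not Windows'. */
struct chunk_hdr {
    uint8_t size;    /* number of user bytes that follow */
    uint8_t in_use;
    uint8_t cookie;  /* integrity byte verified by the checked free path */
};

enum free_result { FREE_OK = 0, FREE_CORRUPTED = 1 };

static uint8_t arena[ARENA_SIZE];
static size_t arena_top;                    /* bump pointer into arena */
static const uint8_t heap_secret = 0x5A;    /* assumed per-heap secret */

/* Cookie mixes the header's address with the secret, so an overflow
 * that blindly sprays bytes over the header is unlikely to reproduce it. */
static uint8_t make_cookie(const struct chunk_hdr *h) {
    return (uint8_t)(((uintptr_t)h & 0xFF) ^ heap_secret);
}

static void heap_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Chunks are carved sequentially, so overrunning one chunk's data lands
 * in the header of the chunk allocated right after it. */
static void *heap_alloc(uint8_t size) {
    size_t need = sizeof(struct chunk_hdr) + size;
    if (arena_top + need > ARENA_SIZE) return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)(arena + arena_top);
    h->size = size;
    h->in_use = 1;
    h->cookie = make_cookie(h);
    arena_top += need;
    return (void *)(h + 1);
}

static struct chunk_hdr *hdr_of(void *p) {
    return (struct chunk_hdr *)p - 1;
}

/* Mitigated path: validate the header before trusting any field in it.
 * A real heap would terminate the process here; this returns a code so
 * the outcome can be checked. */
static enum free_result heap_free_checked(void *p) {
    struct chunk_hdr *h = hdr_of(p);
    if (h->in_use != 1 || h->cookie != make_cookie(h))
        return FREE_CORRUPTED;
    h->in_use = 0;
    return FREE_OK;
}

/* Unchecked path: trusts the header as-is, modelling a fast allocator
 * path that was added without the integrity check. */
static enum free_result heap_free_unchecked(void *p) {
    hdr_of(p)->in_use = 0;
    return FREE_OK;
}

/* Constructed bug: write 'extra' bytes past the end of chunk a's data. */
static void overrun(void *a, size_t extra, uint8_t fill) {
    memset(a, fill, hdr_of(a)->size + extra);
}

/* Allocate two adjacent chunks and overflow the first into the second's
 * header. Returns the victim chunk b. */
static void *setup_overrun(void) {
    heap_reset();
    void *a = heap_alloc(16);
    void *b = heap_alloc(16);
    overrun(a, sizeof(struct chunk_hdr), 0x41);  /* "AAA" over b's header */
    return b;
}

/* Free the victim chunk through the chosen path and report the outcome. */
enum free_result scenario(int checked) {
    void *b = setup_overrun();
    return checked ? heap_free_checked(b) : heap_free_unchecked(b);
}

/* Size field the unchecked path would trust after the overrun. */
unsigned corrupted_size_seen(void) {
    return hdr_of(setup_overrun())->size;   /* 0x41: attacker-chosen */
}

int main(void) {
    printf("checked free:   %s\n", scenario(1) == FREE_CORRUPTED
           ? "header corruption detected, process would be terminated"
           : "passed");
    printf("unchecked free: %s; header size now 0x%x\n",
           scenario(0) == FREE_OK ? "no check, corrupted header trusted" : "?",
           corrupted_size_seen());
    return 0;
}
```

Both paths see the same overrun; only the checked one stops before acting on the 0x41 bytes that the overflow planted in the neighbouring header. In a real heap the attacker-controlled header fields are what turn a crash into a write primitive, which is why a fast path that trusts them unchecked undoes the mitigation regardless of how carefully the slow path validates.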

39. April 18, Softpedia – (International) Backdoor distributed as Facebook Messenger application. New rogue e-mails posing as official Facebook communications lead users to a Web site distributing a backdoor as an application called Facebook Messenger. The e-mails bear a subject of “[user] listed you as his uncle” and reuse the template of genuine Facebook notifications. The message body informs recipients of several pending actions, including a friendship request, and includes a www(dot)facebook.com link that actually points to a third-party Web site. The rogue page advertises a program called Facebook Messenger, which according to its description is supposed to be an “app for quick access to messages from your Facebook account.” The screenshots presented on the page are taken from an Android phone, but the file served for download is an executable called FacebookMessengerSetup.exe, not an .apk Android package. According to researchers from Trend Micro, the file is an installer for BKDR_QUEJOB.EVL, a backdoor that listens on TCP port 1098 for commands. The backdoor allows attackers to update the malicious file, download and run other malware, and launch certain processes. Information about the infected system, such as installed antivirus products and OS version, is gathered and sent to an SMTP server. Source: http://news.softpedia.com/news/Backdoor-Distributed-as-Facebook-Messenger-Application-195582.shtml
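As an added illustration, not code from Softpedia or Trend Micro, the C scanner below flags the lure pattern the item describes: an anchor whose visible text reads www.facebook.com while its href points at a different host. The e-mail snippet embedded in it is constructed for the example; the download.example.net host, the function names and the sub-domain matching rule are assumptions, not details of the real campaign.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample modelled on the lure described above. The hosts
 * other than facebook.com are placeholders, not the campaign's real ones. */
static const char sample_email_html[] =
    "<p>Someone listed you as his uncle.</p>"
    "<p>You have 1 friend request and 3 notifications pending.</p>"
    "<p><a href=\"http://download.example.net/FacebookMessengerSetup.exe\">"
    "www.facebook.com</a></p>"
    "<p><a href=\"https://www.facebook.com/help\">Help Center</a></p>"
    "<p><a href=\"https://www.facebook.com/notifications\">facebook.com</a></p>";

/* Lower-case copy of at most n bytes of s into out. */
static void lower_copy(const char *s, size_t n, char *out, size_t outsz) {
    size_t i;
    for (i = 0; i < n && i + 1 < outsz; i++)
        out[i] = (char)tolower((unsigned char)s[i]);
    out[i] = '\0';
}

/* Extract the host from a URL or bare host name occupying s[0..n):
 * trims leading whitespace, skips an optional "scheme://", and stops at
 * the first '/', ':', '?', '#' or whitespace. */
static void url_host(const char *s, size_t n, char *out, size_t outsz) {
    const char *end = s + n;
    while (s < end && isspace((unsigned char)*s)) s++;
    const char *p = s;
    for (const char *q = s; q + 2 < end; q++) {
        if (q[0] == ':' && q[1] == '/' && q[2] == '/') { p = q + 3; break; }
        if (!isalnum((unsigned char)*q) && *q != '+' && *q != '-' && *q != '.') break;
    }
    const char *h = p;
    while (h < end && *h != '/' && *h != ':' && *h != '?' && *h != '#' &&
           !isspace((unsigned char)*h))
        h++;
    lower_copy(p, (size_t)(h - p), out, outsz);
}

/* True when s ends with "." followed by suffix (s is a sub-domain of suffix). */
static int ends_with_label(const char *s, const char *suffix) {
    size_t ls = strlen(s), lf = strlen(suffix);
    return ls > lf && s[ls - lf - 1] == '.' && strcmp(s + ls - lf, suffix) == 0;
}

/* Same site if the hosts match exactly or one is a sub-domain of the other;
 * a production filter would compare registrable domains instead. */
static int same_site(const char *a, const char *b) {
    return strcmp(a, b) == 0 || ends_with_label(a, b) || ends_with_label(b, a);
}

/* Count <a href="..."> elements whose visible text looks like a host name
 * (contains a dot) but names a different site than the href points to.
 * Deliberately simple: double-quoted href attributes only, no HTML parser. */
int count_mismatched_links(const char *html) {
    int mismatches = 0;
    const char *p = html;
    while ((p = strstr(p, "<a ")) != NULL) {
        const char *tag_end = strchr(p, '>');
        if (!tag_end) break;
        const char *href = strstr(p, "href=\"");
        if (!href || href > tag_end) { p = tag_end + 1; continue; }
        href += 6;
        const char *href_end = strchr(href, '"');
        if (!href_end || href_end > tag_end) { p = tag_end + 1; continue; }
        const char *text = tag_end + 1;
        const char *text_end = strstr(text, "</a>");
        if (!text_end) break;

        char href_host[128], text_host[128];
        url_host(href, (size_t)(href_end - href), href_host, sizeof href_host);
        url_host(text, (size_t)(text_end - text), text_host, sizeof text_host);
        if (strchr(text_host, '.') != NULL && !same_site(href_host, text_host))
            mismatches++;
        p = text_end + 4;
    }
    return mismatches;
}

int main(void) {
    printf("suspicious links in sample: %d\n",
           count_mismatched_links(sample_email_html));
    return 0;
}
```

Only the first anchor is reported: its text names facebook.com but the download lands on another host, which is exactly the property a recipient cannot see without hovering. The help link is ignored because "Help Center" is not a host name, and the third anchor is accepted because www.facebook.com is a sub-domain of the displayed facebook.com; a filter that compared hosts byte-for-byte would flag that legitimate case as well.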

40. April 16, Softpedia – (International) Microsoft patch disables TDL4 rootkit on 64-Bit Windows. Modifications made as part of a Windows update released by Microsoft the week of April 10 effectively kill the TDL4 rootkit on 64-bit Windows Vista and 7. Since 64-bit Windows only loads digitally signed kernel-mode drivers, very few rootkits manage to infect such systems. One of them is TDL4, the latest version from the TDSS family of rootkits. It installs itself in the master boot record, making it possible to modify the operating system from the first moment it starts. On 64-bit systems, it leverages a boot configuration data (BCD) option called BcdOSLoaderBoolean_WinPEMode to disable the code integrity checks in the OS. Microsoft released KB2506014 April 12, an update which according to the corresponding advisory “addresses a method by which unsigned drivers could be loaded by winload.exe.” Security researchers from ESET note that this update removes the BcdOSLoaderBoolean_WinPEMode option abused by the TDL4 rootkit. In addition, the update intentionally modifies the size of a file called kdcom.dll by adding a KdReserved0 exported symbol. Under normal circumstances TDL4 checks the size of this file’s export directory and replaces the file with its own malicious version. According to the ESET researchers the change made to kdcom.dll serves no other purpose than to prevent the rootkit from replacing it. They also point out that users of 32-bit Windows will not benefit from this update unless they install it manually, because TDL4 disables the Windows Update service on such systems. Source: http://news.softpedia.com/news/Microsoft-Patch-Disables-TDL4-Rootkit-on-64-Bit-Windows-195418.shtml

Communications Sector

Nothing to report