Friday, August 17, 2012 

Daily Report

Top Stories

 • Researchers identified a trojan targeting the defense, aerospace, chemical, and technology industries that spreads via email that contains a malicious file. – Threatpost

6. August 16, Threatpost – (International) Email trojan targeting defense, aerospace and other industries. What appears to be a targeted attack campaign against several high-value industries is using a trojan that employs rigged PDFs to deliver its payload. Targeting organizations in the defense, chemical, technology, and aerospace industries, the MyAgent trojan is primarily spreading through email as a zipped .exe file or PDF attachment, according to researchers at the FireEye Malware Intelligence Lab. FireEye examined a sample of MyAgent that, once executed, opens a PDF file titled “Health Insurance and Welfare Policy” and then drops a second executable, titled “ABODE32.exe,” in the temp directory, they say in their report. FireEye notes the “ABODE32.exe” executable accesses Windows Protected Storage, which holds the passwords for Internet Explorer, Outlook, and other applications. Once the trojan infects its host machine, it communicates with its command and control (C&C) server, the user agent string and URI of which are hard-coded into MyAgent’s binary. Also, FireEye noticed the malware loading different DLLs to communicate with its C&C server. Despite MyAgent’s relatively high detection rate, its dynamic intermediary stages place it among what FireEye considers advanced malware. JavaScript within the PDF variety of MyAgent determines which version of Adobe Reader is running on its host and then deploys well-known exploits tailored to the specific version. If the machine is running any of Reader 9.0’s predecessors, then MyAgent exploits the “Collab.getIcon()” vulnerability. Source:
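The item above describes a PDF whose embedded JavaScript checks the Reader version and then calls Collab.getIcon(). The following static triage script is an added example written for this report; it is not FireEye's tooling and the sample PDF it scans is constructed inline (it contains no exploit, only the indicator strings). It shows the two details a quick `grep` misses: PDF names can be obfuscated with `#xx` hex escapes (`/J#61vaScript`), and the script body usually sits inside a Flate-compressed stream, so both are normalised before matching.

```python
import re
import zlib

# Constructed sample, not a real malware sample: a minimal PDF skeleton whose
# JavaScript lives in a Flate-compressed stream and whose /JavaScript name is
# obfuscated with a PDF '#xx' hex escape (/J#61vaScript), a common evasion.
_JS_BODY = b"var v = app.viewerVersion; if (v < 9) { Collab.getIcon('x'); }"
_JS_STREAM = zlib.compress(_JS_BODY)
_STREAM_OBJ = b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_JS_STREAM)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    + _STREAM_OBJ + _JS_STREAM + b"\nendstream\nendobj\n%%EOF\n"
)

# Indicators worth flagging in triage: keys are literal PDF names or JavaScript
# API strings, values are the reason a reviewer cares about them.
INDICATORS = {
    b"/JavaScript": "JavaScript action present",
    b"/JS": "JavaScript code object present",
    b"/OpenAction": "an action runs automatically when the file is opened",
    b"/AA": "additional (event-triggered) actions present",
    b"/Launch": "launch action (can start an external program)",
    b"app.viewerVersion": "script inspects the Reader version (version-tailored behaviour)",
    b"Collab.getIcon": "call to Collab.getIcon(), the API named in the report for pre-9.0 Reader",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream object: its dictionary (never crossing an 'endobj'), then the body.
_STREAM_RE = re.compile(
    rb"obj\s*<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream",
    re.DOTALL,
)


def decode_names(data: bytes) -> bytes:
    """Undo '#xx' escapes so /J#61vaScript compares equal to /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> bytes:
    """Best-effort decompression of every /FlateDecode stream body."""
    chunks = []
    for m in _STREAM_RE.finditer(data):
        if b"/FlateDecode" in m.group("dict"):
            try:
                chunks.append(zlib.decompress(m.group("body")))
            except zlib.error:
                continue  # truncated or non-zlib data: skip, do not crash triage
    return b"\n".join(chunks)


def triage_pdf(data: bytes) -> dict:
    """Return {indicator: reason} for every indicator found in the file,
    after inflating compressed streams and decoding name escapes."""
    # Inflate from the raw bytes first; decoding '#xx' in binary data would
    # corrupt compressed stream bodies.
    searchable = decode_names(data + b"\n" + inflate_streams(data))
    found = {}
    for needle, reason in INDICATORS.items():
        # Negative lookahead stops '/JS' matching inside a longer name.
        if re.search(re.escape(needle) + rb"(?![0-9A-Za-z])", searchable):
            found[needle.decode()] = reason
    return found


if __name__ == "__main__":
    for name, reason in triage_pdf(SAMPLE_PDF).items():
        print(f"{name:20} {reason}")
```

On the constructed sample the script reports the JavaScript action, the auto-run /OpenAction, the version check and the Collab.getIcon() call; a benign catalog-only PDF yields nothing. It is a triage aid, not a verdict: a PDF that uses object streams or other filters would need those decoded too.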

 • The governor of Louisiana declared a state of emergency for Plaquemines Parish August 15 as a saltwater intrusion has tainted drinking water, forcing the parish to rely on deliveries of bottled water for its water supply. – WAFB 9 Baton Rouge

23. August 15, WAFB 9 Baton Rouge – (Louisiana) State of emergency for Plaquemines Parish. The governor of Louisiana declared a state of emergency for Plaquemines Parish August 15 as the parish faced drinking water issues from a saltwater intrusion. A salt wedge moved up the Mississippi River because of historic low levels of water on the river, affecting the parish’s water supply. The Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) delivered 30,000 bottles of water to the parish. GOHSEP transported the first delivery of 6,900 bottles of water to the parish August 15. The Louisiana National Guard deployed a truck containing 4,000 gallons of water to the parish August 16 and will continue to provide this same supply for 5 days. The parish wants to use four barges to supplement the local water supply. The barges must be tested to ensure they are safe to carry water, and the water will be filtered after it is transported. Once treated, the department of health and hospitals will test it to be certain it meets federal standards and is safe for human consumption. Source:

 • A founding member of the Scottish National Liberation Army, an outlawed militant group, was indicted on charges he emailed bomb threats over several weeks that disrupted campus life and forced the evacuation of more than 100 buildings on the University of Pittsburgh campus. – Associated Press

29. August 15, Associated Press – (Pennsylvania) FBI: Man in Ireland charged with Pitt bomb threats. A founding member of the Scottish National Liberation Army, an outlawed militant group, was indicted August 15 on charges he emailed bomb threats that disrupted campus life and forced the evacuation of more than 100 buildings on the University of Pittsburgh (Pitt) campus in Pennsylvania earlier this year. The Dublin, Ireland man was charged with 17 emailed threats sent to the school April 6-21, and with emailed bomb threats against federal courthouses in Pittsburgh, Erie, and Johnstown in June. He is also charged with threatening a Pittsburgh-based U.S. attorney — who led the investigation that resulted in his indictment — in a June 20 email. Pitt began receiving bomb threats written on bathroom stalls in mid-February, for which nobody has yet been charged. The suspect, in custody in Ireland, allegedly sent his emails to capitalize on the momentum from the earlier threats. In all, the university received 52 threats against 160 buildings that prompted 136 evacuations, the Pitt chancellor said. The threats cost the school more than $300,000 in direct expenses, including overtime for police and other staff, bomb squads, and special equipment to detect such devices. Federal prosecutors also announced new charges against two Ohio men for YouTube threats that claimed university computers had been hacked. Source:

 • Two law enforcement officers died and two were wounded in a series of apparently linked shootings in LaPlace, Louisiana, authorities said. – CNN

33. August 16, CNN – (Louisiana) Louisiana ‘ambush’ kills 2 deputies, wounds 2. Two law enforcement officers died and two were wounded in a series of apparently linked shootings early August 16 in LaPlace, Louisiana, authorities said. The first shooting happened in a parking lot for a steel plant, the St. John the Baptist sheriff said. The second happened when officers went to a trailer park to investigate the first shooting and were ambushed by a man armed with what the sheriff described as an assault rifle. A Louisiana State Police (LSP) colonel said multiple weapons were involved and at least 20 shots were fired. In addition to the two wounded law enforcement officers, two of the five people taken into custody were hospitalized with gunshot wounds, an LSP trooper said. One of the wounded officers was shot in the shoulder and is expected to survive, a law enforcement source said. Police do not believe anyone else involved in the shooting is at large. The shootings unfolded in the parking lot at the Bayou Steel plant in LaPlace, about 25 miles west of New Orleans, when a man opened fire on a law enforcement officer working a traffic detail. Despite being shot multiple times, the officer was able to describe the suspect to dispatchers, the sheriff said. That description, along with a civilian report of a speeding car, led responding officers to a nearby trailer park. As the deputies were questioning two people, a man came outside and “ambushed my two officers,” he said. Source:


Banking and Finance Sector

8. August 15, Associated Press – (New York) 4 charged in 2008 NYC armored car heist. Federal authorities in New York City have charged four people in the 2008 robbery of an armored car courier, including the now-former courier, a Manhattan U.S. attorney announced August 15. The courier and three co-defendants face charges including conspiracy to commit bank larceny in connection to the September 2008 robbery of $330,000 at an M&T Bank branch on First Avenue in Manhattan. The U.S. Attorney said the defendants, along with others, put together a plan for the robbery of the money as it was being taken from a Dunbar Armored car into the bank branch. The former courier was arrested in Richmond, Virginia, and was due in federal court there August 16. The three co-defendants made appearances in a Manhattan federal court August 15. Source:

Information Technology Sector

37. August 16, Help Net Security – (International) NSS Labs expose inadequate AV products. NSS Labs testing showed 9 of 13 popular consumer antivirus products failed to provide adequate protection against exploits targeting 2 recent critical Microsoft vulnerabilities. Only four vendors — Avast, Kaspersky, McAfee and Trend Micro — successfully blocked all attacks delivered over both HTTP and HTTPS. The research director at NSS Labs said, “These results clearly demonstrate protection deficiencies for many vendors when their products are configured with default ‘out-of-the-box’ settings, which are what is most commonly employed in the consumer market.” “This test revealed that numerous vendors that protected against an exploit over HTTP failed to protect against the same exploit delivered via HTTPS,” the company’s chief research officer said. “Vendors who did not perform well might want to reconsider their default settings in this age of attacks against SSL and other protocols.” The research director added, “Enterprises embracing the ‘bring your own device’ approach to workplace technology need to be aware of the ramifications of the product selection choices their users make, as they impact the organization’s security posture and attack profile.” Source:

38. August 15, Computerworld – (International) Google boosts bonuses for Chrome bug bounty hunters. On August 14, Google boosted payments to researchers for reporting bugs in Chrome, saying the move was prompted by a decline in vulnerabilities submitted by outsiders. “Recently, we’ve seen a significant drop-off in externally reported Chromium security issues,” a Chrome software engineer said in an August 14 post to the Chromium Blog. “This signals to us that bugs are becoming harder to find.” He outlined new bonuses Google will award researchers who report certain kinds of flaws. All the bonuses start at $1,000 but can climb from there. Google will add the bonuses to the base payments — which range from $500 to $3,133 — for bugs that are “particularly exploitable,” found in the more bug-free sections of Chrome’s code, and for vulnerabilities that affect more than just the browser. Source:

39. August 15, Threatpost – (International) Serious vulnerabilities remain in Reader after huge patch release, researchers say. Adobe patched a huge number of flaws in its Reader software on Windows and Mac OS X August 14, many of which were reported to the company by members of Google’s internal security team, which set up a long-term fuzzing program to look for interesting crashes in the embedded PDF viewer in the Chrome browser. However, the Google researchers said there are still many serious vulnerabilities in the application running on Windows and OS X that Adobe failed to patch. The researchers released limited details on the bugs and some advice for users on how to mitigate the risks from the vulnerabilities. Source:

40. August 15, Threatpost – (International) Bafruz backdoor disables antivirus, intercepts communications with social media sites. A new family of malware is using a complex set of capabilities to disable antimalware and listen in on sessions between users and some social networks. Dubbed Bafruz, the malware is essentially a backdoor trojan that is also creating a peer-to-peer network of infected computers. August’s Microsoft Malicious Software Removal Tool release will include the Win32/Bafruz family. Bafruz’s capabilities include the ability to uninstall antivirus and security products, intercept communications with social media sites such as Facebook and Vkontakte, install Bitcoin mining software, and perform denial-of-service attacks. It also communicates with other infected machines across a peer-to-peer protocol to download new components onto host machines, according to the Microsoft Malware Protection Center. Source:

41. August 15, Threatpost – (International) ICS-CERT warns of serious flaws in Tridium Niagara software. DHS and the Industrial Control Systems Computer Emergency Response Team warned users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by two researchers, are the latest in a series of vulnerabilities found in the esoteric industrial control systems software packages that control utilities and other critical systems. The string of bugs that were reported by the two researchers include a directory traversal issue that gives an attacker the ability to access files that should be restricted. They also discovered the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities. Tridium issued an alert about the problems and also published a patch to address them. Source:
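The Niagara item above mentions a directory traversal flaw that let restricted files be read. The check below is an added example (not Tridium's code, and it assumes nothing about the Niagara product) showing the containment test a file-serving handler should perform: resolve the requested path against the document root first, then confirm the result is still inside it. Resolving before checking is what makes the same test reject `..` segments, absolute paths and a symlink that points outside the root. The directory tree it probes is built in a temporary directory for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_under_root(root: Path, requested: str) -> Optional[Path]:
    """Map a client-supplied path onto the file it may read, or None.

    Symlinks and '..' segments are resolved first and containment is checked
    only afterwards, so '../secret', an absolute path and a symlink that leaves
    the root are all rejected by the same comparison.
    """
    root = root.resolve()
    try:
        # joinpath() with an absolute 'requested' discards root entirely;
        # the containment test below catches that case too.
        candidate = root.joinpath(requested).resolve()
    except (OSError, ValueError):  # e.g. embedded NUL byte or unreadable component
        return None
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed for this example) and probe it.

    Returns {requested path: allowed?} for a legitimate request, a '..' that
    stays inside, a classic traversal, an absolute path and an escaping symlink.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "webroot"
        (root / "config").mkdir(parents=True)
        (root / "config" / "station.xml").write_text("<station/>")
        (base / "secret.txt").write_text("outside the web root")
        os.symlink(base / "secret.txt", root / "escape")  # symlink out of root

        probes = [
            "config/station.xml",            # legitimate request
            "config/../config/station.xml",  # '..' that never leaves the root
            "../secret.txt",                 # classic traversal
            "/etc/hostname",                 # absolute path
            "escape",                        # symlink escaping the root
        ]
        return {p: resolve_under_root(root, p) is not None for p in probes}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {path}")
```

A string-based filter that only strips `../` would pass the symlink case and can be bypassed with encoded or platform-specific separators; comparing resolved paths sidesteps both problems. Serving files through an allow-list of known names is stricter still where the set of files is fixed.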

For another story, see item 42 below in the Communications Sector

Communications Sector

42. August 15, IDG News Service – (National) AT&T hit by DDoS attack, suffers DNS outage. A distributed denial-of-service attack aimed at AT&T’s DNS (Domain Name System) servers disrupted data traffic for some of the company’s customers. The multi-hour attack began early August 15 Pacific Standard Time. “Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers are experiencing intermittent disruptions in service,” an AT&T spokesman told IDG News Service by email. “Restoration efforts are underway and we apologize for any inconvenience to our customers.” The attack appeared to have affected enterprise customers using AT&T’s managed services DNS product. Source:

43. August 15, McCook Daily Gazette – (Nebraska) Police report scam targeting Verizon cell phone users. Scammers are calling Verizon Wireless subscribers in the McCook, Nebraska area, according to local police, McCook Daily Gazette reported August 15. According to reports, the caller indicates the company is working on cell towers or subscriber services in the area, and there may be a temporary interruption of their cellular service. For their inconvenience, the caller says, the company is paying subscribers $50 for each hour they are without service. The caller then gives a service or claim number and is insistent that the subscriber write it down, as that is the only way to claim their reimbursement. The caller then asks for verification through provision of a password and the last four digits of one’s Social Security number. The caller ID may show a 308 area code number. Source:

For another story, see item 40 above in the Information Technology Sector