Tuesday, July 26, 2011

Complete DHS Daily Report for July 26, 2011

Daily Report

Top Stories

• The U.S. defense industry is under siege by cyber spies in an attack that provided a link to a rigged spreadsheet containing a real list of high-level executives, Dark Reading reports. (See item 18)

18. July 22, Dark Reading – (International) New targeted attack campaign against defense contractors under way. The U.S. defense industry is under siege by cyber spies in an attack that provides a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity event, Dark Reading reported July 22. A defense contractor friend of the CEO of Invincea sent him a copy of a targeted yet suspicious e-mail with the unsolicited attachment he received. It appears the attackers sent the same e-mail and malicious attachment to the other 163 event attendees, the CEO said. The embedded URL — which appears to be a subdomain of a domain that redirects to the legitimate research project Web site — provides a ZIP archive to the attendee roster, which includes the names of directors, presidents, and CEOs of major defense and intelligence companies. “Unzipped, you see an XLS-looking file, but it’s actually an executable,” the CEO said. “It extracts another custom program that’s an HTTP client. This client beacons out to a server. You wouldn’t notice it even if you were looking at your system process table: It looks like standard browser activity.” It is not until the system is rebooted, however, that problems begin: The client reaches out to a command-and-control (C&C) server, which sends it another executable file. “That’s the payload of the weapon,” the CEO said. A team at ThreatGrid analyzed the executable, and found it is a remote C&C trojan hosted on a Web site. The trojan gives the attackers full control of the victim’s machine and Internet settings in the registry, and can update root certificate lists that could be used for SSL man-in-the-middle attacks. The researchers were unable to tell how far the attackers got or what they might have stolen. 
They said the attack appeared to be an ongoing, active campaign targeting multiple defense contractors with similar methods but some different documents and executables. Source: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/231002455

• Investigators probing the ransacking of International Monetary Fund (IMF) computers concluded a recent attack was carried out by cyber spies connected to China, according to Bloomberg. (See item 21 below in the Banking and Finance Sector)

Details

Banking and Finance Sector

19. July 24, Spokane Spokesman-Review – (International) Tamarack founder sues Credit Suisse for racketeering, fraud, conspiracy, more. The founder and former board chairman of the failed Tamarack Resort in Tamarack, Idaho, and the founder and former manager and developer of the Yellowstone Club in Montana, have filed to intervene in a pending lawsuit against Credit Suisse, charging the Swiss bank with racketeering, fraud, conspiracy, and more, in a scheme they charge directly contributed to the financial failure of both resorts. The existing lawsuit, originally filed in January of 2010 by a group of property owners from four failed luxury resorts, charged the second-largest bank in Switzerland with engaging in a “predatory” lending scheme designed to force all four resorts into foreclosure, and acquire the pricey properties for pennies on the dollar while raking in “enormous” fees. In addition to Tamarack and the Yellowstone Club, the 2010 federal lawsuit covers two other failed luxury resorts: Lake Las Vegas in Nevada, and Ginn Sur Mer resort in the Bahamas. The scheme, according to the legal filings, involved a “new and exotic real estate loan product” that Credit Suisse developed in 2004, targeting owners of high-end real estate resort developments with the pitch that they could enjoy all the future profits and equity from their developments. Appraisal values for the properties were vastly inflated using a new methodology. As a result, the Yellowstone Club was appraised at $420 million in September 2004, but in July 2005, it was appraised at $1.165 billion. Tamarack was appraised at $284 million in December 2005, but 1 month later Credit Suisse said it was worth $1.5 billion. 
The Swiss bank ran the huge loans through its Cayman Islands branch, which the new filings charge “consisted of a lonely PO box and no office personnel whatsoever.” The original lawsuit seeks $8 billion in actual damages, and $16 billion in punitive damages, including $150 million each for the four communities impacted by the failed resort projects. Source: http://www.spokesman.com/blogs/boise/2011/jul/24/tamarack-founder-sues-credit-suisse-racketeering-fraud-conspiracy-more/

20. July 22, Port Huron Times-Herald – (Michigan) Former Citizens First executive charged. A former Citizens First Savings Bank executive has been charged with hiding troubled assets from the Federal Deposit Insurance Corporation (FDIC). According to documents filed in a U.S. district court in Michigan, the man ordered that unfavorable real estate appraisals be purged from Citizens’ mortgage loan files in July 2009 before they were examined by the FDIC. Hiding the roughly 100 troubled assets was meant to prevent examiners from accurately assessing the bank’s stability, the U.S. district attorney’s Office alleged. The former executive resigned October 2, 2009, as president of mortgage banking. The FDIC closed Citizens First, based in Port Huron, Michigan, April 30, 2010. First Michigan Bank took over the bank’s deposits and assets. The federal case against the former executive was opened in June. If convicted, he faces up to 30 years in prison, and/or $1 million in fines. Source: http://www.thetimesherald.com/article/20110722/NEWS05/110722008/Former-Citizens-First-executive-charged?odyssey=mod|mostcom

21. July 22, Bloomberg – (International) China-based spies said to be behind hacking of IMF computers. Investigators probing the recent ransacking of International Monetary Fund (IMF) computers have concluded the attack was carried out by cyber spies connected to China, according to two people close to the investigation. Computer specialists have spent several weeks piecing together information about the attack, which the IMF disclosed June 8. Evidence pointing to China includes an analysis of the attack methods, as well as the electronic trail left by the hackers as they removed large quantities of documents from the IMF’s computers. The multistaged attack, which used U.S.-based servers as part of its infrastructure, ended May 31, people involved in the investigation said. IMF officials have said little publicly about the scope of the attack or its origins, citing the ongoing nature of the investigation, which involves outside forensics experts and the fund’s own information-technology team. People familiar with the incident said the hackers were able to download a large quantity of documents from dozens of computers on the IMF’s network, which was first infected when an employee downloaded a file containing a piece of sophisticated spying software that quickly spread. The IMF is a cornerstone institution in the global economic system, managing financial crises around the world. Its computers are likely to contain confidential documents on the fiscal health of many countries. The financial status of countries is critical data for major nation-state investors or holders of sovereign debt. The IMF’s adviser to the chief information officer said in an e-mail to IMF staff that the attack was not related to identity theft or commercial fraud, another indication the intruders were not ordinary cyber thieves. Source: http://www.bloomberg.com/news/2011-07-21/spies-connected-to-china-said-to-have-carried-out-hacking-of-imf-computers.html

Information Technology Sector

43. July 25, Computer Weekly – (International) SecurEnvoy tackles trojan-based cookie hack. SecurEnvoy has developed a security technique to protect a secure Web session that it claims solves the problem of session-cookie hijacking. According to SecurEnvoy, cybercriminals can hijack a user’s online session through cookies. The technique involves infecting a computer with a trojan, and then intercepting relevant Web-based commands — plus cookie transmissions — to prevent the Web site from noticing that the legitimate user has terminated their online session. “By using a trojan to log the relevant GET and POST commands, as well as injecting data into an active Web session, cybercriminals can allow a legitimate user to log off their online Web service, but keep the session alive on another internet connection,” SecurEnvoy’s chief security officer said. While most two-factor authentication systems do not include protection beyond initial authentication, SecurEnvoy said it has built in steps to protect the integrity of the session and its associated cookie. Even if someone tries to intercept the session cookie and other relevant data through nefarious means, the lack of authentication in combination with the fingerprinted cookie session will cause the unauthorized session to be dropped, SecurEnvoy said. Source: http://www.computerweekly.com/Articles/2011/07/25/247389/SecurEnvoy-tackles-trojan-based-cookie-hack.htm

44. July 25, H Security – (International) phpMyAdmin updates close critical security holes. Versions 3.4.3.2 and 3.3.10.3 of phpMyAdmin close four security holes in the open source database administration tool. According to the phpMyAdmin developers, the security releases address two “critical” vulnerabilities that could lead to possible session manipulation in swekey authentication or remote code execution. A “serious” bug that could allow an attacker to perform a local file inclusion and a “minor” cross-site scripting (XSS) hole have also been fixed. Versions 3.4.3.1 and earlier are affected. The 2.11.x branch, which reached its end of life earlier in July, is not affected by the session manipulation hole, but may be affected by the others. Source: http://www.h-online.com/security/news/item/phpMyAdmin-updates-close-critical-security-holes-1285281.html

45. July 23, Help Net Security – (International) Oslo bombing Facebook scams infecting 1 user per second. Websense has found an alarming number of Facebook scams taking advantage of the recent attacks in Oslo, Norway. As of July 23, one scam appears to be infecting one user every second. The scam is a form of “clickjacking” that replicates itself on users’ walls after they click on fake posts within their news feed. Users should be cautious when clicking on breaking news trends and stories within search results related to the Oslo attacks. Searching for breaking trends and current news represented a higher risk (22.4 percent) than searching for objectionable content (21.8 percent). Source: http://www.net-security.org/secworld.php?id=11328

46. July 22, Help Net Security – (International) Chameleon-like fake AV delivered via clever social engineering. A complex and efficient fake AV spreading campaign has been spotted targeting Facebook users. It starts with users apparently contacted by a Facebook friend via the social network’s chat feature. The message contains a link to a YouTube video. The user follows the link and sees they can’t watch the video until they follow a download link to upgrade Adobe Flash Player. The file the user actually downloads is Trojan.FakeAV.LVT. “It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware,” a BitDefender researcher said. “After that, it adds a registry key in %SYSTEM% and the malicious code is thus added to the list of authorized applications for the firewall, or it disables the firewall altogether. Then it proceeds to disable all notifications generated by the firewall, the update module and whatever antivirus it finds.” The malware has the ability to detect which legitimate AV solution the user has installed on the computer, and to display personalized warning message windows that mimic the ones the legitimate solution would present. The malware “finds” a virus on the system and asks the user to reboot the computer so it can clean it up. The reboot triggers an unwelcome series of events: the system boots in safe mode, which allows the malware to start and uninstall the legitimate AV solution, and then the system is rebooted once again — this time in normal mode. The now unprotected system is ready to be misused by a downloader component integrated in the trojan, which downloads further malware from an array of URLs, depending on the OS running on the computer. Source: http://www.net-security.org/malware_news.php?id=1780

47. July 22, threatpost – (International) Apple laptop batteries can be bricked, firmware hacked. A security researcher has discovered a method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes. The basis of the research is the battery used in most Apple laptops. The battery has a chip on it that contains instructions for how it is meant to behave and interact with the operating system and other components. Source: http://threatpost.com/en_us/blogs/apple-laptop-batteries-can-be-bricked-firmware-hacked-072211

48. July 22, H Security – (International) iCal messages crash Lotus Domino server. IBM is warning users of a vulnerability in its Lotus Domino product that could be exploited to crash the server. According to the company, an attacker could send a specially crafted iCal message to a Domino server, causing the Router task to utilize 100 percent of the CPU. When the message is opened in the Notes client, both the client and server will crash. The server will restart, exhaust resources and crash again, repeatedly. The flaw allows for denial of service attacks on the server. Versions up to and including Lotus Notes/Domino 8.5.2 Fix Pack 2 (FP2) are reportedly affected. IBM has provided an interim fix in Domino 852FP2IF1. Alternatively, users can upgrade to Lotus Notes/Domino 8.5.2 Fix Pack 3 (FP3), which was released July 18, to close the hole. Source: http://www.h-online.com/security/news/item/iCal-messages-crash-Lotus-Domino-server-1284243.html

Communications Sector

49. July 25, WPTZ 5 Plattsburgh – (New York) Land-line telephone service is experiencing network problems. Residents in the North Country of New York were experiencing sporadic problems with connecting telephone calls from land lines July 24 and 25. Phone companies were experiencing network problems in Clinton, Essex, and Franklin counties that were causing sporadic phone system problems including possible outages and/or inability to place phone calls. 9-1-1 systems were still functioning. Source: http://www.wptz.com/r/28650198/detail.html

50. July 25, International Falls Journal – (Minnesota) Psalm 99.5 radio tower collapses. A 650-foot transmitting tower for Psalm 99.5, a non-commercial Christian radio station based in International Falls, Minnesota, collapsed July 24. It was the station’s largest tower, which carried its main signal. The tower was located near Loman and transmitted music and talk programming to Falls and Fort Frances, and throughout several larger towns in northern Minnesota. The station’s staff worked quickly to put up a temporary 100-foot antenna to resume programming in the Falls and Fort Frances July 24, but the station manager said the station’s on-air range was at most a 15-mile radius. The fallen tower could transmit throughout a 90-mile radius as well as send signal to receivers in the Iron Range to be rebroadcast in other cities. Psalm was off the air in three-quarters of its listening area, including seven towns that have translators built to pick up signal from the fallen tower. Those cities include Bemidji, Red Lake, Warroad, Ely, Babbitt, Tower, and Angle Inlet. Psalm’s second station in Hibbing had a tower sending a signal to Grand Rapids, Eveleth/Virginia, Hoyt Lakes, Chisholm, and Cook. Programming in those areas was still on the air. Optimistically, the station manager said, the station would have a new tower in October. Source: http://www.ifallsdailyjournal.com/pages/full_story/push?article-Psalm+99-5+radio+tower+collapses&id=14787065&instance=comments

51. July 24, Findlay Courier – (Ohio) Telephone service outage in Arcadia, Vanlue. Telephone service in Arcadia and Vanlue, Ohio, was out of service July 24, the Hancock County Sheriff’s Office said after being contacted by TDS Telecom. A lightning strike caused the outage July 23, the sheriff’s office said. 911 services were also affected. No time frame had been established as of July 24 to restore services. Source: http://www.thecourier.com/Issues/2011/Jul/24/ar_news_072411_story3.asp?d=072411_story3,2011,Jul,24&c=n
