Wednesday, December 14, 2011

Complete DHS Daily Report for December 14, 2011

Daily Report

Top Stories

• A cybercrime gang that primarily targets the chemical industry and defense firms launched a new series of attacks involving malware-laden e-mails purporting to be from security vendor Symantec. – IDG News Service (See item 5)

5. December 13, IDG News Service – (International) Industrial espionage gang sends malicious e-mails in security vendor's name. A cybercrime gang that primarily targets companies in the chemical industry has launched a new series of attacks that involve malware-laden e-mails purporting to be from security vendor Symantec, IDG News Service reported December 13. The gang's original industrial espionage effort against chemical and defense firms ran from July through September. The "Nitro" attacks sent e-mails carrying a variant of the Poison Ivy backdoor crafted for the targeted companies. Despite being publicly exposed in an October Symantec report, the gang has continued its efforts and stuck to many of the same techniques, the security vendor said in a December 12 blog post. "The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi," Symantec researchers said. "That is, they are sending targets a password-protected archive, through email, which contains a malicious executable." The new attacks use Symantec's October report itself to trick victims. One intercepted e-mail was crafted to appear as if it were sent by Symantec's technical support department, and warns recipients that many enterprise computers were infected with Poison Ivy. The rogue message claims to include a special removal tool from Symantec to help customers scan their systems. Attached to the e-mail is a 7-Zip archive called the_nitro_attackspdf.7z containing a malicious executable and a copy of Symantec's October report. Symantec said the executable connects to a command-and-control (C&C) server hosted by the same provider used in the previous attacks. Other attack e-mails claim to originate from Adobe Systems and contain a fake upgrade for Adobe Reader. Symantec took down the domain name used by the new C&C server and alerted the hosting provider. Source:

• Occupy protesters disrupted operations at ports, railroads, and highways across the West Coast and in inland cities, including Denver and Houston. – CNN (See item 14)

14. December 13, CNN – (National) Oakland Port reopens after protesters disrupt overnight operations. California's Oakland port terminal reopened December 13 after Occupy protesters shut the facility down overnight, but the disruption "cost the Port and City of Oakland vital resources," a statement from officials said. "They hurt the many businesses that pay taxes and help us create jobs," said the communications manager for the port. On December 12, a statement from the port authority said there were "some delays of truck traffic" but that the port remained operational. By the night of December 12, however, the protests had disrupted workers' ability to get to work and impaired the port's ability to operate, officials said. Officials said the disruptions resulted in a backlog of work, cost workers shifts and wages, and caused a negative ripple effect for people up and down the West Coast. Demonstrations took place December 12 in Los Angeles, Seattle, Houston, and Portland, Oregon. Organizers said the goal was to shut down ports to "disrupt the economic machine that benefits the wealthiest individuals and corporations." In Houston, police arrested 20 protesters after dozens of police on foot and on horseback confronted a group who blocked an interstate on-ramp, authorities said. Groups of up to six protesters got down on the pavement and interlocked arms and legs, while a larger group stood near them yelling slogans. Officers set up barricades to cordon off protesters and free the ramp for traffic. Most protesters could be seen moving behind the barricades, with a few exceptions, including those who had lain down. Police handcuffed some protesters. Six face felony charges of using criminal instruments to block a public roadway, a Houston police department spokesman said. In Long Beach, California, protests caused isolated traffic delays but did not hinder port operations, according to the police chief. About 80 protesters demonstrated outside the gate of San Diego's port but caused no disruption, a port spokesman said. A spokesman for the port in Portland said the protests had partially shut down the port there. In addition to the West Coast port blockades, demonstrators in Salt Lake City and Denver said they were planning to disrupt operations of Wal-Mart distribution facilities. About 40 to 50 people protested at the Denver facility, CNN affiliate KCNC 4 Denver reported. Source:


Banking and Finance Sector

11. December 12, Bangor Daily News – (Maine) Limerick woman pleads guilty to theft of $10,000 from Key Bank branch. A woman pleaded guilty December 12 in federal court to stealing $10,000 between the summer or fall of 2010 and July 2011 from her former employer, Key Bank. She was working as a client services manager at the Kennebunk, Maine branch at the time of the thefts, according to the prosecution’s version of events to which she pleaded guilty. The theft was discovered July 18 when an unscheduled audit of the woman's drawer was conducted. In an interview that same day, she admitted to a bank investigator she had been stealing from her drawer for about 8 months, and had taken steps to conceal her theft. Source:

12. December 12, Montreal Gazette – (International) Man arrested in Montreal after violent U.S. bank robbery. A Canadian police tactical squad in Montreal, Quebec, arrested a man wanted in the U.S. by the FBI as a suspect in a violent bank robbery in Virginia where a police officer was fired upon in October. The man was arrested without incident in downtown Montreal December 11, according to a Montreal police constable. The armed robbery he was sought for was carried out October 14 in Winchester, Virginia. A man walked into the bank in the middle of the afternoon, pointed a revolver at three tellers, and left after they handed him money. Police officers arrived as the robber was fleeing. The robber fired shots at one officer, who was not struck. According to information released by the FBI, the man is also a suspect in other armed robberies, including three in Pennsylvania, and one in Delaware. Source:

For another story, see item 34 below in the Information Technology Sector

Information Technology

33. December 13, IDG News Service – (International) Windows Phone bug reportedly disables messaging. A reported vulnerability in Windows Phone causes its messaging features to be disabled after the device is sent a specific SMS or chat message. The bug was reported to the blog Winrumors, according to the researcher who administers the Web site. He wrote he and the reporter were notifying Microsoft. In a video, the Winrumors administrator shows that after a Windows Phone device receives the message, it shuts down. Upon reboot, the messaging hub tile does not work despite repeated attempts. The denial-of-service issue also occurs if a person is sent a specific Facebook or Windows Live Messenger chat message. Winrumors ran tests on the HTC Titan, the Samsung Focus Flash, and others running the 7740 version of Windows Phone 7.5 and the Mango RTM build 7720, the administrator wrote. "At this stage, there doesn't appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device," he wrote. The bug appears to have other strange effects. He found a live tile featuring updates from a Facebook friend will lock up if that friend posts a particular message. He wrote that problem could be avoided by initially booting up a device, getting past the lock screen quickly, and then removing the live tile before it flips over and locks the device. Source:

34. December 13, Softpedia – (International) Google Wallet stores too much unencrypted data, researchers say. A forensic analysis by researchers from ViaForensics showed that while Google's Wallet application can be highly useful for smartphone owners and does a good job of protecting their assets, it has some issues that may be security risks. The experiment, performed on a rooted device, tried three ways of breaking the Wallet's security: man-in-the-middle (MitM) attacks, forensic analysis of the data stored on the device, and examination of system logs. The MitM attempts failed both during account setup and when adding a credit card, so the application's transport protections held. In the second phase, the forensic analysis, the app's cache directory was found to hold pictures of some credit cards, the most significant information visible being the card's expiration date; Google issued an update that resolved this issue before the research was finished. The app's SQL databases revealed the most information about the device's owner, including credit card balance, limits, expiration date, cardholder name, and transaction dates and locations, all of it stored unencrypted. Another bug, since patched by Google, was that the delete-transaction and reset functions did not actually delete the data: the researchers showed it could easily be recovered. Source:
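The two storage findings above (plaintext card data in the app's databases, and "deleted" records that remain recoverable) can be reproduced on any SQLite file without a phone. The following is an added example written for this page, not code from the original report or from ViaForensics. It assumes, as is typical for Android apps, that the data lives in SQLite files (on a rooted device these sit under /data/data/<package>/databases/); here a throwaway database with two constructed rows stands in for one pulled from a handset, and the `cards` table, its columns and the holder names are invented. It carves Luhn-valid card numbers straight out of the raw file bytes, deletes a row, and shows that the number and holder name survive in the file unless SQLite's `secure_delete` is on.

```python
"""Carve card data out of a raw SQLite file before and after a DELETE."""
import os
import re
import sqlite3
import tempfile

# A run of 13-19 digits not adjacent to other digits: PAN-shaped.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample rows; both numbers are well-known test PANs.
# Column order matters for the raw-bytes scan: a digit-bearing field such
# as the expiry must not be stored directly after the PAN, or the two runs
# of digits would merge in the file.
SAMPLE_CARDS = [
    ("4111111111111111", "Alice Example", "12/14"),
    ("5500000000000004", "Bob Example", "06/13"),
]


def luhn_ok(digits):
    """Luhn checksum; filters timestamps and IDs out of the regex hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def carve_pans(path):
    """Return every Luhn-valid PAN in the file bytes, ignoring the SQL layer."""
    with open(path, "rb") as fh:
        raw = fh.read()
    hits = (m.group().decode() for m in PAN_RE.finditer(raw))
    return {pan for pan in hits if luhn_ok(pan)}


def build_db(path):
    """Create the stand-in wallet database with plaintext card rows."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=DELETE")   # all pages end up in the main file
    conn.execute("CREATE TABLE cards(pan TEXT, holder TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    conn.commit()
    conn.close()


def delete_card(path, pan, secure_delete):
    """Delete one row; with secure_delete off SQLite only unlinks the cell."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("DELETE FROM cards WHERE pan = ?", (pan,))
    conn.commit()
    remaining = conn.execute("SELECT count(*) FROM cards").fetchone()[0]
    conn.close()
    return remaining


def demo(secure_delete):
    """Carve before and after deleting the first sample card."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet.db")
        build_db(path)
        before = carve_pans(path)
        rows_left = delete_card(path, SAMPLE_CARDS[0][0], secure_delete)
        after = carve_pans(path)
        with open(path, "rb") as fh:
            holder_leaked = b"Alice Example" in fh.read()
    return {"before": before, "after": after,
            "rows_left": rows_left, "holder_leaked": holder_leaked}


if __name__ == "__main__":
    for secure in (False, True):
        r = demo(secure)
        print("secure_delete=%s: SQL sees %d row(s), carved PANs after delete: %s, "
              "holder name still on disk: %s"
              % (secure, r["rows_left"], sorted(r["after"]), r["holder_leaked"]))
```

With `secure_delete` off, the SQL layer reports one row but the raw file still yields both card numbers and the deleted holder's name; with it on, the freed cell is zeroed and only the surviving card is carved. A "delete" or "reset" feature that relies on SQLite defaults therefore leaves the data for exactly the kind of forensic pull described above; encrypting the fields before they reach the database removes the problem regardless of how deletion is implemented.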

35. December 12, Computerworld – (International) Google pulls 22 more malicious Android apps from Market. Google removed nearly two dozen malware-infected apps from its official Android Market in the last several days, a security company said December 11. So far in 2011, Google has pulled more than 100 malicious Android apps from its download distribution channel. Lookout Security said it and other vendors notified Google of several recent waves of malicious apps, 22 altogether, that reached the Android Market, and Google removed those programs from the Market, Lookout said. Lookout spotted nine malware-infected apps the week of December 5, and another 13 the weekend of December 10 and 11. The company dubbed the malware bundled with the fake apps "RuFraud", and said the code sent spurious text messages to premium numbers, racking up revenue for the criminals. North American users were not affected, as RuFraud was written not to target the United States, but people in France, Germany, Italy, Poland, Russia, the United Kingdom, and several other eastern European and central Asian countries were. As in previous malicious app campaigns, the RuFraud apps borrowed elements of legitimate apps but did not simply take complete apps and re-package them with malicious code, Lookout said. The recent RuFraud operations began with horoscope apps, then moved on to Android phone wallpapers and downloaders posing as accessories to bestselling games such as "Angry Birds" and "Cut the Rope", then finished with a round of fake games, Lookout's researchers said. That last run accounted for the majority of downloads before Google pulled the apps; Lookout estimated about 14,000 copies of the fake games were downloaded by users. Source:

36. December 12, H Security – (International) Winamp update closes security holes. The developers at Nullsoft, a division of AOL Music, released version 5.623 of their Winamp media player for Windows to fix several bugs and close three security holes found in previous builds. According to security specialist Secunia, the new update addresses three vulnerabilities, rated as "highly critical", that could be exploited to compromise a victim's system. These include two integer overflow errors in the in_avi.dll plug-in, and an issue in the in_mod.dll plug-in that could lead to a heap-based buffer overflow and the execution of arbitrary code. For an attack to be successful, a victim must first open a specially crafted file. The problems were confirmed in version 5.622; other builds may also be affected. Source:

37. December 12, Help Net Security – (International) Spam campaign bypasses Gmail filters, employs Google Docs. Every so often, online crooks and spammers use Google Docs to host phishing forms or documents with embedded malicious links. One such spam campaign is currently delivering a simplistic e-mail with a link to a Google Docs document to inboxes around the world. A Stanford researcher identified the campaign and found the e-mail effectively bypassed Google's spam filters, a rare occurrence. The link led to an untitled document touting fake/novelty university diplomas and degrees. Google Docs displays the number of people currently viewing the document, so the researcher could see how many people had followed the link. "I saw 7 other people taking a look at the document while writing this post so it is clear that this campaign is active and successful," he commented. Source:

38. December 12, threatpost – (International) DNS hijacks now being used to serve Black Hole Exploit Kit. Attackers have been going after various pieces of the DNS infrastructure for a while, and organized campaigns that target certain industries or geographic regions are not unusual. Lately, however, researchers are seeing a pattern in which attackers add new names to existing domains and use those sub-domains to piggyback on the good reputation of the parent sites to push counterfeit goods, pills, and the like. Now the same technique is being used to push exploits via the Black Hole Exploit Kit. The attacks have been ongoing for a few months and, while simple in theory, researchers have been unable to determine how the attackers compromised the domains and gained access to the DNS records to add their own sub-domains. Attackers have altered the domain records of dozens of existing, legitimate sites, including local government agencies, small businesses, and community banks, inserting new sub-domain names into the records. Researchers at the SANS Internet Storm Center, who have been looking into the attacks, identified dozens of affected domains poisoned with a myriad of sketchy sub-domains pushing fake pharmaceuticals, loans, and other Internet spam staples. Source:
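Because the compromise described above shows up only as extra names inside an otherwise legitimate zone, the practical check for a domain owner is to diff a trusted export of the zone against a fresh one and treat any new owner name as a finding. The following is an added example written for this page, not code from the original article or from the SANS ISC investigation. It assumes the operator can export the zone as plain text from the registrar or DNS provider; the zone data below is constructed, uses a simplified BIND layout (owner, TTL, class, type, rdata, with `$ORIGIN` and `;` comments), and the `example-bank.test` domain and the injected names are invented stand-ins for the kind of records the article reports.

```python
"""Diff two DNS zone snapshots and flag injected sub-domains."""
import re
from collections import defaultdict

# owner  TTL  IN  TYPE  rdata   (rdata may contain spaces, e.g. SOA and MX)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")


def parse_zone(text, origin):
    """Return {(fqdn, rtype): set(rdata)} for a simplified zone file."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unparsed zone line: %r" % raw)
        owner, _ttl, rtype, rdata = m.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = "%s.%s" % (owner, origin)
        records[(fqdn.lower(), rtype)].add(rdata.lower())
    return dict(records)


def diff_zones(baseline, current):
    """Classify every difference; brand-new owner names are the hijack signal."""
    base_names = {fqdn for fqdn, _ in baseline}
    report = {"new_names": set(), "changed": {}, "removed": set()}
    for key, rdata in current.items():
        if key[0] not in base_names:
            report["new_names"].add(key[0])
        else:
            old = baseline.get(key, set())
            if old != rdata:
                report["changed"][key] = (old - rdata, rdata - old)
    for key in baseline:
        if key not in current:
            report["removed"].add(key)
    return report


# Constructed snapshots. The "current" one bumps the SOA serial and carries
# two short-TTL A records that model the spam sub-domains the article describes.
BASELINE_ZONE = """
$ORIGIN example-bank.test.
@     3600 IN SOA ns1.example-bank.test. hostmaster.example-bank.test. 2011120100 7200 900 1209600 300
@     3600 IN NS  ns1.example-bank.test.
@     3600 IN MX  10 mx.example-bank.test.
@     3600 IN A   192.0.2.10
www   3600 IN A   192.0.2.10
mx    3600 IN A   192.0.2.25
"""

CURRENT_ZONE = """
$ORIGIN example-bank.test.
@     3600 IN SOA ns1.example-bank.test. hostmaster.example-bank.test. 2011121201 7200 900 1209600 300
@     3600 IN NS  ns1.example-bank.test.
@     3600 IN MX  10 mx.example-bank.test.
@     3600 IN A   192.0.2.10
www   3600 IN A   192.0.2.10
mx    3600 IN A   192.0.2.25
cheap-pills   300 IN A 198.51.100.77   ; not in the baseline
fast-loans    300 IN A 198.51.100.77   ; not in the baseline
"""


def audit(baseline_text, current_text, origin):
    """Parse both snapshots and return the diff report."""
    return diff_zones(parse_zone(baseline_text, origin),
                      parse_zone(current_text, origin))


if __name__ == "__main__":
    rep = audit(BASELINE_ZONE, CURRENT_ZONE, "example-bank.test.")
    for name in sorted(rep["new_names"]):
        print("NEW NAME (possible injection):", name)
    for key, (gone, added) in sorted(rep["changed"].items()):
        print("CHANGED %s %s: -%s +%s" % (key[0], key[1], sorted(gone), sorted(added)))
    for key in sorted(rep["removed"]):
        print("REMOVED %s %s" % key)
```

Run against the constructed data this reports the two injected names and the expected SOA serial change, and nothing else. In practice the baseline should come from a copy kept outside the DNS provider's control panel, since the article notes the attackers had whatever access was needed to edit the live records; names that appear with unusually short TTLs and point at address space the organization does not own are the ones to escalate first.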

39. December 9, Industrial Control Systems Cyber Emergency Response Team – (International) ICS-ALERT-11-343-01—Control System Internet Accessibility. On October 28, 2010, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an alert titled "ICS-ALERT-10-301-01 — Control System Internet Accessibility." The alert warned control system owners and operators that a search engine called SHODAN was being used to locate Internet-facing control systems. ICS-CERT is issuing this new alert to warn of an uptick in related activity and to urge asset owners and operators to audit their control system configurations and verify whether or not they are susceptible to attack via this vector. ICS-CERT has tracked and responded to multiple reports of researchers using SHODAN, the Every Routable IP Project, Google, and other search engines to discover Internet-facing control systems. ICS-CERT coordinated this information with the identified control system owners and operators to notify them of their potential vulnerability to cyber intrusion and attack. When appropriate, ICS-CERT also coordinates with the corresponding sector Information Sharing and Analysis Centers or international Computer Incident Response Teams to notify asset owners. In many instances, the exposed systems were unknowingly or unintentionally configured with potentially insecure access authentication and authorization mechanisms. ICS-CERT works with the asset owners/operators and vendors or systems integrators whenever possible to remove any default credentials and secure these systems from attack. In cases where unauthorized access was identified, ICS-CERT assisted control system owners and operators with system and firewall data analysis to determine the extent of the intrusion and whether any configuration changes might have been made to the system. The use of readily available and generally free search tools significantly reduces the time and resources required to identify Internet-facing control systems. In turn, hackers can use these tools to easily identify exposed control systems, posing an increased risk of attack. Conversely, owners and operators can use these same tools to audit their own assets for unsecured Internet-facing devices. Source:

For another story, see item 40 below in the Communications Sector

Communications Sector

40. December 13, Lancaster Intelligencer Journal; Lancaster New Era – (National) Windstream's nationwide outage shuts down Internet service for thousands here. More than a million Windstream customers nationwide, including thousands in Lancaster, Pennsylvania, were without Internet service for more than 5 hours December 13. Internet service was lost about 4:30 a.m., a Windstream spokesman said. It was restored in most areas at 9:30 a.m., he said. However, some Lancaster customers did not get service back until about 10:45 a.m. The spokesman said the problem originated with a DNS server. The cause of the outage remains under investigation, he said. Windstream has 1.35 million Internet customers in 29 states. Windstream telephone service was not affected. Source:

41. December 12, Associated Press – (New Jersey) Verizon apologizes for alert that warned customers to ‘take shelter now’. A Verizon “emergency” alert the company texted to its wireless customers December 12 triggered hundreds of calls from concerned residents to local and state offices. The company sent the alert to customers in Middlesex, Monmouth, and Ocean counties in New Jersey, warning of a ”civil emergency” and telling people to “take shelter now.” The message was meant to be a test but it was not labeled as such, Verizon later admitted. Within about 90 minutes, the state homeland security and emergency management offices posted on Twitter that no emergency existed, but by then people called a variety of local, county, and state agencies to express their concerns. In Monmouth County, the number of calls to the county 911 call center doubled between noon and 1 p.m. to more than 170, compared to the same time the week of December 5, a county sheriff’s department spokeswoman said. Verizon did not say why the message was sent without being labeled as a test, or whether the December 12 incident was the first time such a mistake occurred. Source:

For more stories, see items 33, 34, 35, 37, and 38 above in the Information Technology Sector