Friday, December 23, 2011

Complete DHS Daily Report for December 23, 2011

Daily Report

Top Stories

• The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, in part, to steal information relating to U.S. military drones and unmanned aerial vehicles. – InformationWeek (See item 7)

7. December 21, InformationWeek – (International) More Sykipot malware clues point to China. The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, in part, to steal information relating to U.S. military drones and unmanned aerial vehicles, InformationWeek reported December 21. To date, “there have been a lot of different campaigns with different command-and-control servers,” said researchers at Alienvault Labs in a blog post. “The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations.” The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched. In targeted attacks, attackers typically include information — in the form of attachments — that they think recipients will find interesting, so the lure itself points to the type of information attackers are seeking. Notably, all of the infections associated with a particular command-and-control (C&C) server for a Sykipot variant have been tied to a phishing e-mail that includes information about the Boeing joint unmanned combat air system X-45, as well as the Boeing X-37 orbital vehicle. The Alienvault researchers found the related attack campaigns appear to have been running since at least August 2011, although the C&C server used was first registered in March 2011. The drone-information-seeking Sykipot variant is but one of many. Symantec said it has seen “unconfirmed traces” of Sykipot dating as far back as 2006. However, the Sykipot family of malware only appeared to become widespread in 2010, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code. 
The Alienvault researchers found while many of the C&C servers involved in Sykipot appear to be based in the United States, it appears that attackers “used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server.” Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80 percent of the world’s Netbox servers are located in China. Furthermore, the tool’s documentation is available solely in Mandarin. That coincides with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages. The Alienvault researchers also cross-referenced which of those Netbox servers were using a digital certificate known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by “China Unicom Beijing province network.” Of those, six appeared to point directly to a known Sykipot C&C server. Source:
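Added example (not from the InformationWeek, Alienvault, or Symantec material above): a small Python triage scanner for the mailed PDF lure described in item 7, in the spirit of pdfid-style tools. It counts the PDF name objects that carry or auto-trigger script (/JavaScript, /JS, /OpenAction, /AA) and a few other common carriers, after undoing the #xx hex escapes attackers use to hide names from naive string matching. The two sample PDFs are constructed here for the example; the names used for the functions and the three verdict labels are the author's own choices, not anything from the original report.

```python
"""Triage e-mailed PDFs for embedded script (added example, constructed samples)."""
import re
from collections import Counter

# PDF name objects worth flagging in a mailed attachment. /JavaScript and /JS
# carry script; /OpenAction and /AA make it run without a click; the rest are
# other common carriers. /ObjStm means objects are packed inside compressed
# streams that this raw-bytes scan cannot see into, so the file is opaque.
SUSPICIOUS_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm",
}

# A PDF name token: '/' followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# #xx inside a name is a hex escape: /J#61vaScript is the same name as /JavaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> bytes:
    """Undo #xx escapes so obfuscated and plain spellings compare equal."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious name objects present in the raw file bytes."""
    counts = Counter()
    for m in NAME_RE.finditer(data):
        name = normalize_name(m.group(0))
        if name in SUSPICIOUS_NAMES:          # membership checked before decode: all keys are ASCII
            counts[name.decode("ascii")] += 1
    return dict(counts)


def triage(data: bytes) -> str:
    """Return 'block', 'review' or 'clean' for one attachment."""
    # Reader tolerates leading junk, so only require the header within the first 1 KiB.
    if b"%PDF-" not in data[:1024]:
        return "review"   # not recognisably a PDF; the file extension proves nothing
    counts = scan_pdf_bytes(data)
    has_script = counts.get("/JavaScript", 0) + counts.get("/JS", 0) > 0
    has_trigger = counts.get("/OpenAction", 0) + counts.get("/AA", 0) > 0
    if has_script and has_trigger:
        return "block"    # script that runs on open: the pattern of the lure in item 7
    if counts:
        return "review"   # script without a trigger, launch actions, or opaque object streams
    return "clean"


# Constructed samples (not real malware). The malicious one hides the action
# type behind a hex escape and wires the script to run on open.
SAMPLE_MALICIOUS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample), scan_pdf_bytes(sample))
```

The scan deliberately stays at the raw-bytes level so it can run on a mail gateway without a PDF parser, which is also its limit: names inside Flate-compressed object streams are invisible to it, which is why /ObjStm alone sends a file to "review" rather than "clean". A production pipeline inflates streams first, and a "block" verdict here says nothing about which vulnerability the script targets, only that the file runs code on open.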

• Walmart is recalling powdered infant formula from 3,000 stores in 49 states after an infant may have died from a rare infection that can be caused by milk-based powdered formula. – Food Safety News (See item 21)

21. December 22, Food Safety News – (National) Walmart recalls powdered formula after baby’s death. As Missouri public health officials investigate the death of a 10-day-old infant who may have succumbed to a rare Cronobacter sakazakii (C. sakazakii) infection, Walmart said it is recalling a single batch of Enfamil powdered infant formula from its stores as a cautionary measure, Food Safety News reported December 22. Walmart announced that it was removing 12.5-ounce cans of Enfamil Newborn powder from 3,000 stores in 49 states. According to the Lebanon Daily Record, the baby died December 18 after he was removed from life support. The preliminary diagnosis was an infection with the bacterium C. sakazakii, a rare cause of bloodstream and central nervous system infections in infants. The fatality rate among infected newborns has been reported to be as high as 33 percent. What caused the Missouri baby’s infection is unknown, but there was evidence in other cases of C. sakazakii that milk-based powdered infant formulas served as the source. World Health Organization guidelines advise that parents should be aware “that powdered infant formula is not a sterile product and may be contaminated.” Mead Johnson, manufacturer of Enfamil, said it is working with health authorities to identify the source of the baby’s infection. A spokesperson said the company tests ingredients and finished powdered infant formula products for C. sakazakii, and that the batch used by the child’s family tested negative for the bacterium when it was produced and packaged. Source:


Banking and Finance Sector

8. December 22, Cleveland Plain Dealer – (Ohio) Two men plead guilty in $44 million mortgage fraud case in Cuyahoga County. In what the Cuyahoga County, Ohio prosecutor called the country’s largest mortgage fraud case, two defendants pleaded guilty December 21 to crimes involving more than 500 real estate deals totaling $44 million in fraudulent loans. The mastermind of the scheme pleaded guilty in Cuyahoga County Common Pleas Court to 11 counts, including engaging in a pattern of corrupt activity and money laundering. He faces up to 8 years and 3 months in prison. Another man involved in the scheme pleaded guilty to 10 counts, including tampering with records and money laundering. He owned and operated a title company that misled banks into believing that buyers were making down payments. “The magnitude of this crime is hard to fathom,” the prosecutor said. “A total of 453 homes, 358 of which fell into foreclosure, were part of a master scheme to bilk the banking and real estate industries out of funds.” The pleas come 8 months after a federal jury found the mastermind and his partner guilty of conspiracy and wire-fraud charges. The typical scheme involved setting up straw buyers to purchase homes and then falsely claiming home improvements had been done, which inflated the homes’ value when he refinanced them. He then sold the homes to unqualified buyers with assistance from real estate agents, mortgage brokers, and title companies, a spokeswoman for the county prosecutor’s office said. The deception resulted in $44 million worth of fraudulently obtained mortgages. Nearly all the homes were sold in Cleveland and its eastern suburbs. Most fell into foreclosure. Source:

9. December 22, Grand Rapids Press – (Michigan) Byron Center men indicted in $46 million investment scheme, federal records show. Two Byron Center, Michigan, residents who founded investment funds marketed their supposedly guaranteed investment opportunities to fellow church-goers. However, authorities said, the two helped themselves to $46.5 million in investors’ money – and wiped out life savings, retirement funds, and equity in homes belonging to people throughout Michigan, the Grand Rapids Press reported December 22. When investors’ money actually was invested, “those investments yielded catastrophic losses,” a federal prosecutor said. These allegations were contained in documents unsealed the week of December 19 in a U.S. district court in Grand Rapids, where the pair are facing multiple charges of mail fraud and money laundering. They are accused of using the money for themselves and to make interest payments to suggest that investments sold were earning money. Neither had extensive training or experience in finance or investment-fund management. One of the men was a licensed insurance agent, while the other was a real-estate agent and broker, the government said. Still, the two started their own investment funds beginning in 2005. They formed a “private investment group” called Accelerated Income Group, or AIG, and told potential investors they had contacts with stock and currency traders to deliver returns as high as 100 percent or more, the government said. The government said the men also recruited others, usually insurance agents with established clients, to bring in new investors. The investors were often retired, or elderly, and trusted their insurance agents, who encouraged them to invest life savings and retirement accounts, the government said. Source:

10. December 22, Associated Press – (Texas) Ex-AmeriFirst CEO guilty of mail, securities fraud. Prosecutors said a North Texas man faces decades in prison over investment fraud that targeted senior citizens. A federal jury in Dallas December 21 convicted the man of four counts of securities fraud and five counts of mail fraud. He was chief executive officer (CEO) of now-defunct AmeriFirst Funding Corp. and AmeriFirst Acceptance Corp. He faces a maximum 20 years in prison per count. He is in custody until sentencing in April. Another man was convicted in 2010 of nine counts of securities fraud. He is serving 25 years in prison. Investigators said the pair raised more than $50 million from investors in Texas and Florida but misled customers, mainly retirees, about returns. Officials said the CEO wrongly spent investment money on an airplane, sports cars, and property. Source:

11. December 21, KRQE 13 Albuquerque – (New Mexico) Disgraced broker admits Ponzi scheme. A former mortgage broker faces up to 12 years in federal prison for masterminding a Ponzi scheme prosecutors said defrauded at least 600 investors of more than $74 million, KRQE 13 Albuquerque reported December 21. He pleaded guilty in federal court to two counts of wire and mail fraud from a 30-count indictment handed up by a grand jury in February. The plea agreement includes a money judgment of $74.7 million against the man, which prosecutors said is a portion of the proceeds from the scam, and requires him to resolve a pending federal securities case and his personal and business bankruptcy cases. The indictment accused the man of taking money from investors for real-estate projects that never happened. Instead he used money from new investors to make dividend payments to earlier investors while pocketing the rest to support himself and his Albuquerque, New Mexico real-estate business. The plea deal comes on the heels of a separate agreement worked out with his former accounting manager. She was also charged in connection with the Ponzi scheme, but earlier in December court documents were unsealed showing she had cut a deal with prosecutors that required her to testify against her employer. Source:

12. December 21, Federal Bureau of Investigation – (National) Principals of defunct hedge fund plead guilty to international fraud scheme. A Salt Lake City man pleaded guilty December 21 in federal district court to conspiracy to commit fraud, less than 2 weeks before his jury trial was scheduled to begin. His co-defendant and former business partner pleaded guilty in April. The pair were the principals of a Utah-based hedge fund operator known as Coadum Advisors, which drew hundreds of investors nationwide into a series of investment funds from 2005-2008. The defendants pleaded guilty to conspiring to defraud their investors by lying to them about how their money was invested, what returns were being earned, and what balances investors held. According to the charges and other information presented in court, the two men operated Coadum Capital from 2005 through early 2008, which at its height attracted nearly 250 investors and nearly $40 million in investments. Coadum offered shares in hedge funds and advertised monthly returns often exceeding 5 percent. Part of the sales pitch that Coadum made to investors was that their funds would remain protected in an escrow account and would therefore not be at risk. In fact, although investors were instructed to place their money in escrow accounts, including one in Atlanta, the money did not stay in any such account. Rather, unbeknownst to investors, the pair transferred over $20 million overseas to accounts in Switzerland and the Mediterranean island of Malta. This money was supposedly invested in a series of hedge funds or other investments operated by a supposed Malta-based trader. These investments produced no earnings at all, and, in fact, by the end of 2007 only a fraction of the transferred funds remained deposited in these European accounts. 
The pair also used over $10 million in supposedly escrowed investor funds to pay expenses to operate the business, to pay investors who had requested distributions of supposed earnings, and to fund various small companies mostly owned by the defendants themselves or relatives. The two continued to send account statements every month to investors that represented that their funds remained intact, preserved in escrow accounts, and that monthly earnings of 3-7 percent continued to accrue. They knew these statements were false, because they knew the funds were not protected in escrow accounts, had not been generating earnings, and the balances being reported to investors were inflated. The two men were indicted in December 2010 on 22 counts of mail fraud, wire fraud, and conspiracy. Source:

13. December 21, Bloomberg – (National) BofA agrees record $335M fair-lending deal. Bank of America Corp. will pay a record $335 million to compensate Countrywide Financial Corp. borrowers who were charged more for home loans based on race and national origin. Countrywide, acquired by Bank of America in 2008, assessed higher fees and interest rates to more than 200,000 black and Hispanic borrowers, the U.S. Department of Justice said in a statement December 21. The lender also steered minorities into higher-cost subprime mortgages from 2004 to 2007, even when they qualified for prime loans, the agency said. The penalty for Bank of America, the second-largest U.S. lender by deposits, dwarfs the $30 million total for all previous fair-lending settlements extracted by the agency, including $6.1 million paid last year by American International Group Inc. The review covered 2.5 million loans, including data on terms and creditworthiness of borrowers, according to the Justice Department. The agency said Countrywide allowed loan officers and brokers to vary interest rates and fees, and knew it was discriminating against minorities. Whites with similar credit profiles received prime loans, according to the statement. Source:

14. December 21, Bloomberg – (National) E*Trade will pay $79 million to settle shareholder lawsuit. E*Trade Financial Corp., the New York-based online brokerage, will pay $79 million to settle a shareholder lawsuit over losses from mortgages and home-equity loans. E*Trade announced the settlement in a regulatory filing December 21. The agreement requires the company to pay $10.75 million, which will be reflected as an expense in the fourth quarter of 2011, with the balance paid by insurance carriers, according to the filing. The lawsuit and other similar class actions were filed in 2007 based on claims that company officers violated their fiduciary duties to shareholders concerning losses in E*Trade’s portfolio of mortgages and home equity loans, according to the filing. As part of the settlement E*Trade officials deny any wrongdoing. Source:

15. December 20, Associated Press – (National) SEC accuses Willie Gault, Hollywood agent of pumping up medical device company’s stock price. Federal regulators December 20 sued a former NFL wide receiver and five other people, accusing them of taking part in a scam to artificially inflate the stock of a heart monitoring device company, the Associated Press reported December 20. The complaint filed in Los Angeles against the receiver, a talent agent, and an attorney alleges that they defrauded investors by giving the impression that Heart Tronics Inc. had millions of dollars in sales orders between 2006 and 2008 when in fact it did not. The attorney reaped nearly $8 million using the receiver and talent agent’s celebrity status to foster investor confidence in Heart Tronics, authorities said. The former receiver is accused of using investors’ money for his own personal use, including the purchase of company stock to give the appearance there was strong demand for Heart Tronics shares. The attorney was arrested in a parallel criminal investigation, authorities said. The complaint, which seeks the return of any ill-gotten gains, described the three other defendants as a stock promoter, a stockbroker, and a handyman. Source:

16. December 20, Bloomberg News – (International) Aon will pay $16.3 million to resolve U.S. bribery probes. Aon Corp. (AON) has agreed to pay $16.3 million to resolve criminal and civil probes of possible bribes paid overseas to get business, Bloomberg reported December 20. Aon settled a civil enforcement action by the U.S. Securities and Exchange Commission (SEC), agreeing to pay $14.5 million and denying wrongdoing. Chicago-based Aon also will pay a $1.76 million criminal fine and signed a Justice Department non-prosecution agreement that requires anti-bribery controls. Aon subsidiaries made more than $3.6 million in improper payments between 1983 and 2007 related to business in countries including Costa Rica, Egypt, Vietnam, Indonesia, United Arab Emirates, Myanmar, and Bangladesh, the SEC alleged. The payments led to $11.4 million in illicit profits, the agency claimed. In 2009, Aon paid a 5.25-million pound ($7.9 million) fine to Britain’s Financial Services Authority (FSA) for not having sufficient anti-bribery controls. The Justice Department agreed to not prosecute Aon for violating the Foreign Corrupt Practices Act. It cited Aon’s “extraordinary cooperation” with the Justice Department and SEC, its “timely and complete disclosure” of facts about improper payments in eight nations, its “early and extensive remedial measures,” and the fine it paid to the FSA. Source:

Information Technology

35. December 22, The Register – (International) Facebook scams now spread by dodgy browser plug-ins. Con men have developed a new approach to spreading scams on Facebook. Instead of using status updates as a lure, the latest generation of Facebook scams tries to trick marks into installing malicious browser extensions. The plug-ins are supposedly needed to view non-existent video clips purportedly posted by an earlier victim. Once installed, these malign browser add-ons spread the scam from one user’s profile to another. Source:

36. December 22, H Security – (International) phpMyAdmin 3.4.9 fixes XSS vulnerabilities. Version 3.4.9 of phpMyAdmin was released, closing two security holes in the open source database administration tool. The update fixes vulnerabilities in the phpMyAdmin setup interface and the export panels in the server, database, and table sections that could be exploited for cross-site scripting attacks. All 3.4.x versions up to and including 3.4.8 are affected – upgrading to 3.4.9 corrects the issues. Alternatively, patches are provided. The new release also fixes nine other bugs related to navigation, the user interface, and the edit functionality. Source:

37. December 22, Softpedia – (International) Security experts advise users to ditch Java. After installing an operating system, most people rush to install the applications they use to browse the Web. While many believe that without components such as Flash and Java they will be unable to access certain content, safer, more secure alternatives exist. F-Secure researchers reported that many people have Java installed but do not actually need it, and that its presence only gives cybercriminals an opportunity to exploit the device it is installed on. A major source of confusion is that many Internet users conflate Java with JavaScript, which is a crucial component of the Web. “If you’re running Java, but not the latest version, you’re vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether,” said an F-Secure researcher. After studying the Blackhole exploit kit’s control panel, the researchers found that more than 16,000 computers had been taken over using the Java Rhino vulnerability. Source:

38. December 21, H Security – (International) VLC Media Player 1.1.13 fixes security vulnerability. Version 1.1.13 of the open source VLC Media Player closes a hole found in previous releases that could be exploited by an attacker to compromise a user’s system. The maintenance and security update addresses a buffer overflow vulnerability in the VLC TiVo demuxer that could be used to crash the application’s process. The VideoLAN project developers note that, on some systems, it may also be possible to execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a specially crafted file or a malicious Web site. Versions 0.9.0 to 1.1.12 are affected; upgrading to 1.1.13 fixes the issue. Alternatively, users can manually remove the TY demux plug-in (libty_plugin.*) from the VLC plug-in directory, preventing TiVo files from opening in the player. According to the 1.1.13 shortlog, the release also includes translation updates and fixes for several other bugs. Source:

Communications Sector

39. December 22, Watertown Daily Times – (New York) WNYF-TV signal off from Watertown. Broadcast and DirecTV viewers of WNYF-TV 28 have not been able to watch the station’s programming since December 16, when its high-definition transmitter in Watertown, New York, went off the air. Equipment problems began causing interruptions and outages for both the WWNY-TV7 and WNYF signals December 16. On December 20, service was restored to the WWNY high-definition signal, which carried WWNY’s CBS programming and WNYF Fox network programming. But that signal and WNYF from the Massena transmitter have remained spotty through continued problems and attempts to correct them. “We have a microwave specialist working on it,” the programming director for the two stations said. With parts from six units, crews found they could not keep two microwave signals working. With the microwave specialist, staff are checking the dish alignments and ensuring moisture didn’t infiltrate the system, which could also cause failure. “We haven’t figured out what the problem is and we don’t know when we will be back up,” the programming director said. Source: