Wednesday, September 19, 2012
Daily Report
Top Stories
• An FBI report shows cybercriminals targeted banks and credit unions, using spam, phishing emails, and malware, to illegally transfer money in amounts between $400,000 and $900,000. – Softpedia See item 7 below in the Banking and Finance Sector
• Peregrine Financial Group’s CEO pleaded guilty in court in Iowa to carrying out a 20-year fraud that stole $200 million from about 24,000 customers. – Associated Press See item 9 below in the Banking and Finance Sector
• Al Qa’ida’s branch in North Africa is calling for attacks on U.S. diplomats in many countries, and an escalation of protests against an anti-Islam video that triggered a wave of demonstrations. – Associated Press
25. September 18, Associated Press – (International) Al Qaeda branch in North Africa calls for attacks on US diplomats. Al Qa’ida’s branch in North Africa is calling for attacks on
U.S. diplomats and an escalation of protests against an anti-Islam video that
triggered a wave of demonstrations in Muslim countries. In a statement released
September 18, al Qa’ida in the Land of the Islamic Maghreb praised the killing
of the U.S. ambassador to Libya, in an attack on the U.S. consulate in Benghazi
September 11. The group threatened attacks in Algeria, Tunisia, Morocco, and
Mauritania in response to the movie that denigrates the Prophet Muhammad.
Yemen-based al Qa’ida in the Arabian Peninsula recently issued a similar call
for attacks on U.S. diplomatic facilities. The group is al Qa’ida’s most active
branch in the Middle East. Source: http://www.foxnews.com/world/2012/09/18/al-qaeda-branch-in-north-africa-calls-for-attacks-on-us-diplomats/
• Students at Louisiana State University returned to their dorms September 17, many hours after a bomb threat. Police spoke to counterparts in other States hit during a recent spate of bomb threats against colleges. – Reuters
29. September 17, Reuters – (Louisiana) Students return to Louisiana State University after bomb scare. Students at
Louisiana State University (LSU) in New Orleans were allowed to return to their
dorms late September 17 after police swept residential halls on the campus
following a bomb threat. Dining and recreational facilities also were reopened,
LSU said in a statement. The university was evacuated following a telephoned
threat to the East Baton Rouge Parish emergency center at 10:32 a.m. and the
center relayed the information to campus police, said a university spokesman.
The university chancellor made the decision to evacuate the campus, and LSU
alerted students, faculty, and staff via text message at about 11:30 a.m., he
said. As word of the threat spread, public school officials placed three nearby
elementary schools and one high school on lockdown, according to the East Baton
Rouge Parish School System. Louisiana State Police were talking to their counterparts in other areas of the nation where university bomb threats were reported the week of September 10 to determine whether there were similarities. Source: http://www.reuters.com/article/2012/09/18/us-usa-louisiana-evacuation-idUSBRE88G15820120918?feedType=RSS&feedName=domesticNews
• Microsoft issued a security advisory September 17 that confirmed in-the-wild attacks are exploiting an unpatched bug in Internet Explorer (IE), which comprises 53 percent of all browsers used worldwide. – Computerworld See item 39 below in the Information Technology Sector
• Firefighters continued to battle wildfires in Washington that scorched dozens of square miles of acreage, burned or threatened thousands of structures, and forced hundreds of evacuations. – Associated Press; Yakima Herald-Republic (See item 48)
48. September 17, Associated Press; Yakima Herald-Republic – (Washington) Crews labor away on Yakima Complex blazes. Work to prevent a fire burning west of Yakima, Washington, from
growing went well September 17 as crews continued to establish fire breaks. But
fire officials were unsure when it will be fully contained. Firefighters dug
fire lines on the west end of the Wild Rose Fire, which is part of the Yakima
Complex Fire burning east of Rimrock Lake. That fire was last reported at about
1,300 acres, but growth was minimal, said a Yakima Complex Fire spokesman. Meanwhile,
another State team of roughly 350 firefighters that took over the Table
Mountain Fire burning on about 2,500 acres near Blewett Pass in Kittitas County
worked toward containment. Evacuations in the area remained in place September
17. That fire forced the closure of all land east of U.S. Highway 97 and south
of U.S. Highway 2 in the Okanogan Wenatchee National Forest, according to a
news release from fire officials overseeing the Yakima Complex Fire. Two
firefighters suffered minor injuries. Both were treated at area hospitals and
released, the news release said. Meanwhile in the Wenatchee area, an inversion
moved in September 16, holding smoke in the region where 1,700 people were
fighting a complex of wildfires burning on about 51 square miles. Hundreds of
people have been evacuated. The Wenatchee complex was about 17 percent
contained as of September 17. No homes had burned, but nearly 800 houses and
other structures were threatened. The firefighting effort had so far cost an
estimated $8.1 million. Source: http://www.yakima-herald.com/stories/2012/09/17/crews-labor-away-on-yakima-complex-blazes
Details
Banking and Finance Sector
7. September 18, Softpedia – (International) FBI: Networks of financial institutions targeted with malware, RATs, and keyloggers. An FBI report shows that
cybercriminals have started focusing their efforts on targeting the networks of
financial institutions, Softpedia reported September 18. Cybercriminals are
relying on spam, keyloggers, Remote Access Trojans (RATs), phishing, and other
malicious elements to steal employee log-in credentials. The Internet Crime
Complaint Center (IC3) reported that the stolen information has been utilized
to perform unauthorized wire transfers for amounts between $400,000 and
$900,000. In the first phase of these operations, the criminals use spam and
phishing emails. Once they compromise the machine of an employee, they plant
RATs, keyloggers, and other pieces of malware to gain access to internal
networks and the details needed to access third party systems. Most of the
victims appear to be small to medium-sized banks and credit unions, but major
financial institutions have also been targeted. In some cases, the crooks
launched distributed denial-of-service attacks against the bank’s Web site,
most likely to cover up their fraudulent transactions. Source: http://news.softpedia.com/news/FBI-Networks-of-Financial-Institutions-Targeted-with-Malware-RATs-and-Keyloggers-293126.shtml
8. September 18, The Register – (International) ‘How I crashed my bank, stole PINs with a touch-tone phone’. Miscreants can crash or infiltrate banks and help desks’
touch-tone and voice-controlled phone systems with a single call, a security
researcher warned, according to The Register September 18. A researcher who
works for iSight Partners said audio processing algorithms in office telephone
networks and speech-driven command software are liable to crash when bombarded
with unusual data in “fuzzing” attacks. Certain DTMF (Dual-Tone
Multi-Frequency) signals can cause private branch exchanges (PBX) and
interactive voice response (IVR) systems to raise exceptions and bail out, much
in the same way unexpected input data can disrupt applications running on a
desktop computer or server. PBX and IVR machines are often used to run phone
banking, call centers, and other interactive telephone systems. Given the
appropriate DTMF input, it may be possible to crash backend application servers
or convince them to cough up sensitive data. Repeating the trick to bring down
a machine effectively launches a denial-of-service attack on the phone line as
a paper by the researcher explained. “We would be able to extract sensitive
information about the application’s hosted environment with these sorts of
bugs. Since applications that use DTMF algorithms are mainly phone-based, it
was possible to extract output in the form of audio data,” he said. He also
claimed it was possible to extract customer PINs from an unnamed Indian bank.
Source: http://www.theregister.co.uk/2012/09/18/dtmf_phone_system_hack_attack/
9. September 18, Associated Press – (Iowa; National) Peregrine CEO pleads guilty in scandal. Peregrine
Financial Group’s CEO pleaded guilty in court in Iowa, September 17 to carrying
out a 20-year, $200 million fraud that he first confessed to in a note found on
him after an unsuccessful suicide attempt in July. The CEO pleaded guilty to
charges of mail fraud, embezzling customer funds, and making false statements
to two regulatory agencies. He acknowledged that he secretly withdrew funds
from about 24,000 customers starting in the 1990s, and used computers to make
phony bank statements to conceal the theft. He gave fraudulent statements to
his accounting department showing fictitious deposits and balances. The false
numbers were used to generate monthly reports to regulators showing the company
was holding more than $200 million in customer funds than it actually had. He
fooled auditors with the National Futures Association by changing the bank’s
address in the statements to a post office box he controlled. The auditors
would mail forms asking the bank to verify Peregrine’s account balances; the CEO
would send back false documents purporting to be from the bank. Source: http://www.omaha.com/article/20120918/MONEY/709189965/1707
10. September 18, The Register – (International) Romanians plead guilty to credit card hack on U.S. Subway shops. Two Romanian nationals who were extradited to the United
States in May confessed their involvement in a $10 million scam aimed at
stealing credit and debit card data from payment terminals at hundreds of
Subway restaurants and other merchants across the country, according to a U.S.
attorney’s office, The Register reported September 18. They were among four
Romanian nationals extradited in May after being charged in December 2011 with
hacking into vulnerable Subway point-of-sale (POS) computers between 2009 and
2011. The scheme led to the compromise of more than 146,000 payment cards. The
hack against POS terminals relied on identifying machines running exploitable
remote desktop software applications. The U.S. Department of Justice said one
of the men hacked into these systems to install keystroke logging applications,
which subsequently recorded card data from swiped cards before transferring
this information to dump sites. In some cases he had to crack passwords to
circumvent the remote desktop applications, which in normal use were used to
update the software on POS terminals. The other individual admitted to
attempting to make fraudulent transactions using the stolen credit card data as
well as selling the data to co-conspirators. Source: http://www.theregister.co.uk/2012/09/18/romanian_cybercrooks_plead_guilty/
Information Technology Sector
39. September 18, Computerworld – (International) Microsoft confirms hackers exploiting critical IE bug, promises patch. September 17, Microsoft issued a security
advisory that confirmed in-the-wild attacks are exploiting an unpatched bug in
Internet Explorer (IE). The software maker is working on a fix. The advisory
addressed the zero-day vulnerability that was found and disclosed by a researcher
the weekend of September 15. September 17, the Metasploit open-source
penetration framework published an exploit module for the bug. All but one
supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8, and
2011’s IE9. Together, those browsers accounted for 53 percent of all browsers
used worldwide in August. The only exception was IE10, the browser bundled with
the new Windows 8, which does not contain the bug. Microsoft acknowledged it
was investigating reports of a vulnerability but it did not promise a patch.
The bug, when Microsoft patches it, will be rated “critical.” Exploiting the
flaw allows hackers to execute code and opens Windows XP, Vista, and Windows 7
to drive-by attacks that only require getting victims to visit a malicious or
compromised Web site. Until a patch is available, Microsoft recommends users
block attacks with EMET 3.0 (Enhanced Mitigation Experience Toolkit), boost IE’s
security zone settings to “high,” and configure the browser to display a warning
before executing scripts. Source: http://www.computerworld.com/s/article/9231396/Microsoft_confirms_hackers_exploiting_critical_IE_bug_promises_patch
40. September 18, The H – (International) Apple fixes VNC security problem in Remote Desktop 3.5. September 17, Apple released an update to the 3.5.x branch of
its Apple Remote Desktop (ARD) administration application to close a known
security hole. Version 3.5.3 of the desktop management solution for remotely
managing Mac OS X systems corrects an information disclosure vulnerability
(CVE-2012-0681) when connecting to third-party VNC servers that could result in
data not being encrypted when the “Encrypt all network data” setting is
enabled. When this happens, no warning is presented to alert users that the connection
could be insecure. Source: http://www.h-online.com/security/news/item/Apple-fixes-VNC-security-problem-in-Remote-Desktop-3-5-1710538.html
41. September 17, Infoworld – (International) Jenkins integration server suffers security vulnerabilities. Jenkins, the open source continuous integration server,
faced several security vulnerabilities September 17, with the Jenkins project
leader recommending upgrades to the Jenkins core and some plug-ins to fix the
problems. A security advisory posted by the project leader cites four
vulnerabilities, including two affecting the Jenkins core. The first vulnerability
was deemed critical. It allows unprivileged users to insert data into Jenkins
master, which can lead to remote code execution. For this vulnerability to be
exploited, the attacker must have HTTP access to a Jenkins master, and he
must have read access to Jenkins, the security advisory said. The second
vulnerability in the core involves a cross-site scripting vulnerability,
allowing an attacker to craft a URL that points to Jenkins, with an attacker
able to hijack a legitimate user’s session. Two other vulnerabilities, also
involving cross-site scripting, affect the Violations and Continuous
Integration Game plugins. The Violations plug-in scans for violation XML files
in the build workspace; the Game plug-in offers tips on improving builds.
Source: http://www.computerworld.com/s/article/9231372/Jenkins_integration_server_suffers_security_vulnerabilities
42. September 17, eSecurity Planet – (International) Mobile emphasis at HP’s Pwn2Own. September 19, HP planned to host its first mobile Pwn2Own hacking competition at the
EUSecWest event in Amsterdam, Netherlands. The event will challenge security
professionals to find and exploit flaws in mobile technology for cash and prize
awards. The contest will take aim at mobile Web browsers, near field
communication (NFC), and Short Message Service (SMS), as well as cellular
baseband technologies. Apple iOS, Blackberry, and Android smartphones will be
among the devices under attack. HP will award the largest prize in the mobile
Pwn2own contest to the researcher who can demonstrate a cellular baseband
vulnerability. Source: http://www.esecurityplanet.com/hackers/mobile-emphasis-at-hps-pwn2own.html
43. September 17, Threatpost – (International) New
iteration of TDSS/TDL-4 botnet uses domain fluxing to avoid detection. A
new version of the TDSS/TDL-4 botnet is rapidly growing, primarily because it
is having success using an evasion technique known as a domain generation
algorithm (DGA) to avoid detection, researchers at Damballa Security revealed
September 17. The algorithm helps the latest version of the botnet conduct
click-fraud campaigns and is used primarily to rapidly move communication
between victims and command-and-control servers from domain to domain, a
technique known as domain fluxing, similar to fast fluxing. Since this new
version appeared in May, it has reportedly infected 250,000 unique victims,
including machines inside government agencies, ISP networks, and 46 of the
Fortune 500. Damballa researchers said they found 85 command and control
servers and 418 domains related to the new version, primarily hosted in Russia,
Romania, and the Netherlands. Source: http://threatpost.com/en_us/blogs/new-iteration-tdsstdl-4-botnet-uses-domain-fluxing-avoid-detection-091712
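The domain-fluxing behaviour described in item 43 is what a resolver-log detection looks for: one host querying a burst of machine-generated-looking names, most of which do not resolve. The following is an added example (not from the report or from Damballa) that scores the second-level label of each query with a simple entropy and character-mix heuristic over a constructed log sample; the log format, client addresses, and thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log sample ("<client> <qname> <rcode>"); not from the report.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 q7xk2lp9v3tzm.ru NXDOMAIN
10.0.0.9 zv81hxqj4dw0.com NXDOMAIN
10.0.0.9 kp3nq9zx7lvm2b.net NXDOMAIN
10.0.0.9 x9d2kq7vpz3lwm.ru NOERROR
10.0.0.9 m4tzq8xjv1kpl.com NXDOMAIN
10.0.0.9 r2wqz7kxp9vm3n.net NXDOMAIN
10.0.0.7 cdn.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname: str) -> str:
    """Second-level label of a query name: 'example' for 'www.example.com'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str) -> bool:
    """Crude DGA heuristic: a long, high-entropy label with few vowels and
    several digits. Real DGAs vary; tune the thresholds against your own traffic."""
    if len(label) < 10:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) > 3.0 and vowels / len(label) < 0.25 and digits >= 2


def flag_hosts(log_text: str, threshold: int = 3) -> dict:
    """Map each client that looked up at least `threshold` generated-looking
    names to its list of (label, rcode); many NXDOMAIN answers to such names
    is the classic sign of a bot walking its DGA list for a live C2 domain."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        label = registered_label(qname)
        if looks_generated(label):
            suspects[client].append((label, rcode))
    return {c: hits for c, hits in suspects.items() if len(hits) >= threshold}


if __name__ == "__main__":
    for client, hits in flag_hosts(SAMPLE_LOG).items():
        nx = sum(1 for _, rcode in hits if rcode == "NXDOMAIN")
        print(f"{client}: {len(hits)} DGA-like lookups, {nx} NXDOMAIN")
```

The heuristic alone will produce false positives on CDN and tracking hostnames; in practice it is combined with the NXDOMAIN ratio and per-host volume before alerting.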
For more stories, see items 7, 8 and 10 above in the Banking and Finance Sector and 44 below in the Communications Sector
Communications Sector
44. September 17, Threatpost – (National) Developer warns millions of Virgin Mobile subscribers about authentication flaw. An Alamo, Texas developer September
17 warned Virgin Mobile U.S. subscribers that their accounts can be hacked
after the company failed to respond with a fix. “I reported the issue to Virgin
Mobile a month ago and they have not taken any action, nor informed me of any
concrete steps to fix the problem, so I am disclosing this issue publicly,” he
said in a blog post. He said he found that the carrier’s current authentication
method relied on the user’s phone number and a six-number PIN to access an
account. Using his own account, he created a script to narrow in on the 1
million possible passwords. Once the script unlocked his numeric PIN he realized
“pretty much anyone can log into your Virgin Mobile account and wreak havoc, as
long as they know your phone number.” He said he contacted the firm and its
parent, Sprint, in August to alert them to the issue but became frustrated with
the pace of the investigation and lack of communication. After several emails
back and forth with a Sprint official, he was told September 14 the company did
not plan further action on Virgin Mobile’s end. Source: http://threatpost.com/en_us/blogs/developer-warns-millions-virgin-mobile-subscribers-about-authentication-flaw-091712
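The weakness in item 44 is the combination of a public identifier (the phone number), a six-digit PIN with only 1,000,000 possible values, and no throttling. The following is an added example, not the carrier's code, of the mitigation a defender would expect: a verifier that locks an account after a few failures with doubling lockouts, plus a helper that computes how many online guesses that policy permits in a given period. Account numbers, PINs and policy values are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS  # 1,000,000 possible PINs, as the item notes


@dataclass
class AccountState:
    pin: str
    failures: int = 0
    locked_until: float = 0.0
    trips: int = 0  # how many times the lockout has fired


class PinVerifier:
    """Hypothetical verifier keyed by phone number (not the carrier's code).
    After max_failures wrong guesses the account locks for base_lock seconds,
    and each further lockout doubles the duration."""

    def __init__(self, max_failures: int = 5, base_lock: float = 60.0, clock=time.monotonic):
        self.accounts: dict[str, AccountState] = {}
        self.max_failures = max_failures
        self.base_lock = base_lock
        self.clock = clock  # injectable so tests can control time

    def enroll(self, phone: str, pin: str) -> None:
        if len(pin) != PIN_DIGITS or not pin.isdigit():
            raise ValueError("PIN must be exactly six digits")
        self.accounts[phone] = AccountState(pin=pin)

    def verify(self, phone: str, pin: str) -> str:
        """Return 'ok', 'bad_pin' or 'locked'; unknown numbers get 'bad_pin'."""
        acct = self.accounts.get(phone)
        now = self.clock()
        if acct is None:
            return "bad_pin"  # do not reveal which numbers are subscribers
        if now < acct.locked_until:
            return "locked"
        if secrets.compare_digest(acct.pin, pin):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.base_lock * (2 ** acct.trips)
            acct.trips += 1
            acct.failures = 0
        return "bad_pin"


def guesses_within(seconds: float, max_failures: int = 5, base_lock: float = 60.0) -> int:
    """Online guesses one phone number can absorb within `seconds` under the
    policy above: a batch of max_failures, then ever-longer lockouts."""
    guesses, elapsed, lock = 0, 0.0, base_lock
    while True:
        guesses += max_failures
        if elapsed + lock > seconds:
            return guesses
        elapsed += lock
        lock *= 2
```

With the default policy, guesses_within(86400.0) returns 55 attempts per day against a space of 1,000,000 PINs, which turns the script-driven search the developer described into a multi-decade effort per account.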
For more stories, see item 8 above in the Banking and Finance Sector and 42 above in the Information Technology Sector
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.