Wednesday, July 6, 2016




Complete DHS Report for July 6, 2016

Daily Report                                            

Top Stories

A DTE Energy Co. building in Michigan was deemed a total loss following a natural gas explosion July 2 that prompted the evacuation of nearly 1,500 residents after a vehicle crashed through a fence and into a natural gas main. – Detroit Free Press

2. July 3, Detroit Free Press – (Michigan) DTE Energy building called ‘total loss’ after explosion. A DTE Energy Co. training facility building in Melvindale was deemed a total loss following a natural gas explosion July 2 that prompted the evacuation of nearly 1,500 residents after a vehicle crashed through a fence and into a natural gas main, causing the explosion.

Lightning struck the Grand River Energy Center in Chouteau, Oklahoma, July 1 disabling a cooling pump and starting a fire that burned for several hours overnight. – KOTV 6 Tulsa

3. July 2, KOTV 6 Tulsa – (Oklahoma) Repairs to Chouteau GRDA Plant may take a year due to extent of fire. Lightning struck the Grand River Energy Center in Chouteau, Oklahoma, July 1 disabling a cooling pump and starting a fire that burned for several hours overnight, forcing an evacuation. Officials stated that it may take at least a year to complete repairs.

Crews reached 5 percent containment July 4 of the Hot Pot Fire which has burned approximately 122,390 acres in northeastern Nevada. – Elko Daily Free Press

22. July 5, Elko Daily Free Press – (Nevada) Firefighters hold line at Midas, 122,000 acres scorched. Crews reached 5 percent containment July 4 of the Hot Pot Fire which has burned approximately 122,390 acres in northeastern Nevada. Voluntary evacuations were ordered in Midas and operations at Midas Mine were shut down due to a loss of power. Source: http://elkodaily.com/news/local/firefighters-hold-line-at-midas-acres-scorched/article_95d0b6c0-d14f-5dd2-8011-0c56e4f60b35.html


A security researcher discovered a zero-day firmware vulnerability in the Unified Extensible Firmware Interface (UEFI), which is installed on all Lenovo ThinkPad series laptops, after identifying that the flaw exists in the System Management Mode (SMM) code of Lenovo’s UEFI. – SecurityWeek See item 36 below in the Information Technology Sector
 

Financial Services Sector

6. July 4, Manchester Journal Inquirer – (Connecticut) 4 men face credit card fraud-related charges. Four men were arrested in Tolland, Connecticut, July 2 after police were notified that the group allegedly attempted to use several fake or stolen credit cards at a Mobil gas station. A subsequent search of the suspects’ vehicle revealed numerous fraudulent credit cards in various stages of production, a credit card embossing machine, and two electronic credit card writers, among other illicit materials. Source: http://www.journalinquirer.com/crime_and_courts/men-face-credit-card-fraud-related-charges/article_2a3c582a-4193-11e6-943f-8364a47a07b6.html

7. July 2, WTXF 29 Philadelphia – (Pennsylvania) ‘Straw Hat Bandit’ strikes North Wales bank. Authorities are searching for a man dubbed the “Straw Hat Bandit” who is suspected of robbing 10 banks in the Philadelphia area since 2012, including a PNC Bank branch in North Wales July 2.

For another story, see item 1 below

July 3, Miami Herald – (Florida) 2 Miami men accused of sucking credit card info from gas pumps. Authorities arrested two Miami men July 3 after officers found the duo installing credit card skimming devices on pumps at a Valero gas station in Marathon, Florida, while the gas station was closed.

Information Technology Sector

28. July 4, Softpedia – (International) Flaws in free SSL tool allowed attackers to get SSL certificates for any domain. StartCom released a new version of its StartEncrypt Linux tool after a security researcher from CompuTest discovered the product had several design and implementation flaws that could allow an attacker to extract signatures from any Web site that enables its users to upload files including GitHub and Dropbox. In addition, an attacker could obtain Secure Sockets Layer (SSL) certificates for other domains. Source: http://news.softpedia.com/news/flaws-in-free-ssl-tool-allowed-attackers-to-get-ssl-certificates-for-any-domain-505977.shtml

29. July 4, Softpedia – (International) Free decrypter available for download for MIRCOP ransomware. A security researcher created a decrypter tool that can recover files locked by the MIRCOP ransomware without paying the ransomware fee after an independent researcher and security researchers from Trend Micro revealed the presence of the new ransomware family at the end of June. Source: http://news.softpedia.com/news/free-decrypter-available-for-download-for-mircop-ransomware-505976.shtml

30. July 4, Softpedia – (International) New Adwind RAT campaign with zero AV detection targets businesses in Denmark. Security researchers from Heimdal Security discovered a spam email campaign was targeting Danish companies after finding that the spam emails came with malicious file attachments named “Doc-[Number].jar” that were not detected by antivirus engines, even if the attachments carried Adwind Remote Access Trojan (RAT). Researchers believe the campaign may target other international countries as the emails were written in English. Source: http://news.softpedia.com/news/new-adwind-rat-campaign-with-zero-av-detection-targets-businesses-in-denmark-505974.shtml

31. July 4, Softpedia – (International) Malware spread via Facebook makes 10,000 victims in 48 hours. Security researchers from Kaspersky Lab reported that from June 24 – June 27, cyber criminals were using Facebook spam messages to distribute malware to user accounts and allegedly selling Facebook “likes” and “shares” via botnet of infected devices by informing users about mentions in comments and convincing them to access a link that would secretly download a trojan on the user’s computer, as well as secretly install an extension in the user’s Google Chrome Web browser. Facebook blocked the technique and Google removed the extension from its Chrome Web Store. Source: http://news.softpedia.com/news/malware-spread-via-facebook-makes-10-000-victims-in-48-hours-505969.shtml

32. July 4, SecurityWeek – (International) Critical vulnerability breaks Android full disk encryption. An independent Israeli security researcher discovered that Qualcomm Secure Execution Environment (QSEE) was plagued with a critical elevation of privilege (EoP) flaw that affects 57 percent of Android devices, which could allow an attacker to bypass the Full Disk Encryption (FDE) security feature previously implemented in Android 5.0 Lollipop. The flaw could allow a compromised, privileged application, with access to QSEECOM, to execute arbitrary code in the TrustZone content. Source: http://www.securityweek.com/critical-vulnerability-breaks-android-full-disk-encryption

33. July 4, SecurityWeek – (International) Spam campaign distributing Locky variant Zepto ransomware. Security researchers from Cisco Talos warned customers that the Zepto ransomware, a variant of the Locky ransomware, was found distributing over 4,000 spam emails June 27, and distributing as many as 137,731 emails in 4 days via an attached .zip archive that contains a malicious JavaScript. Researchers reported that the campaign contained a total of 3,305 unique samples that convinced targets to open the spam emails by using various subject lines and sender profiles including “CEO” and VP of Sales.” Source: http://www.securityweek.com/spam-campaign-distributing-locky-variant-zepto-ransomware

34. July 4, Softpedia – (International) HawkEye keylogger users employ hacked emails accounts to receive stolen data. Security researchers from Trustwave discovered a spam email campaign was using the HawkEye keylogger to allow attackers to collect emails, browsers, and File Transfer Protocol (FTP) settings and passwords by delivering malicious Rich Text Format (RTF) documents disguised as Microsoft Word files to victims, and allowing the hijacked accounts to reroute all messages received from a victim’s email address to the attacker’s personal inbox. Source: http://news.softpedia.com/news/hawkeye-keylogger-users-employ-hacked-emails-accounts-to-receive-stolen-data-505958.shtml

35. July 4, IDG News Service – (National) Second man pleads guilty to hacking entertainment celebs. The U.S. District Court for the Central District of California reported that an Illinois resident pleaded guilty for his involvement in a phishing scheme where he gained access to several female celebrities and non-celebrities’ usernames, passwords, and personal information including private photographs and videos after he sent them emails disguised as security accounts of Internet service providers. The culprit accessed at least 300 Apple iCloud and Google Gmail accounts. Source: http://www.computerworld.com/article/3090952/security/second-man-pleads-guilty-to-hacking-entertainment-celebs.html

36. July 4, SecurityWeek – (International) Firmware zero-day allows hackers to disable security features. A security researcher discovered a zero-day firmware vulnerability in the Unified Extensible Firmware Interface (UEFI), which is installed on all Lenovo ThinkPad series laptops, after identifying that the flaw exists in the System Management Mode (SMM) code of Lenovo’s UEFI and can be exploited for several malicious actions including disabling the Secure Boot feature, disabling UEFI write protections, and bypassing Windows 10 Enterprise security features. Lenovo is investigating the incident. Source: http://www.securityweek.com/uefi-zero-day-allows-hackers-disable-security-features

37. July 3, Softpedia – (International) Satana ransomware encrypts your boot record and prevents your PC from starting. Security researchers from Malwarebytes reported that the new ransomware dubbed Satana encrypts files using the same method as other ransomware families, but attaches its email address to each file, encrypting the Master Boot Record (MBR) and replaces it with its own. Once a user restarts their computer, the MBR boot code will load and lock the user out of the computer while Santa’s ransom note displays on the screen. Source: http://news.softpedia.com/news/satana-ransomware-encrypts-your-boot-record-and-prevents-your-pc-from-starting-505933.shtml

For another story, see item 39 below in the Communications Sector

Communications Sector

38. July 4, WSYX 6 Columbus/WTTE 28 Columbus – (Ohio) Verizon: Outage issue resolved in central Ohio. Verizon reported July 4 that it resolved a hardware issue in its switching network which knocked out phone service for an unknown amount of its 1x voice service customers in central Ohio for at least 3 hours. Source: http://abc6onyourside.com/news/local/verizon-outages-reported-throughout-central-ohio

39. July 4, SecurityWeek – (International) Unpatched flaws plague Sierra Wireless Industrial Gateways. An independent security researcher reported that the Sierra Wireless AirLink Raven XE and XT modems were plagued with several flaws including a lack of anti-Cross-Site Request Forgery (CSRF) tokens in AceManager that could allow an attacker to perform arbitrary actions if they convince victims to open a malicious link. In addition, the product was plagued with a flaw that pertained to the existence of a default account that could allow an attacker, with access to the network, log into the device’s Web administration interface, among other flaws. Source: http://www.securityweek.com/unpatched-flaws-plague-sierra-wireless-industrial-gateways