Friday, October 31, 2014

EXCLUSIVE - The Malware Hitlist

The following list is a historical look at Backoff and similar malware over the past few months. Many retailers have been affected by this malware, and the list appears to be growing rapidly. This is a 3 month time slice of malware that was detected by sensors and reported by third parties. Please keep in mind that these reports are only as accurate as the whois records, and many of the offending hosts have been taken offline. No additional information will be released at this time.

VPLS Hosting Company - Multiple
JSC VimpelCom
Wrangler Forum
LG DACOM Corporation
Lockheed Martin Corporation - Multiple
Hyundai Corporation
Military Networks - Multiple
Jimmy Johns - Multiple
Department of Veterans Affairs - Multiple
Netago - Multiple
City of Georgetown Texas
L3 Communications
ANL - Multiple (Government)
Leon Lundberg
EGI Hosting
Korea Telecom
City of Phoenix, Arizona
Sheetz Inc
Northrop Grumman Corporation
KDDI Corporation
CNCGroup China - Multiple
SONY - Multiple
P.F. Chang's - Multiple
RN Data
Starbucks - Multiple
Ross Department Stores
Goodwill - Multiple
Harvard Business School
Neiman Marcus
OVH Systems
Ionity Corporation
City of Atlanta GA
Astro Telecommunications
Michaels Corporation
US Army Colo
Qatar Petroleum - Multiple
Extended Care Allscripts - Multiple
Western Union - Multiple
United Parcel Service - Multiple
Bartell Hotels - Multiple
US Airways
Aria Telecom
Dairy Queen - Multiple
City of Los Angeles CA
Department of Energy
LA Police Department - Multiple
Aaron Brothers
NRC Systems
NDC Systems
Sears/KMart - Multiple
Home Depot - Multiple
Amazon Web Services - Multiple

Additional Entities:
Visafone Communications Limited
Korea Telecomm - Multiple

NOTIFICATIONS: Pending Patient Notifications

SLC Security Services LLC will begin notifying patients of Cape Fear Valley Health System (Fayetteville, NC) and WakeMed (various locations) once formal notification has been made to those entities.

We have previously contacted both entities and neither entity responded to our notification letters.

BREACH: Freeborn County Sheriff's Office

Freeborn County administration is investigating a suspected data breach within law enforcement, according to Administrator John Kluever.

He said he and other information technology staff are looking into the possibility that someone was unnecessarily viewing open investigation files and disseminating parts of those files to the public.
He declined to comment on how the suspected breach was discovered and whether it has any connection to the upcoming election in the Freeborn County Sheriff’s Office.
“If you access something for a nongovernmental purpose, that would be a data breach,” Kluever said.

He hopes to have more answers by the end of next week.

Kluever said if a data breach is found, state statute requires officials to contact anyone who might have been affected.

The Freeborn County Sheriff’s Office has been rife with controversy and even an anonymously defamatory website, which also is under investigation. It’s unclear whether the data breach is related.

Type: State Government
Area: Law Enforcement
First Noted: 31 October 2014 9:25 AM EST
Location: MN
Total Records: Unknown

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

BREACH: Watsons Bay Hotel

The host at is compromised and is serving up malware. The IP and Domain have been added to our block list.

Wednesday, October 29, 2014

Peerblock updates and signature updates

Clients and Lab users. We have updated our signatures, MD5 hashes, IP and network information. Customers we have already pushed the MD5 and IP blocks to your devices. Internet and open source users may want to update your Peerblock or rules.

Added 5 new variants that we are seeing in email
Added 23 IP addresses and 14 networks, and removed some expired records


OPINION: PCI-DSS Pretty Much Useless...

Merchants must meet more than 400 requirements, like installing firewalls, updating antivirus software, and ensuring that credit card readers haven't been tampered with. 

We hate to break it to you, but having a firewall, antivirus and checking your credit card readers for tampering will not protect you from a data breach. We were reading an article on PCI-DSS and nearly choked.

It looks to us like anybody can pass one of these retailers' audits. They had better be thankful it's not us doing the audits, or these folks would be in trouble.

The news item we were reading is here.

This is exactly why the industry will continue to get hacked and breached frequently. The people making the rules don't understand real security, and the rules and regulations don't address real issues.

The audits are conducted only once a year, so they may not provide a full picture of a retailer’s security.

That's true. Security administrators make changes nearly every day, or at least they should. Without safeguards in place they can change items that would make them non-compliant and if they are not audited for a full year that's a great big open invitation for problems.

“To most security guys, it’s just a box you check to protect the CEO. It’s not real security.”

Yeah, we agree with that statement. That is why we fail 80-90% of all first-time audit clients. The difference is that we see the work through until we are confident that they have real security in place, and we assist our clients in securing their network rather than just handing them the findings and suggestions. Most clients we deal with need assistance and assurance to ensure that the changes made are effective.

It's a sad state in the security world. There are companies that do it right, but unfortunately there are many that fail at security as well.

Today's Naughty List - 28 Oct 2014

Netherlands (NLD) - n/a - n/a
United States (USA) - New York - New York
China (CHN) - n/a - n/a
China (CHN) - Zhejiang - Hangzhou

SLC Security Auditing Framework Community Edition

SLC Security Services LLC announced today that we will be releasing our auditing framework as freeware. The free version of the software will only audit systems and will not include any of the lockdown capabilities of the software. The lockdown framework can be used to check computer policies and several community supported templates will be included in the free edition.

We anticipate making the free version of the software available sometime in the next week. All that we ask is that you let us know if you find any issues with the templates or the program itself. We are releasing version 2 community edition and will continue to release the software 1 version behind our production software. The production software has additional functionality such as:

  • Lockdown - The ability to apply a template to a system
  • Reports - Ability to run scheduled reports
  • Auditing Documentation - Ability to deviate from a lockdown policy and documentation for auditors - A requirement if you do not meet the audit policies
  • History Tracking - Prompts for information when an item changes - Like after a patch may change a setting
  • Unlimited Use - The community edition will only audit the local machine. The community edition when run as an Administrator can audit remote systems
  • Linux Support - Not available in the community edition

We decided that it would be good for potential customers to have a way to prepare for audits easily and to have reports for their systems.

The community edition does not require any authentication or Internet access to run. The software may also be run from a thumb drive.

Users can email templates they wish to share to for inclusion in the commercial product. If your template is included in a future release we will give you a licensed copy of the software for your personal or professional use.

Patient Disclosure Monitoring - 28 Oct 2014

Webex Trollers on the Prowl

We have been asked by a company to determine who has been dialing into their Webex. The Webex session showed a phone number but the person on the other end failed to identify themselves on the call.

We quickly advised the client to password protect the Webex sessions. Why wouldn't you password protect your Webex sessions in the first place? It's the same reason passwords are reused. Ease of access.

Brian Krebs previously reported on companies using Webex without passwords. His research indicated several dozen large companies were hosting meetings without passwords. I have actually logged into the wrong Webex on two occasions because of fat fingering meeting numbers when connecting to Webex. When this occurred I told the person(s) on the call that I had inadvertently connected to their meeting and promptly hung up.

One of the vulnerabilities we have noted is that companies using hosted Webex services in many cases fail to password protect their meetings, and this is something you should probably check for in your organization. It's not a big deal in most cases unless you're discussing patients or unless you are a financial institution. However, all businesses should be wary, as we are pretty sure China and Russia may also troll Webex sessions in order to glean intelligence information from companies.

If you notice somebody on your Webex that you can't identify your best option is to terminate the meeting and send out new invitations with a password protected Webex.

The Learning Series: Lesson 1 Access Control List - Be specific, Be precise!

As many of you know this blog is staffed by volunteers and various individuals that have experience in computer forensics, network forensics, malware deconstruction, operating systems and other areas of expertise. SLC Security Services LLC (the sponsor of this blog) has been working to really define some of the goals of this project and one of the main items on the to do list was to provide some tutorials and write ups for network administrators and security staff to assist them with various items that may be of help when securing their networks and infrastructure.

One of the first things we notice during audits is that many corporations fail to use ACLs (access control lists) effectively. When properly used, an ACL may mean the difference between having a single machine compromised and having customer data stolen. I think we can all agree that rebuilding a single system is a better use of company resources than rebuilding an entire site or multiple sites, and ACLs are one way to ensure that a single exploited system does not result in a much larger disclosure or compromise of PHI/PII or credit card data.

When we audit most companies, one of the first things we notice in about 90% of our audits is that administrators rarely, if ever, set up the correct ACLs on their systems. ACLs are a last line of defense, ensuring that even if a box is compromised the data residing on that system cannot leave your infrastructure without you knowing about it. In about 70% of the audits we have performed over the last year we have identified either incorrectly implemented ACLs, no ACLs in place at all, or a major lack of understanding of the corporate network layout, so that ACLs are implemented only to block specific items.

Let's take a POS system as an example of one place where ACLs should ALWAYS be implemented. POS systems by design only have to communicate over the network with a few different servers. You would want to allow communication from the POS system only to the systems and services required for operation, and everything else should be blocked. One recent remediation after a compromise found that the traffic leaving the network was being sent over HTTPS to the Internet through a proxy server that had been set up externally. There were several places in which an ACL would have stopped an automated attack or a hacker dead in their tracks had the proper ACLs been implemented on the network switch and router sitting between the POS network and the Internet. The POS system in this case had an SSL VPN client enabled on it, so blocking HTTPS entirely would not have worked, but restricting HTTPS traffic with an ACL to the single host the POS system needed to talk to would have closed those ports and not allowed the credit card data to leave the POS network. The POS system needed to talk to only 3 other IP addresses on 2 services for proper operation. The first question we asked was why there were no ACLs on the network switches, and the customer's response was that they didn't feel it was necessary.

After the audit I can tell you that every location is not secured with the proper ACLs. Had the ACLs been implemented from the start, this client would not have had to notify their customers of the breach, and we would not have had to go in and reverse engineer a pretty nasty attack.

Some general rules:
1. Only allow these systems to talk to known systems required for proper operation. Block everything else.
2. Use multiple layers of ACLs on switches, routers and firewalls. This ensures that if one device is compromised there are backups to prevent unauthorized traffic from leaving the network.
3. Know what traffic is going where. Open up services one at a time and only for the required network destinations. There should be no blanket rules allowing HTTP, for example. Why would a POS system need to access the Internet? It doesn't, and if it does, it would only access a vendor site for updates, so allow only that single system to reach the vendor sites for updates and block HTTP access to everything else.
4. Block anything not being used. Deny should be the default rule for all ACLs. Sure, it takes time to build complicated ACLs in your network, but it helps keep your network secure and keeps your machines from talking to machines that are not authorized.
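The four rules above can be checked on paper before anything is pushed to a switch. The Python script below is an added example, not part of the original article or of SLC's auditing toolkit: it models first-match ACL evaluation with an implicit deny (the semantics router and switch ACLs use), builds the strict POS ACL the article describes (three hosts, two services, deny everything else) next to the blanket "allow HTTPS anywhere" style it warns against, and shows that the exfiltration path from the case study (HTTPS to an external proxy) is dropped by the first and waved through by the second. Every address is constructed from RFC 1918 / RFC 5737 space; the Cisco-style renderer emits standard IOS extended-ACL syntax but is illustrative only.

```python
"""First-match ACL evaluation with an implicit deny, the semantics used by
router and switch ACLs.  Added example; every address below is constructed
from RFC 1918 / RFC 5737 space and stands in for the article's POS case."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any destination port
    note: str = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


ANY = net("0.0.0.0/0")
POS_NET = net("10.10.5.0/24")         # constructed POS VLAN


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if flow.src not in rule.src or flow.dst not in rule.dst:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, int]:
    """Return (action, index of the matching rule); -1 means the implicit deny fired."""
    for i, rule in enumerate(acl):
        if matches(rule, flow):
            return rule.action, i
    return "deny", -1


# Strict ACL: the three hosts and two services the POS actually needs.
STRICT_ACL = [
    Rule("permit", "tcp", POS_NET, net("198.51.100.10/32"), 443, "SSL VPN concentrator"),
    Rule("permit", "tcp", POS_NET, net("10.20.0.5/32"),     443, "store back-office server"),
    Rule("permit", "udp", POS_NET, net("10.20.0.2/32"),      53, "internal resolver only"),
    Rule("deny",   "ip",  POS_NET, ANY,                    None, "explicit deny so hits can be logged"),
]

# Blanket ACL: "allow HTTPS/DNS anywhere", the style the article warns against.
LOOSE_ACL = [
    Rule("permit", "tcp", POS_NET, ANY, 443, "blanket HTTPS"),
    Rule("permit", "udp", POS_NET, ANY,  53, "blanket DNS"),
]

# Constructed flows: the two the POS needs, and two ways data could leave.
VPN_FLOW   = Flow("tcp", addr("10.10.5.21"), addr("198.51.100.10"), 443)
DNS_FLOW   = Flow("udp", addr("10.10.5.21"), addr("10.20.0.2"),      53)
EXFIL_FLOW = Flow("tcp", addr("10.10.5.21"), addr("203.0.113.77"),  443)  # external proxy
DNS_OUT    = Flow("udp", addr("10.10.5.21"), addr("203.0.113.53"),   53)  # resolver outside the network


def to_cisco(acl: List[Rule], number: int = 110) -> List[str]:
    """Render rules in Cisco IOS extended numbered-ACL syntax (illustrative)."""
    def operand(n: ipaddress.IPv4Network) -> str:
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        if n.prefixlen == 0:
            return "any"
        return f"{n.network_address} {n.hostmask}"   # IOS uses wildcard masks
    lines = []
    for r in acl:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f"access-list {number} {r.action} {r.proto} "
                     f"{operand(r.src)} {operand(r.dst)}{port}")
    return lines


if __name__ == "__main__":
    for name, acl in (("strict", STRICT_ACL), ("loose", LOOSE_ACL)):
        for flow in (VPN_FLOW, DNS_FLOW, EXFIL_FLOW, DNS_OUT):
            action, idx = evaluate(acl, flow)
            print(f"{name:6} {flow.proto}/{flow.dport} -> {flow.dst}: {action} (rule {idx})")
    print("\n".join(to_cisco(STRICT_ACL)))
```

The explicit final deny duplicates the implicit one on purpose: on common platforms only an explicit entry carries hit counters or a log keyword, and that counter is how you find the flow you forgot to allow. Stage the ACL on a lab switch or in a monitoring position first, compare the deny counter against the traffic you expect, and only then enforce it in the store.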

We hope you have gotten something useful out of this article. Feel free to comment or ask questions and we will try and help individuals and answer any questions you may have.

This article was written by Kevin Wetzel lead investigator for SLC Security Services LLC. Mr. Wetzel has been an investigator for over 20 years and has specialized in computer forensics, private fraud investigations and computer security services for corporations, government and individual clients. Mr. Wetzel is a member of SLC Security Services LLC and is a contributor to this blog.

Peerblock Update

We have once again rolled out a huge update to our Peerblock list. It's probably a good time to force your Peerblock to pull an update from our servers.

Customers have already been updated automatically.

BREACH: Hackers breach some White House computers

Hackers thought to be working for the Russian government breached the unclassified White House computer networks in recent weeks, sources said, resulting in temporary disruptions to some services while cyber teams worked to contain the intrusion.

White House officials, speaking on condition of anonymity to discuss an ongoing investigation, said the intruders did not damage any of the systems, and to date, there is no evidence that the classified network was hacked.

“In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network,” said one White House official. “We took immediate measures to evaluate and mitigate the activity....Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.”

The FBI, Secret Service and National Security Agency are all involved in the investigation. White House officials are not commenting on who was behind the intrusion or how much data, if any, was taken.



Additional Stories:

NEWS: AZ State Retirement System Responds To Potential Data Breach via OSINT-X Newswires

The Arizona State Retirement System is responding to a potential data breach affecting almost 44,000 members. Officials believe some sensitive member information was lost within the mail system.

The breach occurred when the state retirement system lost track of two unencrypted CDs storing member names and social security numbers. The information was being sent by mail to a dental insurance provider as part of a monthly data transfer, however the package did not have a tracking number.



NEWS: NSA Chief Warns Companies Against Revenge Hacking via OSINT-X Newswires

Businesses, under siege from hackers looking to steal sensitive information, increasingly want to take matters into their own hands. But the head of the National Security Agency is warning them not to become hackers themselves.

"Be very careful about going down that road," Adm. Michael Rogers, the NSA director, said Tuesday at a cybersecurity event hosted by the U.S. Chamber of Commerce. "As a nonlawyer, I would tell you, wow, think about the legal implications of this."

Some business groups are tired of focusing only on defensive measures as hackers breach their systems. They want to retaliate and damage the hackers' computer systems.

Advocates of "hacking back" say that punishing attackers can be an effective tool for a company to protect itself.


Some MD5's to catch some nastiness - Enjoy


Tuesday, October 28, 2014

NEWS: Cyberattacks Point to Russia via OSINT-X Newswires

We agree, FireEye!

Earlier this year, investigators for Silicon Valley security company FireEye Inc. visited a U.S. firm to determine who, and what, sneaked into the firm’s network harboring military secrets.
There they found what they call a sophisticated cyberweapon, able to evade detection and hop between computers walled off from the Internet. The spy tool was programmed on Russian-language machines and built during working hours in Moscow....

BREACH: ASRS 44000 retirees affected

Nearly 44,000 state retirees may have had their personal data compromised in a security breach, and the Arizona State Retirement System is spending about $291,000 to provide identity-protection services for them.

The pension system this month began notifying affected retirees, all of whom were enrolled in the ASRS dental plans.

The system has offered to pay for 12 months of services with AllClear ID, the same company that is providing identity-theft protection to customers affected by a breach at Home Depot.

Those affected can call AllClear ID at 1-855-731-6012 for help. The benefits include credit monitoring and a $1 million identity-theft insurance policy.

Type: State Government
Area: Retirement Plan
First Noted: 27 October 2014 12:25AM EST
Location: AZ
Total Records: 44000+

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Noisy Much?

kevin   109.190.158.183   smtp     2014-10-27 16:42:51
kevin   109.190.158.183   system   2014-10-27 16:41:37
kevin   109.190.158.183   smtp     2014-10-27 16:42:15

Didn't we already report you guys in a previous compromised host report? I thought so!

France (FRA) - n/a - n/a

Monday, October 27, 2014

Malware Hit List - It's coming this week - Updated

This week Vulnerable Disclosures will be releasing a list of companies, individuals and firms affected by hard to detect malware including new variants of Zeus and Backoff. The list has been generated through indicators, IDS and IPS reports, reports from customers and clients and through analysis of C+C servers. The list will be fairly extensive.

Just because a company appears on the list does not mean that they are still infected, only that at some point the malware was present on systems originating from networks controlled by those organizations.

Whois information as we know is not 100% accurate so please take that into account as well. We are reporting only what we are seeing in our system and some information may not be correct if Whois records are not up to date or accurate.

Update: We have  been asked to give the time frame of the analysis. The results that will be posted will contain data from 1 Aug through 25 Oct, 2014. So roughly a 3 month period.

We will be listing the top 100 based on number of unique IP addresses or confirmed connections from a particular network. 

Sunday, October 26, 2014

BREACH: Delaware River and Bay Authority

The Delaware River and Bay Authority is warning customers of a possible data breach on board the Cape May-Lewes Ferry.

The Authority says it was notified on July 30, 2014 of a possible security compromise involving credit and debit card data stored on certain systems at the ferry's terminals and vessels. The incident was investigated by the Authority's team as well as third-party forensics experts.

The Authority says the compromised data came from cards used from September 20, 2013 to August 7, 2014 and were used at systems relating to food, drink and retail sales at the Ferry. The Authority says the credit and debit card data potentially at risk includes the card number, the cardholder's name and/or the card's expiration date.

 NOTE: We are not releasing any additional information on this breach at this time.

Shellshock via email? You bet'cha - UPDATED

Starting yesterday we began seeing some known spam hosts trying to execute code via specially crafted email messages. We believe SANS is also reporting similar traffic, but we have not confirmed this at this time.

One of the recent breaches we reported on seems to be the source of some of these messages but not all. We are in the process of conducting additional research and will release additional information later today.


Saturday, October 25, 2014

Backoff Malware and Variants are Spreading through POS Systems Quickly

We have had several retailers notify us that they are having problems keeping the Backoff variant off their point-of-sale systems. We have given them the quick rundown on what they can do to protect themselves, and then a few weeks go by and they call again. We have offered to assist them in locking down their systems correctly. In fact, this week we provided a lockdown script in our Auditing Toolkit specifically for retailers to apply to their point-of-sale systems.

The Backoff malware is being modified to avoid detection, and since it runs differently than previous malware variants, each system must be checked, as it can run in memory without any indication of an issue. We have even seen some variants that actually seek out other traffic and send it out using protocols that typically would not be a problem (including DNS requests with payloads).

The best bet is to hire a security firm that specializes in this type of protection. Symantec has stated that known threats are covered in its recent testing, and it's really starting to annoy us. In fact, we have been doing submissions by request all week, and the latest signatures still do not detect known variants. We are starting to feel as though these companies don't care to protect against this, or see some sort of liability if they miss something. Well, Symantec, you are missing a lot of the viruses and malware that are causing headaches for the financial industry.

In our testing of 22 malware and virus samples on Friday Symantec only detected 7 of the samples. The other variants went undetected although Virus Total detected 21 of the 22 samples as malicious. As of today Virus Total detected 22 of 22 samples so it's a little concerning that AV vendors are lagging so far behind.

We have continually updated our MD5 hash feed with the latest threats but it's impossible to keep up with the variants. We have turned to our cloud infrastructure for help and will be allowing binary submissions soon. Clients already submit samples to our cloud for analysis and scoring and we are noting an uptick in Backoff this week.
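A hash feed like the one described above only helps if something on the endpoint actually consults it. The Python script below is an added example, not SLC's feed format or tooling: it parses a feed of one MD5 per line (a format assumed here, with `#` comments), walks a directory tree, hashes every file in chunks so large files do not have to fit in memory, and reports each match together with the file's SHA-256 so a hit can be confirmed against a second digest. `build_demo()` creates a temporary directory containing a constructed sample file and a feed that lists its hash, so the script runs offline. The paragraph's own caveat applies: a variant that differs by a single byte has a new hash, so a clean scan only shows that the known samples are absent.

```python
"""Scan a directory tree against an MD5 hash feed.  Added example with
constructed data; the one-digest-per-line feed format is an assumption."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

HEX = set("0123456789abcdef")


def parse_feed(text: str) -> Set[str]:
    """Return the set of 32-char lowercase MD5 digests in the feed; ignore comments and junk."""
    hashes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if len(line) == 32 and set(line) <= HEX:
            hashes.add(line)
    return hashes


def digests(path: Path, chunk: int = 1 << 20) -> Tuple[str, str]:
    """MD5 and SHA-256 of a file, read in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root: Path, feed: Set[str]) -> List[Dict[str, str]]:
    """Walk root and return one record per file whose MD5 is in the feed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                md5, sha = digests(p)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the scan
            if md5 in feed:
                hits.append({"path": str(p), "md5": md5, "sha256": sha})
    return hits


def build_demo() -> Tuple[Path, str]:
    """Create a temp tree with one constructed 'bad' file and a feed listing its hash."""
    root = Path(tempfile.mkdtemp(prefix="hashscan_"))
    bad = root / "Roaming" / "sample.bin"          # constructed path, not a real IoC
    bad.parent.mkdir(parents=True)
    bad.write_bytes(b"CONSTRUCTED SAMPLE - NOT REAL MALWARE")
    (root / "readme.txt").write_text("benign file")
    feed = "# constructed feed\n" + hashlib.md5(bad.read_bytes()).hexdigest() + "\n"
    return root, feed


def demo() -> List[Dict[str, str]]:
    root, feed_text = build_demo()
    return scan_tree(root, parse_feed(feed_text))


if __name__ == "__main__":
    for hit in demo():
        print(f"MATCH {hit['path']}  md5={hit['md5']}  sha256={hit['sha256']}")
```

Run it against a real feed by replacing `demo()` with `scan_tree(Path("C:/"), parse_feed(open("feed.txt").read()))` on the system under review; schedule it alongside, not instead of, the in-memory checks the paragraph calls for, since a sample that never touches disk will not be hashed.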

There will be more to come on this topic but Antivirus is not the answer even though corporations keep telling us we have a firewall and we have antivirus. How does this stuff keep getting in? It's getting in because your teams are not adequately trained to identify unconventional threats. This is why this malware goes months without being detected even though external indicators are alerting people to problems.

We will continue to notify entities until they start to take notice. We are getting tired of the "if I don't know about it, it's not a problem" attitude. Ignoring the problem is NOT the way to proceed. We have 56 entities that we are set to list on vulnerable disclosures. We have notified all 56 of problems and have not seen responses. This will probably get interesting very, very quickly when the full list is put out there.

BREACH: Qatar Petroleum Hacked

Qatar Petroleum appears to be owned at this time. What is interesting is that we started seeing malicious activity in the past few days and the activity is increasing. The company has not disclosed anything to date, yet their network systems appear to be attacking worldwide.

A notification has been sent out to their administrators and to date we have not gotten a response.

The servers appear to be under the control of a third party.

UPDATE: It appears as though this activity has been occurring for well over 5 months without any resolution to date.  Our OSINT-X product has seen traffic since late June 2014.

Second Breach Kinston, NC Government

70 Lenoir County employees' information has been published in a salary report. An employee failed to remove the information, which included names and social security numbers, from the documents.

The report was sent to one person who had worked in law enforcement and understood the gravity of the situation.

Let's hope we don't have to report on Kinston again in the future. This is the second report in 2 months.

RESEARCH: Cloud Providers Ignoring Malware Laden Host

During our recent research we have been seeing an uptick in the number of cloud hosting providers that are hosting malware, malicious content and viruses. The elastic nature of cloud provisioning is allowing hackers to take over legitimate customers' sites shortly after they are provisioned and before security settings can be applied. In our testing, the average time from provisioning until most sites are infected or hacked is less than 25 minutes.

This is troubling, and it seems hackers love these cloud environments because of the lack of security controls when a node is brought online. Just as quickly as they appear they can be taken offline and re-provisioned, and the process begins again. It's a cat-and-mouse game at its finest.

We are noting that many malware C+C servers are being hosted on a handful of cloud providers, including Amazon and Cisco web services clouds. It's difficult to block by IP or hostname in some cases because hundreds or even thousands of legitimate hosts may be NATed behind a single IP.



Disclosed a public release of customer information.

Type: Retail
Area: Cell Provider
First Noted: 24 October 2014 1:25AM EST
Location: Various
Total Records: NA

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)




Reeves International Inc Hacked

Reeves International Inc. is informing customers of a data breach of one of their online retail sites, Breyer Horses. On September 9, 2014 the company discovered that an unauthorized party had installed malware on the server hosting the Breyer Horses website; the malware compromised customers' personal data. The dates of the attack were from March 31, 2013 through October 6, 2014.

The information compromised includes names, addresses, website usernames and passwords, payment card account numbers, card expiration dates, and payment card security codes.

For anyone affected or those with questions, call 1-877-572-0628 twenty-four hours a day, Monday through Sunday (excluding holidays).

Type: Internet
Area: Commercial
First Noted: 24 October 2014 1:25PM EST
Location: California
Total Records: NA

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Friday, October 24, 2014

Today's Peerblock Update

If you are updating your peerblock from our servers you may wanna force an update today. This will protect you from several nasty malware variants. Our clients were already updated earlier today. Have a great weekend everybody!

NEWS: SLC Security Services certified as an Electronic Countermeasures School

(Raleigh, NC) - Earlier this week SLC Security Services LLC's founder and CEO Kevin Wetzel was granted approval by the North Carolina Private Protective Services Board to operate an approved Electronic Countermeasures school. SLC Security Services LLC has been providing corporate Electronic Countermeasures for over 8 years and has been involved with this business for over 20 years.

The company has been providing courses privately to Government contracts and now is able to certify individuals for licensing in North Carolina. Classes are to be scheduled every other month but private classes also will be offered to corporations wishing to certify their security and IT staff.

In order to take the course your employees must be US citizens and must pass a background check and verification process. The licensing course requires 40 hours of training, but we recommend 80 hours so your staff can get a good understanding of the practical applications of detecting, defeating and remediating covert listening devices and wiretaps.


NEWS: Hackers Threatening Judge in Silk Road Case

We are getting reports, and mainstream news has started reporting, that hackers are targeting Judge Katherine Forrest, who is set to oversee the trial of Silk Road's alleged founder Ross Ulbricht. Several blog postings on the darknet have already released personal information on Mrs. Forrest, including her address, picture and social security number. Hackers are upset that the trial is taking place, and several groups have promised additional releases of information on Mrs. Forrest's friends and family.

It appears as though Federal authorities are investigating the threats to determine the validity of the posts. Hackers appear to be upset at the Government's claims of how it was able to identify Mr. Ulbricht and bring charges, as many reports and news media accounts indicated that the Government itself may have used underhanded techniques to determine the owner of the server behind the Silk Road underground marketplace. The site was frequently used to sell illegal items such as drugs and stolen information.

Even if they can prove that Mr. Ulbricht was in fact operating the site, that still creates some legal challenges, as the methods used to determine his identity may be heavily questioned in court. But it appears as though all the defense arguments brought to date have largely been ignored by the judge, and that appears to be why she is personally being targeted.

Wednesday, October 22, 2014

ALERT: Organized Chinese Hacking Attacks NET

We highly recommend you block the netblock listed above. We have seen a serious rise in the number of reports of hacking from this IP space.

alert tcp any any -> 80 (msg: "SLC Security Alert of Malicious Activity"; classtype:network-scan; sid:2014102201)

ABUSE: CARI.NET Complaints

We started fielding complaints this morning about a host in California. Our clients are reporting brute force attacks from this entity.

Contact Information:
8929 Complex Dr, San Diego, CA 92123 (858) 974-5080

Please note that this attacker has also appeared on our Naughty List entries today. This indicates large amounts of external reports of malicious activity from this host.

Today's Naughty List - 22 Oct 2014

Taiwan (TWN) - T'ai-pei - Taipei
India (IND) - n/a - n/a
Indonesia (IDN) - Jawa Tengah - Mega
Poland (POL) - n/a - n/a
Brazil (BRA) - n/a - n/a
Ecuador (ECU) - Tungurahua - Ambato
Ethiopia (ETH) - n/a - n/a
Italy (ITA) - n/a - n/a*
United States (USA) - California - San Diego
United Kingdom (GBR) - n/a - n/a
Italy (ITA) - Lombardia - Milan
Italy (ITA) - n/a - n/a

* = Earlier report
See related story

NEWS: Don't say we didn't warn you about this one

Security researchers have been talking behind the scenes with Microsoft concerning the recent patching efforts on CVE-2014-4114. Apparently we are not the only ones who noticed the problem with the patch last week: McAfee had warned Microsoft that the patch was not 100% effective in stopping attacks that were being seen in the wild.

We reported last week that we were aware of the zero day being exploited. See our earlier story.

We noticed that hackers were largely still performing the attack with a slightly different payload method (as indicated by our distributed IDS system and honeypot indicators). We had several VM images attacked, but the exploit still required an end user to take an action before the payload was delivered.

At no time were our customers vulnerable to this attack, as our SLC Security appliances have had signatures to detect the issue since last week, when we first discovered the problem.

Code appeared on a popular hacker website last Wednesday concerning the OLE issue, and an updated script was uploaded the following day.
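CVE-2014-4114 (MS14-060) was exploited through OLE packager objects in PowerPoint files, and the follow-up flaw Microsoft acknowledged on 21 October 2014 in Security Advisory 3010060 (CVE-2014-6352) rode the same packager vector, with only a Fix it workaround until a full patch. One check worth adding to mail and upload inspection while that gap is open is to triage incoming OOXML files for OLE packager objects before anyone opens them. The Python below is an added example, not SLC Security's tooling: it unzips the document, lists embedded OLE parts, and flags OLE relationships whose target is external, particularly UNC paths or executable/INF files. The sample document, the UNC path and the file names are constructed for the example.

```python
"""Triage an OOXML (PPTX/PPSX/DOCX/XLSX) file for OLE packager objects.

Lists embedded OLE parts and OLE/package relationships whose TargetMode is
External, and flags targets that are UNC paths or point at executable
content. Added example; not SLC Security's tooling.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPES = ("/relationships/oleObject", "/relationships/package")
EMBED_DIRS = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")
RISKY_EXT = (".inf", ".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs")
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")   # \\host\share... or //host/share...


def triage_ooxml(data):
    """Return {"embedded": [...], "external": [(rels_part, target)], "suspicious": [...]}."""
    report = {"embedded": [], "external": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBED_DIRS):
                report["embedded"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if not rel.get("Type", "").endswith(OLE_TYPES):
                    continue
                if rel.get("TargetMode") != "External":
                    continue          # embedded objects are already listed above
                target = rel.get("Target", "")
                report["external"].append((name, target))
                if UNC_RE.match(target) or target.lower().endswith(RISKY_EXT):
                    report["suspicious"].append((name, target))
    return report


def build_sample_pptx(external_target):
    """Construct a minimal PPTX-shaped zip (not a real sample) with one embedded
    OLE part and one OLE relationship linked to `external_target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/oleObject" Target="../embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        f'relationships/oleObject" Target="{external_target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        # OLE compound-file magic followed by padding; placeholder bytes only
        zf.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8)
    return buf.getvalue()


# Constructed target: an INF on an SMB share in a documentation address range.
SAMPLE_PPTX = build_sample_pptx(r"\\203.0.113.5\public\setup.inf")

if __name__ == "__main__":
    for key, items in triage_ooxml(SAMPLE_PPTX).items():
        print(f"{key}: {items}")
```

Anything in "suspicious" should be quarantined and opened only in an isolated VM; an external OLE link to a UNC path has no business in a presentation sent over email, whether or not the packager bug on the receiving host is patched.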

Another Issue
While the issue we reported on is slightly different, the premise is the same, except that the variant we are seeing only activates during a reboot and not via an infected email attachment. The exploit we reported on is still exploitable on Windows but cannot be patched centrally, because doing so would require individual vendors to patch their products. Utilizing similar vectors allows an attacker to run code through an undisclosed Windows service flaw that is not easily fixable and has been exploitable for several years now. This issue remains unpatched and vulnerable, although we have only seen it used by a select few security firms during penetration testing.

Tuesday, October 21, 2014

Wow - Still think your phone and faxes are secure?

I was coming back from the store today and guess what I observed? You can tell from the picture that our local phone company (AT&T) takes your phone security seriously. This phone slick was open in the middle of the day with nobody around it for at least 2 hours. With many Government offices and businesses nearby, this does not give us a warm and fuzzy feeling by any means.

Today's Naughty List - Increased Activity - 21 Oct 2014 (country - region, city)
Costa Rica (CRI) - n/a
Indonesia (IDN) - n/a
India (IND) - n/a
Australia (AUS) - Queensland, Glenview
Indonesia (IDN) - Jawa Tengah, Mega
Indonesia (IDN) - Jakarta Raya, Jakarta
Canada (CAN) - n/a
United Kingdom (GBR) - n/a
Brazil (BRA) - n/a
Trinidad and Tobago (TTO) - Saint George, Valsayn
Hungary (HUN) - Budapest, Budapest
Costa Rica (CRI) - n/a
United States (USA) - Ohio, Columbus
Italy (ITA) - Lazio, Rome
Ethiopia (ETH) - n/a
Italy (ITA) - n/a
United States (USA) - New Jersey, Woodbridge
United States (USA) - Florida, Miami
United States (USA) - California, Los Angeles
United States (USA) - California, Los Angeles
United States (USA) - Texas, Round Rock
Italy (ITA) - Emilia-Romagna, Carpi
Switzerland (CHE) - Aargau, Brugg
Italy (ITA) - Lombardia, Milan
Italy (ITA) - n/a

BREACH: POINT360 Hacked

We received information and have logs tonight confirming that POINT360.COM has been hacked. The company, located at 2701 Media Center Dr., Los Angeles, CA 90065, has a server that is attacking other companies and appears to be under the control of an external third party. A notification was sent out from our SOC this evening, and it appears as though the company's mail server is actively attacking our clients. The system is also showing up on our threat list and in other reports.

We have updated the rules on our clients' IDS/IPS devices to flag activity from this system.

Type: Internet
Area: Marketing
First Noted: 21 October 2014 1:25AM EST
Location: California
Total Records: NA

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

Additional Information: 

The server appears to be brute forcing accounts at other companies as of 1:30AM EST.
Responsible party notified of the issue at 1:39AM EST.

There were a total of 2 systems carrying out these attacks.
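Both this item and the CARI.NET complaint above come down to the same triage question: which external hosts are hammering authentication on client systems, and how quickly can they be turned into IDS and firewall entries of the kind shown in the Chinese netblock alert. The Python below is an added example, not SLC Security's SOC tooling: it parses sshd and Postfix SASL failure lines from a mail host, flags any source that reaches 10 failures inside a 10-minute sliding window (assumed thresholds), and emits a Snort rule and ipset/iptables commands per flagged source. The log lines and addresses are constructed; the usernames tried are reported because a long list of generic accounts from one source is itself a brute-force tell.

```python
"""Brute-force source triage over mail/SSH authentication logs.

Parses syslog-style sshd and Postfix SASL failure lines, groups failures by
source address, flags any source with THRESHOLD or more failures inside a
WINDOW-long sliding window, and emits a Snort rule plus ipset/iptables
commands for each flagged source. Added example; not SLC Security's tooling.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2014                      # syslog lines carry no year; assumed for the sample
WINDOW = timedelta(minutes=10)   # sliding window length (assumed tuning value)
THRESHOLD = 10                   # failures from one source inside WINDOW

# Two formats are recognised: OpenSSH password failures and Postfix smtpd
# SASL failures, both typical of a mail host.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"\S+\[(?P<src>\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed")

# Constructed sample log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 21 01:20:02 mx1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 21 01:20:05 mx1 sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Oct 21 01:20:09 mx1 sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Oct 21 01:20:14 mx1 sshd[4023]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 21 01:20:18 mx1 sshd[4025]: Failed password for invalid user guest from 203.0.113.7 port 51250 ssh2
Oct 21 01:20:23 mx1 sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 51255 ssh2
Oct 21 01:20:27 mx1 sshd[4027]: Failed password for root from 203.0.113.7 port 51260 ssh2
Oct 21 01:20:31 mx1 sshd[4027]: Failed password for postgres from 203.0.113.7 port 51266 ssh2
Oct 21 01:20:36 mx1 sshd[4029]: Failed password for invalid user ubuntu from 203.0.113.7 port 51270 ssh2
Oct 21 01:20:40 mx1 sshd[4029]: Failed password for invalid user admin from 203.0.113.7 port 51274 ssh2
Oct 21 01:20:45 mx1 sshd[4031]: Failed password for root from 203.0.113.7 port 51280 ssh2
Oct 21 01:20:49 mx1 sshd[4031]: Failed password for invalid user test from 203.0.113.7 port 51284 ssh2
Oct 21 01:22:10 mx1 sshd[4040]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Oct 21 01:25:10 mx1 postfix/smtpd[5120]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Oct 21 01:25:15 mx1 postfix/smtpd[5120]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Oct 21 01:25:21 mx1 postfix/smtpd[5121]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Oct 21 01:25:28 mx1 postfix/smtpd[5121]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
"""


def parse_line(line):
    """Return (timestamp, source_ip, user_or_None) for an auth failure, else None."""
    for rx in (SSHD_RE, SASL_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("src"), m.groupdict().get("user")
    return None


def flag_sources(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (peak_failures_in_window, sorted_usernames)} for sources
    whose failure count inside any `window` reaches `threshold`."""
    times, users = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, user = parsed
            times[src].append(ts)
            if user:
                users[src].add(user)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):       # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = (peak, sorted(users[src]))
    return flagged


def snort_rule(src, sid):
    """Snort 2.x rule alerting on inbound TCP from a flagged source (sid in the
    local range; same form as the netblock rule in the alert above)."""
    return (f'alert tcp {src} any -> $HOME_NET any (msg:"Brute-force source {src}"; '
            f'flow:to_server; classtype:attempted-recon; sid:{sid}; rev:1;)')


def ipset_commands(sources, setname="bruteforce"):
    """ipset + iptables commands that drop the flagged sources at the edge."""
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {s} -exist" for s in sorted(sources)]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    hits = flag_sources(SAMPLE_LOG)
    for sid, (src, (peak, names)) in enumerate(hits.items(), start=1000001):
        print(f"{src}: {peak} failures in {WINDOW}, users tried: {', '.join(names)}")
        print(snort_rule(src, sid))
    print("\n".join(ipset_commands(hits)))
```

Run on the sample, 203.0.113.7 is flagged (12 failures in under a minute across seven generic accounts) while the four SASL failures from 198.51.100.23 stay under the threshold; lower the threshold when the host sees little legitimate traffic. The ipset approach scales to thousands of entries without a per-address iptables rule.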

WARNING: Fraudulent Phone Charges, Hacking, FCC & FBI turning a blind eye

As an investigator I have seen many cases come and go. One in particular was a case involving the fraud of a foreigner who had sent money to the US. Upon learning that he had been scammed, he hired our firm to find the perpetrator of the scam so that he could press charges. I remember the amount of the loss was right around $300K USD by our estimate, and local law enforcement called the Federal Bureau of Investigation as well as the US District Attorney for the district, and I remember the response quite well: $300,000.00 was not enough money to justify an investigation. This was back in 2009. Now, I can tell you that in 2007 $250,000.00 was enough to spawn a full FBI investigation, because I was a consultant on one of those investigations, so sometime between 2007 and 2009 the rules apparently changed.

This is troublesome because our tax dollars go toward the salaries and support of these Government operations. Criminals are starting to realize that the Federal agencies won't come after them if they keep the target number under a certain amount. Several exceptions appear to exist: when a story gets media coverage and could be damaging to a larger company, we see activity out of these agencies. Also, when it comes to banking, healthcare or other high-profile attacks, the FBI seems to spring into action.

We all understand that the FBI cannot and will not investigate every single crime or case that comes their way. And we get it. Investigations take time, money and resources to carry out, and they are working with a limited budget, as are the rest of us. So that brings us to our next story:

We have been watching closely several news stories that have hit the wires in the past few months. Several of these stories clearly indicate that many telecom companies are eating the cost of large bills and reporting theft-of-service issues.

"Hackers targeted the phone system at Bob Foreman’s architecture firm in Georgia, making $166,000 in calls in one weekend. "

It appears as though this activity is being conducted by hackers who are getting a cut of the money from these premium-rate service operators. Not a bad way to fund a black budget. While we are not saying that this type of activity is being conducted through official channels, it's quite odd that, given the scope of the attacks and multiple reports of this type, it would not spur some sort of interest.

We are keeping an eye on this one also. The Communications Fraud Control Association reports that this particular type of fraud costs consumers over $4 billion USD annually. That's not chump change. It shouldn't matter that these attacks are small individually, because of the sheer number of attacks that are taking place.

Next time you see a charge for a phone sex or psychic line through your PBX and you know your end users are not making those calls, have a reputable firm inspect your PBX system. This should be a part of your auditing plan. SLC Security Services has engineers on staff who are highly skilled at securing PBX systems. With over 20 years of experience in this area and being an investigative company, we have been involved in our fair share of investigations. Not once have we seen any law enforcement traction on this issue, and that should change. You have no idea whom these fraudulent calls are funding; it could be a backdoor for funding terrorist activity, organized crime or other nefarious operations.

"That money was allegedly directed to a Saudi Arabian militant group that U.S. officials say financed the 2008 Mumbai terrorist attack. AT&T eventually reimbursed all consumers."
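The PBX audit recommended above can start with the call detail records the PBX already keeps, because fraud like the $166,000 weekend quoted above shows up as a burst of long international or premium-rate calls from one extension at hours when nobody is in the office. The Python below is an added example, not SLC Security's methodology: it classifies dialed numbers under North American dialing rules, keeps only off-hours toll calls, aggregates them per extension and flags any extension over assumed thresholds of 3 calls or 60 minutes. The CDR column layout, the high-risk area-code list and the records themselves are constructed for the example.

```python
"""Toll-fraud review over PBX call detail records (CDRs).

Flags extensions that place international, premium-rate or high-risk-destination
calls outside business hours in bulk: the pattern behind weekend PBX fraud bills.
Added example; not SLC Security's tooling, and the CDR column layout is assumed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# NANP area codes frequently abused in toll fraud (illustrative list, an assumption)
HIGH_RISK_NANP = {"809", "829", "849", "876", "284", "473", "649", "664"}
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 local, Monday to Friday (assumed)

# Constructed CDR export: start time, originating extension, dialed digits, seconds.
# 2014-10-17 is a Friday; the burst from ext 2105 lands on the Saturday night.
SAMPLE_CDR = """\
start,src_ext,dialed,duration_s
2014-10-17 14:02:11,2101,19195550147,312
2014-10-17 15:30:02,2101,01144207946000,480
2014-10-18 02:11:43,2105,011252612345678,1900
2014-10-18 02:45:10,2105,011252612345679,2150
2014-10-18 03:20:55,2105,011252612345680,2400
2014-10-18 03:59:31,2105,011252612345681,1800
2014-10-18 04:40:08,2105,011252612345682,2600
2014-10-19 23:15:00,2112,19005550199,900
2014-10-20 09:05:44,2110,19195550111,120
"""


def classify(dialed):
    """Destination class of a dialed string under North American dialing rules."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits.startswith("011"):
        return "international"
    if digits.startswith(("1900", "900")):
        return "premium"
    if len(digits) == 11 and digits[0] == "1" and digits[1:4] in HIGH_RISK_NANP:
        return "high-risk-nanp"
    return "domestic"


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def review_cdr(text, min_calls=3, min_minutes=60):
    """Aggregate off-hours toll calls per extension; return those over threshold.
    Thresholds are assumed tuning values; a real site derives them from its history."""
    per_ext = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "classes": set()})
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        kind = classify(row["dialed"])
        if kind == "domestic" or not off_hours(ts):
            continue
        rec = per_ext[row["src_ext"]]
        rec["calls"] += 1
        rec["minutes"] += int(row["duration_s"]) / 60
        rec["classes"].add(kind)
    return {ext: rec for ext, rec in per_ext.items()
            if rec["calls"] >= min_calls or rec["minutes"] >= min_minutes}


if __name__ == "__main__":
    for ext, rec in review_cdr(SAMPLE_CDR).items():
        print(f"ext {ext}: {rec['calls']} off-hours toll calls, "
              f"{rec['minutes']:.0f} minutes, classes={sorted(rec['classes'])}")
```

On the sample only extension 2105 is flagged (five international calls, about three hours of talk time, between 2 and 5 AM on a Saturday); the single Sunday premium-rate call from 2112 stays under both thresholds. Run this nightly against the previous day's CDRs and page someone on a hit, since by the time the carrier bill arrives the weekend is long over.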


NEWS: Russians Ruled out by officials on JP Morgan Chase Hack - Conflicting releases by Chase on this one

Pay close attention to news stories such as this one:

Reuters Article

They are being very careful not to accuse Russia of state-sponsored hacking, but many of the systems linked to this attack were located in Russia. Also note that these are Federal agents reporting under political pressure. The article states that the attacks were not retaliation for US sanctions, but that does not mean that Russian cyber criminals or organized crime were not behind the attack. It's all in the wording, folks. Look at what the article states.

We stand by our earlier statements, based on Russian speakers and additional information collected after the attack. JP Morgan may have been the victim of several breaches from the looks of it.

JP Morgan in earlier press releases stated that the attackers were linked to Italy or Southern Europe. If you remember, that was the second disclosure by JP Morgan and came after the first disclosure. There appears to be some shuffling going on concerning this story, and it's quite interesting to watch how this is playing out. Conflicting news and information. Statements and then retractions.

Wouldn't it be better if they just said, look, we know the machines were located in these countries but we do not know who is behind the attacks?

Cyber-attacks on JPMorgan Chase & Co. (JPM) and 13 other financial companies may have been carried out by hackers from a foreign government moonlighting as criminals, a senior Federal Bureau of Investigation official said.
The FBI is investigating the possibility that hackers who raided the data banks of JPMorgan to steal customer information from 76 million households and 7 million small businesses did so with the knowledge and consent of a foreign government, Joseph Demarest, assistant director of the bureau’s cyber division, said.


AND THIS ONE - Full Story from Bank Info Security

But an FBI spokesperson told ISMG: "There hasn't been a person, group or nation state who we've definitively attributed anything to." As a result, the possibility is "still open" that the Russian government could, in fact, have played a role in the bank attacks, the spokesperson said.
We see the story changing day by day from "officials". I would hate to be in JP Morgan Chase security right now. Interestingly enough, I just closed out a Chase account. I wonder if they will notify previous customers of a data breach or only current customers. With this delay in information it appears as though many consumers are on their own, but we already knew that was the case. We are all pretty much responsible for the security of our own personal information. We cannot rely on companies to do it for us. And that's a fact.

Monday, October 20, 2014

BREACH: Healthcare entity has fallen victim

We received word today that a health care entity is investigating an internal breach of its systems. This is a medical breach and is tied to a much larger healthcare entity. It appears as though this smaller entity was purchased by a larger medical provider and the breach was discovered by internal security staff during the transition and integration of the two companies.

It appears as though insurance information may have been stolen, but the exact nature of the breach is still being investigated at this hour. The entity is located in California. Looking through our data sources, we noted that the entity first started appearing on spam blacklists about 10 days ago and has been reported by others for the past 6 days as performing malicious attacks on networked devices at other organizations.

We are awaiting a copy of the malware samples that were recovered as well as some of the logs. We are not able to name the entity, but you can expect an announcement this week once more is known about the scope of the attack.

We will see during this incident whether the new California notification laws have any effect on how the information is reported.

Type: PHI
Area: Healthcare Services
First Noted: 20 October 2014
Location: California
Total Records: NA

Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)

While this entity is not a client, they have provided information and requested assistance in looking through our data set to see if we have any indicators that would point to a time frame for this intrusion.

POTENTIAL BREACH - STAPLES investigating potential data breach via OSINT-X

Word has come in that Staples is investigating a potential data breach. News is spotty, but they are stating that it appears to be confined to Northeast US stores. We will update upon receiving additional information.

Krebs first reported on the incident around 10PM EST today. 

Patient Disclosure Monitoring - 20 Oct 2014

Today's Naughty List - 20 Oct 2014 (country - region, city)
Canada (CAN) - n/a
Indonesia (IDN) - Jakarta Raya, Jakarta
United States (USA) - Florida, Miami
Indonesia (IDN) - Jakarta Raya, Jakarta