Over the course of the last few days we have been seeing a ton of traffic being exfiltrated to 101 Avenue of the Americas, 10th Floor (registrations in Whois and through some other utilities in our stack). When checking these hosts it appears as though they are mostly porn hosting and cloud computing computers. As we researched more we started finding certificates with strange references to legitimate Government organizations.
Would these people be so stupid as to use real certificates on fake sites to collect data from suspects and users? In addition these same nodes are Tor exit nodes, meaning that traffic on Tor could be sniffed as it exits the network.
A little more research is needed but it appears as though some of these hosts are being disguised, albeit poorly, to look like porn sites and other web servers when in fact their true purpose is not known. One IP that is sticking out in the ordeal is 37.139.6.7. This IP is showing up in all sorts of indicators and is also being picked up by multiple sensors on the Internet as Tor, Malicious, SSH Attacking, etc, etc.
Due to the nature of businesses being attacked from this IP and a few others that we are not currently disclosing, it appears as though this is a concerted effort to get into the infrastructure of some heavy industry, to include Healthcare, Communications Companies as well as Intelligence providers.
We will be keeping an eye on this and will let you know if anything changes, as we are monitoring for any traffic to these hosts and alerting our SOC to review immediately.
The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information sometimes without the company even being aware. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in process and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Sunday, February 22, 2015
Saturday, February 21, 2015
Defacement: We noted that cctec.cornell.edu was defaced
Our OSINT-X noted that cctec.cornell.edu was defaced by AnonSec. I'm sure this is only the beginning. We have been reporting on many of these vulnerable universities for a while now.
The message on the page stated that if Cornell would like to contact them through Twitter that they can be reached at www.twitter.com/Mrlele1337
Thursday, February 19, 2015
Wall of Shame
Here's some of the latest traffic we are seeing today:
US Traffic
1. Boston University - Compromised System (Infiltrated Blacklist)
2. University of Washington - Compromised System (Infiltrated Blacklist, SLC Security Blacklist)
3. Utah State University - Compromised System (Infiltrated Blacklist, SLC Security Blacklist)
4. Yale University - Compromised System/SSH Attacks (Infiltrated Blacklist, Private Feed)
Foreign Traffic
No reports today
Analyst Notes:
We are seeing an increase in US colleges and Universities that may be related to recent hacking activities previously noted. While we have attempted to contact as many organizations as we can we have noted that many have not acknowledged the activity even though some data has been seen on Darknet and some forums.
In addition some recent Twitter activity shows that some of these hackers are posting specific information that was able to be verified. Many Universities have chosen not to report such issues.
The main attack vector at these organizations was mostly SQL injections according to the Twitter post. Specific intelligence is available by subscribing to our intelligence services. In addition we have started noting strange traffic on DNS ports specifically UDP 53 from some of these organizations.
Wednesday, February 18, 2015
Dyre and Upatre Evolving - Emerging Threats gets it right
We were just reading a report from Emerging Threats concerning the development and frequent changes and variations to these malware products. What this indicates is that the malware is under active development making it extremely difficult to catch all the variants.
Read the original document here.
The article was well written and very concise and on point.
Tuesday, February 17, 2015
Spina & Lavelle Attorneys Trying to Penetrate our Infrastructure
Either these attorneys are owned or they are probing for information. Just letting you know we see you. Have a great day!
Monday, February 16, 2015
Traffic drops on our sensors
Last night our security engineers noted some very interesting things happening with our sensors. After midnight some coordinated attacks that we have been seeing for weeks suddenly dropped off. We have not seen a single attack since midnight yesterday.
This is highly unusual since we have been under sustained attacks since 2005. What this may indicate is that the organized attackers are starting to realize that by attacking our infrastructure they are denying themselves access to many other targets. You see by attacking us you allow us to send out updates to thousands of Internet users thereby protecting them from attack.
Only time will tell if this strange, eerie silence continues. Keep in mind though, Mr. Attacker, that we have visibility on thousands of endpoints and we will continue to protect our customers regardless of who you decide to attack. If we see it, we will block you, end of story!
Hackers Steal Up To $1 Billion From Banks
Now that's a headline that will just reach out and grab your attention. The obvious question here is why they did it, and secondly what they will be using that money to finance. Pay attention friends, things are getting very interesting these days.
Original Article
Wednesday, February 11, 2015
Memex Toolset Released...
DARPA has publicly presented for the first time a new set of search tools called Memex which will also improve research into the "Deep Web".
In 2014, the U.S. Defense Advanced Research Projects Agency (DARPA) launched the MEMEX project to design advanced search tools that could also be used to scan the deep web, which isn't indexed by Google and other commercial search engines.
The Memex search engine was started to allow searching of non-indexed content, an operation that in the majority of cases is still performed manually by intelligence agencies.
Read the Full Article Here
Obama Launches Cyberthreat Intel-Sharing Center
Long-awaited central repository for cyber threat information and intelligence created by The White House.
The concept of a federal government-led center for coordinating cyberthreat intelligence has been discussed by the Obama administration for some time, and that concept became a reality yesterday when the White House announced the formation of the Cyber Threat Intelligence Integration Center (CTIIC).
That's all fine and dandy but how do we integrate with this initiative? The last Google search we did showed NOTHING!
IMPORTANT NOTICE CONCERNING FEEDS
FOR IMMEDIATE RELEASE
Starting on 1 March 2015 SLC Security Services LLC will be moving our public indicator feeds to a paid subscription model. What this means is that if you are currently using our Indicators of Compromise you will be required to obtain and maintain a subscription and eligibility. The subscription model will allow organizations of any size to subscribe to the service at an affordable rate and allow our company to add analysts to improve the service. We have been providing these indicators free as a public service for 3 years this coming March, so it's time to improve our service offerings.
Subscription Pricing:
There are 4 levels of pricing, and each level will require your organization to maintain eligibility for whichever pricing tier you are obtaining service under.
Tier 1 (Non Profit - Research Tier): Free IOCs for use by not-for-profit organizations, associates, Government and small business users. Will require registration and a one-time verification as well as a service agreement.
Tier 2 (Small End User): A nominal charge in which you will receive our SLC Security Client application license for use on up to 5 individual workstations or servers.
Tier 3 (Business Restricted Users): Business users with more than 5 individuals will be charged per user for access to our advanced indicators, SLC Security Client application (for workstations and servers), email alert service and access to formatted feeds for Fireeye, Symantec, Crowdstrike, Palo Alto Firewalls, IP Tables, Snort as well as several other platforms.
Tier 4 (Enterprise Site License): This model is designed for large corporations and entities that want to deploy and protect an unlimited number of workstations. In addition to the Tier 3 service you will also be provided with plugins and the SLC Connect middleware to allow your internal machines to mirror our IOC data, threat bulletins, blog and RSS posts. You will also be granted access to our OSINT-X research platform for full text documentation. We will also provide additional services based on your contract terms, to include 1 annual audit with full reporting and 16 hours of on-site training to cover topics of interest with your security staff.
We will be phasing in this paid service over the next few weeks so please pay attention to our media outlet(s) and look for the subscription information.
Tuesday, February 10, 2015
Wall of Shame
Here's some of the latest traffic we are seeing today:
US Traffic
1. New York University - Malicious Activity
2. Princeton University - Malicious Activity
3. University of Pennsylvania - Malicious Hacking Activity
4. Carnegie Mellon University - Botnets and Compromised Systems
Foreign Traffic
1. Imagen Y Sistemas - Malicious Activity
2. Blacksun Incorporated - Malicious Activity (Canada)
3. Almighty Power Ministries (Nigeria)
Analyst Notes:
We are seeing an increase in US colleges and Universities that may be related to recent hacking activities previously noted. While we have attempted to contact as many organizations as we can we have noted that many have not acknowledged the activity even though some data has been seen on Darknet and some forums.
In addition some recent Twitter activity shows that some of these hackers are posting specific information that was able to be verified. Many Universities have chosen not to report such issues.
The main attack vector at these organizations was mostly SQL injections according to the Twitter post. Specific intelligence is available by subscribing to our intelligence services.
NEWS ROUNDUP 2/10/2015
Twitter Request from the NSA top 1.9 Million Account Request
UPI posted a story today on the 190 million users on Twitter stating that the NSA has requested the information on less than 1% of Twitter users. So that means they have received information on 1.9 million Twitter accounts. That's a little different than stating 1%, huh?
Read the original article here.
US to unveil new Cyber Security Agency
The U.S. government is creating a cybersecurity agency that will monitor and share information about threats against the government and private businesses in the wake of high-profile cyberattacks at Sony Pictures, Anthem Inc. and several major retailers.
NCTC director who is now executive vice president at Leidos, a national security contractor.
In the wake of news-making attacks on Sony Pictures, Home Depot and many others, the federal government is establishing a new information integration center to focus on cyber threats. The center will analyze intelligence contributed by several agencies, along with the private sector, a model that will face some serious hurdles.
The proposed Cyber Threat Intelligence Integration Center will fall under the Office of the Director of National Intelligence and it will not be responsible for actually gathering any threat intelligence. Rather, it will serve as an aggregation point for information collected by intelligence agencies and, the Obama administration hopes, private companies.
Note
Please tell me on one hand you are looking to share information and the other hand you are increasing the penalties without excluding research and development? Doesn't make sense to our team.
American hostage Mueller's death confirmed by Obama, family
CyberCaliphate at it again
The Twitter feeds of Newsweek and veterans' group Military Spouses of Strength were hacked Tuesday morning by a group identifying itself as CyberCaliphate, the same organization that was confirmed to have hacked the Twitter account for U.S. Central Command earlier this year.
Anthem Breach Prompts New York To Conduct Cybersecurity Reviews
Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.
CFAA may stall cyber security research unless Government exempts security researchers
All of this at a time when we need to share information more than ever.
Delay in actionable intelligence creating additional risk, additional malware seen
With the recent Anthem incident it goes without saying that organizations need to share information to protect other entities from similar attacks. In the case of Anthem the information has been shared with only 2 organizations and the information being put out by commercial vendors is incomplete and in some cases completely inaccurate. What we are seeing is that many people are making guesses as to what the actual threat is.
It seems that with this recent issue, as with the Sony issue, the information coming out of the analysis of these events is being withheld from commercial security vendors. This does nothing to protect others that may face similar attacks. It should be noted however that the attackers in this case have moved on to other attacks.
This is a concerted effort to infiltrate many businesses and Government. As of yet we have not seen any real and meaningful cooperation between Anthem, Sony or the Government. If they really wanted to protect the masses clear and concise information would be put out for everyone.
This leads me to believe that nobody really knows the exact methods. I can tell you that there are zero day attacks being used as well as a known browser flaw that is not being fixed by vendors. If hackers know about it and vendors choose to ignore it there is really nothing the average person can do to protect themselves from the threats that loom.
I have predicted that the educational space will be the next to have issues based on what we have seen. Because of this we will offer educational institutions access to our blocklist in the hope that some will be proactive and save themselves some embarrassment. There have been several attackers on Twitter posting educational information, and much of the stolen information is available on Darknet and being shared between hackers.
This open sharing initiative that everybody speaks of is non-existent and probably will not come to pass. It's a shame really, as there is power in numbers. We need a distributed protection system that can incorporate actual information between vendors in near real time. Until this happens we will continue to see disinformation. In addition the naming conventions between commercial products are horrible and confusing, and interoperability between companies is horrible as well.
The additional malware being seen that is NOT being tracked by any of the major vendors was previously posted.
Indicator Information
IP Addresses Involved:
196.203.89.134
194.105.9.85
82.81.128.61
50.56.56.125
Also it goes without saying that certain file extensions should be dropped by your email gateways.
Monday, February 9, 2015
NEWS ROUNDUP 2/9/2015
Hard to Tackle Malware being used in University Breaches:
Many security professionals, including our company, have been warning Universities about activity that indicates a large scale problem on their networks. Many of the Universities have chosen to ignore the issue. Earlier today at one of our client sites we saw for the first time malware that was running completely in memory and that is not detected by any of the major anti-virus products. The malware is currently being studied but it appears to be related to earlier reports of activity that we have been picking up on our sensors. We believe that the malware probably will be used to perform further damage in the future. We have submitted the memory dump to several anti-virus vendors and are awaiting additional details.
Companies Doing One of Two Things:
Either companies that we are notifying are acknowledging issues or they are quietly cleaning their issues. We noted several of the Universities originally on our University post that have since dropped off our sensors so that's good in that they are no longer infected. The bad part is that they may not know what information has been stolen or damaged on their respective networks. So companies or entities are either acknowledging they are in over their heads or covering it up completely.
FBI Online Agent Screenlocker
We have been seeing a ton of screen lockers lately. Just today one of our customers called and stated that they believe the FBI has locked out a machine. Upon inspection, of course, it's just a run-of-the-mill screen locker claiming to be the FBI. I can tell you that the FBI would not tell you to go and get a MoneyPak to pay for unlocking your machine. In fact the FBI would just come and get the machine to perform forensics and be done with it.
When you see this message it is NOT the FBI. :-) Read r0cket's malware blog to learn how to remove the infection.
Interesting Routing Anomalies on the Internet
We are currently researching some really interesting routing anomalies on the Internet. It seems that not only is the Great Firewall of China doing some really interesting things to Chinese users, but some really strange routing is taking place on the US east coast the past few days.
Could be coincidence but we don't think so. Funny how some of these sites are doing redirects to phishing sites as well. Tell me again why we allow China to have root servers?!
And that's only half of it.
Friday, February 6, 2015
Connecting the Dots... One breach at a time...
Take our big data analytics training and learn how to make sense of data in your enterprise. Learn how to connect the dots, build out your own OSINT intelligence mapping system, link analysis and lots more. Classes are being scheduled for the summer and customized training is available...
Analytics in action...
Private training available at your location or ours... Learn how to make sense of the data in your enterprise and beyond!
Collaboration in the Works
We wanted to let the readers know that we are working on a collaboration with several security providers to provide our intelligence products to help improve situational awareness against threats to infrastructure. We are currently working on integrating our data sources into several open source and commercial products to help improve the security landscape of individual computer users (home users), business users (corporate users) and Government entities.
Stay tuned in the coming weeks as new service offerings are provided to existing commercial products and open source software and hardware products. Here are some of the things we are working on in the lab.
- Threat Feeds to Commercial Products - We will provide a list of products soon
- Threat Feeds to Open Source - Integration with Snort and Linux based systems as well as the release of our SLC Security Platform for Windows machines (coming spring 2015)
- Bulletin Service where we send out flash alerts directly to customers via the security platforms that we manage to include our OSINT-X platform and OSINT-X security appliance
- Open integration of our products (build a solution with our data)
- Security alert mailing list (Active now - You can subscribe from our website and blogs)
NEWS ROUNDUP 2/6/2015
Frederick High School and West Frederick Middle School in Maryland were closed February 5 following a February 4 shooting outside the high school gymnasium during a basketball game that left 2 students injured.
Former Inland Empire insurance agent pleads guilty to federal bank fraud and tax charges in scheme that netted nearly $6 million.
Flash Player 16.0.0.305 patches zero-day vulnerability.
Kovter trojan distributed via malvertising on Huffington Post.
Phone service restored in Forest Grove area after outage affects more than 1,200 customers. Phone service was restored to areas of Washington County after an outage, reported by Frontier Communications February 4, kept customers in the areas of Gales Creek, Glenwood, and Tanner Creek from using a landline to call 9-1-1.
May just wanna disable flash until this situation becomes stable... Wait it's flash... Ugggghh
For the third time in two weeks, Adobe has issued an emergency security update for its Flash Player software to fix a dangerous zero-day vulnerability that hackers already are exploiting to launch drive-by download attacks.
Seriously consider disabling this until Adobe gets their issues resolved... You may be waiting awhile with this one.
Thursday, February 5, 2015
How we monitor for problems and detect issues before the attack...
Utilizing our cloud based computing platform we are able to see attack information as it happens in real time. We are able to monitor Dark Net, Usenet and OSINT sources for relevant information concerning the activity of hackers and cyber criminals. We have been warning companies and advising them on what to look for but they don't seem to take our warnings seriously. And months later we read about issues in the news once they finally figure out that we were right in the first place.
It has happened numerous times in the past and will happen in the future unless these entities take our alerts seriously. Companies are too busy looking at their perimeters to get a real understanding of what is actually taking place. All too often the information needed to indicate a problem is already available, because once a site is breached, other attacks are typically launched from that same infrastructure against other organizations. Using link analysis between companies and the attacks being reported is a smart way to connect the dots, folks. These technologies exist for a reason, and as systems evolve they get better and better at predictive analysis based on past activity.
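As an added illustration of the link analysis described above (this is example code, not SLC Security's OSINT-X system or any of its tooling), the script below takes attack reports of the form (reporting organization, source IP, attack type), finds source addresses seen against several organizations, and flags organizations whose own address space appears as an attack source, which is the pattern of a breached network being used as a launch point against others. All report data and netblock ownership below are constructed placeholders in documentation address ranges.

```python
"""Link analysis over attack reports.

Two questions a SOC wants answered quickly:
  1. Which attacker infrastructure is hitting more than one organization?
  2. Which organizations' own address space is now attacking others
     (a sign they were breached and are being used as a launch point)?

Added example for illustration; all data below is constructed, not real observations.
"""
from collections import defaultdict
import ipaddress

# Constructed sample reports: (reporting_org, attacker_ip, attack_type)
REPORTS = [
    ("acme-health", "203.0.113.10", "ssh-bruteforce"),
    ("acme-health", "203.0.113.10", "smtp-probe"),
    ("bigtelco", "203.0.113.10", "ssh-bruteforce"),
    ("bigtelco", "198.51.100.7", "web-probe"),
    ("intel-provider", "203.0.113.10", "ssh-bruteforce"),
    ("state-u", "198.51.100.7", "web-probe"),
    ("acme-health", "192.0.2.55", "ssh-bruteforce"),
]

# Constructed: which organization owns which address blocks (placeholder ranges).
ORG_NETBLOCKS = {
    "state-u": ["198.51.100.0/24"],
    "bigtelco": ["203.0.113.128/25"],
}


def build_graph(reports):
    """Bipartite graph: attacker IP -> victim orgs, and victim org -> attacker IPs."""
    ip_to_victims = defaultdict(set)
    victim_to_ips = defaultdict(set)
    for victim, ip, _kind in reports:
        ip_to_victims[ip].add(victim)
        victim_to_ips[victim].add(ip)
    return ip_to_victims, victim_to_ips


def shared_infrastructure(reports, min_victims=2):
    """Attacker IPs seen against at least min_victims distinct organizations,
    ordered by how many organizations they were seen against."""
    ip_to_victims, _ = build_graph(reports)
    hits = {ip: sorted(v) for ip, v in ip_to_victims.items() if len(v) >= min_victims}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def owner_of(ip, netblocks):
    """Organization whose netblocks contain ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for org, blocks in netblocks.items():
        if any(addr in ipaddress.ip_network(b) for b in blocks):
            return org
    return None


def pivoting_orgs(reports, netblocks):
    """Organizations whose own address space appears as an attack source.
    Returns {org: {"source_ips": [...], "victims": [...]}} (victims exclude the org itself)."""
    ip_to_victims, _ = build_graph(reports)
    out = defaultdict(lambda: {"source_ips": set(), "victims": set()})
    for ip, victims in ip_to_victims.items():
        owner = owner_of(ip, netblocks)
        if owner is None:
            continue
        out[owner]["source_ips"].add(ip)
        out[owner]["victims"].update(v for v in victims if v != owner)
    return {org: {k: sorted(v) for k, v in d.items()} for org, d in out.items()}


def linked_orgs(reports, org):
    """Other organizations attacked by the same infrastructure that attacked org."""
    ip_to_victims, victim_to_ips = build_graph(reports)
    linked = set()
    for ip in victim_to_ips.get(org, ()):
        linked.update(ip_to_victims[ip])
    linked.discard(org)
    return sorted(linked)


if __name__ == "__main__":
    print("shared infrastructure:", shared_infrastructure(REPORTS))
    print("orgs attacking from their own space:", pivoting_orgs(REPORTS, ORG_NETBLOCKS))
    print("orgs linked to acme-health:", linked_orgs(REPORTS, "acme-health"))
```

In real use the REPORTS list would be fed from sensor logs or a shared feed, and ORG_NETBLOCKS from WHOIS or an internal asset inventory; the `pivoting_orgs` result is the one worth an outreach notification, since that organization is both a victim and, unknowingly, an attack source.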
We sincerely hope you start putting the pieces together, because the time from breach to actual notification is usually around 12 months. Anthem caught the problem in 4 months, which means they are better than average at detecting the problem, but not at stopping it.
If any of these companies took their security seriously they would consider utilizing big data to highlight problems before they are nightmares for the companies involved.
Quite honestly, our team of volunteers is extremely good at detecting issues, but we simply do not have the resources to do our analysis on a large scale. If we had the funding and additional resources we could certainly assist with these investigations, but as of now we will continue to do large data analysis and warn the companies that we note as having problems, in the hope that at some point a company will notice that we are way ahead of the "average" and help us get to a place where we can really be effective, assist law enforcement in containing these issues and actually find the entities responsible for these data breaches. Until that happens we will continue to research, blog and watch from the sidelines.
If the Government were to really fund the cyber security initiatives and get private industry to bring technologies that work to market we could be a much bigger help in these cases but until that happens we will sit back and watch.
It's a shame really.
So here's what we suggest to help prevent these large breaches in the future. Stop withholding data when it comes to cyber security. Provide a clearinghouse where we can report issues and use the indicators of compromise that we have developed. I'm sorry but 95% of the technologies in use are reactive. You need analytics that can find trends and identify suspicious activity over the entire Internet connected infrastructure.
Until we have a view of the entire Internet we are confined to our own little LAN-connected world, and chances are somebody has already infiltrated your infrastructure. If you want to wait 12 months while they steal your data, be my guest, or hire us to come in and get rid of the badness and save yourselves some major embarrassment.
Later this week we will, for the first time ever, compile a list of all of the organizations that we are more than 80% confident have issues that need to be addressed. Our system reports on real-world attacks, and since we report on these attacks we are a major target. One good thing about being a target is that it forces attackers to reveal the infrastructure they are using to attack us (and many others). Using this data we can quite quickly build a clear picture of bad activity being directed at us and others.
Have a great week and we look forward to working with the ones that value their security posture.
Wednesday, February 4, 2015
BREACH: Anthem breach is the mother of all Healthcare Data Breaches!
We knew ahead of time but waited until the CEO of Anthem made a public statement. The Anthem breach will prove to be one of the biggest breaches in Healthcare history. The breach is being investigated by the FBI, and several large news organizations leaked information on the breach prior to the official announcement earlier today.
We will make this a sticky post and follow the developments.
2/4/2015: Official notification came out today but was preceded by news media leaks of details.
2/4/2015: WSJ appears to have been the first news media organization to break the story.
2/5/2015: DataBreaches also posted information they have compiled here.
2/5/2015: Major News continues to report on the issue.
2/5/2015: LA Times reporting really specific information on the case.
From the LA Times:
Suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyber attack, the company said. The unauthorized access to the vast database goes back to Dec. 10.
Cybersecurity analysts warned that the thieves may attack Anthem again using the employee data they took. Anthem said it’s working to strengthen security and identify any potential gaps.
“It is highly possible that they are preparing for another attack, such as a social engineering or phishing attack, that may give them access to systems that they were unable to reach,” said Tom DeSot, chief information officer of cybersecurity firm Digital Defense Inc. in San Antonio.
Previously Reported:
Anthem Blue Cross Data Breach (Nov 2014) - Our Previous Report
From Krebs:
Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.
BREACH: capdm.ca Breached - Updated
See http://pastebin.com/9Lu68fMi to see if your account is compromised.
2/3/2015: Reached out to the organization to get additional detail.
2/3/2015: Received the following response.
We are actively investigating and will follow-up shortly. Please feel free to contact me directly should you have further requests for information.
2/3/2015: Additional intelligence being collected on this incident from third parties. Our network security operations center is collecting relevant claims and information from Darknet and third party data providers. Noted additional detail. If calling in to obtain information reference INC2015-005.
Type: Healthcare
Area: Disclosure
First Noted: 12 Dec 2014
Location: Canada
Total Records: 1500+ and data on Darknet
Status: Not Monitoring for Follow Up (Not a client of SLC Security Services LLC)
Krebs Post about Physical Attack
Yeah hackers are changing their tactics. Like I said last week while everybody is concentrating on the network hackers are actively using hardware and physical attacks. Read my original post here.
If you want a firm that can actually find problems and not just give you a false sense of security contact our SOC by email to schedule a no obligation audit. If we don't find problems you don't pay...
Krebs' story can be read here.
We have seen everything you can imagine over the last 25 years. Cell phones are still one of the biggest threats, as they are cheap, can be untraceable and have long battery lives, but attacking corporations is even easier since they rely on old technologies that are not even checked during most audits. Our audits are complete and concise, and when your company realizes that we can actually give you peace of mind instead of just talking about it, give us a call and let us prove to you that security is our main business.
ATTACKER: The Preston Law Firm of Houston Texas
Hey guys, you may want to check out your systems because we have been seeing attacks from you all day. As some of you know, the fact that we report on breaches in advance of some people really causes them to get angry. Either this law firm is owned by hackers or they have hired hackers to try and infiltrate our infrastructure.
It started out as simple SMTP probes but we are starting to see web server probes. We hope you like playing with our honeypot systems because that's what you're hitting, folks.
Next time please try and do your homework before blatantly just attacking what you think is our infrastructure. Thanks and have a great day.
Maybe you didn't like us reporting on the Texas A&M activity or some other such nonsense but this is a free country, we have data to back up our claims so if you want to play this game please by all means let's do this...
I would love to be able to put out all of the information we have and then charge you for your resource usage today since it was so extensive and you achieved absolutely NOTHING!
ATTACKS: Harvard, MIT and Others
We have noted an uptick in the number of brute force and email probes from MIT and Harvard. In addition we have noted that Boston University, Hampshire College and Harvard are all on our blocklist due to malicious activity. MIT is involved with cyber security and has partnerships with the Government for research so this may explain why we are seeing an uptick on our sensors and reported attempts to compromise email accounts.
DISCLOSURE: UMass Memorial Medical Group
The UMass Memorial Medical Group is working with law-enforcement personnel after it learned a former employee allegedly accessed private patient billing information that contained credit-card and debit-card numbers, Social Security numbers, and birth dates, according to hospital personnel.
Anthony Berry, the director of media and public relations for UMass, said the group is continuing to work with law enforcement, but there is "nothing concrete" to report yet.
Read more: http://www.lowellsun.com/todaysheadlines/ci_27447491/scope-data-breach-unknown#ixzz3Qkube1ms
Analyst Research: We have checked our OSINT-X system and have not seen any traffic from UMass on our sensor network. This may indicate that the issue was localized. If we note any activity we will update the blog with additional information.
Tuesday, February 3, 2015
D-Link Router Vulnerability - CONFIRMED
D-Link’s popular DSL2740R wireless router is vulnerable to domain name system (DNS) hijacking exploits that require no authentication to access its administrative interface.
According to Todor Donev of the Belgian security firm Ethical Hacker, a number of other D-Link routers are affected by this bug as well, particularly the DSL-320B. PCWorld is reporting that the vulnerability exists in a widely deployed piece of router firmware called ZynOS, which is developed by ZyXEL Communications Corporation.
The troubling part of this issue is that it appears as though this and a few other bugs are allowing law enforcement to monitor the activities of individuals utilizing this hardware. We previously reported on similar vulnerabilities with Linksys hardware that allows similar interception without the end user being aware and allows Cisco to monitor customer usage of devices. For this reason we do not allow Cisco or Linksys hardware in our secured networking environment.
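The DNS-hijacking issue above changes the resolver a router hands out to its clients, so the client side is where a defender can see it without trusting the router at all. The following added example (not from the original post, and not D-Link's, ZyXEL's or Krebs' code) checks a host's resolv.conf against the resolvers the organization sanctions and compares a suspect resolver's answers with a trusted reference resolver; the resolv.conf text, resolver addresses and DNS answers are all constructed placeholders in documentation address ranges.

```python
"""Client-side detection of a DNS-hijacked router.

Two signals, combined:
  1. The host is using a nameserver nobody sanctioned (the router's DHCP
     option was changed to point at an attacker-controlled resolver).
  2. That resolver's answers for sensitive names disagree with a trusted
     reference resolver.

Added example; every input below is constructed, not a real observation.
"""
import ipaddress
import re

# Constructed: resolvers the organization actually operates / sanctions.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed /etc/resolv.conf as written by DHCP from a router whose DNS
# setting was changed; 203.0.113.66 is a documentation-range placeholder.
RESOLV_CONF = """\
# Generated by DHCP
search example.internal
nameserver 203.0.113.66
nameserver 192.0.2.53
"""

# Constructed answers: what the suspect resolver returned vs. a trusted reference.
SUSPECT_ANSWERS = {
    "bank.example": ["203.0.113.20"],
    "mail.example": ["198.51.100.25"],
    "cdn.example": ["198.51.100.80", "198.51.100.81"],
}
REFERENCE_ANSWERS = {
    "bank.example": ["198.51.100.10"],
    "mail.example": ["198.51.100.25"],
    "cdn.example": ["198.51.100.81", "198.51.100.80"],
}


def parse_nameservers(resolv_conf):
    """Return nameserver IPs from resolv.conf text, in order; comments and
    malformed entries are ignored rather than treated as resolvers."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue
    return servers


def unexpected_resolvers(resolv_conf, trusted):
    """Resolvers in use that are not sanctioned, order preserved.
    The first entry matters most: the libc resolver tries nameservers in order."""
    return [s for s in parse_nameservers(resolv_conf) if s not in trusted]


def divergent_answers(suspect, reference):
    """Names whose answer set from the suspect resolver differs from the reference.
    Order is ignored (round-robin is normal); membership is what matters."""
    diverging = {}
    for name, ref in reference.items():
        got = suspect.get(name)
        if got is None or set(got) != set(ref):
            diverging[name] = {"suspect": got, "reference": ref}
    return diverging


def assess(resolv_conf, trusted, suspect, reference):
    """Combine both signals into a verdict a SOC rule could alert on."""
    rogue = unexpected_resolvers(resolv_conf, trusted)
    diverging = divergent_answers(suspect, reference)
    return {
        "rogue_resolvers": rogue,
        "divergent": diverging,
        "likely_hijacked": bool(rogue) and bool(diverging),
    }


if __name__ == "__main__":
    print(assess(RESOLV_CONF, TRUSTED_RESOLVERS, SUSPECT_ANSWERS, REFERENCE_ANSWERS))
```

A rogue resolver alone may be a misconfiguration, and a diverging answer alone may be ordinary CDN geo-routing, which is why `assess` only calls the combination a likely hijack; on a real host the answer dictionaries would come from querying a handful of high-value names against both the configured resolver and a resolver reached over a path the router cannot tamper with.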
BREACHED: Texas A&M University
We are seeing indicators that this entity has been breached for over a month and does not realize it. It appears as though their infrastructure is being used to launch further attacks on other educational institutions.
They also appear on Emerging Threats for malicious activity since at least the 11th of December, 2014. You would think these large organizations would do something to get themselves off the blacklist, but as of today we are still detecting malicious activity.
Update: Our sensors are still seeing traffic originating from Texas A&M and they still have not closed off the vulnerable systems. We are seeing additional reports from other locations that they are being attacked by this entity. Over 200 external IPs are reporting attempted breaches and brute-force attempts from the Texas A&M network.
Monday, February 2, 2015
Hardware Hacking and Physical Attacks Largely Being Ignored
One of the recurring issues that we are seeing on audits is a lack of knowledge about physical attacks on infrastructure. Most of the companies we are working with do not check the physical path of network connections or their security systems. We have seen many companies that either ignore physical attacks or feel they are not important. It should be noted that while you're watching your network, attackers are building hardware, buying hardware and exploiting things such as your cameras, network security appliances, security systems, networks and communications systems such as telephone and hard-wired infrastructure.
Find out today if hackers can bypass your defenses. Email SLC Security Services LLC SOC and ask for a free no obligation security audit. The findings are confidential. Let us show you why our audits are the best in the industry.
University of Chicago Still Leaking Information and Vulnerable
During a recent review of some incidents being covered by databreaches.net I was able to do some additional research and confirm that, as recently as an hour ago, this information is still being offered in the underground community. In addition, server IP addresses owned by the organization are attacking other colleges and universities in the US and elsewhere.
In Addition:
The following organizations are also compromised.
Illinois Institute of Technology
Northwestern University
Sunday, February 1, 2015
TECHNOLOGY WATCH: British Government to Receive US Company Technologies
The British government has selected Northrop Grumman to provide it with engineering, development and other cyber-security solutions services.
Solutions under the seven-year framework contract, which was competitively awarded, will specifically support data security and information assurance.
"As a long-standing partner with the U.K. government, we are proud to have been selected to support the security of their digital domain and the protection of its citizens," said Kathy Warden, corporate vice president and president, Northrop Grumman Information Systems. "With more than 30 years of cyber-security expertise that has been developed and deployed around the world, we look forward to continuing our work with some of the brightest industry and academic minds to deliver world class operational performance, scaled to the mission, and to increase our U.K.-based workforce that will support cyber innovators of the future."
It should also be noted that other companies were also involved in the bidding and have been awarded contracts but Northrop Grumman is the only company to publicly acknowledge the contract award.
Malware: tinba is gonna be the end of Suntrust, Regions Bank and a few others... wait for it! (Dyre Banking Trojan) - Updated
If you're monitoring infections and malware traffic, it goes without saying that banking targets are high on the priority watch list. I'm making this prediction based on intelligence that we are seeing in the SOC. Let's see how this plays out.
My prediction is that the following banks are gonna get nailed by tinba:
1. Suntrust
2. Regions Bank
3. Credit One Bank
4. Netteller
5. TD Bank
6. JP Morgan Chase
7. PNC Bank
8. RBC Bank
Since this campaign is targeting customers there is little that the banks can do to stop it. Most of the issue is being caused by anonymous proxies and some very interesting MITM traffic.