The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 30 September 2015
NEWLY FOUND TRUECRYPT FLAW ALLOWS FULL SYSTEM COMPROMISE
FROM THE MEDIA
James Forshaw, a Google Project Zero team member, discovered two vulnerabilities (CVE-2015-7358 and CVE-2015-7359) in the driver that TrueCrypt, a disk and partition encryption tool, installs on Windows systems. The flaws can allow attackers to obtain elevated privileges on a target’s system. VeraCrypt, an open-source program that continues to improve the original TrueCrypt project, issued VeraCrypt 1.15, which contains patches for these two vulnerabilities.
Read the Story: PC World
iSIGHT PARTNERS ANALYST COMMENT
We consider the privilege escalation vulnerabilities discovered by James Forshaw to be medium-risk, as an attacker would need to already have access to a vulnerable system or exploit another flaw in conjunction with them. Although exploitation of the vulnerabilities does not pose a significant threat, we judge the continued use of software past its support life to be a legitimate concern for enterprise environments. There are several alternative options available for users looking to encrypt their hard drives, including integrated support in post-XP versions of Windows.
RELATED iSIGHT PARTNERS REPORTS
Intel-1129003 (TrueCrypt to Be Discontinued; Users Should Seek Alternatives), 30 May 2014
15-00010280 (Weekly Vulnerability Exploitation Report), 28 Sept. 2015
XOR: LINUX-BASED BOTNET PUSHING 20 ATTACKS A DAY
FROM THE MEDIA
Akamai recently released a report detailing several recent attacks from the XOR botnet. Akamai found that the vast majority of the botnet’s targets are organizations in Asia. The majority of attacks conducted by the botnet are DNS and SYN floods. The botnet attacks up to 20 targets per day, and one recent attack went as high as 179 Gbps. XOR is malware that infects Linux systems and turns them into bots.
Read the Story: CSO Online
iSIGHT PARTNERS ANALYST COMMENT
The XOR.DDoS malware appears to be of Chinese origin. Besides DNS and SYN, XOR has ACK flooding capabilities. The bot is also able to pull down additional configuration files to update its DDoS targets. Despite a history of less frequent abuse, Linux is often targeted by malicious actors and should still be subject to an update and patch management routine similar to that often applied to Windows systems.
RELATED iSIGHT PARTNERS REPORTS
15-00010216 (XOR.DDoS Linux DDoS Bot: Malware Behavior, Capabilities and Communications), 28 Sept. 2015
14-00000136 (Year-Long Elknot Linux Malware Campaign Most Likely Successful in Conducting Effective DDoS Attacks), 29 Dec. 2014
Intel-1076834 (Development of Threats to Individuals Using Linux and Unix-Like Operating Systems Through 2013), 31 March 2014
ARABIC THREAT GROUP TARGETS IT, INCIDENT RESPONSE TEAMS
FROM THE MEDIA
The Gaza Cybergang, aka Gaza Hackers Team, has recently been targeting information technology (IT) and incident response (IR) teams in the Middle East and North Africa (MENA) region. More specifically, the group appears to be mostly targeting government entities, particularly embassies of countries such as Yemen, the United Arab Emirates and Egypt. Attackers are focusing their efforts on IT and IR teams because their personnel usually hold elevated privileges and have access to sensitive data.
Read the Story: Security Week
iSIGHT PARTNERS ANALYST COMMENT
This activity refers to operations conducted by Molerats Team, an espionage group that leverages publicly available tools against targets with Middle Eastern interests, and is consistent with the group’s targeting patterns. Recently we discovered a Molerats Team command and control server that indicated a collection effort was underway focused on the United Nations, Israeli academic institutions, media, researchers and influential social media personalities. It is likely Molerats Team is performing collection operations to facilitate a strategic campaign or future operations.
RELATED iSIGHT PARTNERS REPORTS
15-00008394 (Israel Country Profile), 4 Sept. 2015
15-00005666 (Molerats Targets UN, Journalists, Israel Supporters), 16 July 2015
15-00001878 (Molerats Team Targets), 27 March 2015
BANKING TROJAN SHIFU TURNS UP IN UK
FROM THE MEDIA
Shifu, a banking Trojan, has moved from Japan to the UK. The Trojan allegedly has 18 UK targets and is ramping up activity to increase its infection count. According to an IBM security researcher, the UK samples indicate that the Trojan’s authors are modifying Shifu to ensure it continues to evade security detection. IBM has also noted that Shifu is likely to continue spreading, specifically to other parts of Europe and the United States.
Read the Story: Info Security Magazine
iSIGHT PARTNERS ANALYST COMMENT
Shifu is a new banking Trojan that shares some similarities with existing malware, such as Zeus and Shiz. We have no reason to doubt Shifu is targeting the UK. However, it is important to note that the additional targeting does not mean Shifu’s operators ceased operations against Japanese financial institutions. Other regions could also potentially be targeted by using easily customized configuration files.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Japanese Banks Hit By New Trojan, ‘Shifu’), 2 Sept. 2015
14-29622 (Shiz Malware Modified to Include SAP Credential Theft), 14 Feb. 2014
15-00000226 (Angler Exploit Kit Overview), 23 April 2015
The post ThreatScape Media Highlights Update – Week Of September 30th appeared first on iSIGHT Partners.