The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 16 December 2015
Apple Mac Security: MacKeeper Exposes 13 Million User Account Details
From The Media
A security researcher discovered an unsecured database containing 13 million MacKeeper users’ account details. MacKeeper is a software package for maintaining and protecting Mac OS X systems. MacKeeper has since secured the open database and indicated that no customer payment information was exposed. Exposed customer information included credentials, product orders and usernames.
Read the Story: ZDNet
iSIGHT Partners Analyst Comment
While there is no indication that malicious actors had access to the available information, there is also no specific information regarding the full nature of the exposure. However, as iSIGHT Partners has observed malicious actors using the Shodan search engine, one of these actors could have come across MacKeeper’s information.
Related iSIGHT Partners Reports
Intel-908169 (Low-Level Iranian Cyber Activist Seeks Shodan Alternatives), 12 Aug. 2013
Intel-889008 (Actors on Romanian Forum Claim to Have Accessed Satellites in Brazil and Romania), 19 July 2013
Intel-1032844 (Updates to Maltego/Shodan Integration Transforms May Facilitate Faster Footprinting), 11 Feb. 2014
Joomla Patches Critical Remote Execution Bug
From The Media
The Joomla content management system (CMS) was patched for a vulnerability actively being exploited in the wild. The security company Sucuri has indicated that attackers have been attempting to exploit the vulnerability for the past two days. Sucuri stated that the flaw, which affects Joomla versions 1.5 to 3.4.5, enabled attackers to obtain remote code execution.
Read the Story: CSO Online
iSIGHT Partners Analyst Comment
iSIGHT Partners judges the vulnerability to be high-risk, due to the ease of exploitation without user interaction or authentication. Joomla is widely used but does not offer as wide a target set as vulnerabilities we have previously rated as critical. While we believe Sucuri’s claims that exploitation is actively occurring in the wild, it is possible their claims of widespread exploitation could be overstated, as security researchers sometimes conflate profiling and targeting activities with malicious exploitation.
Related iSIGHT Partners Reports
15-00014306 (Joomla Vulnerability CVE-2015-8562), 15 Dec. 2015
15-00014310 (Joomla Vulnerability CVE-2015-8564), 15 Dec. 2015
15-00014308 (Joomla Vulnerability CVE-2015-8565), 15 Dec. 2015
‘Devastating Flaws’ In Kerberos Authentication Protocol
From The Media
Kerberos, used by default in the Windows operating system for client/server authentication, possesses a flaw that could allow attackers to grant themselves administrative access to a system. The flaw resides in how the system creates authentication keys. Specifically, Kerberos uses passwords associated with disabled usernames, which are not often changed.
Read the Story: The Register
iSIGHT Partners Analyst Comment
As stated in the researcher’s blog post that prompted this media coverage, this is not a new issue. In fact, this design flaw has been publicly known since at least August 2010, and iSIGHT Partners reported on cyber espionage actors leveraging the flaw for attacks in July 2012. Since this issue is the result of Kerberos’s basic design, the issue is not fixable without breaking the authentication protocol’s functionality. Numerous resources exist regarding suggested mitigation options, including official resources provided by Microsoft.
Related iSIGHT Partners Reports
12-20829 (Cyber Espionage Rootkit Targets Kerberos Flaw), 13 July 2012
Intel-464466 (Comment Team Utilized Pass the Hash Techniques in Attacks), 29 Sept. 2011
Android.ZBot Banking Trojan Steals Card Details Via Web Injections
From The Media
Android banking Trojan Android.ZBot, first discovered in February 2015, has been expanding its targeting to a wider set of victims. According to security researchers with Dr. Web, Android.ZBot disguises itself as the official Google Play store app. The app requests administrative privileges upon being downloaded. If denied, it then requests information via a fake payment form.
Read the Story: Softpedia
iSIGHT Partners Analyst Comment
Mobile banking Trojans are becoming more sophisticated as users migrate to banking on mobile devices. Russia and China have higher mobile malware infection rates than many other countries, including the US, likely due to higher rates of unofficial app store use, as these app stores often lack security checks to prevent malware distribution. It is also worth noting that there is no indication that Android.ZBot is linked to the Zeus Trojan, which is also sometimes called ZBot.
Related iSIGHT Partners Reports
15-00008832 (Mobile Threats: Overview of Current Trends and Predictions), 30 Oct. 2015
Intel-1234226 (Overview of Common Types of Mobile Malware), 10 Sept. 2014
15-00000616 (New Mobile Malware Offered by ‘Al’Capone’ Includes Credit Card Harvesting and SMS Interception Capabilities), 5 March 2015
The Sweeping OPM Hack Also Compromised White House Journalists
From The Media
Journalists accredited by federal agencies have received notice that their information may have been compromised in the U.S. Office of Personnel Management (OPM) breach. Individuals, such as journalists, who are not government employees but require special access to secure government facilities are among those being notified.
Read the Story: Motherboard
iSIGHT Partners Analyst Comment
This incident showcases the continuing fallout of the OPM compromise and does not represent a new breach. We previously tied the compromise to TEMP.Avengers, a China-nexus team first reported on by iSIGHT Partners in May 2015. We believe this team has also targeted the healthcare and aviation sectors in search of personally identifiable information to identify US Government employees and associated contacts for counterintelligence purposes.
Related iSIGHT Partners Reports
15-00004452 (TEMP.Avengers, Cyber Espionage Actors Linked to Anthem, Inc. Breach, Tied to Additional Infrastructure), 21 May 2015
15-00006974 (ThreatScape Media Highlights Month in Review: June 2015), 28 July 2015
The post ThreatScape Media Highlights Update – Week Of December 16th appeared first on iSIGHT Partners.