The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 26 August 2015
JOHN MCAFEE CLAIMS ASHLEY MADISON EMPLOYEE RESPONSIBLE FOR LEAKED DATA
FROM THE MEDIA
McAfee founder John McAfee has publicly claimed that the Ashley Madison hack, for which Impact Team claimed responsibility, was actually the work of a female employee of the company. Mr. McAfee bases this assessment on the type of data that was selectively obtained and released, as well as on the language Impact Team used.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
We cannot confirm John McAfee’s assessment at this time. However, it is certainly plausible, and an insider attack would explain how the attackers were able to identify, access and exfiltrate sensitive information undetected. Additionally, when the breach was first made public, Avid Media CEO Noel Biderman claimed in interviews that an insider caused the breach. McAfee’s assertion that the breach was perpetrated by a woman is much more speculative. The incident highlights insider threats, which can be more damaging because employees are granted greater access to sensitive information.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Impact Team Claims to Have 300GB More Data from the Ashley Madison Leak), 24 Aug. 2015
15-00008538 (Review of Impact Team’s Large-Scale Data Leak on August 17, 2015), 18 Aug. 2015
IBM NOTES AN INCREASE IN MALICIOUS USE OF THE TOR NETWORK
FROM THE MEDIA
In a recent quarterly report, IBM noted an increase in Tor exit nodes and malicious traffic coming from the network. The most prominent malicious traffic types IBM observed were related to SQL injections, vulnerability scanning and DDoS attacks.
Read the Story: Softpedia
iSIGHT PARTNERS ANALYST COMMENT
Many types of malware and criminal schemes use the Tor network for command and control or other infrastructure in addition to the attack types noted by IBM; ransomware using Tor sites for ransom payments is one example. Entities can mitigate some potential threats related to Tor traffic by blocking all Tor exit nodes, but because the list of nodes changes regularly and there are multiple methods (such as Tor bridge relays) that allow users to bypass the known exit nodes, blocking nodes is of limited use.
RELATED iSIGHT PARTNERS REPORTS
15-00003702 (Weekly Vulnerability and Network Activity Report), 8 May 2015
Intel-987949 (Brobot Botnet Performs to Limited DDoS Attacks on Non-Financial Targets in Probable Continuation of Reduced Activity Level), 31 Oct. 2013
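As an added illustration (not part of the iSIGHT update), the following Python matches web-log source addresses against an exit-node list in the format of the Tor Project's published exit-addresses listing and flags entries that have gone stale, which is the practical weakness of list-based blocking noted in the comment above. The list contents, the log lines and the three-day staleness threshold are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the ExitNode / Published / LastStatus / ExitAddress record
# format used by the Tor Project's exit-addresses listing. Fingerprints and
# addresses are made up for this example (documentation ranges).
SAMPLE_EXIT_LIST = """\
ExitNode AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000
Published 2015-08-25 10:00:00
LastStatus 2015-08-25 11:00:00
ExitAddress 203.0.113.7 2015-08-25 10:05:00
ExitNode BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000
Published 2015-08-20 08:00:00
LastStatus 2015-08-20 09:00:00
ExitAddress 198.51.100.23 2015-08-20 08:10:00
"""

# Constructed Common Log Format lines; the source IP is the first field.
SAMPLE_LOGS = [
    '203.0.113.7 - - [26/Aug/2015:05:31:02 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.44 - - [26/Aug/2015:05:31:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.23 - - [26/Aug/2015:05:32:10 +0000] "GET /admin HTTP/1.1" 403 128',
]

def parse_exit_list(text):
    """Return {ip: last_seen datetime} from exit-addresses style text."""
    exits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            ip = str(ipaddress.ip_address(parts[1]))  # validates and normalises the address
            exits[ip] = datetime.strptime(parts[2] + " " + parts[3], "%Y-%m-%d %H:%M:%S")
    return exits

def flag_tor_sources(log_lines, exits, now, max_age=timedelta(days=3)):
    """Tag each source IP: 'tor-exit' for a fresh list entry, 'tor-exit-stale'
    if the entry is older than max_age (the list may have changed), else None."""
    results = []
    for line in log_lines:
        m = re.match(r"^(\S+) ", line)
        ip = m.group(1) if m else None
        seen = exits.get(ip)
        if seen is None:
            results.append((ip, None))
        elif now - seen > max_age:
            results.append((ip, "tor-exit-stale"))
        else:
            results.append((ip, "tor-exit"))
    return results

def scan(now_str="2015-08-26 05:30:00"):
    """Run the sample scan at an assumed 'current' time."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    return flag_tor_sources(SAMPLE_LOGS, parse_exit_list(SAMPLE_EXIT_LIST), now)
```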
APPLICATION EXPLOITING CERTIFI-GATE VULNERABILITY IDENTIFIED AND REMOVED FROM GOOGLE’S APPSTORE
FROM THE MEDIA
Google recently removed an app from the Google Play Store that was exploiting the Certifi-gate vulnerability. The vulnerability, disclosed at this year’s Black Hat conference, allows for remote control of a victim’s device through either a malicious app or an SMS message.
Read the Story: Threatpost
iSIGHT PARTNERS ANALYST COMMENT
Although this vulnerability is already being exploited in the wild, we believe it poses only a limited threat to Android users in both the short and long term: only 16 percent of scanned devices were found vulnerable, and only 3 devices were confirmed to be exploited (it is unclear how many devices were scanned). Users with vulnerable devices must wait for their phone manufacturers to issue patches. The app removed by Google, Recordable Activator, was the only app known to exploit the vulnerability.
RELATED iSIGHT PARTNERS REPORTS
15-00008658 (Weekly Vulnerability Exploitation Report), 24 Aug. 2015
15-00007652 (Report for Recent Android Stagefright Vulnerability (CVE-2015-3824)), 5 Aug. 2015
AUTOIT FREEWARE BEING USED IN REMOTE-ACCESS TROJAN DISTRIBUTION
FROM THE MEDIA
Security researchers from Cisco recently stated that a malicious campaign has been using the AutoIt freeware to distribute remote-access Trojans. The campaign, impersonating a legitimate business, tries to convince victims to enable macros, which initiates the attack.
Read the Story: Threatpost
iSIGHT PARTNERS ANALYST COMMENT
Since Microsoft Word’s default setting is to disable macros, users must be socially engineered into enabling macros for the malicious schemes described to work. Users should be extremely cautious about enabling macros on a document, especially one from an unknown sender. For any document requesting the use of macros that they believe to be legitimate, users should confirm with the sender before enabling them.
RELATED iSIGHT PARTNERS REPORTS
15-00006468 (TEMP.Beanie Reveals Expanded Scope, Scale and Persistence of Operational Capabilities; Ties to Ajax Team), 23 July 2015
15-00000436 (Dyre Credential Theft Malware: Capabilities and Observed Uses), 8 May 2015
15-00000498 (Sony Attack Leveraged in Lure Attempt Employing Malicious Macro by Fallout Team), 24 Feb. 2015
GITHUB MITIGATES DDOS ATTACK AGAINST THEIR SERVERS
FROM THE MEDIA
On August 25, 2015, around 5:30 a.m. EDT, the code repository site GitHub began experiencing connectivity issues. The site announced it was being targeted by DDoS attacks, but was able to return to service as normal around 9:00 a.m. EDT. While GitHub has not commented on the attack yet, the media is speculating possible links to the March 2015 Chinese-origin attack.
Read the Story: Threatpost
iSIGHT PARTNERS ANALYST COMMENT
Without evidence linking this incident to the March attack, speculating about Chinese responsibility is premature. A wide range of entities could be responsible, as the barrier to entry for DDoS capability is fairly low. Because of its high profile in the development community, GitHub is often targeted by actors with a wide variety of motivations, many of whom could have conducted this attack.
RELATED iSIGHT PARTNERS REPORTS
15-00002380 (Anti-Censorship Tools Hosted on GitHub Prompt DDoS Attack), 3 April 2015
ThreatScape Media Highlights (US Coding Website GitHub Hit with High Intensity DDoS Attack), 30 March 2015