From security em unicamp.br Mon Jul 14 10:52:03 2014 From: security em unicamp.br (CSIRT - UNICAMP) Date: Mon, 14 Jul 2014 10:52:03 -0300 Subject: [SECURITY-L] =?iso-8859-1?q?=5Bcais=40cais=2Ernp=2Ebr=3A_CAIS-Ale?= =?iso-8859-1?q?rta=3A_Resumo_dos_Boletins_de_Seguran=E7a__Microsoft_-_Jul?= =?iso-8859-1?q?ho/2014=5D?= Message-ID: <20140714135203.GA2301@unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- Date: Mon, 14 Jul 2014 09:28:36 -0300 (BRT) From: Centro de Atendimento a Incidentes de Seguranca To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br cc: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Resumo dos Boletins de Segurança Microsoft - Julho/2014 -----BEGIN PGP SIGNED MESSAGE----- Prezados, A Microsoft publicou 6 boletins de segurança em 08 de julho de 2014 que abordam ao todo 27 vulnerabilidades em produtos da empresa. A exploração destas vulnerabilidades permitem execução remota de código, elevação de privilégio e negação de serviço. Até o momento da publicação deste alerta não foram divulgados códigos de exploração para as vulnerabilidades listadas. SEVERIDADE . Crítica - - MS14-037 - Atualização de segurança cumulativa para o Internet Explorer - - MS14-038 - Vulnerabilidade no Windows Journal pode permitir a execução remota de código . Importante - - MS14-039 - Vulnerabilidade no Teclado virtual pode permitir a elevação de privilégio - - MS14-040 - Vulnerabilidade no Ancillary Function Driver (AFD) pode permitir elevação de privilégio - - MS14-041 - Vulnerabilidade no DirectShow pode permitir elevação de privilégio . Moderada - - MS14-042 - Vulnerabilidade no Microsoft Service Bus pode permitir negação de serviço . Baixa - - Nenhum boletim O sistema de classificação de severidade das vulnerabilidades adotado pelo CAIS neste resumo é o da própria Microsoft. O CAIS recomenda que se aplique, minimamente, as correções para vulnerabilidades classificadas como crítica e importante. No caso de correções para vulnerabilidades classificadas como moderadas o CAIS recomenda que ao menos as recomendações de mitigação sejam seguidas. . Crítica - Vulnerabilidades cuja exploração possa permitir a propagação de um worm sem a necessidade de interação com o usuário. . Importante - Vulnerabilidades cuja exploração possa resultar no comprometimento de confidencialidade, integridade ou disponibilidade de dados de usuários ou a integridade ou disponibilidade de recursos de processamento. . Moderada - exploração é mitigada significativamente por fatores como configuração padrão, auditoria ou dificuldade de exploração. . Baixa - uma vulnerabilidade cuja exploração seja extremamente difícil ou cujo impacto seja mínimo. CORREÇÕES DISPONÍVEIS Recomenda-se atualizar os sistemas para as versões disponíveis em: . Microsoft Update https://www.update.microsoft.com/microsoftupdate/ . Microsoft Download Center http://www.microsoft.com/en-us/download/default.aspx MAIS INFORMAÇÕES . Resumo do Boletim de Segurança da Microsoft de julho de 2014 https://technet.microsoft.com/library/security/ms14-jul . Microsoft TechCenter de Segurança http://technet.microsoft.com/pt-br/security/ . Microsoft Security Response Center - MSRC http://www.microsoft.com/security/msrc/ . Microsoft Security Research & Defense - MSRD http://blogs.technet.com/srd/ . Central de Proteção e Segurança Microsoft http://www.microsoft.com/brasil/security/ Identificador CVE (http://cve.mitre.org ): CVE-2014-1763, CVE-2014-1765, CVE-2014-2785, CVE-2014-2786, CVE-2014-2787, CVE-2014-2788, CVE-2014-2789, CVE-2014-2790, CVE-2014-2791, CVE-2014-2792, CVE-2014-2794, CVE-2014-2795, CVE-2014-2797, CVE-2014-2798, CVE-2014-2800, CVE-2014-2801, CVE-2014-2802, CVE-2014-2803, CVE-2014-2804, CVE-2014-2806, CVE-2014-2807, CVE-2014-2809, CVE-2014-2813, CVE-2014-1824, CVE-2014-2781, CVE-2014-1767, CVE-2014-2780 O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versões e correções oferecidas pelos fabricantes. Os Alertas do CAIS também são oferecidos no formato RSS/RDF e no Twitter: http://www.rnp.br/cais/alertas/rss.xml Siga @caisrnp ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key # ################################################################ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) Comment: Made with pgp4pine 1.76 iQCVAwUBU8PNBekli63F4U8VAQEJ9wP/QqALrvmjQPRso8/+IdwPX+IspA/bCn8F r0RFU4WjPWWDrg47dIcwM9xWdHnow4Njq+Hax661b4+GRR2aHhGOjdobFD2P4brO Uhs2aM20BFt1u336MQUM99joqvB8LetASxZJ0wkggo8ETqQSxrFfSHvCI8qhEnWe u4vPOstnvBk= =ImQP -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Thu Jul 31 10:55:39 2014 From: security em unicamp.br (CSIRT - UNICAMP) Date: Thu, 31 Jul 2014 10:55:39 -0300 Subject: [SECURITY-L] TA14-212A: Backoff Point-of-Sale Malware Message-ID: <20140731135539.GA3220@unicamp.br> -------- Original Message -------- Subject: TA14-212A: Backoff Point-of-Sale Malware Date: Thu, 31 Jul 2014 07:06:20 -0500 From: US-CERT Reply-To: US-CERT em ncas.us-cert.gov To: daniela em ccuec.unicamp.br TA14-212A: Backoff Point-of-Sale Malware NCCIC / US-CERT National Cyber Awareness System: TA14-212A: Backoff Point-of-Sale Malware 07/31/2014 07:30 AM EDT Original release date: July 31, 2014 Systems Affected Point-of-Sale Systems Overview This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense. Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMEIn Join.Me[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request. USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious. Similar attacks have been noted in previous PoS malware campaigns [7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider. Description ?Backoff? is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the ?Backoff? malware including 1.4, 1.55 (?backoff?, ?goo?, ?MAY?, ?net?), and 1.56 (?LAST?). These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ?net? removed the explorer.exe injection component: * Scraping memory for track data * Logging keystrokes * Command & control (C2) communication * Injecting malicious stub into explorer.exe The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of ?Backoff?. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware. *_Variants_* Based on compiled timestamps and versioning information witnessed in the C2 HTTP POST requests, ?Backoff? variants were analyzed over a seven month period. The five variants witnessed in the ?Backoff? malware family have notable modifications, to include: */1.55 ?backoff? /* * Added Local.dat temporary storage for discovered track data * Added keylogging functionality * Added ?gr? POST parameter to include variant name * Added ability to exfiltrate keylog data * Supports multiple exfiltration domains * Changed install path * Changed User-Agent */1.55 ?goo? /* * Attempts to remove prior version of malware * Uses 8.8.8.8 as resolver */1.55 ?MAY? /* * No significant updates other than changes to the URI and version name */1.55 ?net? /* * Removed the explorer.exe injection component */1.56 ?LAST? /* * Re-added the explorer.exe injection component * Support for multiple domain/URI/port configurations * Modified code responsible for creating exfiltration thread(s) * Added persistence techniques *_Command & Control Communication_* All C2 communication for ?Backoff? takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server. * op : Static value of ?1? * id : randomly generated 7 character string * ui : Victim username/hostname * wv : Version of Microsoft Windows * gr (Not seen in version 1.4) : Malware-specific identifier * bv : Malware version * data (optional) : Base64-encoded/RC4-encrypted data The ?id? parameter is stored in the following location, to ensure it is consistent across requests: * HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier If this key doesn?t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ?id? parameter, a static string of ?jhgtsd7fjmytkr?, and the ?ui? parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ?56E15A1B3CB7116CAB0268AC8A2CD943 (The MD5 hash of ?vxeyHkSjhgtsd7fjmytkrJosh @ PC123456). *_File Indicators:_* The following is a list of the Indicators of Compromise (IOCs) that should be added to the network security to search to see if these indicators are on their network. */1.4/* *Packed MD5:* 927AE15DBF549BD60EDCDEAFB49B829E *Unpacked MD5:* 6A0E49C5E332DF3AF78823CA4A655AE8 *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinsvc.exe *Mutexes: * uhYtntr56uisGst uyhnJmkuTgD *Files Written: * %APPDATA%\mskrnl %APPDATA%\winserv.exe %APPDATA%\AdobeFlashPlayer\mswinsvc.exe *Static String (POST Request):* zXqW9JdWLM4urgjRkX *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service *User-Agent:* Mozilla/4.0 *URI(s):* /aircanada/dark.php */1.55 ?backoff?/* *Packed MD5:* F5B4786C28CCF43E569CB21A6122A97E *Unpacked MD5:* CA4D58C61D463F35576C58F25916F258 *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe *Mutexes: * Undsa8301nskal uyhnJmkuTgD *Files Written: * %APPDATA%\mskrnl %APPDATA%\winserv.exe %APPDATA%\AdobeFlashPlayer\mswinhost.exe %APPDATA%\AdobeFlashPlayer\Local.dat %APPDATA%\AdobeFlashPlayer\Log.txt *Static String (POST Request):* ihasd3jasdhkas *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 *URI(s):* /aero2/fly.php */1.55 ?goo?/* *Pa cked MD5:* 17E1173F6FC7E920405F8DBDE8C9ECAC *Unpacked MD5:* D397D2CC9DE41FB5B5D897D1E665C549 *Install Path:* %APPDATA%\OracleJava\javaw.exe *Mutexes: * nUndsa8301nskal nuyhnJmkuTgD *Files Written: * %APPDATA%\nsskrnl %APPDATA%\winserv.exe %APPDATA%\OracleJava\javaw.exe %APPDATA%\OracleJava\Local.dat %APPDATA%\OracleJava\Log.txt *Static String (POST Request):* jhgtsd7fjmytkr *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service *User-Agent: * *URI(s):* /windows/updcheck.php */1.55 ?MAY?/* *Packed MD5:* 21E61EB9F5C1E1226F9D69CBFD1BF61B *Unpacked MD5:* CA608E7996DED0E5009DB6CC54E08749 *Install Path:* %APPDATA%\OracleJava\javaw.exe *Mutexes: * nUndsa8301nskal nuyhnJmkuTgD *Files Written: * %APPDATA%\nsskrnl %APPDATA%\winserv.exe %APPDATA%\OracleJava\javaw.exe %APPDATA%\OracleJava\Local.dat %APPDATA%\OracleJava\Log.txt *Static String (POST Request):* jhgtsd7fjmytkr *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service *User-Agent: * *URI(s):* /windowsxp/updcheck.php */1.55 ?net?/* *Packed MD5:* 0607CE9793EEA0A42819957528D92B02 *Unpacked MD5:* 5C1474EA275A05A2668B823D055858D9 *Install Path:* %APPDATA%\AdobeFlashPlayer\mswinhost.exe *Mutexes: * nUndsa8301nskal *Files Written: * %APPDATA%\AdobeFlashPlayer\mswinhost.exe %APPDATA%\AdobeFlashPlayer\Local.dat %APPDATA%\AdobeFlashPlayer\Log.txt *Static String (POST Request*): ihasd3jasdhkas9 *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service *User-Agent: * *URI(s):* /windowsxp/updcheck.php */1.56 ?LAST?/* *Packed MD5:* 12C9C0BC18FDF98189457A9D112EEBFC *Unpacked MD5:* 205947B57D41145B857DE18E43EFB794 *Install Path:* %APPDATA%\OracleJava\javaw.exe *Mutexes: * nUndsa8301nskal nuyhnJmkuTgD *Files Written: * %APPDATA%\nsskrnl %APPDATA%\winserv.exe %APPDATA%\OracleJava\javaw.exe %APPDATA%\OracleJava\Local.dat %APPDATA%\OracleJava\Log.txt *Static String (POST Request):* jhgtsd7fjmytkr *Registry Keys:* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath *User-Agent:* Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 *URI(s):* /windebug/updcheck.php Impact The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business? brand and reputation, while consumers? information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now. Solution At the time this advisory is released, the variants of the ?Backoff? malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It?s important to maintain up?to?date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[9],[10],[11] IOCs can be found above. The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise: *_Remote Desktop Access _* * Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[12] * Limit the number of users and workstation who can log in using Remote Desktop. * Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[13] * Change the default Remote Desktop listening port. * Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14] * Require two-factor authentication (2FA) for remote desktop access.[15 ] * Install a Remote Desktop Gateway to restrict access.[16 ] * Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18] * Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks. * Limit administrative privileges for users and applications. * Periodically review systems (local and domain controllers) for unknown and dormant users. *_Network Security _* * Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses. * Segregate payment processing networks from other networks. * Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks. * Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data. * Implement data leakage prevention/detection tools to detect and help prevent data exfiltration. * Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials). *_Cash Register and PoS Security _* * Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website. * Install Payment Application Data Security Standard-compliant payment applications. * Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system. * Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible. * Perform a binary or checksum comparison to ensure unauthorized files are not installed. * Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation. * Disable unnecessary ports and services, null sessions, default users and guests. * Enable logging of events and make sure there is a process to monitor logs on a daily basis. * Implement least privileges and ACLs on users and applications on the system. References * [1] Windows Remote Desktop * [2] Apple Remote Desktop * [3] Chrome Remote Desktop * [4] Splashtop * [5] Windows Pulseway * [6] Windows Join.me * [7] Attacker?s brute-force POS systems utilizing RDP in global botnet operation * [8] Brute force RDP attacks depend on your mistakes * [9] Understanding Indicators of Compromise (IOC) * [10] Using Indicators of Compromise in Malware Forensics * [11] Indicators of Compromise: The Key to Early Detection * [12] Configuring Account Lockout * [13] Securing Remote Desktop for System Administrators * [14] Account Lockout and Password Concepts * [15] NIST Guide to Enterprise Telework and Remote Access Security * [16] Installing RD Gateway * [17] Networking and Access Technologies * [18] Secure RDS Connections with SSL Revision History * July, 31 2014 - Initial Release ------------------------------------------------------------------------ This product is provided subject to this Notification and this Privacy & Use policy. ------------------------------------------------------------------------ OTHER RESOURCES: Contact Us | Security Publications | Alerts and Tips | Related Resources STAY CONNECTED: Sign up for email updates SUBSCRIBER SERVICES: Manage Preferences | Unsubscribe | Help ------------------------------------------------------------------------ ----- End forwarded message -----