Search found 77 matches

Alert (TA14-300A) Phishing Campaign Linked with “Dyre” Banking Malware

Systems Affected

Microsoft Windows

Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:
•Subject: "Unpaid invoic" (Spelling errors in the subject line are a characteristic of this campaign)
•Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):
• Copies itself under C:\Windows\[RandomName].exe
• Creates a service named "Google Update Service" by setting the following registry keys:
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
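Detection logic for the two service indicators above, as an added example (not US-CERT's or any vendor's code): it flags a service whose DisplayName imitates Google Update while its ImagePath is an executable dropped directly under the Windows directory. The registry snapshot in SAMPLE_SERVICES is constructed; collect_services() and the legitimate-looking gupdate install path are assumptions, and the live registry read only works on Windows.

```python
"""Flag services that match the TA14-300A Dyre persistence pattern:
DisplayName "Google Update Service" with an ImagePath that is a random-named
.exe directly under C:\Windows (not System32, not a Google install path).
SAMPLE_SERVICES is a constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services."""
import re
from typing import Dict, List, Tuple

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
# An .exe sitting directly in the Windows directory, e.g. C:\WINDOWS\pfdOSwYjERDHrdV.exe,
# optionally quoted and followed by arguments. Paths in subdirectories do not match.
WINDOWS_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\Windows\\[^\\"]+\.exe"?(\s.*)?$', re.IGNORECASE)
LOOKALIKE_NAMES = ("google update",)

# Constructed snapshot: the first row mirrors the alert's indicator exactly,
# the second is an assumed legitimate-looking updater, the third a normal service.
SAMPLE_SERVICES: Dict[str, Dict[str, str]] = {
    "googleupdate": {"DisplayName": "Google Update Service",
                     "ImagePath": r"C:\WINDOWS\pfdOSwYjERDHrdV.exe"},
    "gupdate": {"DisplayName": "Google Update Service (gupdate)",
                "ImagePath": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
    "wuauserv": {"DisplayName": "Windows Update",
                 "ImagePath": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
}

def assess_service(name: str, values: Dict[str, str]) -> List[str]:
    """Return the reasons a service entry matches the Dyre pattern (empty list if none)."""
    reasons = []
    display = values.get("DisplayName", "").lower()
    image = values.get("ImagePath", "")
    in_windows_root = bool(WINDOWS_ROOT_EXE.match(image))
    if in_windows_root:
        reasons.append("ImagePath is an executable directly under the Windows directory")
        if any(n in display for n in LOOKALIKE_NAMES):
            reasons.append("DisplayName imitates Google Update but binary is outside any Google install path")
    return reasons

def find_dyre_indicators(services: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return [(service_name, reasons)] for every entry that matches."""
    hits = []
    for name, values in services.items():
        reasons = assess_service(name, values)
        if reasons:
            hits.append((name, reasons))
    return hits

def collect_services() -> Dict[str, Dict[str, str]]:
    """Read DisplayName/ImagePath of every service from the live registry (Windows only,
    assumed to need administrative rights). Feed the result to find_dyre_indicators()."""
    import winreg  # only available on Windows
    out: Dict[str, Dict[str, str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            values = {}
            with winreg.OpenKey(root, sub) as key:
                for value_name in ("DisplayName", "ImagePath"):
                    try:
                        values[value_name] = str(winreg.QueryValueEx(key, value_name)[0])
                    except FileNotFoundError:
                        pass  # value absent on this service
            out[sub] = values
    return out
```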


Impact

A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:
•Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.
•Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]
•Follow safe practices when browsing the web. See Good Security Habits [9] and Safeguarding Your Data [10] for additional details.
•Maintain up-to-date anti-virus software.
•Keep your operating system and software up-to-date with the latest patches.

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to [email protected].

References

• [1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014
• [2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014
• [3] New Banking Malware Dyreza, accessed October 16, 2014
• [4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014
• [5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014
• [6] VirusTotal Analysis, accessed October 16, 2014
• [7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks
• [8] US-CERT Recognizing and Avoiding Email Scams
• [9] US-CERT Security Tip (ST04-003) Good Security Habits
• [10] US-CERT Security Tip (ST06-008) Safeguarding Your Data

Revisions

•October 27, 2014: Initial Release

Copy and Paste link below for more info:

https://www.us-cert.gov/ncas/alerts/TA14-300A
NIST Computer Security Division announce the release of Draft NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment NIST Computer Security Division announce the release of Draft NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment This...
Fri Oct 24, 2014 5:43 pm
Apple Releases Security Updates for QuickTime Apple has released QuickTime 7.7.6 for Windows 7, Vista, XP SP2 or later to address multiple vulnerabilities, some of which may allow remote attackers to execute arbitrary code or cause a denial of service. Users and administrators are encouraged to revi...
Fri Oct 24, 2014 5:41 pm
Alert (TA14-295A) Crypto Ransomware Systems Affected Microsoft Windows Overview Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) ana...
Fri Oct 24, 2014 5:38 pm
Microsoft Releases Advisory for Unpatched Windows Vulnerability Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability, (CVE-2014-6352) which affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an att...
Fri Oct 24, 2014 5:36 pm
Apple Releases Security Updates for iOS and Apple TV Apple has released security updates for iOS devices and Apple TV to address multiple vulnerabilities, one of which could allow an attacker to decrypt data protected by SSL. Updates available include: •iOS 8.1 for iPhone 4s and later, iPod touch 5t...
Bulletin (SB14-293) Vulnerability Summary for the Week of October 13, 2014 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NV...
Sun Oct 19, 2014 5:59 pm
http://googlechromereleases.blogspot.com/2014/10/stable-channel-update_14.html

http://googlechromereleases.blogspot.com/2014/10/stable-channel-update-for-chrome-os_16.html
Sun Oct 19, 2014 5:51 pm
OpenSSL 3.0 Protocol Vulnerability
Alert (TA14-290A)

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. Exploitation of this vulnerability may allow a remote attacker to decrypt and extract information from inside an encrypted transaction.

US-CERT recommends users and administrators review TA14-290A for additional information and apply any necessary updates to address this vulnerability.

Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.

Description

The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.

Impact

The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).

Solution

There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.

Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to its latest versions and recommends the following upgrades: [2]
•OpenSSL 1.0.1 users should upgrade to 1.0.1j.
•OpenSSL 1.0.0 users should upgrade to 1.0.0o.
•OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.
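The two mitigations the alert lists, worked as an added example (not US-CERT or OpenSSL code): the server-side TLS_FALLBACK_SCSV rule from RFC 7507, followed by a configured version floor that disables SSL 3.0 outright. The ClientHello bytes are constructed by build_client_hello(); the suite value 0x5600 and the alert codes are taken from the RFCs, and the (major, minor) version tuples are the wire encoding.

```python
"""Server-side handling of TLS_FALLBACK_SCSV (RFC 7507) plus a minimum-version floor.
A client retrying at a lower version (the "downgrade dance") appends the signalling
suite 0x5600 to its cipher list; a server that supports a higher version than the one
offered must refuse with inappropriate_fallback instead of silently negotiating SSL 3.0.
All ClientHello bytes used here are constructed for this example."""
import os
import struct

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86     # AlertDescription added by RFC 7507
ALERT_PROTOCOL_VERSION = 70           # AlertDescription from RFC 5246
SSL_3_0, TLS_1_0, TLS_1_2 = (3, 0), (3, 1), (3, 3)   # (major, minor) as sent on the wire
NORMAL_SUITES = [0x002F, 0x0035]      # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA

def build_client_hello(version, cipher_suites, fallback=False):
    """ClientHello body (no record or handshake header). A client performing a
    fallback retry appends TLS_FALLBACK_SCSV to its cipher suite list."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = bytes(version) + os.urandom(32) + b"\x00"    # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    return body

def parse_client_hello(body):
    """Return (client_version, [cipher_suites]) from a ClientHello body."""
    version = (body[0], body[1])
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # skip session_id (length-prefixed)
    (suites_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    return version, suites

def server_decide(body, server_max=TLS_1_2, server_min=TLS_1_0):
    """Apply the RFC 7507 rule, then the configured version floor.
    Returns ("ok", negotiated_version) or ("alert", alert_description)."""
    client_version, suites = parse_client_hello(body)
    # A fallback retry from a client that could do better is a forced downgrade: refuse it.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "alert", ALERT_INAPPROPRIATE_FALLBACK
    negotiated = min(client_version, server_max)
    # SSL 3.0 disabled: the floor also stops clients that genuinely offer nothing newer.
    if negotiated < server_min:
        return "alert", ALERT_PROTOCOL_VERSION
    return "ok", negotiated
```

With server_min left at SSL_3_0 the last branch never fires, which is the configuration the alert advises against.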

Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566. [3]

References

• [1] This Poodle Bites: Exploiting The SSL Fallback
• [2] OpenSSL Security Advisory [15 Oct 2014]
• [3] Vulnerability Summary for CVE-2014-3566

Revisions

• October 17, 2014: Initial Release

https://www.us-cert.gov/ncas/alerts/TA14-290A
Sun Oct 19, 2014 5:46 pm
Apple Releases Security Update 2014-005

SEE LINK:

https://support.apple.com/kb/HT6531
Sun Oct 19, 2014 5:46 pm
Apple Releases Security Update 2014-005

https://support.apple.com/kb/HT6531
Fri Oct 17, 2014 2:32 pm
OpenSSL Patches Four Vulnerabilities OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available: •OpenSSL 1.0.1 users should upgrade to 1.0.1j •...
Fri Oct 17, 2014 2:28 pm
Drupal Releases Security Advisory Drupal has released a security advisory to address an application program interface (API) vulnerability (CVE-2014-3704) that could allow an attacker to execute arbitrary SQL commands on an affected system. This vulnerability affects all Drupal core 7.x versions prio...
Fri Oct 17, 2014 2:26 pm
Google Releases Security Updates for Chrome and Chrome OS

Google has released security updates to address multiple vulnerabilities in Chrome and Chrome OS, one of which could potentially allow an attacker to take control of the affected system.

Updates available include:
•Chrome 38.0.2125.104 for Windows, Mac and Linux
•Chrome OS 38.0.2125.108 for all Chrome OS devices except Chromeboxes

Users and administrators are encouraged to review the Google Chrome blog entries 1 and 2, and apply the necessary updates.

Copy and paste:

https://www.us-cert.gov/ncas/current-activity/2014/10/16/Google-Releases-Security-Updates-Chrome-and-Chrome-OS
Fri Oct 17, 2014 2:24 pm
Ebola Phishing Scams and Malware Campaigns US-CERT reminds users to protect against email scams and cyber campaigns using the Ebola virus disease (EVD) as a theme. Phishing emails may contain links that direct users to websites which collect personal information such as login credentials, or contain...
Fri Oct 17, 2014 2:22 pm
Mozilla Releases Security Updates for Firefox and Thunderbird The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, bypass same-origin policy an...
Fri Oct 17, 2014 2:21 pm
Mozilla Releases Security Updates for Firefox and Thunderbird

The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to obtain sensitive information, bypass same-origin policy and key pinning, cause an exploitable crash, conduct a man-in-the-middle attack, or execute arbitrary code.

The following updates are available:
•Firefox 33
•Firefox ESR 31.2
•Thunderbird 31.2

Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR and Thunderbird to determine which updates should be applied to mitigate these risks.

Copy and Paste following link:
https://www.us-cert.gov/ncas/current-activity/2014/10/15/Mozilla-Releases-Security-Updates-Firefox-and-Thunderbird
Fri Oct 17, 2014 2:18 pm
Microsoft Releases October 2014 Security Bulletin

Microsoft has released updates to address vulnerabilities in Windows, Office, Office Services and Web Apps, Developer Tools, .NET Framework, and Internet Explorer as part of the Microsoft Security Bulletin Summary for October 2014. These vulnerabilities could allow remote code execution, elevation of privilege, or security feature bypass.

US-CERT encourages users and administrators to review the bulletin and apply the necessary updates.

Cut and Paste:

https://technet.microsoft.com/library/security/ms14-oct
Fri Oct 17, 2014 2:16 pm
Oracle Releases October 2014 Security Advisory Oracle has released its Critical Patch Update for October 2014 to address 154 vulnerabilities across multiple products. US-CERT encourages users and administrators to review the Oracle October 2014 Critical Patch Update and apply the n...
Fri Oct 17, 2014 2:12 pm
Adobe Releases Security Updates for ColdFusion and Flash Player

Adobe has released security updates to address multiple vulnerabilities in ColdFusion and Flash Player. Exploitation could allow attackers to take control of a vulnerable system.

Users and administrators are encouraged to review Adobe Security Bulletins APSB 14-23 and APSB 14-22 and apply the necessary updates.

Cut and Paste link below for further information:

https://www.us-cert.gov/ncas/current-activity/2014/10/14/Adobe-Releases-Security-Updates-ColdFusion-and-Flash-Player
Vulnerability Summary for the Week of October 6, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

• High: vulnerabilities are labeled High severity if they have a CVSS base score of 7.0 - 10.0
• Medium: vulnerabilities are labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
• Low: vulnerabilities are labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

SEE LINK BELOW:

https://www.us-cert.gov/ncas/bulletins/SB14-286
Thu Oct 09, 2014 2:20 pm
I will try,

Be specific and advise your platform.
Try to let me know about what you want to accomplish.

Talk soon.

Master Mage

adnan nasir wrote:
hi
friend, how are you?
i want to know about some software, can you help me?
Thu Oct 09, 2014 2:18 pm
Cisco Releases Security Advisory for ASA Software

Cisco has released an advisory to address multiple vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software that could result in a denial of service condition. Cisco has released free software updates that address these vulnerabilities.

Users and administrators are encouraged to review the Cisco Advisory(link is external) and apply the necessary updates.

Copy and Paste to CISCO link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa