TA15-120A: Securing End-to-End Communications

Original release date: April 30, 2015Systems Affected Networked systems Overview Securing end-to-end communications plays an important role in protecting privacy and preventing some forms of man-in-the-middle (MITM) attacks. Recently, researchers described a MITM attack used to inject code, causing unsecured web browsers around the world to become unwitting participants in a distributed denial-of-service attack. That same code can be employed to deliver an exploit for a particular vulnerability or to take other arbitrary actions. Description A MITM attack occurs when a third party inserts itself between the communications of a client and a server. MITM attacks as a general class are not new. Classic MITM attacks (e.g., ARP Spoofing) focus on redirecting network communications. By definition, network infrastructure under attacker control is vulnerable to MITM. However, as technology evolves, new methods for performing MITM attacks evolve as well.Currently, there is no single technology or configuration to prevent all MITM attacks. However, increasing the complexity with multiple layers of defense may raise the cost for the attacker. Increasing the attacker’s cost in time, effort, or money can be an effective deterrent to avoiding future network compromise.Generally, encryption and digital certificates provide an effective safeguard against MITM attacks, assuring both the confidentiality and integrity of communications. As a result, modern MITM attacks have focused on taking advantage of weaknesses in the cryptographic infrastructure (e.g., certificate authorities (CAs), web browser certificate stores) or the encryption algorithms and protocols themselves. Impact MITM attacks are critical because of the wide range of potential impacts—these include the exposure of sensitive information, modification of trusted data, and injection of data. Solution Employing multiple network and browser protection methods forces an attacker to develop different tactics, techniques, and procedures to circumvent the new security configuration.US-CERT recommends reviewing the following mitigations to reduce vulnerability to MITM attacks:Update Transport Layer Security and Secure Socket Layer (TLS/SSL)US-CERT recommends upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled, unless required. TLS 1.0 clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding oracle attack when Cypher-Block Chaining mode is used. This method is commonly referred to as the "POODLE" (Padding Oracle on Downgraded Legacy Encryption) attack. Vulnerable TLS implementations can be updated by applying the patch provided by the vendor. Vendor information is available in the National Vulnerability Database (NVD) entry for CVE-2014-3566 [1] or in CERT Vulnerability Note VU#577193 [2]. See US-CERT TA14-290A [3] for additional information on this vulnerability.Utilize Certificate PinningCertificate pinning [4] is a method of associating X.509 certificate and its public key to a specific CA or root. Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust “this certificate only” or “trust only certificates signed by this certificate.” Please use the following resources to configure your browser for certificate pinning:Microsoft Certificate TrustThe Microsoft Enhanced Mitigation Experience Toolkit (EMET) 5.2 employs a feature named "Certificate Trust" for SSL/TLS certificate pinning. This feature is intended to detect and stop MITM attacks that leverage Public Key Infrastructure. [5]To use the Certificate Trust, you must provide a list of websites you want to protect and certificate pinning rules applicable to those websites. In order to do this, work with the Certificate Trust Configuration feature of the graphical application or use the Configuration Wizard to automatically configure EMET with the recommended settings. [6] Also, ensure period defaults are updated through patching.Browser Certificate PinningGoogle Chrome and Mozilla Firefox, among others, perform certificate pinning. They conduct a variation of certificate pinning using the HTTP Strict Transport Security (HSTS), which pre-loads a specific set of public key hashes into the HSTS configuration, limiting valid certificates to only those with the specified indicated public key. Chrome uses HTTPS pins for most Google properties. It uses whitelisted public keys which include keys from Verisign, Google Internet Authority, Equifax, and GeoTrust. Thus, Chrome will not accept certificates for Google properties from other CAs.Firefox 32 on desktop and later (Firefox 34 and later on Android) has the ability to use certificate pinning. It also has the ability to enforce built-in pinsets (mapping of public keys) information to domains. Firefox will pin all sites that Chrome already does, pin their own sites after audit and cleansing, and pin other popular sites that are already in good standing. Please visit this site on How to Use Pinning [7] and for more information.Implement DNS-based Authentication of Named Entities (DANE)DANE is a protocol that allows certificates (X.509) commonly used for TLS. DANE is bound to DNS which uses Domain Name System Security Extensions (DNSSEC). A working group in the Internet Engineering Task Force of DANE developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it. [8]Google Chrome does not use DANE but uses an add-on [9] for support. Mozilla Firefox also uses an add-on [10] to check the existence and validity of DNSSEC.Use Network Notary ServersNetwork notary servers aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on CAs. CAs are often considered a security risk because they can be compromised. [11] As a result, browsers can deem fraudulent sites trustworthy and are left vulnerable to MITM attacks.Each network notary server, or group of servers, is public and can be operated by public/private organizations or individuals. These servers regularly monitor websites and build a history of each site’s certificate data over time. When a browser equipped with a network notary add-on communicates with a website and obtains its certificate information, a user-designated network notary server supplies the browser with historical certificate data for that site. If certificate information provided by the website is inconsistent with the notary’s historical data, a MITM attack could be at play. [12] References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] Revision History April 30, 2015: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA15-119A: Top 30 Targeted High Risk Vulnerabilities

Original release date: April 29, 2015Systems Affected Systems running unpatched software from Adobe, Microsoft, Oracle, or OpenSSL.  Overview Cyber threat actors continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. As many as 85 percent of targeted attacks are preventable [1].This Alert provides information on the 30 most commonly exploited vulnerabilities used in these attacks, along with prevention and mitigation recommendations.It is based on analysis completed by the Canadian Cyber Incident Response Centre (CCIRC) and was developed in collaboration with our partners from Canada, New Zealand, the United Kingdom, and the Australian Cyber Security Centre. Description Unpatched vulnerabilities allow malicious actors entry points into a network. A set of vulnerabilities are consistently targeted in observed attacks. Impact A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:Temporary or permanent loss of sensitive or proprietary information,Disruption to regular operations,Financial losses relating to restoring systems and files, andPotential harm to an organization’s reputation.Solution Maintain up-to-date softwareThe attack vectors frequently used by malicious actors such as email attachments, compromised “watering hole” websites, and other tools often rely on taking advantage of unpatched vulnerabilities found in widely used software applications. Patching is the process of repairing vulnerabilities found in these software components.It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24-hours to four days. Timely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network.Patch commonly exploited vulnerabilitiesExecutives should ensure their organization’s information security professionals have patched the following software vulnerabilities. Please see patching information for version specifics.MicrosoftCVEAffected ProductsPatching Information​CVE-2006-3227​Internet Explorer​Microsoft Malware Protection Encyclopedia Entry CVE-2008-2244Office WordMicrosoft Security Bulletin MS08-042CVE-2009-3129OfficeOffice for MacOpen XML File Format Converter for MacOffice Excel ViewerExcelOffice Compatibility Pack for Word, Excel, and PowerPointMicrosoft Security Bulletin MS09-067​CVE-2009-3674​Internet Explorer​Microsoft Security Bulletin MS09-072CVE-2010-0806​​Internet Explorer​Microsoft Security Bulletin MS10-018CVE-2010-3333OfficeOffice for MacOpen XML File Format Converter for MacMicrosoft Security Bulletin MS10-087CVE-2011-0101Excel Microsoft Security Bulletin MS11-021CVE-2012-0158OfficeSQL ServerBizTalk ServerCommerce ServerVisual FoxProVisual BasicMicrosoft Security Bulletin MS12-027CVE-2012-1856OfficeSQL ServerCommerce ServerHost Integration ServerVisual FoxPro Visual BasicMicrosoft Security Bulletin MS12-060​CVE-2012-4792​Internet Explorer​Microsoft Security Bulletin MS13-008CVE-2013-0074​​Silverlight and Developer Runtime​Microsoft Security Bulletin MS13-022CVE-2013-1347​Internet Explorer​Microsoft Security Bulletin MS13-038CVE-2014-0322​​​Internet Explorer​Microsoft Security Bulletin MS14-012CVE-2014-1761Microsoft WordOffice Word ViewerOffice Compatibility PackOffice for MacWord Automation Services on SharePoint ServerOffice Web AppsOffice Web Apps ServerMicrosoft Security Bulletin MS14-017​CVE-2014-1776​Internet Explorer​Microsoft Security Bulletin MS14-021 CVE-2014-4114​Windows​Microsoft Security Bulletin MS14-060  OracleCVEAffected ProductsPatching InformationCVE-2012-1723Java Development Kit, SDK, and JREOracle Java SE Critical Patch Update Advisory - June 2012CVE-2013-2465Java Development Kit and JREOracle Java SE Critical Patch Update Advisory - June 2013  AdobeCVEAffected ProductsPatching Information​CVE-2009-3953ReaderAcrobat ​Adobe Security Bulletin APSB10-02​​CVE-2010-0188​ReaderAcrobat​Adobe Security Bulletin APSB10-07​CVE-2010-2883ReaderAcrobat ​​Adobe Security Bulletin APSB10-21​CVE-2011-0611​Flash PlayerAIRReaderAcrobatAdobe Security Bulletin APSB11-07Adobe Security Bulletin APSB11-08​​CVE-2011-2462ReaderAcrobat ​​Adobe Security Bulletin APSB11-30​CVE-2013-0625ColdFusion​​Adobe Security Bulletin APSB13-03​CVE-2013-0632​ColdFusion​Adobe Security Bulletin APSB13-03​CVE-2013-2729​ReaderAcrobat​Adobe Security Bulletin APSB13-15​CVE-2013-3336​ColdFusion​Adobe Security Bulletin APSB13-13​CVE-2013-5326   ​ColdFusion​Adobe Security Bulletin APSB13-27CVE-2014-0564Flash PlayerAIRAIR SDK & CompilerAdobe Security Bulletin APSB14-22  OpenSSLCVEAffected ProductPatching InformationCVE-2014-0160OpenSSLCERT Vulnerability Note VU#720951  Implement the following four mitigation strategies.As part of a comprehensive security strategy, network administrators should implement the following four mitigation strategies, which can help prevent targeted cyber attacks.RankingMitigation StrategyRationale1Use application whitelisting to help prevent malicious software and unapproved programs from running.Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.2Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office.Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.3Patch operating system vulnerabilities.4Restrict administrative privileges to operating systems and applications based on user duties.Restricting these privileges may prevent malware from running or limit its capability to spread through the network.It is recommended that users review US-CERT Security Tip (ST13-003) and CCIRC’s Mitigation Guidelines for Advanced Persistent Threats for additional background information and to assist in the detection of, response to, and recovery from malicious activity linked to advance persistent threats [2, 3]. References [1] Canadian Cyber Incident Response Centre, Top 4 Strategies to Mitigate Targeted Cyber Intrusions [2] Canadian Cyber Incident Response Centre, TR11-002, Mitigation Guidelines for Advanced Persistent Threats [3] US-CERT Security Tip (ST13-003): Handling Destructive Malware Revision History April 29, 2015: Initial release This product is provided subject to this Notification and this Privacy & Use policy.

TA15-105A: Simda Botnet

Original release date: April 15, 2015Systems Affected Microsoft Windows Overview The Simda botnet – a network of computers infected with self-propagating malware – has compromised more than 770,000 computers worldwide [1].The United States Department of Homeland Security (DHS), in collaboration with Interpol and the Federal Bureau of Investigation (FBI), has released this Technical Alert to provide further information about the Simda botnet, along with prevention and mitigation recommendations. Description Since 2009, cyber criminals have been targeting computers with unpatched software and compromising them with Simda malware [2]. This malware may re-route a user’s Internet traffic to websites under criminal control or can be used to install additional malware. The malicious actors control the network of compromised systems (botnet) through backdoors, giving them remote access to carry out additional attacks or to “sell” control of the botnet to other criminals [1]. The backdoors also morph their presence every few hours, allowing low anti-virus detection rates and the means for stealthy operation [3].     Impact A system infected with Simda may allow cyber criminals to harvest user credentials, including banking information; install additional malware; or cause other malicious attacks. The breadth of infected systems allows Simda operators flexibility to load custom features tailored to individual targets. Solution Users are recommended to take the following actions to remediate Simda infections:Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).Keep your operating system and application software up-to-date - Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of Simda from your system.          Kaspersky Lab :          Microsoft:          Trend Micro: to see if your system is infected – The link below offers a simplified check for beginners and a manual check for experts.          Cyber Defense Institute: above are examples only and do not constitute an exhaustive list. The U.S. government does not endorse or support any particular product or vendor. References [1] INTERPOL Coordinates Global Operation to Take Down Simda Botnet [2] Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six mo [3] Botnet that Enslaved 770,000 PCs Worldwide Comes Crashing Down Revision History April 15, 2015: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA15-103A: DNS Zone Transfer AXFR Requests May Leak Domain Information

Original release date: April 13, 2015 | Last revised: April 15, 2015Systems Affected Misconfigured Domain Name System (DNS) servers that respond to global Asynchronous Transfer Full Range (AXFR) requests. Overview A remote unauthenticated user may request a DNS zone transfer from a public-facing DNS server. If improperly configured, the DNS server may respond with information about the requested zone, revealing internal network structure and potentially sensitive information. Description AXFR is a protocol for “zone transfers” for replication of DNS data across multiple DNS servers. Unlike normal DNS queries that require the user to know some DNS information ahead of time, AXFR queries reveal resource records including subdomain names [1]. Because a zone transfer is a single query, it could be used by an adversary to efficiently obtain DNS data.  A well-known problem with DNS is that zone transfer requests can disclose domain information; for example, see CVE-1999-0532 and a 2002 CERT/CC white paper [2][3]. However, the issue has regained attention due to recent Internet scans still showing a large number of misconfigured DNS servers. Open-source, tested scripts are now available to scan for the possible exposure, increasing the likelihood of exploitation [4]. Impact A remote unauthenticated user may observe internal network structure, learning information useful for other directed attacks. Solution Configure your DNS server to respond only to zone transfer (AXFR) requests from known IP addresses. Many open-source resources give instructions on reconfiguring your DNS server. For example, see this AXFR article for information on testing and fixing the configuration of a BIND DNS server. US-CERT does not endorse or support any particular product or vendor. References [1] How the AXFR Protocol Works [2] Vulnerability Summary for CVE-1999-0532 [3] Securing an Internet Name Server [4] Scanning Alexa's Top 1M for AXFR Revision History April 13, 2015: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-318B: Microsoft Windows OLE Automation Array Remote Code Execution Vulnerability

Original release date: November 14, 2014Systems Affected Microsoft Windows Vista, 7, 8, 8.1, RT, and RT 8.1Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2Overview A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.[1] Description The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory.[2] In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBscript.Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647. Impact Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system.  Solution An update is available from Microsoft.[3] Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates. References [1] NIST Vulnerability Summary for CVE-2014-6332 [2] IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows [3] Microsoft Security Bulletin MS14-064 Revision History November 14, 2014: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-318A: Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)

Original release date: November 14, 2014 Systems Affected Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windo...

TA14-317A: Apple iOS “Masque Attack” Technique

Original release date: November 13, 2014Systems Affected iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta. Overview A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances. Description Masque Attack was discovered and described by FireEye mobile security researchers.[1] This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.  This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable. Impact An app installed on an iOS device using this technique may:Mimic the original app’s login interface to steal the victim’s login credentials.Access sensitive data from local data caches.Perform background monitoring of the user’s device.Gain root privileges to the iOS device.Be indistinguishable from a genuine app.Solution iOS users can protect themselves from Masque Attacks by following three steps:Don’t install apps from sources other than Apple’s official App Store or your own organization.Don’t click “Install” from a third-party pop-up when viewing a web page.When opening an app, if iOS shows an “Untrusted App Developer” alert, click on “Don’t Trust” and uninstall the app immediately.Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog [1]. US-CERT does not endorse or support any particular product or vendor. References [1] FireEye Revision History November 13, 2014: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-310A: Microsoft Ending Support for Windows Server 2003 Operating System

Original release date: November 10, 2014Systems Affected Microsoft Windows Server 2003 operating system Overview Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:Security patches that help protect PCs from harmful viruses, spyware, and other malicious softwareAssisted technical support from MicrosoftSoftware and content updatesDescription All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3] Impact Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003. Solution Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and or availability of data, system resources and business assets.The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4,5] US-CERT does not endorse or support any particular product or vendor. References [1] Microsoft Product Lifecycle Listing [2] Microsoft Support Lifecycle Policy FAQ [3] Redmond Magazine, Prepare for Windows Server 2003's End of Support [4] Windows Server 2003 Migration Support [5] TechTarget, Weighing next steps following Windows Server 2003 end-of-life Revision History November 10, 2014: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-300A: Phishing Campaign Linked with “Dyre” Banking Malware

Original release date: October 27, 2014Systems Affected Microsoft Windows Overview Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware. Description The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.Phishing Email Characteristics:Subject: "Unpaid invoic" (Spelling errors in the subject line are a characteristic of this campaign)Attachment: Invoice621785.pdfSystem Level Indicators (upon successful exploitation):Copies itself under C:Windows[RandomName].exeCreated a Service named "Google Update Service" by setting the following registry keys:HKLMSYSTEMCurrentControlSetServicesgoogleupdateImagePath: "C:WINDOWSpfdOSwYjERDHrdV.exe"HKLMSYSTEMCurrentControlSetServicesgoogleupdateDisplayName: "Google Update Service"Impact A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services. Solution Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]Follow safe practices when browsing the web. See Good Security Habits [9]and Safeguarding Your Data [10] for additional details.Maintain up-to-date anti-virus software.Keep your operating system and software up-to-date with the latest patches.US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.You can report phishing to us by sending email to References [1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014 [2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014 [3] New Banking Malware Dyreza, accessed October 16, 2014 [4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014 [5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014 [6] VirusTotal Analysis, accessed October 16, 2014 [7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks [8]US-CERT Recognizing and Avoiding Email Scams [9] US-CERT Security Tip (ST04-003) Good Security Habits [10] US-CERT Security Tip (ST06-008) Safeguarding Your Data Revision History October 27, 2014: Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-295A: Crypto Ransomware

Original release date: October 22, 2014Systems Affected Microsoft Windows Overview Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; andProvide prevention and mitigation information.Description WHAT IS RANSOMWARE?Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.WHY IS IT SO EFFECTIVE?The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:“Your computer has been infected with a virus. Click here to resolve the issue.”“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”“All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”PROLIFERATION OF VARIANTSIn 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.LINKS TO OTHER TYPES OF MALWARESystems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker. Impact Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:Temporary or permanent loss of sensitive or proprietary information;Disruption to regular operations;Financial losses incurred to restore systems and files; andPotential harm to an organization’s reputation.Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed. Solution Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.Maintain up-to-date anti-virus software.Keep your operating system and software up-to-date with the latest patches.Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC. References Kaspersky Lab, Kaspersky Kab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S. United States National Cybersecurity and Communications Integration Center, Cryptolocker Ransomware Sophos / Naked Security, What’s next for ransomware? Cryptowall picks up where CryptoLocker left off Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One Month Symantec, Cryptolocker: A Thriving Menace Symantec, Cryptolocker Q&A: Menace of the Year Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network Revision History Initial Publication This product is provided subject to this Notification and this Privacy & Use policy.

TA14-290A: SSL 3.0 Protocol Vulnerability and POODLE Attack

Original release date: October 17, 2014Systems Affected All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios. Overview US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction. Description The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges. Impact The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.). Solution There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades: [2]OpenSSL 1.0.1 users should upgrade to 1.0.1j.OpenSSL 1.0.0 users should upgrade to 1.0.0o.OpenSSL 0.9.8 users should upgrade to 0.9.8zc.Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566. [3] References [1] This Poodle Bites: Exploiting The SSL Fallback [2] OpenSSL Security Advisory [15 Oct 2014] [3] Vulnerability Summary for CVE-2014-3566 Revision History October 17, 2014 Initial Release This product is provided subject to this Notification and this Privacy & Use policy.

TA14-268A: GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)

Original release date: September 25, 2014 | Last revised: September 26, 2014Systems Affected GNU Bash through 4.3.Linux and Mac OS X systems, on which Bash is part of the base operating system.Any BSD or UNIX system on which GNU Bash has been installed as an add-on.Any UNIX-like operating system on which the /bin/sh interface is implemented as GNU Bash.Overview A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability. Description GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]Critical instances where the vulnerability may be exposed include: [4, 5]Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.Allow arbitrary commands to run on a DHCP client machine.Impact This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways. Solution Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit. References Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it; DHS NCSD; Vulnerability Summary for CVE-2014-6271 DHS NCSD; Vulnerability Summary for CVE-2014-7169 Red Hat, CVE-2014-6271 Red Hat, Bash specially-crafted environment variables code injection attack CERT Vulnerability Note VU#252743 Revision History September 25, 2014 - Initial Release September 26, 2014 - Minor Revisions This product is provided subject to this Notification and this Privacy & Use policy.