Security breach/compromise - 2013


46 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 April 2013 - 06:16 AM

FYI...

LivingSocial hacked - 50 million advised to change pwds...
- http://www.theregist...hacking_attack/
26 April 2013 - "Up to 50 million customers of the Amazon-funded daily deals site LivingSocial are getting an apologetic email from CEO Tim O'Shaughnessy explaining that their information may have been stolen. "LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," he writes in an email... "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically 'hashed' and 'salted' passwords. We never store passwords in plain text." At this stage, the company is saying that all credit card details for customers, and the financial accounts of operators that LivingSocial does deals with, are stored on a separate database and that this hasn't been hacked. Users are being asked to change their passwords and to ignore any emails claiming to be from LivingSocial that ask for financial information. Although the email doesn’t mention it, if your LivingSocial password was used for any other online accounts, then you'd be advised to change those, too..."

Also see:
- https://www.net-secu...ld.php?id=14833
29 April 2013
- http://h-online.com/-1851667
29 April 2013
___

Apache systems using cPanel compromised
- http://h-online.com/-1851442
29 April 2013 - "Researchers at web security firm Sucuri* have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says** that several hundred web servers have been compromised. The attack has been named Linux/Cdorked.A and is difficult to detect..."
* http://blog.sucuri.n...ed-servers.html
April 26, 2013
** http://www.welivesec...rves-blackhole/
April 26, 2013
- https://www.net-secu...ld.php?id=14836
29 April 2013

Apache binary backdoor adds malicious redirect to Blackhole
- https://isc.sans.edu...l?storyid=15710
Last Updated: 2013-04-30

> https://www.virustot...070c6/analysis/
File name: cdorked.a.httpd
Detection ratio: 13/44
Analysis date: 2013-04-30

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 30 April 2013 - 02:24 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#17 AplusWebMaster


Posted 07 May 2013 - 08:09 AM

FYI...

Media sites - mass compromise
- http://research.zsca...ed-in-mass.html
May 6, 2013 - "... Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise... Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait - being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used... obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp .biz and hopto .org) involved... Thus far, Zscaler has identified the following compromised sites:
Media Sites:
WTOP Radio (Washington, DC) - wtop .com
Federal News Radio (Washington, DC) - federalnewsradio .com
The Christian Post - christianpost .com
Real Clear Science - realclearscience .com
Real Clear Policy - realclearpolicy .com
Others:
scubaboard .com
mrsec .com
menupix .com
xaxor .com
gvovideo .com
At the time of posting, these compromised sites were still offering up malicious content."
___

- https://www.net-secu...ews.php?id=2485
May 7, 2013 - "... This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don't trigger the redirection chain..."
___

The Onion/Twitter compromise...
- http://h-online.com/-1859850
9 May 2013

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 09 May 2013 - 09:21 AM.



#18 AplusWebMaster


Posted 09 May 2013 - 03:43 PM

FYI...

Name.com hacked...
- https://www.computer...security_breach
May 9, 2013 - "Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised. Hackers might have gained access to usernames, email addresses, encrypted passwords as well as encrypted credit card information, the company said in an email message sent to customers that was later posted online by users. The credit card information was encrypted with private keys stored in a separate location that wasn't compromised, Name.com said in the email. The company did not specify the type of encryption used, but referred to it as being "strong." The alert email instructed recipients to click on a link in order to perform a password reset, a method that was criticized by some users and security researchers, because it resembles that used in phishing attacks... A hacker group called Hack the Planet (HTP) claimed earlier this week that they compromised Name.com in their attempt to hack into Linode, a virtual private server hosting firm. In a recently published "hacker zine," HTP said that they managed to acquire the domain login for Linode, as well as for Stack Overflow, DeviantArt and others from Name.com. Name.com did not immediately respond to an inquiry seeking confirmation of HTP's claims and other information about the attack..."

- http://www.welivesec...s-after-breach/
9 May 2013

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 10 May 2013 - 04:10 AM.



#19 AplusWebMaster


Posted 10 May 2013 - 04:24 AM

FYI...

Cdorked.A malware redirection spreads ...
- https://atlas.arbor....index#-69874705
May 09, 2013 - "The previously reported Cdorked / Darkleech attack campaign, previously observed affecting Apache servers, has been observed to infect other webservers. The attack has been associated with the delivery of malware.
Analysis: Nginx and Lighttpd have also been seen to be infected as part of this campaign. Original exploitation vectors are not yet well known but past experience suggests that weak passwords and vulnerable web applications could be likely vectors.
ESET offers a tool to detect in-memory traces of this malware - please see: http://www.welivesec...dorked_config.c
Source: http://www.theregist...latest_details/

- http://www.welivesec...-also-affected/
7 May 2013 - "... We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites... In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary... one point needs to be clear about Linux/Cdorked.A. We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by the malicious actor to serve malicious content from legitimate websites... we recommend keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended..."

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 11 May 2013 - 06:03 AM.



#20 AplusWebMaster


Posted 30 May 2013 - 05:17 AM

FYI...

Drupal.org & group.drupal.org password disclosure
- https://isc.sans.edu...l?storyid=15905
Last Updated: 2013-05-30 04:12:54 UTC - "The Drupal security teams have identified a breach in the environment that has disclosed passwords. As their notification here*, states most of the passwords were salted and hashed, older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much). According to the update they are still investigating what else may have been accessed. If you have one of those accounts happy password changing. If you use that password anywhere else (and of course you don't) you might want to change that while you are at it..."
* https://drupal.org/n...9SecurityUpdate
"The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org. This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt..."
___

- http://h-online.com/-1873388
30 May 2013

:ph34r: :ph34r: :(

Edited by AplusWebMaster, 30 May 2013 - 06:25 AM.



#21 AplusWebMaster


Posted 07 June 2013 - 09:57 AM

FYI...

Hetzner web hosting service hacked, customer data copied
- http://h-online.com/-1884574
7 June 2013 - "Web hosting service Hetzner has fallen victim to an attack during which hackers managed to harvest customer data. Among other things, the intruders had access to password hashes and customers' payment information. Apparently, a previously unknown server rootkit was used for the attack. In an email sent to customers on Thursday afternoon, the company said that unknown intruders had compromised several Hetzner systems. Apparently, the incident was discovered at the end of last week... although this data is encrypted asymmetrically, it can't be ruled out at this point that the private crypto keys that are required for decryption were copied as well. The attackers were also able to access customers' credit card data (the last three digits of credit card numbers, the expiry date and the card type) as well as salted SHA256 password hashes... current information suggests that the manipulated Apache instances were not used to deploy malware. It remains unclear who is behind the attack. How the hackers intruded into the server has yet to be established as well. The hosting company said that the German Federal Criminal Police Office (BKA) has been informed."

:ph34r: :( :ph34r:



#22 AplusWebMaster


Posted 22 June 2013 - 08:07 AM

FYI...

Facebook - potential leak of User Data
- https://isc.sans.edu...l?storyid=16043
Last Updated: 2013-06-22 - "Facebook recently received a report that may have allowed some user information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them. Based on their analysis, they estimate that approximately 6 million users had their email addresses or telephone numbers shared. However, they don't have any evidence this bug was exploited because they have not received any user complaints or seen strange activity related to this bug. The complete Facebook message to users is posted here*..."
* https://www.facebook...151437074840766

:ph34r: :ph34r:



#23 AplusWebMaster


Posted 08 July 2013 - 11:09 AM

FYI...

Mass-login attack hijacks accounts...
- http://arstechnica.c...24000-accounts/
July 8 2013 - "Almost 24,000 user accounts on Nintendo's main fan site have been hijacked in a sustained mass-login attack that began early last month, the company said. The wave of attacks on Club Nintendo exposed personal information associated with 23,926 compromised accounts, including users' real names, addresses, phone numbers and e-mail addresses, according to a press release Nintendo issued over the weekend. The campaign began on June 9 and attempted more than 15.5 million logins over the following month. Attackers likely relied on a list of login credentials taken from a site unrelated to Nintendo. Club Nintendo offers rewards to Nintendo customers in exchange for having them register their products, answer surveys, and provide personal data. The site operates internationally and has about four million users in Japan, the primary region of most affected users. Things came to a head on July 2, when the wave of logins crested. By Friday, July 5, Nintendo had reset passwords on the site. "There were scattered illicit attempts to log in since June 9, but we became aware of the issue after the mass attempts on July 2," company spokesman Yasuhiro Minagawa told IDG News.
Other game companies recently hit by security problems include Ubisoft, which last week warned that customer user names, e-mail addresses and cryptographically hashed passwords were illegally accessed from an account database that had been breached. More recently, the alpha launch of a new indie game called Cube World has been reportedly disrupted by denial-of-service attacks."

:ph34r: <_< :ph34r:

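Added example, not part of the thread or of Nintendo's statement: one way a site operator could spot the kind of mass-login wave described in the post above in its own authentication log, and list the accounts that need a password reset. The log format, field names, thresholds and every sample record are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (constructed) log format: "<date>T<time> login user=<u> ip=<addr> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ login user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Constructed sample: four quiet days, then a replayed credential list."""
    lines = []
    regulars = [f"member{n:02d}" for n in range(20)]
    for day in ("2013-06-28", "2013-06-29", "2013-06-30", "2013-07-01"):
        for n, user in enumerate(regulars):
            result = "fail" if n == 7 else "ok"  # one mistyped password a day
            lines.append(f"{day}T09:{n:02d}:00Z login user={user} "
                         f"ip=192.0.2.{n + 1} result={result}")
    # 2013-07-02: 400 different usernames, one try each, from four addresses
    for n in range(400):
        result = "ok" if n in (57, 311) else "fail"  # reused passwords that worked
        lines.append(f"2013-07-02T{n // 60:02d}:{n % 60:02d}:00Z login "
                     f"user=listed{n:03d} ip=203.0.113.{n % 4 + 10} result={result}")
    for n, user in enumerate(regulars):  # ordinary members still log in that day
        lines.append(f"2013-07-02T12:{n:02d}:30Z login user={user} "
                     f"ip=192.0.2.{n + 1} result=ok")
    lines.append("unparseable line that must be skipped")
    return lines


def parse(lines):
    """Yield one dict per well-formed login record; ignore everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def daily_stats(events):
    """Per-day attempt count, success count and set of usernames tried."""
    days = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in events:
        d = days[e["day"]]
        d["attempts"] += 1
        d["ok"] += e["result"] == "ok"
        d["users"].add(e["user"])
    return dict(sorted(days.items()))


def find_waves(stats, spike_factor=5.0, max_success_rate=0.10, min_history=3):
    """Flag days whose volume dwarfs the running median while most logins fail."""
    flagged, history = [], []
    for day, d in stats.items():
        if len(history) >= min_history:
            spike = d["attempts"] >= spike_factor * median(history)
            mostly_failing = d["ok"] / d["attempts"] <= max_success_rate
            if spike and mostly_failing:
                flagged.append(day)
                continue  # keep the wave itself out of the baseline
        history.append(d["attempts"])
    return flagged


def accounts_to_reset(events, flagged_days, min_users_per_ip=20):
    """Accounts opened successfully from an address that tried many usernames."""
    tried, opened = defaultdict(set), defaultdict(set)
    for e in events:
        if e["day"] in flagged_days:
            tried[e["ip"]].add(e["user"])
            if e["result"] == "ok":
                opened[e["ip"]].add(e["user"])
    hit = set()
    for ip, users in tried.items():
        if len(users) >= min_users_per_ip:  # one address, many accounts
            hit |= opened[ip]
    return sorted(hit)


if __name__ == "__main__":
    events = list(parse(build_sample_log()))
    waves = find_waves(daily_stats(events))
    print("wave days:", waves)
    print("reset:", accounts_to_reset(events, set(waves)))
```

Ordinary members who logged in on the flagged day are not listed, because their addresses each touched a single account.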


#24 AplusWebMaster


Posted 10 July 2013 - 02:45 PM

FYI...

.NL Registrar compromise
- https://isc.sans.edu...l?storyid=16138
Last Updated: 2013-07-10 20:00:51 UTC - "Based on a note on the website of SIDN [1], an SQL injection vulnerability was used to compromise the site and place malicious files in the document root. SIDN is the registrar for the .NL country level domain (Netherlands). As a result of the breach, updates to the zone file are suspended. There is no word as to any effects to the zone files, or if the attackers were able to manipulate them."

[1] Precautionary action taken to ensure security
* https://www.sidn.nl/...elen-genomen-2/
10 July 2013 - "On Tuesday, it came to light that malicious files were present on a number of SIDN websites – files that should not have been there. In order to prevent abuse, SIDN immediately took a number of precautionary measures: the DRS web application was shut down and zone file publication was temporarily suspended. As a result of our precautionary action, some areas of the website that registrars use to download registrarship-related data have been unavailable since Tuesday evening. We believe that the attack began with an SQL injection on the website 25jaarvan .nl. That site is therefore inaccessible for the time being. The precise nature of the vulnerability is currently being investigated. Further information about the security alert will continue to be made available on the site you are now viewing*."

:ph34r: :(



#25 AplusWebMaster


Posted 17 July 2013 - 07:35 AM

FYI...

Tumblr critical security update ...
- http://staff.tumblr....hone-ipad-users
July 16, 2013 - "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now*. If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password... Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.
¹ "Sniffed" in transit on certain versions of the app

* https://itunes.apple...d305343404?mt=8
___

- https://secunia.com/advisories/54205/
Release Date: 2013-07-18
Where: From remote
Impact: Exposure of sensitive information
... security issue is reported in versions prior to 3.4.1.
Solution: Update to version 3.4.1.
Original Advisory:
http://staff.tumblr....hone-ipad-users
https://itunes.apple...d305343404?mt=8

:ph34r: :ph34r:

Edited by AplusWebMaster, 18 July 2013 - 05:42 AM.



#26 AplusWebMaster


Posted 17 July 2013 - 10:48 AM

FYI...

Network Solutions Outage...
- https://isc.sans.edu...l?storyid=16180
Last Updated: 2013-07-17 15:28:23 UTC - "Network Solutions appears to be experiencing an extended outage. Based on a note posted to Facebook, the note indicates that the outage may be related to a larger compromise of customer sites.
"Network Solutions is experiencing a Distributed Denial of Service (DDOS) attack that is impacting our customers as well as the Network Solutions site. Our technology team is working to mitigate the situation... check back for updates." *
The referenced blog website is currently responding slowly as well (it redirects to a networksolutions.com site, which may be affected by the overall outage of "networksolutions.com" ). After a couple minutes, the blog post loaded for me...
"On July 15, some Network Solutions customer sites were compromised. We are investigating the cause of this situation, but our immediate priority is restoring the sites as quickly as possible. If your site has been impacted and you have questions, please call us at 1-866-391-4357."
Various web sites hosting DNS with Network Solutions appear to be down as well as a result. The outage appears to be diminishing over the last 15-30 min or so (4pm GMT) with some affected sites returning back to normal. This outage comes about 3-4 weeks after the bad DDoS mitigation incident that redirected a large number of Network Solution Hosted sites to an IP in Korea**..."

- http://blogs.cisco.c...mises-and-ddos/
July 17, 2013

* https://www.networks...2A1D38E0000V100
July 16, 2013

** http://blogs.cisco.c...work-solutions/
June 20, 2013

:ph34r: :ph34r:

Edited by AplusWebMaster, 17 July 2013 - 05:13 PM.



#27 AplusWebMaster


Posted 21 July 2013 - 10:04 AM

FYI...

Ubuntu Forums - Security Breach
- https://isc.sans.edu...l?storyid=16201
Last Updated: 2013-07-21 15:28:48 UTC - "Ubuntu forums are currently down because they have been breached. According to their post, "the attackers have gotten -every- user's local username, password, and email address from the Ubuntu Forums database."* They have advised their users that if they are using the same password with other services, to change their password immediately. Other services such as Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected. Their current announcement can be read here*."
* http://ubuntuforums.org/announce.html

- http://arstechnica.c...tu-forum-users/
July 21 2013

:ph34r: :ph34r: :(

Edited by AplusWebMaster, 22 July 2013 - 10:33 AM.



#28 AplusWebMaster


Posted 22 July 2013 - 07:00 AM

FYI...

Apple Developer site Breach
- https://isc.sans.edu...l?storyid=16210
Last Updated: 2013-07-22 10:24:34 UTC - "Apple closed access to its developer site after learning that it had been compromised and developers' personal information had been breached [1]. In the notice posted to the site, Apple explained that some developers' personal information like name, e-mail address and mailing address may have been accessed. The note does not mention passwords, or if password hashes were accessed. One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information associated with a site, it is fairly easy to craft a reasonably convincing phishing e-mail using the fact that the site was breached to trick users to reset their password. These e-mails may be more convincing if they include the user's user name, real name or mailing address as stored with the site. A video on YouTube claims to show records obtained in the compromise [2]. The video states that 100,000 accounts were accessed to make Apple aware of the vulnerability in its site and that the data will be deleted."

[1] http://devimages.app...om/maintenance/
[2]

- http://arstechnica.c...ge-on-intruder/
July 21 2013

- https://www.sans.org...issue=59#sID300
July 25, 2013
___

- https://developer.ap.../system-status/
Jul 29 2013 - Updated 5:13 AM PDT

:ph34r: :(

Edited by AplusWebMaster, 29 July 2013 - 06:19 AM.



#29 AplusWebMaster


Posted 22 July 2013 - 10:34 AM

FYI...

OVH hacked ...
- http://blog.dynamoo....ovh-hacked.html
22 July 2013 - "A bad thing to happen, but kudos to OVH for being transparent about this issue* ...":
* http://status.ovh.ne...details&id=5070
"... A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice...
Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)...
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied...
Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases...
We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions..."


- https://en.wikipedia.org/wiki/OVH
"OVH is a privately owned web hosting service company in France that provides dedicated servers, mutual hosting, domain names and VOIP telephony services..."

:( :ph34r: <_<



#30 AplusWebMaster


Posted 23 July 2013 - 11:39 AM

FYI...

SERT Q2-2013 Threat Report
- http://www.darkreadi...endly=this-page
Jul 23, 2013 - "... In addition to OpUSA and PRISM investigations, the SERT Q2 Threat Report summarizes the significant increase in malicious Domain Name System (DNS) requests and denial of service (DoS) activity...
Key Findings:
· 73% of sites -compromised- during OpUSA were hosted on Microsoft IIS web servers
· 17% of the compromised OpUSA targets hosted on Microsoft IIS platforms are running IIS versions 5.0 and 5.1, which are over 10 years old and no longer supported by Microsoft
· 68% of sites compromised by OpUSA attacks were hosted -outside- of the United States
· Increased -malicious- DNS-request traffic was observed originating from global sources
· NSA PRISM has heightened concerns about privacy and data access by the United States Government ..."
* http://www.solutiona...report-q2-2013/

:ph34r: :ph34r: :ph34r:
