Thursday, August 27, 2015

CONFIRMED BREACHED: August Benefits Inc - Attack on SLC Security

The following hosts have been detected as potentially breached, based on data from sensors owned and operated by SLC Security. We have decided to start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or be used by attackers as a jump point for further attacks. The following list contains the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

Our Security Operations Center has detected a US company attempting to hack into our network. We believe this host to be compromised and have sent a notification to August Benefits to alert them of the situation.

173.220.57.150 - Observed in Attacks

Tuesday, August 25, 2015

Alert Posted

A new critical alert was posted for SLC Security clients regarding new, previously unknown APT-like activity detected by the SOC. This activity has been ongoing for over a year, so if you received the bulletin it may be a good time to check your networks and infrastructure.


Friday, August 21, 2015

Why did Ashley Madison lie about the data breach initially and who was responsible for the fake torrents that appeared?

So it's been nothing short of an interesting week for Ashley Madison and the information that has come out of the breach. Initially we reported that the data was incomplete, but that was because the information we obtained was from an earlier "purported" breach that had bad data in it. So the question then becomes: where did that information come from? During this same period, Avid Life Media stated that full credit card data was not leaked.

Research with one of our partner firms shows that the public data contains only partial card numbers, but the fact that the CEO's email was leaked in the second wave of data indicates that the hacker(s) more than likely had access to everything, or that it was an inside job.

Surprisingly, some media outlets have decided to share the information without redaction. We are not sure of the legal ramifications of doing so, but it's very interesting to watch this play out. I would be willing to bet that a jilted spouse is either responsible for this activity or is actively supporting it.

What is interesting is that many attorneys are sure to be dancing with joy at the influx of new cases heading their way, and the law firms responsible for defending Ashley Madison will have work for the foreseeable future once the legal drums start beating.

We still wonder who is responsible for the previously leaked data, as there is some crossover between the data sets, indicating that this may not have been the first time the company was breached.

We are watching this as it unfolds...

Wednesday, August 12, 2015

US Government and Military Hacked by ISIS?

Absolutely. It's the same information I posted yesterday.

See this article - Click Here

We have now seen information being leaked and cannot name individual companies at this time, but the attackers are getting in through Government contractors. Information has been shared confirming that they have actively stolen information on communications facilities and may have used that information in further attacks. We have 6 days left in our notification wait period, and then we will post the information we received in our Threat Intelligence Platform to our subscribers.

Government contracting companies should start looking through their systems and get real security vendors to help them protect their networks.

Here we go again...

BREACH: habbo.nl

The system at www.habbo.nl has been compromised and user information has since been posted to several forums. The information on this incident is available in the SLC Security Services LLC threat intelligence platform.


SLC Security HIDS Client

SLC Security Services has developed a HIDS client that works with the open source MISP system (www.misp-project.org). The platform was designed with business and point-of-sale terminals in mind and comes with some really useful features, such as IP source and destination monitoring; MD5, SHA256 and SHA1 malware hash checking; and a feature to disconnect any compromised system or deny network access to any device that is detected connecting to a malicious site present in the MISP platform.

The initial release will only be for our paying customers, with an open source version planned that will connect to ANY MISP server, allowing a company to use the open source product to protect its network assets. Currently the supported platforms are Windows 95, 98, NT, XP, 2000, 2008, Windows 7/8/10 and Linux (via a wrapper that is not included in the open source version). The open source version will be released on 1 September 2015; the closed source version is now available to SLC Security Services LLC customers and business partners.

For more information, please email the SOC for a 30 day trial of our MISP platform with the integrated Host Intrusion Detection client. The free open source version will be posted to our GitHub account in early September.

Screenshot of threat detection (this was just a test)

Minimal Hardware Resources Required (4MB of RAM)




Tuesday, August 11, 2015

Large Telecommunications Company Appears to have been Breached

SLC Security researchers have located information indicating that a large telecommunications company servicing Government clients has had a database compromised. We are in the process of notifying the affected company and will wait our standard 7 days until we release the information that we have located.

Notifications Sent: 8-11-2015

After further review it appears as though the information found may also impact a large Government contractor. Additional research is currently being performed, but the leaked information appears to be confirmed based on OSINT research that was conducted earlier.

Related Article: http://www.nbcnews.com/storyline/isis-terror/isis-group-claims-have-hacked-information-military-personnel-n408236

8-12-2015: As of 8-12-2015 none of the notified entities have responded to our notification. We will wait 6 more days before posting the entities involved, giving them time to perform remediation on any issues they may have discovered as part of this incident.

8-19-2015: None of the notified entities have responded. SLC Security Services LLC has posted information concerning the release of proprietary Zayo information about facilities in Northern Virginia to our Threat Intelligence Platform.

For a trial of our threat intelligence platform please visit www.slcsecurity.com.


Monday, August 10, 2015

Recent Attackers

It seems these attackers would like to be blocked on the networks of 400+ corporations.

Domain,IP,Subnet,"MX Hostname","MX IP",DNS,"IP ISP","ISP City","ISP Region","ISP Country","IP Organization","Org City","Org Region","Org Country"
125.ip-92-222-221.eu,92.222.221.125,92.222.221.0,-,,-,"OVH SAS",france,Unknown,FR,"OVH SAS",france,Unknown,FR
freelive.arvixevps.com,198.58.95.13,198.58.95.0,-,,-,"Arvixe, LLC","Santa Rosa",CA,US,"Arvixe, LLC","Santa Rosa",CA,US
101.212.67.21,101.212.67.21,101.212.67.0,-,,-,Unknown,gurgaon,Unknown,IN,AIRCEL-Kolakta-MobileBroadband-Customer,gurgaon,Unknown,IN
nairobi.pollmans.co.ke,196.207.30.180,196.207.30.0,smtpin.accesskenya.com.,127.255.255.255,-,"African Network Information Center",Ebene,Unknown,MU,NET-196-207-30-180,Unknown,Unknown,KE
89.121.207.234,89.121.207.234,89.121.207.0,-,,-,Unknown,vitan,Unknown,RO,"Romtelecom Data Network",vitan,Unknown,RO
199.58.185.178,199.58.185.178,199.58.185.0,-,,-,"Total Server Solutions L.L.C.",Atlanta,GA,US,"Total Server Solutions L.L.C.",Atlanta,GA,US
193.0.200.135,193.0.200.135,193.0.200.0,-,,-,Unknown,moscow,Unknown,RU,"MediaServicePlus Ltd",moscow,Unknown,RU
193.0.200.134,193.0.200.134,193.0.200.0,-,,-,Unknown,moscow,Unknown,RU,"MediaServicePlus Ltd",moscow,Unknown,RU
asco-78-120.dns-iol.com,195.200.78.120,195.200.78.0,-,,-,"INFORMATIQUE ON LINE SARL",france,Unknown,FR,"INFORMATIQUE ON LINE SARL",france,Unknown,FR
101.212.72.107,101.212.72.107,101.212.72.0,-,,-,Unknown,gurgaon,Unknown,IN,AIRCEL-Kolakta-MobileBroadband-Customer,gurgaon,Unknown,IN
185.40.4.32,185.40.4.32,185.40.4.0,-,,-,Hostgrad,ivanovo,Unknown,RU,Hostgrad,ivanovo,Unknown,RU
118.98.75.78,118.98.75.78,118.98.75.0,-,,-,"PT TELKOM INDONESIA",Unknown,Unknown,ID,"PT TELKOM INDONESIA",Unknown,Unknown,ID
190.144.93.54,190.144.93.54,190.144.93.0,-,,-,Unknown,bogota,Unknown,CO,"Telmex Colombia S.A.",bogota,Unknown,CO
50-193-219-125-static.hfc.comcastbusiness.net,50.193.219.125,50.193.219.0,-,,-,"Comcast Cable Communications Holdings, Inc","Mt Laurel",NJ,US,"Comcast Cable Communications Holdings, Inc","Mt Laurel",NJ,US
23.238.235.108,23.238.235.108,23.238.235.0,-,,-,"Psychz Networks",Walnut,CA,US,"Psychz Networks",Walnut,CA,US
ip-97-74-114-49.ip.secureserver.net,97.74.114.49,97.74.114.0,-,,-,"GoDaddy.com, LLC",Scottsdale,AZ,US,"GoDaddy.com, LLC",Scottsdale,AZ,US
cri8.ro,80.97.51.238,80.97.51.0,mx2.zohomail.com.,74.201.154.201,ns1.cri8.ro.,"SC Full Duplex SRL",lacul,Unknown,RO,"SC Full Duplex SRL",lacul,Unknown,RO
ns3006932.ip-151-80-35.eu,151.80.35.207,151.80.35.0,-,,-,"RIPE Network Coordination Centre",Amsterdam,Unknown,NL,"OVH SAS",france,Unknown,FR
124.2.53.233,124.2.53.233,124.2.53.0,-,,-,Unknown,seoul,Unknown,KR,"SK Networks co., Ltd",seoul,Unknown,KR
76.66.232.19,76.66.232.19,76.66.232.0,-,,-,"Bell Canada",Ottawa,ON,CA,"Medix School",Scarborough,ON,CA
201.137.62.171,201.137.62.171,201.137.62.0,-,,-,"Gestión de direccionamiento UniNet",mexico,Unknown,MX,"Gestión de direccionamiento UniNet",mexico,Unknown,MX
180.250.214.34,180.250.214.34,180.250.214.0,-,,-,Unknown,jakarta,Unknown,ID,"PT TELKOM INDONESIA",jakarta,Unknown,ID
75.126.79.105-static.reverse.softlayer.com,75.126.79.105,75.126.79.0,-,,-,"SoftLayer Technologies Inc.",Dallas,TX,US,"SoftLayer Technologies Inc.",Dallas,TX,US
119.94.3.26,119.94.3.26,119.94.3.0,-,,-,PLDT_JNEHUBS002_DHCP,makati,Unknown,PH,PLDT_JNEHUBS002_DHCP,makati,Unknown,PH
ns3007688.ip-151-80-97.eu,151.80.97.75,151.80.97.0,-,,-,"RIPE Network Coordination Centre",Amsterdam,Unknown,NL,"OVH SAS",france,Unknown,FR

Sunday, August 9, 2015

OMB Credit Monitoring Failure

It has come to our attention that many of the affected individuals have not been able to sign up for credit monitoring. Under the CSID program that was set up after the OMB breach, potentially thousands of former contractors and employees are not being covered or have not received a PIN to register for credit monitoring. In addition, the system is only a best-effort attempt to reach affected individuals.

Several of our staff members, including active duty and reserve personnel, employees and contractors, have not been notified even though the addresses last used on their SF-86 forms are up to date.

This is troubling: unless you are still contracting, they seem to have forgotten, or have failed, to notify these individuals.

Some people that have never had clearances or have never even applied for a clearance have been notified and are also scratching their heads.

One individual that has held at least a secret clearance since 1992 through this year has not received a notification. The question then becomes how are they determining if your information was stolen or if you are affected. Based on the provided time frame put out by the media this individual should have been affected since not only did they hold a DOD clearance but were also a former Federal Employee as well as active duty military and subsequently an Active Ready Reservist during the times indicated by OMB.

It seems as though OMB has turned their backs on some people either in an attempt to save money or because they simply don't care. This looks all too familiar to how private industry has handled breaches and is quite alarming.




Wednesday, August 5, 2015

Are we tired of this already??? - A look at the notorious Inbound Fax Messages

As most of you already know, the "incoming fax" messages that show up in your email carry malware. Many admins already block the content (as do we). Over the past few years we have noted several different malware variants being emailed into organizations this way, so we wanted to revisit it.

Let's look at the message (some items redacted):
From hqkojrw@brainspinepro.com Thu Jul 30 12:05:30 2015
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89) with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <31DA69X079P7LBBJSZI4VZ7CIPTWMO758HB32B@slcsecurity.com>
X-MS-Exchange-Organization-AuthSource: N1H9TKQAUB454EE@slcsecurity.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 08
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;8;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <M3GL0YSLTX1N4Q9Q9OBT1X1PMHSYE0S37QZ6GW@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_Next_13154_4863437313.0814823955998"
X-Spam-Status: No, score=0.3
X-Spam-Score: 3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 
 Content preview:  INCOMING FAX REPORT Date/Time: Thu, 30 Jul 2015 21:11:59
   +0600 Speed: 4393bps Connection time: 03:07 Pages: 5 Resolution: Normal Remote
    ID: 496-347-5344 Line number: 2 DTMF/DID: Description: Internal only [...]
    
 
 Content analysis details:   (0.3 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.202.20;r=www.slcsecurity.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-Spam-Flag: NO
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain; 
Content-Transfer-Encoding: 8bit

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
Speed: 4393bps
Connection time: 03:07
Pages: 5
Resolution: Normal
Remote ID: 496-347-5344
Line number: 2
DTMF/DID:
Description: Internal only

To download / view please download attached file

*********************************************************

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"


As you can see, the message makes it through the spam filter. It also gets past BoxTrapper without detection because of the spoofed sender domain. So let's have a look and see what we can find out about the incoming "fax" message.

A phone number appears as 496-347-5344. Well, we can tell you right off that if this is an SLC Security Services employee we must have an office in cyberspace somewhere, because area code 496 doesn't exist. This just goes to show that these actors are blindly making up information to try to make it look legit. Normally I would just stop here, but let's keep going and have a closer look.
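The indicators called out above (the From header claiming slcsecurity.com while the envelope sender and HELO belong to other domains, the SPF HELO failure and blacklist hits that the filter scored too low, a ZIP attachment on a "fax" lure, and a Remote ID with an unassignable area code) can be checked mechanically at the mail gateway. The following Python is an added example written for this post; it is not SLC Security's code. It works over an abbreviated copy of the headers shown above, constructed inline as SAMPLE_MESSAGE, and over a constructed benign message for comparison. The rule names it treats as suspicious are the SpamAssassin rules visible in the X-Ham-Report; the area code check uses the NANP format rule that codes with 9 as the middle digit are reserved and cannot be assigned. The quarantine threshold of three findings is an assumption for the example.

```python
import re

# NANP area codes are [2-9][0-8][0-9]; N9X codes are reserved for future expansion.
NANP_AREA_CODE = re.compile(r"^[2-9][0-8][0-9]$")
# SpamAssassin rules seen in the X-Ham-Report above that indicate a forged sender.
SUSPICIOUS_RULES = {"SPF_HELO_FAIL", "RCVD_IN_MSPIKE_BL", "RCVD_IN_MSPIKE_ZBI",
                    "RDNS_NONE", "HEADER_FROM_DIFFERENT_DOMAINS"}
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".cab")

# Constructed sample: abbreviated headers and body of the "Incoming Fax" message quoted above.
SAMPLE_MESSAGE = """\
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
 has NOT identified this incoming email as spam.
  pts rule name              description
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

INCOMING FAX REPORT
Remote ID: 496-347-5344
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"
"""

# Constructed benign message (example.org is a documentation domain) for comparison.
BENIGN_MESSAGE = """\
Received: from mail.example.org ([203.0.113.5] helo=mail.example.org)
 by www.example.org with esmtp (envelope-from <alice@example.org>)
From: Alice <alice@example.org>
To: bob@example.org
Subject: meeting notes

See you tomorrow.
"""


def unfold(raw):
    """Join RFC 5322 folded header continuation lines onto their parent line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def valid_nanp_area_code(phone):
    digits = re.sub(r"\D", "", phone)
    return len(digits) == 10 and bool(NANP_AREA_CODE.match(digits[:3]))


def analyze_fax_lure(raw):
    """Return a verdict plus the list of sender-forgery and lure indicators found."""
    text = unfold(raw)
    headers, _, body = text.partition("\n\n")

    def grab(pattern, where=headers):
        m = re.search(pattern, where, re.M | re.I)
        return m.group(1) if m else ""

    from_addr = grab(r"^From:.*?<([^>]+)>")
    env_from = grab(r"envelope-from <([^>]+)>")
    helo = grab(r"helo=([^\s)]+)").lower()
    attachment = grab(r'Content-Disposition: attachment; filename="([^"]+)"', body)
    remote_id = grab(r"^Remote ID:\s*(.+)$", body)
    # Rule names follow a score like "0.0" or "-1.9" in the filter report.
    rules = set(re.findall(r"-?\d+\.\d+\s+([A-Z][A-Z0-9_]+)", headers))

    findings = []
    if from_addr and env_from and domain_of(from_addr) != domain_of(env_from):
        findings.append(f"From domain {domain_of(from_addr)} != envelope-from domain {domain_of(env_from)}")
    claimed = domain_of(from_addr) if from_addr else ""
    if helo and claimed and not (helo == claimed or helo.endswith("." + claimed)):
        findings.append(f"HELO {helo} is not part of the claimed sender domain {claimed}")
    for rule in sorted(rules & SUSPICIOUS_RULES):
        findings.append(f"spam filter rule hit: {rule}")
    if attachment.lower().endswith(RISKY_EXTENSIONS):
        findings.append(f"archive/executable attachment on a fax lure: {attachment}")
    if remote_id and not valid_nanp_area_code(remote_id):
        findings.append(f"Remote ID {remote_id} has an unassignable NANP area code")
    verdict = "quarantine" if len(findings) >= 3 else "deliver"  # threshold is an assumption
    return {"verdict": verdict, "findings": findings, "rules": rules}


if __name__ == "__main__":
    for name, msg in (("fax lure", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        result = analyze_fax_lure(msg)
        print(name, "->", result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The point of combining the checks is that none of them is decisive alone (the filter scored each at 0.0 to 1.4 points), but a message that fails the HELO/SPF check, arrives from a blacklisted host with no rDNS, claims an internal From address and carries a ZIP attachment should never reach a user's inbox, whatever the Bayes score says.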

The source of the message is 116.58.202.20, so let's see what the SLC Security Services LLC Threat Intelligence Platform knows about this IP.

So after a quick search by IP source here is what we find:

Event ID: 454
Org: SLC Security Services LLC
Email: soc@slcsecurity.com
Tags: TLP:AMBER
Source: Malware
Description: Upatre Sample Received by Customers

So as you can see, it's not the first time we have seen this particular malware from this source.

Let's look at the binary attachment:

When this is sent to the sandbox, the file is immediately identified as a threat:
Incoming Fax_496-347-5344.zip
Submitted on August 3rd 2015 17:27:24 (CDT) with target system Windows 7 32 bit
Report generated by VxStream Sandbox v2.10 © Payload Security

41/55 Antivirus vendors marked sample as malicious (74% detection rate)

Filename Incoming Fax_496-347-5344.zip
Size 47KiB (47616 bytes)
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Architecture 32 Bit
MD5 7e01d9705da0a983af63906edffb5b08
SHA1 63433b4a2ced77ed330327b0cdb6704edc811654
SHA256 e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24
SHA512 436f98941b3627bf1eb38a992aee58e3c2a1122ff3fd566a53847e5aba87fad4d287f4545a43edfbf4f9b6ab008d6bb5fbe42cce124680763e562ef58ea390f9
SSDEEP 768:OpVuoqbBLfCei7s8sOY5JvW5JxVIAA3FLH6UVrx:OqPbA1sOwJvW5JvIAA3dH
IMPHASH b477cb958ff28fadb9e15660c99a77fe
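The sandbox hashes above are exactly the kind of MISP attribute that the HIDS client described in the "SLC Security HIDS Client" post checks files against, and the "Recent Attackers" CSV earlier on the page is the kind of list it uses for destination-IP monitoring. The following Python is an added example, not the HIDS client's code or any MISP project code; it shows the two checks side by side. The hash indicators are the MD5/SHA1/SHA256 values from the VxStream report, the IP indicator is the fax lure's sending address, and ATTACKER_CSV is a constructed excerpt of the CSV restricted to the columns used here. The "disconnect" / "deny" actions are returned as decisions rather than applied to a real interface.

```python
import csv
import hashlib
import io
import ipaddress

# MISP-style attributes built from values quoted on this page: the VxStream report's
# hashes for "Incoming Fax_496-347-5344.zip" and the fax lure's source IP.
HASH_INDICATORS = {
    "md5": {"7e01d9705da0a983af63906edffb5b08"},
    "sha1": {"63433b4a2ced77ed330327b0cdb6704edc811654"},
    "sha256": {"e11575f7d8abee81f345f6a754d0d42b2bf42f6b05b3a9c64b531830b4268d24"},
}
IP_INDICATORS = {"116.58.202.20"}

# Constructed excerpt of the "Recent Attackers" CSV (Domain, IP, Subnet columns only).
ATTACKER_CSV = """\
Domain,IP,Subnet
125.ip-92-222-221.eu,92.222.221.125,92.222.221.0
freelive.arvixevps.com,198.58.95.13,198.58.95.0
193.0.200.135,193.0.200.135,193.0.200.0
193.0.200.134,193.0.200.134,193.0.200.0
"""


def load_attacker_subnets(csv_text):
    """Turn the Subnet column (the network address of a /24) into deduplicated ip_network objects."""
    nets = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        nets.add(ipaddress.ip_network(row["Subnet"] + "/24", strict=False))
    return nets


def file_hashes(data):
    """Compute the three digests the HIDS post lists, over the file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def check_file(data, indicators=HASH_INDICATORS):
    """Return the digests and which hash types matched a known-malicious indicator."""
    digests = file_hashes(data)
    matched = [name for name, value in digests.items() if value in indicators.get(name, ())]
    return {"hashes": digests, "matched": matched}


def check_connection(dst_ip, subnets, ip_indicators=IP_INDICATORS):
    """Deny a destination that is an exact IP indicator or lies inside an attacker subnet."""
    addr = ipaddress.ip_address(dst_ip)
    if str(addr) in ip_indicators:
        return "deny"
    if any(addr in net for net in subnets):
        return "deny"
    return "allow"


def hids_action(file_data, destinations, subnets):
    """Decide the host-level response: isolate on a hash hit, otherwise deny bad destinations."""
    if check_file(file_data)["matched"]:
        return {"action": "disconnect-host", "denied": list(destinations)}
    denied = [d for d in destinations if check_connection(d, subnets) == "deny"]
    return {"action": "deny-destinations" if denied else "none", "denied": denied}


if __name__ == "__main__":
    nets = load_attacker_subnets(ATTACKER_CSV)
    print("attacker subnets:", sorted(str(n) for n in nets))
    print(check_file(b"constructed harmless file contents"))
    print(hids_action(b"constructed harmless file contents",
                      ["8.8.8.8", "193.0.200.134", "116.58.202.20"], nets))
```

Matching all three hash types rather than one means a single attribute type missing from an event (many sharers publish only MD5) still yields a hit, and keying the subnets as /24 networks mirrors the CSV's Subnet column, which already generalises each attacker IP to its containing /24.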

We are so over these incoming fax messages...

Monday, August 3, 2015

AshleyMadison data appearing in the underground

Our researchers have started uncovering large amounts of information possibly from the AshleyMadison breach. We have identified several files containing the name, phone number and billing information as well as profile locations on the Ashley Madison website over the last several hours.

It appears as though information on some of the high-frequency users of the system is starting to be posted, so we are watching to see if a full dump of the stolen data appears.

UPDATE 8/5/2015:
As of today we have not seen a full dump of data, beyond very specific information on high-frequency users of the system. We are also seeing some additional personal information being posted, such as employment information, which may be an attempt to ruin the person's reputation. This makes sense, as the attacker had stated via Twitter that he wanted to get back at the immoral use of these sites.

If we see any additional information we will be posting it to our Threat Intelligence Platform. If you would like access to our threat intelligence platform, please go to http://ui.slcsecurity.com/ and click on "create an account". This service is only available to paid subscribers or trusted industry partners.