Original release date: November 03, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 29, 2014 | Last revised: October 30, 2014

Drupal released a public service announcement to address active exploitations of a previously patched vulnerability found in Drupal core 7.x versions prior to 7.32.

US-CERT advises users and administrators to review Drupal’s Public Service announcement and apply the necessary updates or workarounds.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 27, 2014 | Last revised: October 28, 2014

Systems Affected

Microsoft Windows

Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user’s system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:

• Subject: “Unpaid invoic” (Spelling errors in the subject line are a characteristic of this campaign)
• Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):

• Copies itself under C:Windows[RandomName].exe
• Created a Service named “Google Update Service” by setting the following registry keys:
  • HKLMSYSTEMCurrentControlSetServicesgoogleupdateImagePath: “C:WINDOWSpfdOSwYjERDHrdV.exe”
  • HKLMSYSTEMCurrentControlSetServicesgoogleupdateDisplayName: “Google Update Service”[11]

Impact

A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.

Solution

Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:

• Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.
• Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]
• Follow safe practices when browsing the web. See Good Security Habits [9]and Safeguarding Your Data [10] for additional details.
• Maintain up-to-date anti-virus software.
• Keep your operating system and software up-to-date with the latest patches.

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to [email protected].

References

• [1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014
• [2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014
• [3] New Banking Malware Dyreza, accessed October 16, 2014
• [4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014
• [5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014
• [6] VirusTotal Analysis, accessed October 16, 2014
• [7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks
• [8]US-CERT Recognizing and Avoiding Email Scams
• [9] US-CERT Security Tip (ST04-003) Good Security Habits
• [10] US-CERT Security Tip (ST06-008) Safeguarding Your Data
• [11] MS-ISAC CIS CYBER ALERT

Revision History

• October 27, 2014: Initial Release
• October 28, 2014: Added Reference 11 in Description Section

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 27, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 23, 2014

Apple has released QuickTime 7.7.6 for Windows 7, Vista, XP SP2 or later to address multiple vulnerabilities, some of which may allow remote attackers to execute arbitrary code or cause a denial of service.

Users and administrators are encouraged to review Apple Support Article HT6493 and apply any necessary updates.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 22, 2014 | Last revised: October 23, 2014

Systems Affected

Microsoft Windows

Overview

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

• Present its main characteristics, explain the prevalence of ransomware, and the proliferation of crypto ransomware variants; and
• Provide prevention and mitigation information.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:

• “Your computer has been infected with a virus. Click here to resolve the issue.”
• “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
• “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

• Temporary or permanent loss of sensitive or proprietary information;
• Disruption to regular operations;
• Financial losses incurred to restore systems and files; and
• Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Maintain up-to-date anti-virus software.
• Keep your operating system and software up-to-date with the latest patches.
• Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
• Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
• Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC .

References

• Kaspersky Lab, Kaspersky Lab detects mobile Trojan Svpeng: Financial malware with ransomware capabilities now targeting U.S.
• United States National Cybersecurity and Communications Integration Center, Cryptolocker Ransomware
• Sophos / Naked Security, What’s next for ransomware? CryptoWall picks up where CryptoLocker left off
• Symantec, CryptoDefence, the CryptoLocker Imitator, Makes Over $34,000 in One Month
• Symantec, Cryptolocker: A Thriving Menace
• Symantec, Cryptolocker Q&A: Menace of the Year
• Symantec, International Takedown Wounds Gameover Zeus Cybercrime Network

Revision History

• October 22, 2014: Initial Release

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 22, 2014

Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability, (CVE-2014-6352) which affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an attacker to take control of an affected system if a user opens a specially crafted Microsoft Office file.

US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 20, 2014

Apple has released security updates for iOS devices and Apple TV to address multiple vulnerabilities, one of which could allow an attacker to decrypt data protected by SSL.

Updates available include:

• iOS 8.1 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
• Apple TV 7.0.1 for Apple TV 3rd generation and later

Users and administrators are encouraged to review Apple security updates HT6541 and HT6542, and apply the necessary updates.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 20, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

• High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

• Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

• Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

---

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: October 17, 2014

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. Exploitation of this vulnerability may allow a remote attacker to decrypt and extract information from inside an encrypted transaction.

US-CERT recommends users and administrators review TA14-290A for additional information and apply any necessary updates to address this vulnerability.

---

This product is provided subject to this Notification and this Privacy & Use policy.