GMail quirk used to subvert website spam tracking
Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:
login failed for s.ervic.d.157.6@gmail.com
login failed for se.rv.icd.15.76@gmail.com
login failed for r.a.mo.s.odalys.33.3@gmail.com
login failed for sho.ppin.g48service@gmail.com
The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register alexs12345@gmail.com but then begin sending email to a.l.e.x.s.1.2.3.4.5@gmail.com, it will arrive in my new inbox despite the additional periods.
Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?
Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?
Let us know what you think in the comments!
--
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford
Odd new ssh scanning, possibly for D-Link devices
I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users, D-Link, admin, and ftpuser. Given the first of those usernames, I suspect that they are targetting improperly configured D-Link routers or other appliances that have some sort of default password. The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in. If anyone out there has any more info on what exactly they are targetting, please let us know by e-mail, via the contact page, or by commenting on this post. I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.
---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
Two VMWare Security Updates for vCloud Automation Center and Airwatch
We got two security updates from VMWare this week:
VMWare ID | CVE | Product | Details |
VMSA-2014-0013 | CVE-2014-8373 | VMware vCloud Automation Center | Remote privilege escalation vulnerability. Authenticated remote users may obtain administrative privileges. Mitigated by turning off "Connect (by) Using VMRC" |
VMSA-2014-0014 | CVE-2014-8372 | AirWatch | A direct object reference vulnerability allows users to see each others information. |
VMSA-2014-0013 (CVE: http://www.vmware.com/security/advisories/VMSA-2014-0013.html
Malware Signed With Valid SONY Certificate (Update: This was a Joke!)
Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite "harmless" and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename for the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr, and uploaded it to Virustotal to alert security companies. Kaspersky analyzed the sample, and published the results, not realizing that this was not an "in the wild" sample. [1] The certificate has been added to respective CRLs.
--- original story ---
We haven't really mentioned the ongoing SONY compromise here. In part, because there is very little solid information public (and we don't want to just speculate), and also, without a good idea about what happened, it is difficult to talk about lessons learned.
However, one facet of he attack may have wider implications. Securelist is reporting that they spotted malware that is signed with a valid SONY certificate. It is very likely that the secret key used to create the signature was part of the loot from the recent compromise. Having malware that is signed by a major corporation will make it much more likely for users to install the malware. It also emphasizes again the depth at which SONY was (or is) compromised. [2]
An effort is underway to revoke the certificate. But certificate revocation lists are notoriously unreliable and slow to update so it may take a while for the revocation to propagate.
Stolen certificate serial number: 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
Thumbprint: 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a
[2] https://twitter.com/afreak/status/542539515500298240
[1] http://securelist.com/blog/security-policies/68073/destover-malware-now-digitally-signed-by-sony-certificates/
Adobe December Patch Tuesday
Adobe today released two new bulletins, and updaed the Reader/Acrobat bulletin that was published a week ago.
APSB14-27: Security Update for Adobe Flash Player
This update fixes 6 vulnerabilities, some of which can lead to remote code execution. Adobe rates this patch with a priority of "1", indicating that the vulnerability has already been exploited in targeted attacks.
APSB14-28: Security Update for Adobe Reader and Acrobat
This updates fixes 20 different vulnerabilities. The bulletin has a rating of 1.
APSB14-29: Hotfixes for ColdFusion
This bulletin applies to ColdFusion 10 and 11 and fixes a denial of service vulnerability (CVE-2014-9166). The vulnerability has not been used in any exploits so far.
http://helpx.adobe.com/security.html
Comments