
February 19, 2015 Summary - Information Warfare Center (informationwarfarecenter.com/cir/archived/pre/IWC-CIR..., 2015-02-19)

February 19, 2015 The IWC CIR is an OSINT resource focusing on advanced persistent threats and other digital dangers. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage.

Summary

Symantec ThreatCon Level 2 - Medium: Increased alertness

This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating.

There has been a rash of espionage and cyber-attack news leaks over the last few weeks.

• Kaspersky found malware in the firmware of hard drives around the world. The issue with this is that, at this point, no forensic tools can look at the system area or the code on the drive's board. It takes special data recovery tools to get to that area, so this makes it extremely difficult to detect. Some say this malware has ties to Stuxnet and the NSA.

• The hacking group designated "Equation" has been infecting systems since at least 2001. The group's attacks are some of the most sophisticated attacks seen so far. Some say there are ties to the NSA.

• Last year, over 1 billion customer records were stolen from across the industries.

• Hackers were reported to have stolen over $1 billion from US & European banks.

• Encryption in America could be at risk. The Department of Justice is using the 1789 'All Writs Act' to try to force vendors into placing back doors into products so law enforcement can access them.

Extra Tips and Videos

The first episode of CIR Special Report was released covering Anthem's loss of 80 million customer medical records. This can come with possible HIPAA ramifications. The video focuses on responsibility while explaining some of the components of the HIPAA regulation dealing with securing sensitive data. You can view the video here: http://youtu.be/mc3oRBoR2jE.

InformationWarfareCenter.com 1 | Page


News: Information Warfare

Report Exposes US Computer-Espionage Tactics - Wall Street Journal (blog).

Stephen Kim Spoke to a Reporter. Now in Jail. This Is His Story. The Intercept - First Look Media.

Hygiene, Honey Pots, Espionage: 3 Approaches To Defying Hackers - NPR (blog).

Iran upset by cyber espionage tied to US - The Hill.

Cyber espionage group 'Desert Falcons' stole over 1 mn files from 50 countries ... - Zee News.

Post reporter and his wife accused of espionage, Iranian hard-liner says - Washington Post.

Researchers identify advanced espionage team, the 'Equation' group - SC Magazine.

X Company tells true tales of Canadian espionage in World War II (with video) - Canada.com.

Newly Discovered 'Master' Cyber Espionage Group Trumps Stuxnet - Dark Reading.

Mi-Clos Studio Reveals Espionage Epic Sigma Theory - Gamezebo.

What we know about the bank hacking ring - and who's behind it - CNNMoney.

Google warns of US government 'hacking any facility' in the world - The Guardian.

Accused 'Blackshades' Mastermind Alex Yucel Pleads Guilty to Hacking - NBCNews.com.

Russian national accused in largest-ever hacking scheme due in federal court ... - NJ.com.

Game Lets You Hack the Mainframe Just Like in Jurassic Park - Gizmodo.

Life Hacking Enterprise Mobility - Forbes.

Private Eye Is Said to Face Prosecution in a Hacking - New York Times.

The Equation Group's Sophisticated Hacking and Exploitation Tools - Lawfare (blog).

New Study Exposes Visual Hacking as Under-Addressed Corporate Risk - Business Wire.

Hackers Steal Up To $1 Billion From Banks - Huffington Post.

Obama Turns Back On Spooks: "I'm On The Side Of Strong Encryption".

Jamie Oliver's Site Was Dishing Up Malware.

Desert Falcons Hackers Infect Thousands Of Windows And Android Devices.

Lizard Squad DDoSes Xbox Live Again.

Suite Of Sophisticated Nation-State Attack Tools Found With Connection To Stuxnet.

Fight Back Against Illegal GCHQ Spying With Paperwork!.

Mozilla's Flash-Killer 'Shumway' Appears In Firefox Nightlies.

Windows 10 To Adopt Fido Post-Password Protection.

Russian Researchers Expose Breakthrough U.S. Spying Program.

Big Telecom Tried To Kill Net Neutrality Before It Was Even A Concept.

Hackers Fear Arms Control Pact Makes Exporting Flaws Illegal.


Google Amends Bug Disclosure Policy Following Apple And Microsoft Ordeal.

Carbanak Hackers Steal $1bn From Over 100 Banks.

Yet Another Ransomware Variant.

Apple Adds Two-Step Verification Security To iMessage And FaceTime Apps.

Obama To Urge Tech Firms To Share Data With Government.

Biter Bitten As Hacker Leaks Source Code For Popular Exploit Kit.

Bypassing Windows' 10 Protections Using A Single Bit.

Security Flaw Could've Potentially Deleted Every Photo On FB.

Crypto Trick That Makes Reverse Engineering Hard.

US Creates Cyber Threat Center In Face Of Mounting Attacks.

EU Parliament Bans Outlook App Over Cloudy Security.

How Infosec Hiring Lost Its Way: Harsh Findings In Leviathan Report.

DDoS Attack Takes Down Dutch Govt Sites.

Anthem Accused Of Failure To Inform Customers Hit By Hack.

News: HIPAA

Law professors: HIPAA 'not extraordinarily' protective of personal info ... - Legal News Line.

Preparing for Phase 2 HIPAA Audits: It's All About Documentation - The National Law Review.

Longview man guilty of HIPAA violations for personal gain - Tyler Morning Telegraph.

Anthem hack: Does HIPAA federal health privacy law have a gap? - NOLA.com.

Reminder: March 1, 2015 Deadline for Reporting HIPAA Breaches - The National Law Review.

Letter: Now that HIPAA has failed us, what are we to do? - Roanoke Times.

HIPAA Compliance Trends For 2015 - Mondaq News Alerts (registration).

News: SCADA

"Cyber Dome" for the SCADA Environment - IsraelDefense.

The Impact of Piracy on SCADA - Automation World.

Siemens sighs: SCADA bugs abound - The Register.

Banking Trojans Disguised As ICS/SCADA Software Infecting Plants - EE Times.

Hard-Coded FTP Credentials Found in Schneider Electric SCADA Gateway - Threatpost.

B-Scada's Fiscal Year-End 2014 Results Include Record-Setting Quarter - Equities.com.


Exploits

Hybris Commerce Software Suite 5.x File Disclosure / Traversal.

jQuery jui_filter_rules PHP Code Execution.

InstantASP InstantForum.NET 3.x / 4.x Cross Site Scripting.

Piwigo 2.7.3 SQL Injection.

WordPress Duplicator 0.5.8 Privilege Escalation.

DLGuard 4.5 SQL Injection.

DLGuard 4.5 / 4.6 Cross Site Scripting.

CrushFTP 7.2.0 Cross Site Request Forgery / Cross Site Scripting.

GLPI 0.85.2 Shell Upload / Privilege Escalation.

CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection.

Ilch CMS Cross Site Request Forgery.

DLGuard 4.5 Path Disclosure.

Agora Marketplace Cross Site Request Forgery.

X360 VideoPlayer ActiveX Control Buffer Overflow.

WordPress Image Metadata Cruncher CSRF / XSS.

D-Link DSL-2640B Unauthenticated Remote DNS Changer.

Ebay Magento Script Insertion.

ES File Explorer 3.2.4.1 Path Traversal.

Fat Free CRM 0.13.5 Cross Site Request Forgery.

AOL Search Reflected File Download.

WordPress Image Metadata Cruncher Cross Site Scripting.

Cosmoshop Cross Site Scripting.

Duplicator 0.5.8 Privilege Escalation.

Java JMX Server Insecure Configuration Java Code Execution.

GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities.

Guppy CMS 5.0.9 & 5.00.10 Authentication Bypass/Change Email.

eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities.

Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability.

Exponent CMS 2.3.1 - Multiple XSS Vulnerabilities.

IBM Endpoint Manager - Stored XSS Vulnerability.


CVE Advisories

CVE-2015-1579 (2015-02-11)
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. (CVSS:5.0) (Last Update: 2015-02-12)

CVE-2015-1577 (2015-02-11)
Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. (dot dot) or (2) full pathname in the f parameter. (CVSS:6.4) (Last Update: 2015-02-12)

CVE-2015-1575 (2015-02-11)
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php. (CVSS:4.3) (Last Update: 2015-02-12)

CVE-2015-1518 (2015-02-11)
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter. (CVSS:7.5) (Last Update: 2015-02-12)

CVE-2015-1482 (2015-02-04)
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/. (CVSS:5.0) (Last Update: 2015-02-05)

CVE-2015-1481 (2015-02-04)
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser account. (CVSS:6.5) (Last Update: 2015-02-05)

CVE Advisories (continued)

CVE-2015-1480 (2015-02-04)
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. (CVSS:4.0) (Last Update: 2015-02-04)

CVE-2015-1479 (2015-02-04)
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. (CVSS:6.5) (Last Update: 2015-02-06)

CVE-2015-1478 (2015-02-04)
Cross-site scripting (XSS) vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the view parameter to /classifieds. (CVSS:4.3) (Last Update: 2015-02-04)

CVE-2015-1477 (2015-02-04)
SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a viewad task to classifieds/offerring-ads. (CVSS:7.5) (Last Update: 2015-02-04)

CVE-2015-1476 (2015-02-04)
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php. (CVSS:7.5) (Last Update: 2015-02-04)

CVE-2015-1428 (2015-02-03)
Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php. (CVSS:7.5) (Last Update: 2015-02-04)


Zone-H Attack Statistics:

N°   Notifier                         Single def.   Mass def.   Total def.   Homepage def.   Subdir def.
1.   Barbaros-DZ                      3449          157         3606         1223            2383
2.   Hmei7                            2843          1510        4353         774             3579
3.   Ashiyane Digital Security Team   2836          4100        6936         1313            5623
4.   LatinHackTeam                    1438          1266        2704         2254            450
5.   iskorpitx                        1324          955         2279         786             1493
6.   Fatal Error                      1105          1722        2827         2447            380
7.   HighTech                         923           3217        4140         3251            889
8.   chinahacker                      889           1344        2233         4               2229
9.   MCA-CRB                          854           626         1480         374             1106
10.  By_aGReSiF                       757           1427        2184         802             1382


Resources

Links:
DC3 DISPATCH: [email protected]
FBI In the News: [email protected]
Zone-h: www.zone-h.org
Xssed: www.xssed.com
Packet Storm Security: www.packetstormsecurity.org
Sans Internet Storm Center: isc.sans.org
Exploit Database: www.exploit-db.com
Hack-DB: www.hack-db.com
Infragard: www.infragard.org
ISSA: www.issa.org
CyberForensics360: www.cyberforensics360.org
netSecurity: www.netsecurity.com
Tor Network Cyber Secrets: www.informationwarfarecenter.com/Cyber-Secrets.html