Security Bulletin #100
European law enforcement takes down Darknet marketplace
Europol has supported the Slovak authorities in their investigation into a Slovak national who had been trading firearms, ammunition, and drugs on the Darknet. Law enforcement has seized the server running the darknet marketplace, and experts are analyzing it for evidence and other information useful to the investigation. Europol supported Slovakia throughout the entire investigation by providing its analytical and financial intelligence capabilities. In addition, a cross-check performed during the house searches generated a hit in Europol’s databases, which helped investigators identify a Darknet vendor living in another EU country. Darknet marketplaces are important facilitators of criminal activity, so monitoring this ecosystem is crucial for law enforcement.
Malware warning for Mac users
A mirror download server for the popular HandBrake video-transcoding app has been compromised by hackers, who replaced its Mac edition with malware. Up-to-date ESET security products detect the malicious download as OSX/Proton.A, a trojan horse which allows attackers to remotely access infected Mac computers, opening up opportunities for them to take screenshots, capture credit card details and passwords as they are typed, hijack the webcam, and steal files. Mac users are typically less likely to be running an anti-virus product than their Windows counterparts, making them a soft target for cybercriminals interested in the platform. HandBrake advises that users check the SHA checksum when they download new versions of the app from its mirror site, but it’s hard to imagine that many people ever bother to do such a thing.
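The checksum check HandBrake recommends is quick to script, and a scripted check is the one people actually run. The following is an added example, not code from the bulletin or from the HandBrake project: a small POSIX shell function that hashes a downloaded file with whatever SHA-256 tool the machine has (sha256sum, shasum or openssl) and compares it with the digest published on the project's own HTTPS download page. The function names and the placeholder file name are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the bulletin or the HandBrake project): verify a
# downloaded file against a published SHA-256 checksum before opening it.
# The expected digest should be copied from the project's official download
# page over HTTPS, not from the mirror that served the file, since a
# compromised mirror can publish a matching hash for its own malicious build.

sha256_of() {
    # Print the hex SHA-256 of the file in $1, using whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

verify_download() {
    # $1 = path to the downloaded file, $2 = expected SHA-256 hex digest.
    # Returns 0 on match, 1 on mismatch, 2 if the file does not exist.
    file="$1"
    # Normalise case so a digest pasted in upper-case still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify: $file: no such file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file (do not open it)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (placeholder file name and digest; substitute the real values):
#   verify_download HandBrake-<version>.dmg <digest copied from the official site>
```

On a mismatch the function prints both digests to stderr and returns non-zero, so it can gate an install step in a script (`verify_download file.dmg "$DIGEST" && open file.dmg`). The case normalisation matters in practice because vendors publish digests in both upper and lower case.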
The Bondnet botnet - From China with Love
There’s a new botnet in town and it’s named after the spy with a licence to kill, James Bond. The new Bondnet botnet “Bond007.01” was discovered coming out of China by researchers at Guardicore Labs, and it has infected an estimated 15,000 Windows servers worldwide. The infected systems span government, corporate, university, city and hospital computers. The attacker can take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks, and more. The prime targets for the Bondnet attacks seem to be Windows 2008 servers running MySQL; however, the creators employ a wide variety of targets and exploits to infect a system. The primary attack surface appears to be Windows RDP combined with brute-force attacks against weak credentials. The attackers also used a range of attacks against other server software, including JBoss, Oracle web apps, MSSQL and Apache Tomcat. Once the Bondnet intruder has broken into the Windows system, it installs a series of Visual Basic programs, DLLs and Windows management programs that act as a Remote Access Trojan (RAT) and a cryptocurrency mining system. The RAT provides backdoor access for the Bondnet controllers, and the mining system reports back its results so the controllers can profit from the stolen computing resources.
CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)
CERTFR-2017-ALE-006: Multiple vulnerabilities in Siemens RUGGEDCOM ROX I (29 March 2017)
CERTFR-2017-ALE-005: Vulnerability in Cisco switches (20 March 2017)