#us-cert

Trump kowtows to Kim as Kim continues attacks. Yet Dotard declared Canada a National Security Threat #IdiotInChief

The first warning was on May 29.

The Singapore Summit between Trump and Kim Jong Un was on June 12. Trump cancels military "War Games”

The latest warning comes 2 days afterwards. DOTARD, how embarrassing. #DPRK #LazarusGroup #WannaCry

Kim has no respect for Trump #Laughingstock 💣

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about a new form of malware used by North Korea to compromise computers as part of the Hidden Cobra campaign.

Dubbed Typeframe, this malware can do pretty much the same things as other cyber-infections discovered earlier this year and allegedly used by the North Korean government, including downloading and installing other payloads, changing firewall rules, and waiting for instructions from a control center.

The Department of Homeland Security (DHS) says it has discovered 11 malware samples consisting of 32-bit and 64-bit Windows executable files and a Microsoft Word document containing macros that are being used to deploy the malware on target computers.

On May 29, a warning revealed that North Korea has been using two different families of malware called Joanap and Brambul since at least 2009 to track activity on the infected computers. Citing third-party reports, the US-CERT said North Korea used Hidden Cobra attacks against targets worldwide and in the United States, including the media, aerospace, financial, and other infrastructure sectors.

Countries like Argentina, Belgium, China, Spain, Saudi Arabia, Taiwan, and Sweden have been targeted, the US-CERT explained.

Texas flood: Beware of scammers, FBI warns donors

Two U.S agencies, along with the FBI, have warned  potential donors wishing to aid victims of Hurricane Harvey that unscrupulous scammers may set up shop in the storm’s wake.

The Federal Trade Commission (FTC) and the U.S. Computer Emergency Readiness Team (US-CERT)  warned that phishing scams and bogus e-mail solicitations may target potential givers. US-CERT warned users to be cautious when…

Man-in-the-middle (MITM) attacks occur when a third party intercepts and potentially alters communications between two different parties, unbeknownst to the two parties. MITM attacks can be used to inject malicious code, intercept sensitive information like protected health information (PHI), expose sensitive information, and modify trusted information.

Many organizations have implemented end-to-end connection security on their internet transactions using Secure Hypertext Transport Protocol, or “HTTPS.”  Additionally, some organizations use “HTTPS interception products” to detect malware over an HTTPS connection. HTTPS interception products, also known as “HTTPS inspection,” work by intercepting the HTTPS network traffic and decrypting it, reviewing it, then re-encrypting it.  To do so, HTTPS interception products must install trusted certificates on client devices to perform the HTTPS inspection without presenting warnings.

However, this process may leave organizations using HTTPS interception products vulnerable, because the organizations can no longer verify web servers’ certificates; view the protocols and ciphers that an HTTPS interception product negotiates with web servers, and, most importantly, independently validate the security of the end-to-end connection. In other words, the organizations that use these interception products are able to validate only the connection between themselves and the interception product, not between themselves and the server.  This is problematic, because many HTTPS interception products do not properly verify the certificate chain before re-encrypting and forwarding information to the organizations, which leaves the connection vulnerable to a malicious MITM attack.

The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations verify that their HTTPS interception product properly validates certificate chains and passes any warnings or errors to the client. Organizations can find a partial list of products that may be affected at CERT Coordination Center’s The Risks of SSL Inspection. Also, organizations may use badssl.com as a method of determining if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.

Securing end-to-end communications performs an important function in protecting the privacy of HTTPS traffic and preventing some forms of MITM attacks.  US-CERT recommends reviewing the following mitigations in Alert TA15-120A to reduce vulnerability to MITM attacks:

Update Transport Layer Security and Secure Socket Layer (TLS/SSL) US-CERT recommends upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled unless required. The continued use of TLS 1.0 and SSL 1, 2, 3.x is leading to increased cases affected by MITM attacks and session hijacks.

Utilize Certificate Pinning

Implement DNS-based Authentication of Named Entities (DANE)

Use Network Notary Servers

Further, a recent security analysis (The Security Impact of HTTPS Interception) of HTTPS interception products found that poor implementation of many of these products may actually reduce end-to-end security and introduce new vulnerabilities.  US-CERT recently issued an Alert, TA17-075A, warning of the vulnerabilities that organizations expose themselves to when they use HTTPS interception products.

Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception products, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.

In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. OCR’s Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured.

http://cyberparse.co.uk/2014/11/14/ta14-318a-microsoft-secure-channel-schannel-vulnerability-cve-2014-6321-2/ http://i0.wp.com/cyberparse.co.uk/wp-content/uploads/2016/04/cyber-security-concept-pd-4873407.jpg?fit=640%2C480

Original release date: November 14, 2014 Systems Affected Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2Microsoft Windows RTMicrosoft Windows RT 8.1Microsoft Windows XP and 2000 may also be affected. Overview A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1] Description Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]It may be possible for exploitation to occur without authentication and via unsolicited network traffic.According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5] Impact This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6] Solution Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2] References

[1] NIST Vulnerability Summary for CVE-2014-6321 [2] Microsoft Security Bulletin MS14-066 – Critical [3] Microsoft, Secure Channel [4] Reddit, Microsoft Security Bulletin MS14-066 [5] Pastebin, SChannelShenanigans [6] Winshock.txt

Revision History

November 14, 2014: Initial Release

http://cyberparse.co.uk/2014/11/14/ta14-318a-microsoft-secure-channel-schannel-vulnerability-cve-2014-6321-2/ http://i0.wp.com/cyberparse.co.uk/wp-content/uploads/2016/04/cyber-security-concept-pd-4873407.jpg?fit=640%2C480

Original release date: November 14, 2014 Systems Affected Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2Microsoft Windows RTMicrosoft Windows RT 8.1Microsoft Windows XP and 2000 may also be affected. Overview A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1] Description Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]It may be possible for exploitation to occur without authentication and via unsolicited network traffic.According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5] Impact This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6] Solution Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2] References

[1] NIST Vulnerability Summary for CVE-2014-6321 [2] Microsoft Security Bulletin MS14-066 – Critical [3] Microsoft, Secure Channel [4] Reddit, Microsoft Security Bulletin MS14-066 [5] Pastebin, SChannelShenanigans [6] Winshock.txt

Revision History

November 14, 2014: Initial Release

http://cyberparse.co.uk/2014/11/14/ta14-318a-microsoft-secure-channel-schannel-vulnerability-cve-2014-6321-2/ http://i0.wp.com/cyberparse.co.uk/wp-content/uploads/2016/04/cyber-security-concept-pd-4873407.jpg?fit=640%2C480

Original release date: November 14, 2014 Systems Affected Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2Microsoft Windows RTMicrosoft Windows RT 8.1Microsoft Windows XP and 2000 may also be affected. Overview A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1] Description Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]It may be possible for exploitation to occur without authentication and via unsolicited network traffic.According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5] Impact This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6] Solution Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2] References

[1] NIST Vulnerability Summary for CVE-2014-6321 [2] Microsoft Security Bulletin MS14-066 – Critical [3] Microsoft, Secure Channel [4] Reddit, Microsoft Security Bulletin MS14-066 [5] Pastebin, SChannelShenanigans [6] Winshock.txt

Revision History

November 14, 2014: Initial Release

http://cyberparse.co.uk/2014/11/14/ta14-318a-microsoft-secure-channel-schannel-vulnerability-cve-2014-6321-2/ http://i0.wp.com/cyberparse.co.uk/wp-content/uploads/2016/04/cyber-security-concept-pd-4873407.jpg?fit=640%2C480

Original release date: November 14, 2014 Systems Affected Microsoft Windows Server 2003 SP2Microsoft Windows Vista SP2Microsoft Windows Server 2008 SP2Microsoft Windows Server 2008 R2 SP1Microsoft Windows 7 SP1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2Microsoft Windows RTMicrosoft Windows RT 8.1Microsoft Windows XP and 2000 may also be affected. Overview A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1] Description Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]It may be possible for exploitation to occur without authentication and via unsolicited network traffic.According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5] Impact This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6] Solution Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2] References

[1] NIST Vulnerability Summary for CVE-2014-6321 [2] Microsoft Security Bulletin MS14-066 – Critical [3] Microsoft, Secure Channel [4] Reddit, Microsoft Security Bulletin MS14-066 [5] Pastebin, SChannelShenanigans [6] Winshock.txt

Revision History

November 14, 2014: Initial Release

http://cyberparse.co.uk/2015/12/03/ta15-337a-dorkbot-2/ http://i0.wp.com/cyberparse.co.uk/wp-content/uploads/2016/04/cyber-security-concept-pd-4873407.jpg?fit=640%2C480

Original release date: December 03, 2015 Systems Affected Microsoft Windows Overview Dorkbot is a botnet used to steal online payment, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victims’ computers.According to Microsoft, the family of malware used in this botnet “has infected more than one million personal computers in over 190 countries over the course of the past year.” The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot. Description Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to victims’ computers.Dorkbot is commonly spread via malicious links sent through social networks instant message programs or through infected USB devices.In addition, Dorkbot’s backdoor functionality allows a remote attacker to exploit infected system.According to Microsoft’s analysis, a remote attacker may be able to:Download and run a file from a specified URL;Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; orBlock or redirect certain domains and websites (e.g., security sites). Impact A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users’ credentials for online services, including banking services. Solution Users are advised to take the following actions to remediate Dorkbot infections:Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses.Even though Dorkbot is designed to evade detection, security companies are continuously updating their software to counter these advanced threats.Therefore, it is important to keep your anti-virus software up-to-date.If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems.Disable Autorun­ – Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drive). You can disable Autorun to stop the threat from spreading.Microsofthttp://www.microsoft.com/security/scanner/en-us/default.aspxThe above example does not constitute an exhaustive list.The U.S.Government does not endorse or support any particular product or vendor. References

Microsoft Malware Protection Center – Worm: Win32/Dorkbot Microsoft Malware Protection Center – Microsoft assists law enforcement to help disrupt Dorkbot botnets

Revision History

December 3, 2015: Initial Publication