Thursday, May 23, 2013

US-CERT Technical Cyber Security Alert - Washington, DC Radio Station Web Site Compromises (TA13-141A)


National Cyber Awareness System:
 
 TA13-141A: Washington, DC Radio Station Web Site Compromises
 05/20/2013 05:59 PM EDT
 
 Original release date: May 20, 2013 | Last revised: May 21, 2013
 Systems Affected
 
 Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java
 Overview
 
 On May 16, 2013, US-CERT was notified that both www.federalnewsradio[.]com and www.wtop[.]com had been compromised to redirect Internet Explorer users to an exploit kit. As of May 17, 2013, US-CERT analysis confirms that no malicious code remains on either site.
 
 Description
 
 The compromised websites were modified to contain a hidden iframe referencing a JavaScript file on a dynamic-DNS host. The file returned from this site was identified as the Fiesta Exploit Kit. The exploit kit script uses one of several known vulnerabilities to attempt to download an executable:
 
 CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
 
 CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat
 
 CVE-2013-0422: Multiple vulnerabilities in Oracle Java 7 before Update 11
 
 Any system that visited either site while running a vulnerable version of Adobe Reader, Acrobat, or Oracle Java may have been compromised.
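The injection described above (a hidden iframe pointing at an off-site script host) is something a site owner can check for in their own published pages. The following is an added example, not code from US-CERT or the affected stations: a small auditor built on Python's html.parser that flags iframes whose source is off-site and which are either inside an element styled hidden or sized to 0/1 pixels. The sample HTML and the host name `update-host.example-ddns.invalid` are constructed for the demo and are not indicators from the advisory.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the demo, not content from the compromised sites.
# The off-site host name is a placeholder chosen to look like a dynamic-DNS name.
SAMPLE_HTML = """
<html><body>
<h1>Station news</h1>
<img src="/logo.png"><br>
<iframe src="/player/embed.html" width="400" height="300"></iframe>
<div style="display:none">
  <iframe src="http://update-host.example-ddns.invalid/js/loader.js" width="1" height="1"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col", "source", "wbr"}


class IframeAuditor(HTMLParser):
    """Flag <iframe> elements that point off-site and are hidden or sized to be invisible."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_stack = []   # one bool per open element: inline-styled hidden or not
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            self._check_iframe(a, hidden_here)
        elif tag not in VOID_TAGS:
            self.hidden_stack.append(hidden_here)

    def handle_endtag(self, tag):
        if tag != "iframe" and tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def _check_iframe(self, a, hidden_here):
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        # Relative and same-site sources are normal; only off-site frames are interesting.
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        reasons = []
        if hidden_here or any(self.hidden_stack):
            reasons.append("hidden-container")
        if a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1"):
            reasons.append("tiny-frame")
        if reasons:
            self.findings.append({"src": src, "host": host, "reasons": reasons})


def audit_html(html, site_host):
    """Return a list of suspicious off-site iframes found in the page source."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example-station.invalid"):
        print(f["host"], f["src"], ",".join(f["reasons"]))
```

This only catches the inline-style and tiny-frame forms of hiding; an iframe hidden through a stylesheet class or positioned off-screen would need the CSS resolved as well, so the check is best run alongside a file-integrity comparison of the site's published templates.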
 
 Impact
 
 The exploit kit, once successful, delivers and executes a known variant of the ZeroAccess Trojan. Additionally, according to open source reporting, the malware also downloads and installs a variant of FakeAV/Kazy malware.
 
 The ZeroAccess Trojan attempts to beacon to one of two hardcoded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176. The beaconing occurs using an HTTP GET using the Opera/10 user-agent string.
 
 After beaconing, the malware downloads a custom Microsoft Cabinet file and connects to its peer-to-peer network over UDP port 16464. The cabinet file contains several lists of IP addresses, as well as a fake Flash installer.
 
 Solution
 
 Apply Updates
 
 Adobe has provided updates for these vulnerabilities in Adobe Security Bulletin APSB09-04 and APSB10-07.
 Oracle has provided updates for this vulnerability in Oracle Security Alert for CVE-2013-0422.
 Identify Infected Systems
 
 Monitor activity to the following IPs as a potential indicator of infection where permitted and practical:
 
 209.68.32.176
 194.165.17.3
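The three host-side indicators the advisory gives (contact with the two command-and-control addresses, HTTP GET beacons with an Opera/10 user-agent, and UDP/16464 peer-to-peer traffic) can be correlated per source host from proxy and firewall logs. The following is an added example, not a US-CERT tool: the log format and the sample lines are constructed for the demo, and the two C2 addresses, the user-agent prefix and the UDP port are the values from the advisory text.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the advisory text.
C2_ADDRESSES = {"194.165.17.3", "209.68.32.176"}
P2P_UDP_PORT = 16464
BEACON_UA_PREFIX = "Opera/10"

# Constructed sample lines in a simplified format (not real captures):
#   proxy <ts> <src_ip> <method> <url> "<user-agent>"
#   fw    <ts> <src_ip> <proto> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
proxy 2013-05-17T10:01:02 10.1.1.15 GET http://www.wtop.com/ "Mozilla/4.0 (compatible; MSIE 8.0)"
proxy 2013-05-17T10:01:09 10.1.1.15 GET http://194.165.17.3/ "Opera/10"
fw    2013-05-17T10:02:30 10.1.1.15 udp 198.51.100.77:16464
fw    2013-05-17T10:02:31 10.1.1.15 udp 203.0.113.9:16464
proxy 2013-05-17T10:03:00 10.1.1.22 GET http://www.federalnewsradio.com/ "Mozilla/4.0 (compatible; MSIE 8.0)"
fw    2013-05-17T10:04:00 10.1.1.22 udp 10.1.1.1:53
proxy 2013-05-17T10:05:00 10.1.1.30 GET http://209.68.32.176/ "Mozilla/4.0 (compatible; MSIE 8.0)"
"""

PROXY_RE = re.compile(r'^proxy\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"\s*$')
FW_RE = re.compile(r'^fw\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+):(\d+)\s*$')


def indicators_for(line):
    """Return (src_ip, [indicator tuples]) for one log line; an empty list if nothing matched."""
    m = PROXY_RE.match(line)
    if m:
        _ts, src, _method, url, ua = m.groups()
        host = urlparse(url).hostname or ""
        found = []
        if host in C2_ADDRESSES:
            found.append(("c2", host))
        if ua.startswith(BEACON_UA_PREFIX):
            found.append(("ua", ua))
        return src, found
    m = FW_RE.match(line)
    if m:
        _ts, src, proto, dst, port = m.groups()
        found = []
        if dst in C2_ADDRESSES:
            found.append(("c2", dst))
        if proto.lower() == "udp" and int(port) == P2P_UDP_PORT:
            found.append(("p2p", dst))
        return src, found
    return None, []


def assess(log_text):
    """Aggregate indicators per source host and assign a verdict.

    A host that reached a C2 address and also showed beacon behaviour (the Opera/10
    user-agent or UDP/16464 peer traffic) is rated 'likely infected'; any single
    indicator on its own is only 'suspicious'.
    """
    hosts = defaultdict(lambda: {"c2": set(), "ua": 0, "p2p_peers": set()})
    for line in log_text.splitlines():
        src, found = indicators_for(line)
        for kind, value in found:
            if kind == "c2":
                hosts[src]["c2"].add(value)
            elif kind == "ua":
                hosts[src]["ua"] += 1
            elif kind == "p2p":
                hosts[src]["p2p_peers"].add(value)
    report = {}
    for src, h in hosts.items():
        beacon_behaviour = h["ua"] > 0 or len(h["p2p_peers"]) > 0
        verdict = "likely infected" if h["c2"] and beacon_behaviour else "suspicious"
        report[src] = {**h, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(assess(SAMPLE_LOG).items()):
        print(src, info["verdict"], sorted(info["c2"]), info["ua"], len(info["p2p_peers"]))
```

Merely having visited the compromised sites (host 10.1.1.22 in the sample) produces no finding, which matches the advisory's point that only vulnerable clients were affected. UDP/16464 traffic alone is a weak signal, so the verdict logic requires a C2 contact before escalating to "likely infected".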
 
 References
 
 WTOP and Federal News Radio Websites Back After Cyber Attack
 APSB09-04
 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
 APSB10-07
 Unspecified vulnerability in Adobe Reader and Acrobat
 Multiple vulnerabilities in Oracle Java 7 before Update 11
 Oracle Security Alert for CVE-2013-0422
 K.I.A. - WTOP.com, FedNewsRadio and Tech Blogger John Dvorak Blog Site Hijacked - Exploits Java and Adobe to Distribute Fake A/V
 
 Revision History
 
 Initial release

Source: http://www.net-security.org/advisory.php?id=16102

