January 20, 2012 - Current Activity

This is an archived copy of Current Activity; the most recent version is maintained on the US-CERT website.

January 20 - Best Practices for Recovery from the Malicious Erasure of Files
January 18 - Oracle Releases Critical Patch Update for January 2012
January 12 - Phishing Campaign Using Spoofed US-CERT Email Addresses
January 11 - Microsoft Releases January Security Bulletin
January 10 - Adobe Releases Security Advisory for Adobe Reader and Acrobat
January 6 - Google Releases Chrome 16.0.912.75
December 29 - Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks
December 21 - Mozilla Releases Firefox 9 and 3.6.25
December 20 - USAA Phishing Scam and Malware Campaign
December 19 - Personal Device Security During the Holiday Season



Best Practices for Recovery from the Malicious Erasure of Files

added January 19, 2012 at 04:12 pm | updated January 20, 2012 at 09:49 am

There are many ways in which cyber criminals can damage computer systems and data, including changing or deleting files, wiping hard drives, and erasing backups to hide their malicious activity.

Hard drives are wiped, or "zeroed out," when the original data is overwritten with zeros or different characters. This allows malicious actors to alter or even erase existing data. In addition to impeding the restoration of the original data, this type of criminal activity makes it difficult to determine whether criminals merely accessed the network, stole information, or altered network access and configuration files. Restoring networks and assessing the damage to a business can be hindered when the full extent of malicious activity is unclear.

DHS and the FBI encourage businesses and individuals to employ mitigation strategies and best practices to effectively recover maliciously erased files, such as:

  • Implementing a data backup and recovery plan. A copy of the sensitive data should be kept in a separate and secure location. Make sure this backup copy is not readily accessible from local networks.
  • Regularly mirroring and maintaining an image of critical system files.
  • Encrypting and securing sensitive information.
  • Using strong passwords, implementing a frequent schedule for changing passwords, and making sure passwords are not reused for multiple accounts.
  • Enabling network monitoring and logging (when feasible).
  • Being on guard against social engineering tactics aimed at obtaining sensitive information, such as phishing.
  • Ensuring that sensitive files are securely eliminated from hard drives when no longer needed or required.
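The two backup-related practices above (a copy kept off the local network, and a maintained image of critical files) only help recovery if the restored or surviving files can be checked against something trustworthy. The following is an added example, not US-CERT's or DHS's own tooling: a digest manifest is built at backup time and stored with the offline copy, and after an incident the live tree is verified against it, separating files that are missing, "zeroed out" (entirely NUL bytes, as described above), or otherwise altered. The directory layout, file names and file contents in demo() are constructed for illustration; SHA-256 and the 64 KiB read chunk are choices made here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size for hashing; chosen for this example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record a digest for every file under root. Keep the manifest with the
    offline backup so it is not reachable from the live network either."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def is_zeroed(path: Path) -> bool:
    """True when a non-empty file consists only of NUL bytes (the wiped pattern)."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.strip(b"\x00"):  # any non-NUL byte survives the strip
                return False
    return True


def verify_tree(manifest: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Classify every manifest entry as ok, missing, zeroed or altered on the live tree."""
    report: dict[str, list[str]] = {"ok": [], "missing": [], "zeroed": [], "altered": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        elif is_zeroed(p):
            report["zeroed"].append(rel)
        else:
            report["altered"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a backup, then damage the live tree the way the
    advisory describes (one file zeroed, one edited, one deleted) and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "etc").mkdir(parents=True)
        (live / "notes").mkdir()
        (live / "etc" / "config.ini").write_text("[db]\nhost=db.internal\n")
        (live / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        (live / "notes" / "readme.txt").write_text("unchanged\n")
        (live / "report.txt").write_text("quarterly numbers\n")

        # Backup time: copy to the (simulated) offline location, manifest travels with it.
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)

        # Incident: attacker zeroes one file, edits another, deletes a third.
        cfg = live / "etc" / "config.ini"
        cfg.write_bytes(b"\x00" * cfg.stat().st_size)
        (live / "etc" / "hosts.allow").write_text("sshd: ALL\n")
        (live / "report.txt").unlink()

        return verify_tree(manifest, live)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:8s} {files}")
```

The manifest is only as trustworthy as where it is kept: if it sits on the same network share as the data, an attacker who can zero the files can regenerate it too, which is why it belongs with the copy that the first bullet says should not be readily accessible from local networks.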

There are many resources available on the US-CERT website to protect users from this type of malicious activity, including these suggested readings from the National Cyber Alert System:


Oracle Releases Critical Patch Update for January 2012

added January 18, 2012 at 10:58 am

Oracle has released its Critical Patch Update for January 2012 to address 78 vulnerabilities across multiple products. This update contains the following security fixes:

  • 2 for Oracle Database Server
  • 1 for Oracle Fusion Middleware
  • 3 for Oracle E-Business Suite
  • 1 for Oracle Supply Chain Products Suite
  • 6 for Oracle PeopleSoft Products
  • 8 for Oracle JD Edwards Products
  • 17 for Oracle Sun Products Suite
  • 3 for Oracle Virtualization
  • 27 for Oracle MySQL

US-CERT encourages users and administrators to review the January 2012 Critical Patch Update and apply any necessary updates to help mitigate the risks.

Additional information regarding CVE-2012-0110 can be found in US-CERT Vulnerability Note VU#738961.


Phishing Campaign Using Spoofed US-CERT Email Addresses

added January 10, 2012 at 02:06 pm | updated January 12, 2012 at 08:34 am

On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state, and local governments.

US-CERT advises that users do not open the email or any of the attachments and promptly delete the email from their inboxes.

Reports indicate that SOC@US-CERT.GOV is the primary email address being spoofed but other invalid email addresses are also being used.

The subject of the phishing email is: "Phishing incident report call number: PH000000XXXXXXX" with the "X" containing an incident report number that varies.

The attached zip file is titled "US-CERT Operation Center Report XXXXXXX.zip", with "X" indicating a random value or string. The zip attachment contains an executable file with the name "US-CERT Operation CENTER Reports.eml.exe", which is a variant of the Zeus/Zbot Trojan known as Ice-IX.
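The sender, subject line and attachment naming described above are enough to write a mail-gateway check for this campaign. The following is an added example, not US-CERT's code: it parses a message, collects the indicators the advisory names, and flags any zip attachment that carries a double-extension executable such as the ".eml.exe" file mentioned. The regular expressions are assumptions about how the varying "X" parts are formed (digits after "PH", any string before ".zip"), the sample messages are constructed here, and the quarantine threshold is a choice made for illustration.

```python
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators from the advisory; the patterns for the varying parts are assumptions.
SPOOFED_SENDER = "soc@us-cert.gov"
SUBJECT_RE = re.compile(r"^Phishing incident report call number: PH\d+$")
ZIP_NAME_RE = re.compile(r"^US-CERT Operation Center Report .+\.zip$", re.IGNORECASE)
# "document-looking" name followed by an executable extension, e.g. Reports.eml.exe
DOUBLE_EXT_RE = re.compile(r"\.(eml|pdf|doc|docx|txt)\.(exe|scr|com|pif|bat)$", re.IGNORECASE)


def indicators(raw: bytes) -> list[str]:
    """Return the list of campaign indicators present in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits: list[str] = []

    _, addr = email.utils.parseaddr(msg.get("From", ""))
    if addr.lower() == SPOOFED_SENDER:
        hits.append("claimed-sender:" + SPOOFED_SENDER)

    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject-pattern")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ZIP_NAME_RE.match(name):
            hits.append("attachment-name-pattern")
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        if DOUBLE_EXT_RE.search(member):
                            hits.append("double-extension-executable:" + member)
            except zipfile.BadZipFile:
                hits.append("malformed-zip")
    return hits


def should_quarantine(raw: bytes) -> bool:
    """Policy chosen for this example: an executable hidden in the zip is enough on
    its own; otherwise require two independent indicators to limit false positives."""
    hits = indicators(raw)
    return any(h.startswith("double-extension-executable:") for h in hits) or len(hits) >= 2


def sample_phish() -> bytes:
    """Constructed message mimicking the advisory's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "US-CERT SOC <SOC@US-CERT.GOV>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Phishing incident report call number: PH0000001234567"
    msg.set_content("Please review the attached incident report.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("US-CERT Operation CENTER Reports.eml.exe", b"placeholder, not a binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="US-CERT Operation Center Report 1234567.zip")
    return bytes(msg)


def sample_benign() -> bytes:
    """Constructed ordinary message that should not trip any indicator."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Same place as last time.")
    return bytes(msg)


if __name__ == "__main__":
    print("phish:", indicators(sample_phish()), should_quarantine(sample_phish()))
    print("benign:", indicators(sample_benign()), should_quarantine(sample_benign()))
```

The claimed-sender check only tells you that the message says it is from SOC@US-CERT.GOV; whether it actually came from there is a question for the gateway's SPF/DKIM authentication results, which is why the example treats it as one indicator among several rather than a verdict.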

US-CERT encourages users to do the following to reduce the risks associated with this and other phishing campaigns.


Microsoft Releases January Security Bulletin

added January 10, 2012 at 01:24 pm | updated January 11, 2012 at 01:53 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Microsoft Developer Tools and Software as part of the Microsoft Security Bulletin Summary for January 2012. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, obtain sensitive information, and bypass security restrictions.

US-CERT encourages users and administrators to review the bulletin and follow best practice security policies to determine which updates should be applied.


Adobe Releases Security Advisory for Adobe Reader and Acrobat

added January 10, 2012 at 04:40 pm

Adobe has released a Security Advisory for Adobe Reader and Acrobat to address multiple vulnerabilities affecting the following software versions:

  • Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.4.7 and earlier 9.x versions for Windows
  • Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
  • Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
  • Acrobat 9.4.6 and earlier 9.x versions for Macintosh

Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or take control of the affected system.

US-CERT encourages users and administrators to review Adobe security advisory APSB12-01 and apply any necessary updates to help mitigate the risks.


Google Releases Chrome 16.0.912.75

added January 6, 2012 at 09:26 am

Google has released Chrome 16.0.912.75 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 16.0.912.75.


Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks

added December 28, 2011 at 01:04 pm | updated December 29, 2011 at 01:35 pm

US-CERT is aware of reports stating that multiple programming language implementations, including web platforms, are vulnerable to hash table collision attacks. This vulnerability could be used by an attacker to launch a denial-of-service attack against websites using affected products. 

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the ruby 1.8.7 patchlevel 357 release notes.

Microsoft has released an update for the .NET Framework to address this vulnerability and three others. Additional information can be found in Microsoft Security Bulletin MS11-100 and Microsoft Security Advisory 2659883.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.
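The denial of service works because a hash table whose hash function is predictable degrades to a linked list when every key lands in one bucket, and the two fixes the vendors shipped are the two mitigations shown below: an unpredictable (keyed) hash, and a cap on how many fields a request may contribute. The following is an added example, not code from US-CERT, Ruby, Microsoft or n.runs. The byte-sum "weak_hash", the 1024-bucket table, the anagram-based colliding input, BLAKE2b as the keyed hash and the 1000-field cap are all choices made for illustration; the toy hash collides on anagrams, which says nothing about any real language's string hash.

```python
import hashlib
import os
import random
from urllib.parse import parse_qsl

BUCKETS = 1024  # table size for the demonstration


def weak_hash(key: str) -> int:
    """Toy deterministic hash (sum of byte values), standing in for the
    predictable string hashes in the advisory. Every key with the same
    multiset of bytes maps to the same bucket."""
    return sum(key.encode())


def make_keyed_hash(seed: bytes):
    """Mitigation 1: a keyed hash. Without the per-process secret, the bucket
    for a given key cannot be predicted, so colliding inputs cannot be crafted."""
    def keyed(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return keyed


def colliding_keys(n: int) -> list[str]:
    """Constructed adversarial input: permutations of one base string share a
    byte sum, so all of them collide under weak_hash. Fixed seed for reproducibility."""
    base = list("abcdefghijkl")
    rng = random.Random(0)
    keys: set[str] = set()
    while len(keys) < n:
        rng.shuffle(base)
        keys.add("".join(base))
    return sorted(keys)


def longest_chain(hash_fn, keys, buckets: int = BUCKETS) -> int:
    """Insert keys into a chained table and return the longest bucket chain.
    Each lookup costs O(chain length), which is the lever the attack pulls."""
    chains = [0] * buckets
    for key in keys:
        chains[hash_fn(key) % buckets] += 1
    return max(chains)


MAX_FIELDS = 1000  # cap chosen for this example


def parse_form(query: str, max_fields: int = MAX_FIELDS) -> dict[str, str]:
    """Mitigation 2: refuse requests with more fields than the cap before any of
    them reach the table, bounding the work one request can force."""
    pairs = parse_qsl(query, keep_blank_values=True)
    if len(pairs) > max_fields:
        raise ValueError(f"request has {len(pairs)} fields; limit is {max_fields}")
    return dict(pairs)


if __name__ == "__main__":
    keys = colliding_keys(2000)
    print("weak hash, longest chain: ", longest_chain(weak_hash, keys))
    print("keyed hash, longest chain:", longest_chain(make_keyed_hash(os.urandom(16)), keys))
```

With 2000 crafted keys the weak hash produces a single chain of 2000 entries while the keyed hash spreads the same keys to chains of a handful each. The field cap is the cheaper fix to deploy when the hash function is not yours to change; Python's own parse_qsl exposes the same idea through its max_num_fields argument.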

US-CERT will provide additional information as it becomes available.


Mozilla Releases Firefox 9 and 3.6.25

added December 21, 2011 at 10:56 am

The Mozilla Foundation has released Firefox 9 and Firefox 3.6.25 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 9 and Firefox 3.6.25 and apply any necessary updates to help mitigate the risk.


USAA Phishing Scam and Malware Campaign

added December 20, 2011 at 01:14 pm

US-CERT is aware of public reports of an active spear-phishing attack via email messages directed at United Services Automobile Association (USAA) members. These messages carry the subject line "Deposit Posted" and a randomly generated four-digit number placed in the USAA security zone section. The messages ask users to open an attached file containing malicious software that, if activated, could provide access to a user's personal information.

US-CERT encourages users to do the following to help mitigate the risk:


Personal Device Security During the Holiday Season

added December 19, 2011 at 01:30 pm

As the winter holiday travel season begins, US-CERT would like to remind users to be mindful of the security risks associated with portable devices such as smart phones, tablets, and laptops.

US-CERT would like to encourage users to review the following US-CERT Cyber Security Tips. Following the security practices suggested in each tip will help to keep your portable devices secure during the holiday season and throughout the year.

  • Cyber Security Tip ST11-001: Holiday Traveling with Personal Internet-Enabled Devices
  • Cyber Security Tip ST05-017: Cybersecurity for Electronic Devices
  • Cyber Security Tip ST04-017: Protecting Portable Devices: Physical Security