March 17, 2015 - Information Warfare Center



Page 1: March 17, 2015 - Information Warfare Center · 3/17/2015  · March 17, 2015. The IWC CIR is an OSINT resource focusing on advanced persistent threats and other digital dangers. APTs

March 17, 2015

The IWC CIR is an OSINT resource focusing on advanced persistent threats and other digital dangers. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage.

Summary

Symantec ThreatCon Level 2 - Medium: Increased alertness

This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating.

Gotcha: Website Defacement

Time        Notifier        H M R L  Domain                             OS         View
3/15/2015   term1n4l-Xroot  H        www.dd.illinois.gov                Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        governor.illinois.gov              Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        inspectorgeneral.illinois.gov      Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www.idoc.illinois.gov              Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www.immigrants.illinois.gov        Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www.sell2.illinois.gov             Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www.sharedservices.illinois.gov    Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www2.illinois.gov                  Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        wwwb.illinois.gov                  Win XP     mirror
3/15/2015   term1n4l-Xroot  H        millenniumreserve.illinois.gov     Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        www.digitalgov.gov                 Linux      mirror
3/15/2015   term1n4l-Xroot  H        kids.usa.gov                       Linux      mirror
3/15/2015   term1n4l-Xroot  H        www.dotgov.gov                     Linux      mirror
3/15/2015   term1n4l-Xroot  H        apps.illinois.gov                  Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        exports.illinois.gov               Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        id.illinois.gov                    Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        payments.illinois.gov              Win 2003   mirror
3/15/2015   term1n4l-Xroot  H        bccs.illinois.gov                  Win 2003   mirror
3/14/2015   aymane mino     H        ssl.arb.ca.gov                     Win 2008   mirror
            NaSaH                    otaywater.gov/Otay/default.aspx    Win 2008   mirror
3/13/2015   NaSaH                    yosemite.epa.gov/ochp/ochpweb....  Win 2003   mirror
3/12/2015   Nob0dy          H R      www.vidol.gov                      F5 Big-IP  mirror
3/12/2015   Suram-Crew               mdm.bpa.gov/mdmr/app/gaza.html     Linux      mirror
3/12/2015   d3b~X           H        www.medicaid.ms.gov                Unknown    mirror
3/12/2015   NeT-DeViL       R        www.goodyearaz.gov/Home/Compon...  Win 2012   mirror
3/12/2015   NeT-DeViL                www.townofsmyrna-tn.gov/Home/C...  Win 2012   mirror
3/12/2015   NeT-DeViL                www.tempe.gov/Home/Components/...  Win 2012   mirror
3/11/2015   WhitePanda      H        vote.mahoningcountyoh.gov          Linux      mirror
3/11/2015   Cyber Hats               www.ltcombudsman.ny.gov/CFIDE/     Win 2003   mirror
3/10/2015   Toxic Dz        H R      calumettwp-in.gov                  Win 2012   mirror

InformationWarfareCenter.com 1 | Page


SCADA/ICS: The Problem.

SCADA and Industrial Control Systems help manage the infrastructures of the world. From traffic lights to water works to dams to nuclear power plants, these systems control everything that makes our lives easier. What would happen if the lights went out? What would happen if the water stopped flowing? What would happen if another Three Mile Island were to occur? What if? You must ask yourself: does our way of life hinge on these SCADA/ICS systems? If it does, are these very systems connected to networks that are on the Internet, making them easy and open targets for those who want to destroy our way of life? Well… many of them are on the Internet. Simple fact. There is no reasonable answer to why other than money. Those who make the decisions to cripple the defenses of our infrastructure do so with the intention of making more with less. Some are not educated enough to understand their folly, while others just don’t care.

• US Industrial Control Systems Attacked 245 Times In 12 Months.
• Car hacked on 60 Minutes
• Nuke Maker's Traffic Hijacked Through Ukraine.

I have been teaching SCADA/ICS security for years. This is not fear mongering; it is a simple plea for common sense. If you don’t believe the money angle, know that many third world countries with SCADA-controlled infrastructure do not have these very issues. When I have asked why they don’t worry, they simply respond, “because we do not connect our systems to the Internet”.

Images from: http://www.shodanhq.com/


News: Information Warfare

• Corporate espionage: Nothing concrete has yet emerged in the case, says...
• These are the silly URLs the NSA uses for cyber espionage - The Verge
• Recidivism Among Espionage Act Convicts - Lawfare (blog)
• Corporate espionage: CBI summons senior RIL official - The Hindu
• Secret surveillance at VIPs' residence unacceptable, similar to 'espionage ... - Zee News
• Senate committee advances cyber threat information sharing bill - FierceGovernmentIT
• MIT, Raytheon and others partner to combat cyber threats - Boston Business Journal (blog)
• State Department Toughens Up Computer Network Against Cyber Threats - Tech Times
• The front line in war on cyber threats has moved - gulfnews.com
• US spy chief James Clapper highlights cyber threats - BBC News
• Cops Freaked Out Congress May Impose License Plate Reader Limits
• A Cyber War Staged In Central London
• Mozilla Peers Into Processes With Student-Built Forensics Probe
• Yahoo Bypasses Standard Passwords With Smartphone Code
• Swedish U-Turn On Assange Questioning
• Psssst: Wanna Buy A Used Spy Domain?
• Google Leaks Whois Data For 280,000 Domains
• Kaspersky Finds NSA's Space Station Malware
• CISA Cybersecurity Bill Advances Despite Security Concerns
• Mattel's Barbie Found Spying On Your Children
• EU Plans New Team To Tackle Cyber-Terrorism
• 20% Of Net Neutrality Order Is Republican Dissent
• Chicago Man Convicted For Skimming $5 Million From ATMs
• Full Details On CVE-2015-0096 And The Failed MS10-046 Stuxnet Fix
• Dropbox SDK Bug Leaves Android Users Open To Attack
• Ad Bidding Network Caught Slinging Ransomware
• Microsoft Supersized Patch Tuesday Plugs Freak Flaw
• New Smoking Gun Further Ties NSA To Omnipotent "Equation Group" Hackers
• NY Private Investigator Pleads Guilty To Computer Hacking
• Banning Tor Unwise And Infeasible, MPs Told
• Cutting-Edge DRAM Hack Gives Superuser Status
• The CIA Campaign To Steal Apple's Secrets

News: HIPAA

• Esker Completes HIPAA/HITECH Security Assessment for Its On-Demand ... - Insurance News
• Don't confuse EHR HIPAA compliance with total HIPAA compliance - Healthcare IT News
• Will you top the HIPAA audit candidate list? - LifeHealthPro
• HIPAA crackdown extends beyond health care providers - The Tennessean
• Aptible helps healthcare startups leap HIPAA hurdles - Technical.ly Brooklyn

News: SCADA

• Nuke Maker's Traffic Hijacked Through Ukraine
• US Industrial Control Systems Attacked 245 Times In 12 Months
• Terror Test Tasks Hackers With Saving London From Hacked Battleship
• CeBIT Innovation: gateprotect Offers Unique New SCADA Protection for Energy ... - Virtual-Strategy Magazine (press release)


News: Cyber Laws & Legislation

• CISA Cybersecurity Bill Advances Despite Privacy Concerns - Wired
• Federal law on cyber security is crucial - Seacoastonline.com
• Draft of Senate Cyber Bill Tackles Retaliation Rules - Wall Street Journal
• Senate intelligence panel approves cyber bill - FCW.com
• Obama seeks reboot of China cyber laws - Financial Times

News: Computer Forensics

• Companies turn to forensic investigators to detect cyber crime - Channel News Asia
• Karnataka Police commissions fully equipped cyber forensic lab - The Indian Express
• Review: In 'CSI: Cyber,' CBS Digitizes the Forensics Formula - New York Times
• UA to Launch Interdisciplinary Cyber Crime Minor - UA News
• Real-life look at cyber crime investigations - CBS 8 San Diego

Exploits

• Jolla Phone URI Spoofing
• X2Engine 5.0.4 Platinum Edition Cross Site Request Forgery
• HostingTakip 3.0 Cross Site Scripting
• IPass Control Pipe Remote Command Execution
• Alkacon OpenCms 9.5.1 Cross Site Scripting
• WordPress SEO By Yoast 1.7.3.3 SQL Injection
• WordPress WPML XSS / Deletion / SQL Injection
• Codiad 2.5.3 Local File Inclusion
• iPass Mobile Client 2.4.2.15122 Privilege Escalation
• Ckeditor 4.4.7 Shell Upload / Cross Site Scripting
• Microsoft Windows Shell SMB LNK Code Execution
• Microsoft Windows Shell File Format LNK Code Execution
• ElasticSearch Search Groovy Sandbox Bypass
• Raritan PowerIQ 4.1 / 4.2 / 4.3 Code Execution
• WordPress Huge IT Slider 2.6.8 SQL Injection
• 3d Cart Cross Site Scripting
• Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free
• Foxit Products GIF Conversion LZWMinimumCodeSize Memory Corruption
• Foxit Products GIF Conversion DataSubBlock Memory Corruption
• Android Media Integer Overflow
• Google Android Integer Overflow / Heap Corruption
• ElasticSearch Unauthenticated Remote Code Execution
• Microsoft Windows MS15-020 Memory Corruption
• Windows Pass-Through Authentication Methods Improper Validation
• GeniXCMS 0.0.1 Cross Site Request Forgery
• ElasticSearch Search Groovy Sandbox Bypass
• WordPress WPML - Multiple Vulnerabilities
• IPass Control Pipe Remote Command Execution
• [shellcode] - Shellcode - Linux/x86 - TCP Bind Shell (96 bytes)
• [shellcode] - Shellcode - Linux/x86 - Reverse TCP Shell (72 bytes)
• [shellcode] - Shellcode - linux/x86 - Obfuscated execve("/bin/sh") (40 bytes)
• [shellcode] - Shellcode - linux/x86 - Obfuscated - map google.com to 127.1.1.1 (98 bytes)
• [shellcode] - Shellcode - Linux/x86 - chmod 0777 /etc/shadow obfuscated (84 bytes)
• [dos] - Intel Network Adapter Diagnostic Driver - IOCTL Handling Vulnerability


Advisories

Ubuntu Security Notice USN-2532-1. o Mon, 16 Mar 2015 15:43:18 GMT

Ubuntu Security Notice 2532-1 - It was discovered that cups-browsed incorrectly filtered remote printer names and strings. A remote attacker could use this issue to possibly execute arbitrary commands.

Ubuntu Security Notice USN-2531-1. o Mon, 16 Mar 2015 15:43:10 GMT

Ubuntu Security Notice 2531-1 - Matthew Daley discovered that Requests incorrectly handled cookies without host values when being redirected. A remote attacker could possibly use this issue to perform session fixation or cookie stealing attacks.

Ubuntu Security Notice USN-2533-1. o Mon, 16 Mar 2015 15:42:59 GMT

Ubuntu Security Notice 2533-1 - Jakub Wilk and Stephane Chazelas discovered that Sudo incorrectly handled the TZ environment variable. An attacker with Sudo access could possibly use this issue to open arbitrary files, bypassing intended permissions.

Mandriva Linux Security Advisory 2015-061. o Mon, 16 Mar 2015 15:42:14 GMT

Mandriva Linux Security Advisory 2015-061 - Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service. Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. Various other issues have also been addressed.

Debian Security Advisory 3191-1. o Mon, 16 Mar 2015 15:42:06 GMT

Debian Linux Security Advisory 3191-1 - Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols.

Debian Security Advisory 3189-1. o Mon, 16 Mar 2015 15:41:40 GMT

Debian Linux Security Advisory 3189-1 - Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library.

Debian Security Advisory 3190-1. o Mon, 16 Mar 2015 15:41:33 GMT

Debian Linux Security Advisory 3190-1 - Patrick Coleman discovered that the Putty SSH client failed to wipe out unused sensitive memory.

Debian Security Advisory 3188-1. o Mon, 16 Mar 2015 15:41:26 GMT

Debian Linux Security Advisory 3188-1 - Mateusz Jurczyk discovered multiple vulnerabilities in Freetype. Opening malformed fonts may result in denial of service or the execution of arbitrary code.

Debian Security Advisory 3187-1. o Mon, 16 Mar 2015 15:41:18 GMT

Debian Linux Security Advisory 3187-1 - Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.


Mandriva Linux Security Advisory 2015-060. o Mon, 16 Mar 2015 15:40:59 GMT

Mandriva Linux Security Advisory 2015-060 - Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.

Mandriva Linux Security Advisory 2015-059. o Mon, 16 Mar 2015 15:40:11 GMT

Mandriva Linux Security Advisory 2015-059 - Multiple vulnerabilities have been found and corrected in the Mozilla NSS and NSPR packages. The updated packages provide a solution for these security issues.

Gentoo Linux Security Advisory 201503-07. o Mon, 16 Mar 2015 15:40:04 GMT

Gentoo Linux Security Advisory 201503-7 - An out-of-bounds error in hivex may result in execution of arbitrary code or Denial of Service. Versions less than 1.3.11 are affected.

Gentoo Linux Security Advisory 201503-06. o Mon, 16 Mar 2015 15:39:09 GMT

Gentoo Linux Security Advisory 201503-6 - Multiple vulnerabilities have been found in ICU, possibly resulting in Denial of Service. Versions less than 54.1-r1 are affected.

Debian Security Advisory 3186-1. o Fri, 13 Mar 2015 17:11:26 GMT

Debian Linux Security Advisory 3186-1 - It was discovered that the Mozilla Network Security Service library (nss) incorrectly handled certain ASN.1 lengths. A remote attacker could possibly use this issue to perform a data-smuggling attack.

HP Security Bulletin HPSBMU03262 1. o Fri, 13 Mar 2015 17:11:21 GMT

HP Security Bulletin HPSBMU03262 1 - A potential security vulnerability has been identified with the HP Version Control Agent running OpenSSL on Linux and Windows. This vulnerability is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. A second vulnerability could be exploited to cause a Denial of Service (DoS). Revision 1 of this advisory.


Zone-H Attack Statistics:

N°   Notifier                          Single def.  Mass def.  Total def.  Homepage def.  Subdir def.
1.   Barbaros-DZ                              3449        157        3606           1223         2383
2.   Ashiyane Digital Security Team           2857       4111        6968           1315         5653
3.   Hmei7                                    2850       1510        4360            775         3585
4.   LatinHackTeam                            1438       1266        2704           2254          450
5.   iskorpitx                                1324        955        2279            786         1493
6.   Fatal Error                              1112       1724        2836           2456          380
7.   HighTech                                  939       3694        4633           3711          922
8.   chinahacker                               889       1344        2233              4         2229
9.   MCA-CRB                                   854        626        1480            374         1106
10.  By_aGReSiF                                758       1428        2186            802         1384
