BF-SIRT Newsletter 2014-17

Welcome to this week’s newsletter! Due to vacations, the SIRT newsletter will be put on hold until the middle of August when vacations ends.
Those of you who are using Struts in your environments should make sure you read how Apache warns of faulty zero-day patch for struts.

Top 5 Security links
Apache warns of faulty zero-day patch for struts
Romanian Man Arrested for Stealing Card Data, Attempting to Hack Presidency Site
Merchants, Buyers on Dark Web Get Their Own Search Engine
Mounties always get their man: Heartbleed ‘hacker’, 19, CUFFED
Japan airport staff dash to replace passcodes after security cock-up

Top 5 Business Intelligence links
Most But Not All Sites Have Fixed Heartbleed Flaw
Amplification, reflection DDoS attacks increase 35 percent in Q1 2014
Nine patterns make up 92 percent of security incidents
HD manufacturer Lacie admits yearlong data breach
POS Malware, RATs and Banking Trojans Used by Cybercrime Group

BF-SIRT Newsletter 2014-16

This week, news is arriving early! This is due to the easter holidays. As always during holidays, it’s important to keep some security awareness when it comes to devices you bring with you on your travels.
When it comes to the news, we can see that a lot of posts are still about Heartbleed, and another interesting post can be found about TrueCrypt and how Advanced attackers go undetected for 229 days

Top 5 Security links
German space centre endures cyber attack
Trio charged with hacking, stealing data from U.S. Army, Microsoft and more
Israeli Hackers Claim to Have Exposed Individuals Behind OpIsrael
Indictment charges ‘Jabber Zeus Crew’ with using malware to steal millions
So far, so good for TrueCrypt: Initial Audit phase turns up no backdoors

Top 5 Business Intelligence links
Advanced attackers go undetected for 229 days
First sites admit data loss through Heartbleed attacks
Tests Confirm Heartbleed Bug Can Expose Server’s Private Key
Akamai Admits its OpenSSL Patch Was Faulty, Reissues Keys
Heartbleed exploit, inoculation, both released

BF-SIRT Newsletter 2014-15

The biggest news of the week have without a doubt been about Heartbleed. We wrote a bit of information on how we handled it at Basefarm which you can read about Here
Microsoft and Adobe also had their monthly Patch Tuesday, and those running Cisco VPN equipment should take a look at This post.

Top 5 Security links
Anatomy of OpenSSL’s Heartbleed: Just four bytes trigger horror bug
Not just websites hit by OpenSSL’s Heartbleed – PCs, phones and more under threat
When two-factor authentication is not enough
How I Hacked Your Router
One of World’s Largest Websites Hacked: Turns Visitors into “DDoS Zombies”

Top 5 Business Intelligence links
Study reveals only 56 percent of employees get awareness training
6 Ways the Internet of Things Will Transform Enterprise Security
Security Pros Talk About Playing Defense Against Cybercrime
Emerging trends in cyber-attack methodology
Advanced Attacks Are The New Norm, Study Says

Basefarm Posts
Vulnerability in Cisco ASA
Critical OpenSSL Vulnerability (Heartbleed)
Patch Tuesday April 2014

Vulnerability in Cisco ASA

Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
Cisco ASA ASDM Privilege Escalation Vulnerability
Cisco ASA SSL VPN Privilege Escalation Vulnerability
Cisco ASA SSL VPN Authentication Bypass Vulnerability
Cisco ASA SIP Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.

Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.

It is recommended to upgrade as soon as possible in order to avoid breaches.

More information and upgrade information:

Critical OpenSSL vulnerability

A security vulnerability in OpenSSL was published on April 7. With this vulnerability, an attacker is able to remotely dump the memory contents of a process using OpenSSL.
This exposes both the content of SSL/TLS encrypted communications, and the associated private keys. This is a major issue as OpenSSL is a critical component of most encrypted Internet services.

Basefarm’s Security Incident Response Team, together with other Basefarm personnel, investigated which of the servers hosted by us were affected, and to what extent. Those services which were managed by Basefarm were then patched and affected customers were notified. This was completed Tuesday afternoon.

There is unfortunately no way of knowing for certain which information has been stolen during the attack window, so we recommend anyone being affected by this vulnerability to assume that your SSL/TLS private keys have been stolen, even if we have no concrete indication of this.
This means that you will need a new key pair and certificate for any exposed SSL/TLS keys and certificates. Basefarm will help you with this if we manage the keys for you. Your old certificates will also need to be revoked.

Any other information passed over a vulnerable SSL/TLS connection may also have been captured, including usernames, passwords, credit card numbers and other personally identifiable information.
We recommend that you initiate a password change for any account where the password has been passed over av vulnerable SSL/TLS connection over the last day or so.

Please note that if Personally Identifiable Information, credit card or cardholder data, or other sensitive data may have been compromised, you probably have an obligation to alert the proper authorities.
Unfortunately, there is no way of knowing exactly which data has been compromised.

Here are the mitigation steps in detail
1. Emergency fix the vulnerability itself by patching, reconfiguring, or both, on all exposed servers.
2. Generate a new key pair following best practice guidelines.
3. Purchase a new certificate using the new key pair. Without a new key pair, the old and possibly stolen key pair could be abused, e.g. to eavesdrop or to impersonate the service.
4. Switch to the new certificate on all relevant servers.
5. Revoke the old certificate. This is important, as otherwise a stolen private key could still be used to impersonate the web server until the old certificate expires.
6. Consider initiating a change of all passwords etc. that have been sent over SSL/TLS using the old key pair, at least those sent over the last day or so. If someone has an old “recording” of an encrypted conversation, and also gets hold of the old keys, they can now decrypt that conversation. There’s nothing to be done about that in itself, but any reusable credentials could be stolen this way and abused if they are not changed.

Step 6 really is up to you and/or your end users. High-profile and/or high-value sites would be well advised to at least recommend that their users change their passwords, and could use this as an opportunity to convey a strong message that they care about the security of their users.
We have previously written a note in our security tips section of this newsletter about passwords:

So what are the lessons learned?
Things can always be done faster and automated better and that’s something we’re always working towards, and in this case we should have focused a bit more on communication – actually been better at informing the customers that we were working with patching their services.

Patch Tuesday April 2014

Microsoft and Adobe have had their regular Patch tuesday for the month.


Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. The update for Microsoft Word addresses the issues described in Microsoft Security Advisory 2953095. For those who prioritize, we recommend this bulletin as well as the update for Internet Explorer be on the top of your list.

We would be remiss if we did not mention another end; the end of support for Windows XP and Office 2003. The updates provided by MS14-018 and MS14-019 will be the final security updates for Windows XP; MS14-017 and MS14-020 are the final update for Office 2003.


Adobe has released security updates for Adobe Flash Player and earlier versions for Windows and Macintosh and Adobe Flash Player and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions

More information:

BF-SIRT Newsletter 2014-14

As some of you noticed, last week’s newsletter was unfortunately delayed due to unforeseen issues, but we’re back again in strenght with some interesting stories! It turns out that China’s Unsupported XP Machines Hold the Potential to Become a Massive Botnet Army, which can be troubling considering 50% of all computers in China runs Windows XP. You may also be interested in Who Built the ID Theft Service and if Russians framed Ukrainian hacktivists for alleged leak of 7 million credit, debit cards.

Top 5 Security links
Who Built the ID Theft Service
China’s CERT blames US for a THIRD of all attacks on Middle Kingdom PCs
China’s Unsupported XP Machines Hold the Potential to Become a Massive Botnet Army
Did Russians frame Ukrainian hacktivists for alleged leak of 7 million credit, debit cards?
ATM Malware, Controlled By a Text Message, Spews Cash

Top 5 Business Intelligence links
Basecamp gets DDoSed and blackmailed
Analysis of three billion attacks reveals SQL injections cost $196,000
Your files held hostage by CryptoDefense? Don’t pay up! The decryption key is on your hard drive
OUCH! April 2014
Breaches, malware to cost $491 billion in 2014, study says