Showing posts with label SECGeemodo. Show all posts

Wednesday, December 03, 2014

G-Data Reins In Regin: Top-tier Espionage Tool.

Regin is a full cyber espionage platform capable of complete remote control and monitoring on all possible levels. Attribution is difficult in cases like this; however, considering the complexity of the development, G-Data suspects that this operation is supported by a nation-state, though not one originating from Russia or China.

Kaspersky Lab has done some research on Regin as well:

Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
G-Data has created a tool to detect the trojan:
We identified the use of an encrypted virtual file system. In the version mentioned above, the file system is a fake .evt file in %System%\config. The header of the virtual file system is always the same:
#include <stdint.h>

/* Header found at the start of the encrypted virtual file system
   (the fake .evt file under %System%\config). */
typedef struct _HEADER {
  uint16_t SectorSize;      /* size of one sector */
  uint16_t MaxSectorCount;  /* maximum number of sectors in the file system */
  uint16_t MaxFileCount;    /* maximum number of file entries */
  uint8_t  FileTagLength;   /* length of a file tag */
  uint16_t crc32custom;     /* custom CRC32; its value at the start of the
                               file is the marker a scanner can look for */
} HEADER, *PHEADER;
/* Note: a compiler pads after FileTagLength by default, so code that reads
   this layout straight from disk must use a packed struct or parse by hand. */
During our analysis, the checksum was a CRC32. A generic approach to detect the infection could be a detection of the existence of a virtual file system on the infected system by checking the custom CRC32 value at the beginning of the file system.
Get the tool from G-Data
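A small header scanner written for this post as an illustration of the detection idea above; it is not G-Data's tool. It reads the typedef's fields as a packed little-endian record (an assumption) and, because the post does not publish the custom CRC32, substitutes a standard CRC-32 over the seven preceding bytes, truncated to the 16-bit slot, as a clearly labelled stand-in; the sample header is constructed.

```python
import struct
import zlib

# Layout of the header from the typedef above, read as a packed little-endian
# record (assumption: no alignment padding after FileTagLength). The stored
# checksum is a 16-bit field, exactly as the typedef declares it.
HEADER_FMT = "<HHHBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 9 bytes

def parse_header(data: bytes) -> dict:
    """Unpack the five header fields from the first bytes of a candidate file."""
    if len(data) < HEADER_LEN:
        raise ValueError("not enough bytes for a header")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    names = ("SectorSize", "MaxSectorCount", "MaxFileCount",
             "FileTagLength", "crc32custom")
    return dict(zip(names, fields))

def header_checksum(data: bytes) -> int:
    """Stand-in for G-Data's custom CRC32, which the post does not specify:
    standard CRC-32 over the seven bytes before the checksum field, truncated
    to 16 bits so it fits the uint16_t slot. Assumption for illustration only;
    a real scanner would plug the custom CRC in here."""
    return zlib.crc32(data[:HEADER_LEN - 2]) & 0xFFFF

def looks_like_vfs_header(data: bytes) -> bool:
    """Flag a file whose leading bytes carry a self-consistent header."""
    h = parse_header(data)
    # A usable file system needs non-zero geometry; this rejects zeroed files.
    plausible = (h["SectorSize"] > 0 and h["MaxSectorCount"] > 0
                 and h["MaxFileCount"] > 0)
    return plausible and h["crc32custom"] == header_checksum(data)

def scan_file(path: str) -> bool:
    """Read only the header bytes of a file (e.g. an .evt under %System%\\config)."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    return len(head) == HEADER_LEN and looks_like_vfs_header(head)

def build_sample(sector_size=512, max_sectors=1024, max_files=64, tag_len=4) -> bytes:
    """Constructed sample header whose checksum field matches the stand-in CRC."""
    body = struct.pack("<HHHB", sector_size, max_sectors, max_files, tag_len)
    return body + struct.pack("<H", zlib.crc32(body) & 0xFFFF)

if __name__ == "__main__":
    sample = build_sample()
    print(parse_header(sample), looks_like_vfs_header(sample))
```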

Tuesday, December 02, 2014

FBI Warns Businesses Of 'Destructive' Malware Attacks In The Wake Of Sony Hack.

According to Reuters, the FBI has warned businesses in the USA, via a confidential report about new malicious software that can be used to launch "destructive" cyber attacks, that U.S. businesses should remain vigilant. Last week Sony Pictures was hacked, and investigators are still at work.
The five-page report does not directly name the Sony incident, but it does describe the malware used in the attack. It advises businesses on how to react to the malware and asks them to report any suspected malware to the FBI.
The malware overwrites all data on the hard drives of computers, including the master boot record, which prevents them from booting up. The hard drives will need to be replaced or re-imaged after such attacks, which is very time-consuming.
Reuters

Tuesday, November 11, 2014

New Critical Internet Explorer (IE) Vulnerabilities Discovered In IE versions 8, 9, 10 and 11 By Palo Alto Networks.

A Palo Alto Networks researcher has discovered three new critical Internet Explorer (IE) vulnerabilities in IE versions 8, 9, 10 and 11. They include two IE memory corruption vulnerabilities and an IE ASLR bypass vulnerability. All three are part of the November 2014 security bulletin and are documented in Microsoft Security Bulletin MS14-065.
Palo Alto Networks continuously and proactively identifies such vulnerabilities (like the recently discovered WireLurker), which it uses to develop protections for its customers and, by sharing them with Microsoft, Apple and other developers or product owners for patching, for the rest of us as well.
Palo Alto Networks.

Monday, November 10, 2014

USPS, United States Postal Service, Hacked, Possibly By Chinese.

Hackers originating from China are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees. The FBI is currently investigating the intrusion. The intrusion was initially discovered in mid-September and, according to officials, the networks are now secure.
The compromised data included names, dates of birth, Social Security numbers, addresses, dates of employment and other information, officials said. Every employee from the letter carrier to the postmaster general was exposed.
“It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity, the United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data.” Postmaster General Patrick Donahoe said in a statement.
Washington Post
USPS Press Release

Friday, November 07, 2014

WireLurker Infects Apple OS X And iOS: Check If Yours Is.

Palo Alto Networks, a security research group, discovered WireLurker, malware that can find its way onto even non-rooted iPhones and iPads via Mac OS X. There is a tool to detect whether your Mac is infected; follow the link.
WireLurker, Apple OS X And iOS Malware Detected.

Wednesday, November 05, 2014

Revamped BlackEnergy Covers All: Windows, Linux And Cisco Routers!

They will also be able to say "This system will self-destruct" to the tune of Mission Impossible. Researchers from Kaspersky Labs have discovered new capabilities in the BlackEnergy crimeware tool that go beyond what was previously believed. The new variants of BE are able to run on network devices and can launch DDoS attacks, steal passwords, scan ports, log source IPs, covertly take screenshots, gain persistent access to command and control channels and destroy hard drives, just to name a few.
The article written by the researchers is pretty scary, as it reveals the capabilities of BE2 and BE3. Hiding their tracks with the 'dstr' command:
"By all appearances, the attackers pushed the 'dstr' module when they understood that they were revealed, and wanted to hide their presence on the machines. Some machines already launched the plugin, lost their data and became unbootable."

  • "BlackEnergy2 and BlackEnergy3 are known tools. Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. There are no indications of how many groups possess this tool. BlackEnergy2 was eventually seen downloading more crimeware plugins - a custom spam plugin and a banking information stealer custom plugin. Over time, BlackEnergy2 was assumed into the toolset of the BE2/Sandworm actor. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called "Sandworm Team" also."

Whether or not you are security conscious, this paper is a must read.

Kaspersky Labs via ARS

Tuesday, November 04, 2014

nogotofail, A Tool From Google To Test And Secure SSL.

Google's Android Security Team has built, and has for some time been using, a tool called nogotofail to verify that the devices and applications they and we use are safe against known TLS/SSL vulnerabilities and misconfigurations. nogotofail works with most operating systems in use today: Android, iOS, Linux, Windows, Chrome OS and OS X, basically any device you use to connect to the Internet. It also comes with an easy-to-use client for configuring settings and receiving notifications on Android and Linux, and an attack engine that can be deployed as a router, VPN server or proxy.
To make TLS/SSL more secure and usable, Google has released the tool as an open source project. Open source brings the best of the industry together and makes projects like this even more versatile. Thanks to Google and the Android Security Team, anyone can now test their applications, contribute new features, add support for more platforms and help improve the security of the Internet. Getting-started instructions are here.
Google Online Security Blog: Introducing nogotofail—a network traffic security testing tool

Monday, November 03, 2014

Drupal SQL Injection Vulnerability : Drupal Core - Highly Critical

SA-CORE-2014-005 - Drupal core
PSA-2014-003

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors.
If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.
Take a look at our help documentation, “Your Drupal site got hacked, now what”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.
Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.
The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:
  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.
For more information, please see our FAQ on SA-CORE-2014-005.