> Subject: 
>         ip: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites
>   Date: 
>         Thu, 8 Mar 2001 18:03:05 -0500
>   From: 
>         "R. A. Hettinga" <[EMAIL PROTECTED]>
>     To: 
>         Digital Bearer Settlement List <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> --- begin forwarded text
> Date: Thu, 08 Mar 2001 15:47:41 -0600
> From: The SANS Institute <[EMAIL PROTECTED]> (by way of
> Subject: ip: Large Criminal Hacker Attack on Windows NT E-Banking and
>   E-Commerce Sites
> Hash: SHA1
> Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce
> Sites
> 3:00 PM EST, Thursday, March 8, 2001
> In the largest criminal Internet attack to date, a group of Eastern
> European hackers has spent a year systematically exploiting known
> Windows NT vulnerabilities to steal customer data. More than a million
> credit cards have been taken and more than 40 sites have been
> victimized.
> The FBI and Secret Service are taking the unprecedented step of
> releasing detailed forensic information from ongoing investigations
> because of the importance of the attacks.
> The information was released to the SANS community a short time before
> it was made available to the general public so that you can be sure your
> systems are safe.
> Within a day or two, the Center for Internet Security will release a
> small tool that you can use to check your systems for the
> vulnerabilities and also to look for files the FBI has found present on
> many compromised systems - indicating your system may have already been
> compromised by the attacker group.
> The Center's tools are normally available only to members, but because
> of the importance of this problem, the Center agreed to make the new
> tool, built for the Center by Steve Gibson of Gibson Research) available
> to all who need it.  Center members have already received an invitation
> to the conference call this afternoon to get more data on the attack.
> If your organization is not a member, we encourage you to join in this
> important initiative to fight back against computer crime. See
> www.cisecurity.org for a list of members and how to join.
> Alan
> Alan Paller
> Director of Research
> The SANS Institute
> Here's the data available so far.
> Over the past several months, the National Infrastructure Protection
> Center (NIPC) has been coordinating investigations into a series of
> organized hacker activities specifically targeting U.S. computer systems
> associated with e-commerce or e- banking.  Despite previous advisories,
> many computer owners have not patched their systems, allowing these
> kinds of attacks to continue, and prompting this updated release of
> information.
> More than 40 victims located in 20 states have been identified and
> notified in ongoing investigations in 14 Federal Bureau of Investigation
> Field Offices and 7 United States Secret Service Field Offices.  These
> investigations have been closely coordinated with foreign law
> enforcement authorities, and the private sector.  Specially trained
> prosecutors in the Computer and Telecommunication Coordinator program
> in U.S. Attorneys' Offices in a variety of districts have participated
> in the investigation, with the assistance of attorneys in the Computer
> Crime and Intellectual Property Section at the Department of Justice.
> The investigations have disclosed several organized hacker groups from
> Eastern Europe, specifically Russia and the Ukraine, that have
> penetrated U.S. e-commerce computer systems by exploiting
> vulnerabilities in unpatched Microsoft Windows NT operating systems.
> These vulnerabilities were originally reported and addressed in
> Microsoft Security Bulletins MS98-004 (re-released in MS99-025),
> MS00-014, and MS00-008.  As early as 1998, Microsoft discovered these
> vulnerabilities and developed and publicized patches to fix them.
> Computer users can download these patches from Microsoft for free.
> Once the hackers gain access, they download proprietary information,
> customer databases, and credit card information. The hackers
> subsequently contact the victim company through facsimile, email, or
> telephone.  After notifying the company of the intrusion and theft of
> information, the hackers make a veiled extortion threat by offering
> Internet security services to patch the system against other hackers.
> They tell the victim that without their services, they cannot guarantee
> that other hackers will not access the network and post the credit card
> information and details about the compromise on the Internet.  If the
> victim company is not cooperative in making payments or hiring the group
> for their security services, the hackers' correspondence with the victim
> company has become more threatening.  Investigators also believe that
> in some instances the credit card information is being sold to organized
> crime groups.   There has been evidence that the stolen information is
> at risk whether or not the victim cooperates with the demands of the
> intruders.  To date, more than one million credit card numbers have been
> stolen.
> The NIPC has issued an updated Advisory 01-003 at www.nipc.gov regarding
> these vulnerabilities being exploited.  The update includes specific
> file names that may indicate whether a system has been compromised.  If
> these files are located on your computer system, the NIPC Watch in
> Washington D.C. should be contacted at (202) 323-3204/3205/3206.
> Incidents may also be reported online at www.nipc.gov/incident/cirr.htm.
> For detailed information on the vulnerabilities that are being
> exploited, please refer to the NIPC Advisory 00-60, and NIPC Advisory
> 01- 003.
> This advisory is an update to the NIPC Advisory 00-060, "E- Commerce
> Vulnerabilities", dated December 1, 2000.   Since the advisory was
> published, the FBI has continued to observe hacker activity targeting
> victims associated with e-commerce or e- finance/banking businesses.
> In  many cases, the hacker activity had been ongoing for several months
> before the victim became aware of the intrusion.   The NIPC emphasizes
> the recommendation that all computer network systems administrators
> check relevant systems and consider applying the updated patches as
> necessary, especially for systems related to e-commerce or e-
> banking/financial businesses.  The patches are available on Microsoft=s
> web site, and users should refer to the URLs listed below.
> The following vulnerabilities have been previously reported:
> Unauthorized Access to IIS Servers through Open Database
> Connectivity (ODBC) Data Access with Remote Data Service (RDS):
> Systems Affected:  Windows NT running IIS with RDS enabled.
> Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
> 99-22
> http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
> http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
> http://www.nipc.gov/cybernotes/cybernotes.htm
> Summary:  Allows unauthorized users to execute shell commands on the
> IIS system as a privileged use; Allows unauthorized access to secured,
> non-published files on the IIS system; On a multi-homed
> Internet-connected IIS systems, using Microsoft Data Access Components
> (MDAC), allows unauthorized users to tunnel Structured Query Language
> (SQL) and other ODBC data requests through the public connection to a
> private back-end network.
> SQL Query Abuse Vulnerability
> Affected Software Versions:  Microsoft SQL Server Version 7.0 and
> Microsoft Data Engine (MSDE) 1.0
> Details:  Microsoft Security Bulletin MS00-14, NIPC CyberNotes
> 20-05
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
> Summary:  The vulnerability could allow the remote author of a malicious
> SQL query to take unauthorized actions on a SQL Server or MSDE database.
> Registry Permissions Vulnerability
> Systems Affected:  Windows NT 4.0 Workstation, Windows NT 4.0
> Server
> Details:  Microsoft Security Bulletin MS00-008, NIPC CyberNotes
> 20-08 and 20-22
> http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
> Summary: Users can modify certain registry keys such that:
>         a malicious user could specify code to launch at
> system crash
>         a malicious user could specify code to launch at
> next login
>         an unprivileged user could disable security measures
> Web Server File Request Parsing
> While they have not been shown to be a vector for the current attacks,
> Microsoft has advised us that the vulnerabilities addressed by Microsoft
> bulletin MS00-086 are very serious, and we encourage web site operators
> to consider applying the patch provided with this bulletin as well as
> the three that are under active exploitation.
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
> Summary:  The vulnerability could allow a malicious user to run
> system commands on a web server.
> New Information:  In addition to the above exploits, several filenames
> have been identified in connection with the intrusions, specific to
> Microsoft Windows NT systems.  The presence of any of these files on
> your system should be reviewed carefully because they may indicate that
> your system has been compromised:
> ntalert.exe
> sysloged.exe
> tapi.exe
> 20.exe
> 21.exe
> 25.exe
> 80.exe
> 139.exe
> 1433.exe
> 1520.exe
> 26405.exe
> i.exe
> In addition, system administrators may want to check for the
> unauthorized presence of any of the following executable files, which
> are often used as hacking tools:
> lomscan.exe
> mslom.exe
> lsaprivs.exe
> pwdump.exe
> serv.exe
> smmsniff.exe
> Recipients of this Advisory are encouraged to report computer crime to
> the NIPC Watch at (202) 323-3204/3205/3206.  Incidents may also be
> reported online at  www.nipc.gov/incident/cirr.htm.
> Version: GnuPG v1.0.4 (BSD/OS)
> Comment: For info see http://www.gnupg.org
> iD8DBQE6p+mz+LUG5KFpTkYRApVrAKCd6rT++htahvzbxsIkbqMVa74fuACcDKaQ
> wsjk3kVpcNQP2fPrMR9IQSw=
> =WIaD
> --- end forwarded text
> -- 
> -----------------
> R. A. Hettinga <mailto: [EMAIL PROTECTED]>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


Use gold as money. It's easy. Create a free e-gold account here:

ConstructionGigs.com's PGP public key is here:
3C4D A63F 3C8B 2D7B 7E1A FFE8 9A2E 4D78 CAD6 66B7

You are currently subscribed to e-gold-list as: archive@jab.org
To unsubscribe send a blank email to [EMAIL PROTECTED]

Reply via email to