> Subject: ip: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites
> Date: Thu, 8 Mar 2001 18:03:05 -0500
> From: "R. A. Hettinga" <[EMAIL PROTECTED]>
> To: Digital Bearer Settlement List <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>
> --- begin forwarded text
>
> Date: Thu, 08 Mar 2001 15:47:41 -0600
> To: [EMAIL PROTECTED]
> From: The SANS Institute <[EMAIL PROTECTED]> (by way of [EMAIL PROTECTED])
> Subject: ip: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites
> Cc: [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites
>
> 3:00 PM EST, Thursday, March 8, 2001
>
> In the largest criminal Internet attack to date, a group of Eastern European hackers has spent a year systematically exploiting known Windows NT vulnerabilities to steal customer data. More than a million credit cards have been taken and more than 40 sites have been victimized.
>
> The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations because of the importance of the attacks.
>
> The information was released to the SANS community a short time before it was made available to the general public so that you can be sure your systems are safe.
>
> Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems - indicating your system may have already been compromised by the attacker group.
>
> The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool (built for the Center by Steve Gibson of Gibson Research) available to all who need it.
> Center members have already received an invitation to the conference call this afternoon to get more data on the attack. If your organization is not a member, we encourage you to join in this important initiative to fight back against computer crime. See www.cisecurity.org for a list of members and how to join.
>
>
> Alan
> Alan Paller
> Director of Research
> The SANS Institute
>
>
> Here's the data available so far.
>
> Over the past several months, the National Infrastructure Protection Center (NIPC) has been coordinating investigations into a series of organized hacker activities specifically targeting U.S. computer systems associated with e-commerce or e-banking. Despite previous advisories, many computer owners have not patched their systems, allowing these kinds of attacks to continue, and prompting this updated release of information.
>
> More than 40 victims located in 20 states have been identified and notified in ongoing investigations in 14 Federal Bureau of Investigation Field Offices and 7 United States Secret Service Field Offices. These investigations have been closely coordinated with foreign law enforcement authorities, and the private sector. Specially trained prosecutors in the Computer and Telecommunication Coordinator program in U.S. Attorneys' Offices in a variety of districts have participated in the investigation, with the assistance of attorneys in the Computer Crime and Intellectual Property Section at the Department of Justice.
>
> The investigations have disclosed several organized hacker groups from Eastern Europe, specifically Russia and the Ukraine, that have penetrated U.S. e-commerce computer systems by exploiting vulnerabilities in unpatched Microsoft Windows NT operating systems. These vulnerabilities were originally reported and addressed in Microsoft Security Bulletins MS98-004 (re-released in MS99-025), MS00-014, and MS00-008.
> As early as 1998, Microsoft discovered these vulnerabilities and developed and publicized patches to fix them. Computer users can download these patches from Microsoft for free.
>
> Once the hackers gain access, they download proprietary information, customer databases, and credit card information. The hackers subsequently contact the victim company through facsimile, email, or telephone. After notifying the company of the intrusion and theft of information, the hackers make a veiled extortion threat by offering Internet security services to patch the system against other hackers. They tell the victim that without their services, they cannot guarantee that other hackers will not access the network and post the credit card information and details about the compromise on the Internet. If the victim company is not cooperative in making payments or hiring the group for their security services, the hackers' correspondence with the victim company has become more threatening. Investigators also believe that in some instances the credit card information is being sold to organized crime groups. There has been evidence that the stolen information is at risk whether or not the victim cooperates with the demands of the intruders. To date, more than one million credit card numbers have been stolen.
>
> The NIPC has issued an updated Advisory 01-003 at www.nipc.gov regarding these vulnerabilities being exploited. The update includes specific file names that may indicate whether a system has been compromised. If these files are located on your computer system, the NIPC Watch in Washington D.C. should be contacted at (202) 323-3204/3205/3206. Incidents may also be reported online at www.nipc.gov/incident/cirr.htm. For detailed information on the vulnerabilities that are being exploited, please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-003.
>
>
> NIPC ADVISORY 01-003
>
> This advisory is an update to the NIPC Advisory 00-060, "E-Commerce Vulnerabilities", dated December 1, 2000. Since the advisory was published, the FBI has continued to observe hacker activity targeting victims associated with e-commerce or e-finance/banking businesses. In many cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion. The NIPC emphasizes the recommendation that all computer network systems administrators check relevant systems and consider applying the updated patches as necessary, especially for systems related to e-commerce or e-banking/financial businesses. The patches are available on Microsoft's web site, and users should refer to the URLs listed below.
>
> The following vulnerabilities have been previously reported:
>
> Unauthorized Access to IIS Servers through Open Database Connectivity (ODBC) Data Access with Remote Data Service (RDS):
> Systems Affected: Windows NT running IIS with RDS enabled.
> Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 99-22
>
> http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
> http://www.nipc.gov/warnings/advisories/1999/99-027.htm
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: Allows unauthorized users to execute shell commands on the IIS system as a privileged user; allows unauthorized access to secured, non-published files on the IIS system; on multi-homed Internet-connected IIS systems using Microsoft Data Access Components (MDAC), allows unauthorized users to tunnel Structured Query Language (SQL) and other ODBC data requests through the public connection to a private back-end network.
>
> SQL Query Abuse Vulnerability
> Affected Software Versions: Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0
> Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes 20-05
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: The vulnerability could allow the remote author of a malicious SQL query to take unauthorized actions on a SQL Server or MSDE database.
>
> Registry Permissions Vulnerability
> Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0 Server
> Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes 20-08 and 20-22
>
> http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: Users can modify certain registry keys such that:
>   a malicious user could specify code to launch at system crash
>   a malicious user could specify code to launch at next login
>   an unprivileged user could disable security measures
>
> Web Server File Request Parsing
>
> While they have not been shown to be a vector for the current attacks, Microsoft has advised us that the vulnerabilities addressed by Microsoft bulletin MS00-086 are very serious, and we encourage web site operators to consider applying the patch provided with this bulletin as well as the three that are under active exploitation.
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: The vulnerability could allow a malicious user to run system commands on a web server.
>
> New Information: In addition to the above exploits, several filenames have been identified in connection with the intrusions, specific to Microsoft Windows NT systems.
> The presence of any of these files on your system should be reviewed carefully because they may indicate that your system has been compromised:
>
>   ntalert.exe
>   sysloged.exe
>   tapi.exe
>   20.exe
>   21.exe
>   25.exe
>   80.exe
>   139.exe
>   1433.exe
>   1520.exe
>   26405.exe
>   i.exe
>
> In addition, system administrators may want to check for the unauthorized presence of any of the following executable files, which are often used as hacking tools:
>
>   lomscan.exe
>   mslom.exe
>   lsaprivs.exe
>   pwdump.exe
>   serv.exe
>   smmsniff.exe
>
> Recipients of this Advisory are encouraged to report computer crime to the NIPC Watch at (202) 323-3204/3205/3206. Incidents may also be reported online at www.nipc.gov/incident/cirr.htm.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (BSD/OS)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6p+mz+LUG5KFpTkYRApVrAKCd6rT++htahvzbxsIkbqMVa74fuACcDKaQ
> wsjk3kVpcNQP2fPrMR9IQSw=
> =WIaD
> -----END PGP SIGNATURE-----
>
> --- end forwarded text
>
>
> --
> -----------------
> R. A. Hettinga <mailto: [EMAIL PROTECTED]>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
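A defender's file-name sweep built from the two indicator lists in the advisory above, added here as an example and not part of the forwarded message or of any SANS, CIS or NIPC tool. It walks a directory tree case-insensitively (NT filesystems ignore case) and keeps hits on the compromise-indicator names separate from hits on the hacking-tool names; the directory layout it scans is constructed in a temporary folder purely for demonstration.

```python
import os
import tempfile
from pathlib import Path

# File names quoted from NIPC Advisory 01-003 above, grouped as the advisory groups them.
COMPROMISE_INDICATORS = {
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe", "25.exe",
    "80.exe", "139.exe", "1433.exe", "1520.exe", "26405.exe", "i.exe",
}
HACKING_TOOLS = {
    "lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe",
    "serv.exe", "smmsniff.exe",
}

def sweep(root):
    """Walk `root`; return {'compromise': [paths], 'tool': [paths]}, each sorted.

    Names are compared lower-cased because NT filesystems are case-insensitive:
    NTALERT.EXE is the same indicator as ntalert.exe.
    """
    hits = {"compromise": [], "tool": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            path = os.path.join(dirpath, name)
            if lowered in COMPROMISE_INDICATORS:
                hits["compromise"].append(path)
            elif lowered in HACKING_TOOLS:
                hits["tool"].append(path)
    for key in hits:
        hits[key].sort()
    return hits

def build_sample_tree():
    """Constructed sample layout (not real data): a temp dir mimicking an NT web host."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    for rel in ("winnt/system32/NTALERT.EXE", "inetpub/wwwroot/1433.exe",
                "temp/pwdump.exe", "inetpub/wwwroot/default.asp"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")          # empty placeholder; only the name matters here
    return root

if __name__ == "__main__":
    for kind, paths in sweep(build_sample_tree()).items():
        for path in paths:
            print(f"{kind}: {path}")
```

A name match alone is a weak indicator (i.exe or tapi.exe could be anything), so treat hits as leads to confirm from file hashes, timestamps and ownership rather than as proof of compromise.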