February 23, 2015

The IWC CIR is an OSINT resource focusing on advanced persistent threats and other digital dangers. APTs fit into a cybercrime category directed at both business and political targets. Attack vectors include system compromise, social engineering, and even traditional espionage.

Summary

Symantec ThreatCon Level 2 - Medium: Increased alertness

This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating.

There has been a rash of espionage and cyber-attack news leaks over the last few weeks.

• Kaspersky found malware in the firmware of hard drives around the world. The issue with this is that, at this point, no forensic tools can look at the system area or the code on the drive’s board. It takes special data recovery tools to get to that area, so this makes it extremely difficult to detect. Some say this malware has ties to Stuxnet and the NSA.

• The hacking group designated “Equation” has been infecting systems since at least 2001. The group’s attacks are some of the most sophisticated attacks seen so far. Some say there are ties to the NSA.

• Last year, over 1 billion customer records were stolen across industries.

• Hackers were reported to have stolen over 1 billion from US & European banks.

• Encryption in America could be at risk. The Department of Justice is using the 1789 'All Writs Act' to try to force vendors into placing back doors into products so law enforcement can access them.

Extra Tips and Videos

The first episode of CIR Special Report was released covering Anthem’s loss of 80 million customer medical records. This can come with possible HIPAA ramifications. The video focuses on responsibility while explaining some of the components of the HIPAA regulation dealing with securing sensitive data. You can view the video here: http://youtu.be/mc3oRBoR2jE.

InformationWarfareCenter.com 1 | Page

News: Information Warfare

News: HIPAA

Law professors: HIPAA 'not extraordinarily' protective of personal info ... - Legal News Line.

Preparing for Phase 2 HIPAA Audits: It's All About Documentation - The National Law Review.

Longview man guilty of HIPAA violations for personal gain - Tyler Morning Telegraph.

Anthem hack: Does HIPAA federal health privacy law have a gap? - NOLA.com.

Reminder: March 1, 2015 Deadline for Reporting HIPAA Breaches - The National Law Review.

Letter: Now that HIPAA has failed us, what are we to do? - Roanoke Times.

HIPAA Compliance Trends For 2015 - Mondaq News Alerts (registration).

News: SCADA

"Cyber Dome" for the SCADA Environment - IsraelDefense.

The Impact of Piracy on SCADA - Automation World.

Siemens sighs: SCADA bugs abound - The Register.

Banking Trojans Disguised As ICS/SCADA Software Infecting Plants - EE Times.

Hard-Coded FTP Credentials Found in Schneider Electric SCADA Gateway - Threatpost.

B-Scada's Fiscal Year-End 2014 Results Include Record-Setting Quarter - Equities.com.

Exploits

Hybris Commerce Software Suite 5.x File Disclosure / Traversal.

jQuery jui_filter_rules PHP Code Execution.

InstantASP InstantForum.NET 3.x / 4.x Cross Site Scripting.

Piwigo 2.7.3 SQL Injection.

WordPress Duplicator 0.5.8 Privilege Escalation.

DLGuard 4.5 SQL Injection.

DLGuard 4.5 / 4.6 Cross Site Scripting.

CrushFTP 7.2.0 Cross Site Request Forgery / Cross Site Scripting.

GLPI 0.85.2 Shell Upload / Privilege Escalation.

CMS Piwigo 2.7.3 Cross Site Scripting / SQL Injection.

Ilch CMS Cross Site Request Forgery.

DLGuard 4.5 Path Disclosure.

Agora Marketplace Cross Site Request Forgery.

X360 VideoPlayer ActiveX Control Buffer Overflow.

WordPress Image Metadata Cruncher CSRF / XSS.

D-Link DSL-2640B Unauthenticated Remote DNS Changer.

Ebay Magento Script Insertion.

ES File Explorer 3.2.4.1 Path Traversal.

Fat Free CRM 0.13.5 Cross Site Request Forgery.

AOL Search Reflected File Download.

WordPress Image Metadata Cruncher Cross Site Scripting.

Cosmoshop Cross Site Scripting.

Duplicator 0.5.8 Privilege Escalation.

Java JMX Server Insecure Configuration Java Code Execution.

GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities.

Guppy CMS 5.0.9 & 5.00.10 Authentication Bypass/Change Email.

eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities.

Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability.

Exponent CMS 2.3.1 - Multiple XSS Vulnerabilities.

IBM Endpoint Manager - Stored XSS Vulnerability.

CVE Advisories

CVE-2015-1579 2015-02-11
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. (CVSS:5.0) (Last Update:2015-02-12)

CVE-2015-1577 2015-02-11
Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. (dot dot) or (2) full pathname in the f parameter. (CVSS:6.4) (Last Update:2015-02-12)

CVE-2015-1575 2015-02-11
Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php. (CVSS:4.3) (Last Update:2015-02-12)

CVE-2015-1518 2015-02-11
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter. (CVSS:7.5) (Last Update:2015-02-12)

CVE-2015-1482 2015-02-04
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/. (CVSS:5.0) (Last Update:2015-02-05)

CVE-2015-1481 2015-02-04
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser account. (CVSS:6.5) (Last Update:2015-02-05)

CVE-2015-1480 2015-02-04
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. (CVSS:4.0) (Last Update:2015-02-04)

CVE-2015-1479 2015-02-04
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. (CVSS:6.5) (Last Update:2015-02-06)

CVE-2015-1478 2015-02-04
Cross-site scripting (XSS) vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to inject arbitrary web script or HTML via the view parameter to /classifieds. (CVSS:4.3) (Last Update:2015-02-04)

CVE-2015-1477 2015-02-04
SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a viewad task to classifieds/offerring-ads. (CVSS:7.5) (Last Update:2015-02-04)

CVE-2015-1476 2015-02-04
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php. (CVSS:7.5) (Last Update:2015-02-04)

CVE-2015-1428 2015-02-03
Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php. (CVSS:7.5) (Last Update:2015-02-04)

Resources

Links:
DC3 DISPATCH: [email protected]
FBI In the News: [email protected]
Zone-h: www.zone-h.org
Xssed: www.xssed.com
Packet Storm Security: www.packetstormsecurity.org
Sans Internet Storm Center: isc.sans.org
Exploit Database: www.exploit-db.com
Hack-DB: www.hack-db.com
Infragard: www.infragard.org
ISSA: www.issa.org
CyberForensics360: www.cyberforensics360.org
netSecurity: www.netsecurity.com
Tor Network

Cyber Secrets: www.informationwarfarecenter.com/Cyber-Secrets.html