Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending October 31, 2014. Covers enterprise, controversies, reports and more.
This week, WalMart's answer to Apple Pay and Google wallet got spanked with a breach in development, the White House played down that its EOP network was infiltrated, FireEye dissected APT28, Popular Science served malicious code to readers, and the Shellshock attacks stacked up.
Apple Pay rival CurrentC, the WalMart, Sears, 7-Eleven and Best Buy-backed mobile payment system, became a laughing stock in security communities worldwide when it was hacked this week. The breach exposed an unknown number of email addresses (and zip codes) of anyone who even expressed interest in participating in the pilot. After touting its strong security practices, now everyone knows who's a player in the Merchant Customer Exchange (MCX) — developers of the CurrentC system. MCX CEO Dekkers Davidson defiantly stumbled through a press session about the breach, insisting that it was totally not a breach, perhaps thinking he could redefine the very meaning of a breach by doing so. To the reassurance of absolutely no one, Davidson inadvertently let slip that "other information was stolen" and repeated, "This is not a breach. It was only email addresses." The admission of being pwned in its initial testing phase comes before the service's official launch, which is expected sometime next year.
The White House told the NYT this week that its EOP network was hacked two or three weeks ago, and played down the breach to press by emphasizing that it was on an unclassified network only — where the hackers conducted "fairly standard espionage." So basically, the intruders accessed the network that handles everything else that happens on unclassified computers in the Executive Office of the President, which indicates that this breach is very likely much more serious than is being reported. Mitigation included staffers having to change their passwords and intranet or VPN access being temporarily shut off. The Washington Post reported that Russian hackers may be to blame.
This report focuses on a threat group that we have designated as APT28. While APT28’s malware is fairly well known in the cybersecurity community, our report details additional information exposing ongoing, focused operations that we believe indicate a government sponsor based in Moscow.
In contrast with the China-based threat actors that FireEye tracks, APT28 does not appear to conduct widespread intellectual property theft for economic gain. Instead, APT28 focuses on collecting intelligence that would be most useful to a government.
Specifically, FireEye found that since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government.
Popular Science has been serving malicious code from its website: Websense posted earlier this week that PopSci's official website has been compromised to redirect visitors to malware injection sites. Websense's Security Labs contacted the team at Popular Science with notification of the compromise.
The Shellshock attacks are stacking up. Organizations are unable to keep up with Shellshock patching processes, and incident response practices are lagging: Security researchers released two new Shellshock-related attack warnings Thursday as they witness attackers take advantage of the Bash bug in UNIX and Linux systems.