FBI Press Release
Over the past several months, the National Infrastructure
Protection Center (NIPC) has been coordinating investigations
into a series of organized hacker activities specifically
targeting U.S. computer systems associated with e-commerce or e-
banking. Despite previous advisories, many computer owners have
not patched their systems, allowing these kinds of attacks to
continue, and prompting this updated release of information.
More than 40 victims located in 20 states have been identified
and notified in ongoing investigations in 14 Federal Bureau of
Investigation Field Offices and 7 United States Secret Service
Field Offices. These investigations have been closely
coordinated with foreign law enforcement authorities, and the
private sector. Specially trained prosecutors in the Computer
and Telecommunication Coordinator program in U.S. Attorneys'
Offices in a variety of districts have participated in the
investigation, with the assistance of attorneys in the Computer
Crime and Intellectual Property Section at the Department of
Justice.
The investigations have disclosed several organized hacker groups
from Eastern Europe, specifically Russia and the Ukraine, that
have penetrated U.S. e-commerce computer systems by exploiting
vulnerabilities in unpatched Microsoft Windows NT operating
systems. These vulnerabilities were originally reported and
addressed in Microsoft Security Bulletins MS98-004 (re-released
in MS99-025), MS00-014, and MS00-008. As early as 1998,
Microsoft discovered these vulnerabilities and developed and
publicized patches to fix them. Computer users can download
these patches from Microsoft for free.
Once the hackers gain access, they download proprietary
information, customer databases, and credit card information. The
hackers subsequently contact the victim company through
facsimile, email, or telephone. After notifying the company of
the intrusion and theft of information, the hackers make a veiled
extortion threat by offering Internet security services to patch
the system against other hackers. They tell the victim that
without their services, they cannot guarantee that other hackers
will not access the network and post the credit card information
and details about the compromise on the Internet. If the victim
company is not cooperative in making payments or hiring the group
for their security services, the hackers' correspondence with the
victim company has become more threatening. Investigators also
believe that in some instances the credit card information is
being sold to organized crime groups. There has been evidence
that the stolen information is at risk whether or not the victim
cooperates with the demands of the intruders. To date, more than
one million credit card numbers have been stolen.
The NIPC has issued an updated Advisory 01-003 at www.nipc.gov
regarding these vulnerabilities being exploited. The update
includes specific file names that may indicate whether a system
has been compromised. If these files are located on your
computer system, the NIPC Watch in Washington D.C. should be
contacted at (202) 323-3204/3205/3206. Incidents may also be
reported online at www.nipc.gov/incident/cirr.htm. For detailed
information on the vulnerabilities that are being exploited,
please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-
003.
NIPC ADVISORY 01-003
This advisory is an update to the NIPC Advisory 00-060, "E-
Commerce Vulnerabilities", dated December 1, 2000. Since the
advisory was published, the FBI has continued to observe hacker
activity targeting victims associated with e-commerce or e-
finance/banking businesses. In many cases, the hacker activity
had been ongoing for several months before the victim became
aware of the intrusion. The NIPC emphasizes the recommendation
that all computer network systems administrators check relevant
systems and consider applying the updated patches as necessary,
especially for systems related to e-commerce or e-
banking/financial businesses. The patches are available on
Microsoft's web site, and users should refer to the URLs listed
below.
The following vulnerabilities have been previously reported:
Unauthorized Access to IIS Servers through Open Database
Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected: Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
99-22
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: Allows unauthorized users to execute shell commands on
the IIS system as a privileged user; allows unauthorized access to
secured, non-published files on the IIS system; on multi-homed,
Internet-connected IIS systems using Microsoft Data Access
Components (MDAC), allows unauthorized users to tunnel Structured
Query Language (SQL) and other ODBC data requests through the
public connection to a private back-end network.
SQL Query Abuse Vulnerability
Affected Software Versions: Microsoft SQL Server Version 7.0 and
Microsoft Data Engine (MSDE) 1.0
Details: Microsoft Security Bulletin MS00-014, NIPC CyberNotes
20-05
http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: The vulnerability could allow the remote author of a
malicious SQL query to take unauthorized actions on a SQL Server
or MSDE database.
Registry Permissions Vulnerability
Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0
Server
Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes
20-08 and 20-22
http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: Users can modify certain registry keys such that:
- a malicious user could specify code to launch at system crash
- a malicious user could specify code to launch at next login
- an unprivileged user could disable security measures
Web Server File Request Parsing
While they have not been shown to be a vector for the current
attacks, Microsoft has advised us that the vulnerabilities
addressed by Microsoft bulletin MS00-086 are very serious, and we
encourage web site operators to consider applying the patch
provided with this bulletin as well as the three that are under
active exploitation.
http://www.microsoft.com/technet/security/bulletin/ms00-086.asp
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: The vulnerability could allow a malicious user to run
system commands on a web server.
New Information: In addition to the above exploits, several
filenames have been identified in connection with the intrusions,
specific to Microsoft Windows NT systems. The presence of any of
these files on your system should be reviewed carefully because
they may indicate that your system has been compromised:
ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe
In addition, system administrators may want to check for the
unauthorized presence of any of the following executable files,
which are often used as hacking tools:
lomscan.exe
mslom.exe
lsaprivs.exe
pwdump.exe
serv.exe
smmsniff.exe
Recipients of this Advisory are encouraged to report computer
crime to the NIPC Watch at (202) 323-3204/3205/3206. Incidents
may also be reported online at www.nipc.gov/incident/cirr.htm.