New Details Surface on Equifax Breach
12.2.2018 securityweek Incindent
Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.
In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain unauthorized access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.
Confidential documents sent by Equifax to the Senate Banking Committee, copies of which were seen by CNN and The Wall Street Journal, show that hackers may have also stolen tax identification numbers, email addresses, and driver’s license information other than just license numbers.
In response to news reports, Equifax said its initial disclosure was never intended to include all the types of information that may have been compromised.
U.S. Senator Elizabeth Warren has called on Equifax to provide clarifications on what she has described as “conflicting, confusing and incomplete information” provided by the company to the public and Congress.
According to Sen. Warren, Equifax told the Banking Committee in early October that passport numbers had also been included in the database tables possibly accessed by the attackers, but now the credit reporting agency claims passports were not compromised.
“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Sen. Warren wroten in a letter to Equifax.
The senator has given Equifax one week to provide a full and complete list of data elements confirmed or believed to have been compromised in the breach, along with a timeline of its efforts to determine the full extent of the intrusion.
Sen. Warren last week published a 15-page report containing the findings of her own four-month investigation into Equifax’s failures. The lawmaker’s investigation found that the company had set up a flawed system to prevent data security incidents, it ignored numerous warning of risks to customer data, it failed to disclose the breach to stakeholders in a timely manner, and provided inadequate assistance and information to consumers. The report also said Equifax had taken advantage of federal contracting loopholes to force the IRS into signing a contract.
Earlier this year, senators Warren and Mark Warner introduced a bill that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry for poor cybersecurity practices. The bill came in response to the Equifax breach.
Reuters reported earlier this month that Mick Mulvaney, the head of the Consumer Financial Protection Bureau (CFPB), had halted the probe into the Equifax breach. Following the news, 32 senators sent a letter CFPB asking for additional information on its investigation.
49% of crypto mining scripts are deployed on pornographic related websites
12.2.2018 securityaffairs CoinMine
The number of crypto mining scripts discovered by security experts continues to increase, especially those ones illegally deployed by hacking servers online.
The experts from Qihoo 360’s Netlab analyzed crypto mining scripts online by analyzing DNS traffic with its DNSMon system. The experts were able to determine which sites load the scripts from domains associated with in-browser mining services.
According to the researchers, 49% of crypto mining scripts are deployed on pornographic related websites.
The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).
“0.2% of websites have web mining code embedded in the homepage : 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites” reads the analysis published by NetLab.
“Pornographic related websites are the main body , accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories”
The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).
The fact that cryptocurrency mining scripts are most deployed on porn websites is not a surprise because they have a large number of visitors that used to spend a lot of time watching their content.
Mining activities online are rapidly increasing, the following graph shows the mining site DNS traffic trends:
Below the categories of new actors most involved in mining activities:
Advertisers : The mining activity of some websites is introduced by the advertisers’ external chains
Shell link : Some websites will use a “shell link” to obscure the mining site link in the source code
Short domain name service provider : goobo . COM .br Brazil is a short domain name service provider, the website home page, including a short domain name through the service generated when access to the link will be loaded coinhive mining
Supply chain contamination : the WWW . Midijs . NET is a JS-based MIDI file player, website source code used in mining to coinhive
Self-built pool : Some people in github open source code , can be used to build from the pool
Web users informed mining : authedmine . COM is emerging of a mining site, the site claims that only a clear case of known and authorized users, began mining
Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack
12.2.2018 securityaffairs CoinMine
Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.
A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.
The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.
Once discovered the hack some sites web down, the ICO also took its website down.
The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.
In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.
The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.
The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.
“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.” said Helme.
“Someone just messaged me to say their local government website in Australia is using the software as well.”
Scott Helme
✔
@Scott_Helme
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... 😮
2:46 PM - Feb 11, 2018
739
789 people are talking about this
Twitter Ads info and privacy
The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.
Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”
Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”
Texthelp for Edu
@texthelp
Our Data security investigation underway at Texthelp, statement on our website: http://okt.to/EtJobI
Browsealoud was automatically removed from all our customers' websites in response. No action needed by our customers.
10:20 PM - Feb 11, 2018
3
See Texthelp for Edu's other Tweets
Twitter Ads info and privacy
The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.
U.S. Spies Bilked for $100,000 by Russian Peddling Trump Secrets: Report
11.2.2018 securityweek BigBrothers
A Russian man promising stolen hacking tools and compromising information on President Donald Trump fleeced American spies for $100,000 last year, The New York Times reported Friday.
In a story worthy of a John le Carre novel that included secret USB-drive handovers in a small West Berlin bar and coded messages delivered over the National Security Agency's Twitter account, CIA agents reportedly spent much of last year trying to buy back from the Russian hacking programs stolen from the NSA.
The seller, who was not identified but had links to both cyber criminals and Russian intelligence, tantalized the US spies with an offer of the NSA hacking tools that had been advertised for sale online by a shady group called the Shadow Brokers.
Some of the tools, developed by the NSA to break into the computers of US rivals, were used by other hackers last year to break into computer systems around the world, including the global malware attack last May.
The seller, reached through a chain of intermediaries, wanted $1 million.
The $100,000, delivered in a cash-stuffed suitcase handed over in a Berlin hotel room, was an initial payment by US agents still dubious he really had what he was promising.
- Trump kompromat -
The seller also repeatedly pressed US agents with offers of compromising materials, or kompromat, on Trump, the Times said, citing US and European intelligence officials.
Although an investigation was already underway back in Washington on the link between Moscow and the Trump campaign, the agents did not want to get involved in anything that smelled of the politics back home.
The story -- which was also reported by The Intercept, an online magazine on nationals security matters -- paints a classic spy versus spy story where the US agents aren't ever certain about who they are dealing with and whether or not they are being baited and played by their Russian counterparts.
US intelligence officials say Russia interfered with the 2016 election to help elect Trump, and continues to use disinformation to sow confusion in the American political system.
The Intercept reported that the operation created rifts in the CIA, which is led by Trump loyalist Mike Pompeo but has many staffers still smarting over the president's repeated harsh comments about the intelligence community's role in the Russia meddling investigation.
The Russian's first delivery turned out to be hacking tools the Shadow Brokers had already released.
And he kept pushing his offer of kompromat on Trump, including shady financial records and a sex video that the US spies didn't really want.
In the end, the deal broke down last month -- the Russian did not come up with any of the unreleased NSA materials, and the Trump-related materials were either already known or untrustworthy.
The Russian was told by the Americans to leave Western Europe and not return, according to the Times.
South Korea Probes Cyber Shutdown During Olympics Ceremony
11.2.2018 securityweek BigBrothers
South Korea on Saturday investigated a mysterious internet shutdown during the Winter Olympics opening ceremony, which follows warnings of possible cyberattacks during the Pyeongchang Games.
Internal internet and wifi systems crashed at about 7:15 pm (1015 GMT) on Friday and were still not back to normal at midday on Saturday, Games organizers said.
Cyber-security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown, they said, adding that it didn't affect the high-tech opening ceremony.
Kim Yo Jong, the sister of North Korean leader Kim Jong Un, South Korean President Moon Jae-in and US Vice-President Mike Pence were among the VIPs at Pyeongchang Olympic Stadium late on Friday.
The outage follows warnings of malware phishing attacks targeting organizations working at the Olympics, and allegations of cyberattacks from Russia -- which has denied any involvement.
North Korea has also blamed for a series of cyber incidents including the WannaCry global ransomware attack, which infected 300,000 computers worldwide last May.
"We don't want to speculate because we're still trying to find out what the root source is," said Nancy Park, a spokeswoman for the Games organisers.
"We have some reports, we've been working all night trying to find out and working with our partners."
- WannaCry -
South Korea showed off its technical expertise with a dazzling gala opening ceremony on Friday which included state-of-the-art special effects and augmented reality to add extra impact for TV viewers.
While internet and wifi were affected across the Olympic site -- spread over two main venues in mountainous eastern South Korea -- organisers said there was no impact on competition, which got into full swing on Saturday.
"There were some issues that impacted some of our non-critical systems last night for a few hours," Games organizers said in a statement.
"These have not disrupted any events, or had any effect on the safety and security of any athletes or spectators," they added.
"All competitions are running as planned and the systems are working at the expected level."
Last month, cyber-security firm McAfee said it had uncovered an attack targeting organisations involved with the Olympics, using a malicious email attachment.
North Korea has been accused of involvement in a number of cyber incidents, including WannaCry -- although it has slammed that accusation as "absurd".
Russia has also denied launching any hacking attacks on the Pyeongchang Olympics, where its team is formally banned following the revelation of systemic doping.
While organizers wouldn't comment on the possibility that an attack was behind the shutdown, experts believe disrupting the Games would be seen as a coup for many hackers.
"The whole world’s watching. It's one of the largest stages you can possibly have to get a message out there," Ross Rustici, senior director for intelligence Boston-based Cybereason told the Tribune News Service.
"You got a lot of lower-tier guys going after these games. It's head-hunting, bragging rights," Rustici was quoted as saying.
Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild
11.2.2018 securityaffairs Vulnerebility
Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild and a Proof-of-concept exploit code is available online.
This week, Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.
This is the second the tech giant issued a security patch to fix the critical vulnerability in CISCO ASA, the first one released in January. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.
The affected models are:
3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
Now the company confirmed that attackers are trying to exploit the vulnerability CVE-2018-0101 in attacks in the wild.
“The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory,” reads the security advisory published by CISCO. the update states. “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.”
The vulnerability was discovered by Cedric Halbronn and received a CVSS base score of 10.0, the highest one.
This week Halbronn presented its findings at the REcon conference in Brussels, in its speech titled ‘Robin Hood vs CISCO ASA Anyconnect.’ he highlighted that the vulnerability could be present up to seven years old because the AnyConnect Host Scan is available since 2011.
The new attack scenario covered with the new update sees an attacker exploiting the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.
A “Cisco ASA CVE-2018-0101 Crash PoC” was already published by some users on Pastebin.
FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
11.2.2018 securityaffairs CoinMine
Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.
The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.
In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.
This week, security experts at Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.
“Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.
The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.
“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”
A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.
While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”
The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.
The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.
The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.
“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.
“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”
Online Auction Safety Tips for Buyers and Sellers
11.2.2018 securityaffairs Security
Buying or selling goods through online auctions is more popular than ever. Which are the best practices to follow for buyers and sellers for an online auction?
Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.
Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.
The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.
There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.
By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.
A good place to start is by familiarizing yourself with some of the common risks including the following:
Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, and unscrupulous seller may try to steal your identity based on the information printed on your check.
Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.
online auction
Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:
Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on.
That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.
Online auction – Before making a purchase or listing an item for sale, be sure to do careful research.
Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.
Facebook Increases Bug Bounty Payout After Audit
10.2.2018 securityweek Social
Facebook decided to increase a researcher’s bug bounty payout after discovering that that a bug he reported could lead to account takeover.
In September 2017, security researcher Josip Franjkoviæ discovered an issue with Facebook’s partners portal, which leaked users’ email addresses. The bug was discovered after one of the researcher’s sites was approved to participate in the Free Basics project by Facebook.
What the researcher discovered was a medium-high impact privacy bug where adding a new admin user would leak their email address in subsequent notification emails.
Basically, for a newly added admin, the notifications emails would contain the admin's primary Facebook email through a parameter in one of the links, the security researcher discovered.
To reproduce the bug, one would simply head to the Settings section at https://partners.facebook.com/fbs/settings/, add a name, and enter an email they control in the email field.
Next, they should simply hit the “Add” button, intercept the POST request to /mobile/settings/requirements/save/, and modify the values [settings.users.userstablecontainer.user_id] GET parameter to the ID of the victim whose email they would like to reveal, then forward the request.
Thus, the email Facebook sends to the user’s controlled address contains the victim's primary mail as part of <a href link >, the security researcher found.
Franjkoviæ reported the discovery on September 30, 2017, and Facebook informed him a couple of days later that they fixed an account takeover vulnerability in their platform. The original privacy leak bug, however, was resolved only in late October, after the researcher informed the company the exploit would still work.
After requesting more information from Facebook, the researcher found that the bug he discovered could result in the leaking of login codes. One other parameter in the email link could “potentially be used to login to the user's account (with some restrictions),” the researcher explains.
The feature, however, wasn’t enabled for the researcher’s account, so he could not notice it in the first place.
“Thank you Facebook's security team for being (more than) fair - they could have awarded only the email leak bug, and I would never know this was an account takeover,” the researcher notes.
Facebook too has confirmed that, after analyzing the bug reported by Franjkoviæ internally, the security team discovered that it could potentially allow an attacker to gain access to another account.
“We did a complete review and we determined that there is no evidence that these tactics were used or that personal information was exposed,” a post by the Facebook Bug Bounty team reads.
Franjkoviæ confirmed in an email discussion with SecurityWeek that Facebook increased the paid bounty to reward him for the more important vulnerability. While he wouldn’t reveal the exact amount he received, he did say it was his biggest bounty to date.
Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad
10.2.2018 securityaffairs Vulnerebility
According to a security advisory issued by Lenovo, two critical vulnerabilities in Broadcom chipsets affects at least 25 models of Lenovo ThinkPad.
The affected models are ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.
One of the flaws was discovered in June by Google that publicly disclosed it in September. Google also published a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier.
The flaw tracked as CVE-2017-11120, is a memory corruption vulnerability that could be exploited by attackers to execute code and establish a backdoor on a targeted device. T
The flaw initially reported affecting specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices was patched in the same month.
The vulnerability, tracked as CVE-2017-11120, is a memory corruption vulnerability, Apple addressed it in the security update for the release of iOS 11.
Now Lenovo warns of the presence of the flaw in two dozen ThinkPad models that use Broadcom’s BCM4356 Wireless LAN Driver for Windows 10.
The Broadcom Wi-Fi chipsets used by Lenovo ThinkPad devices are affected by the CVE-2017-11120 flaw and also by the CVE-2017-11121 vulnerability, both issue are rated as “critical” and received a CVSS 10 score.
“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU).“reads the security advisory.” Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes in to a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.”
The flaws can be exploited by remote attackers to execute arbitrary code on the adapter (not the system’s CPU) of the target system.
The CVE-2017-11121 vulnerability was also discovered by Google experts, it is a buffer overflow vulnerability caused by improper validation of Wi-Fi signals.
“Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” reads the description for the flaw.
Lenovo users urge to update the Wi-Fi driver for their ThinkPad models.
fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS
10.2.2018 securityaffairs Hacking
The group of hackers known as ‘fail0verflow’ has discovered a vulnerability in the gaming console Nintendo Switch that could be exploited to install a Linux distro.
The hackers announced their discovery in a post on Twitter, the published an image of a console running the Debian Linux distro after the hack.
fail0verflow
@fail0verflow
🐧🐧🐧🐧 #switch
4:16 PM - Feb 6, 2018
4,917
2,269 people are talking about this
Twitter Ads info and privacy
The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM process of the Nvidia Tegra X1 chip that powers the console, if confirmed the issue cannot be solved with a software o firmware update.
When asked if they have built the hack on nvtboot the group No closed-source boot chain components were involved.
Discovery of a flaw in the Boot ROM opens the door to the hack of the console for other purposes, for example to the piracy.
In a next future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.
On the other side, Nintendo could work with Nvidia on new secure Tegra X1 chips, as a temporary solution it could ban users with hacked consoles to ban these users from online play.
VMware releases temporary mitigations for Meltdown and Spectre flaws
10.2.2018 securityaffairs Vulnerebility
VMware has provided detailed instruction on how to mitigate the Meltdown and Spectre vulnerabilities in several of its products.
VMware is releasing patches and workarounds for its Virtual Appliance products affected by the Meltdown and Spectre vulnerabilities.
The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.
The mitigations measures could be applied to vCloud Usage Meter, Identity Manager (vIDM), vCenter Server, vSphere Data Protection, vSphere Integrated Containers and vRealize Automation (vRA).
“VMware Virtual Appliance updates address side-channel analysis due to speculative execution” states the advisory published by the company.
The company acknowledged problems for its virtual appliances and opted to release workarounds to protect its customers. The proposed solutions are only temporary waiting for a permanent fix that will be released as soon as they are available.
The complete list of workarounds is available here, in some cases, admins can mitigate the issue by launching a few commands as a privileged user, in other cases the procedure to deploy mitigations is more complex.
DDoS attacks in Q4 2017
10.2.2018 Kaspersky Analysis Attack
News overview
In terms of news about DDoS attacks, the last quarter of 2017 was livelier than the previous one. Some major botnets were discovered and destroyed. For instance, early December saw the FBI, Microsoft, and Europol team up to knock out the Andromeda botnet, in operation since 2011. In late October, the Indian Computer Emergency Response Team (CERT) issued a warning about a massive botnet being assembled by a hacker group using the Reaper and IoTroop malware; earlier that same month, the spread of Sockbot through infected Google Play apps was detected and terminated.
Besides the various battles with Trojan-infested botnets, the last three months of 2017 were dominated by three main DDoS trends: politically motivated attacks, attempts to cash in on the soaring price of Bitcoin, and tougher law enforcement.
Politically motivated DDoS attacks remain eye-catching, but fairly ineffective. In late October again, during parliamentary elections in the Czech Republic, the country’s statistical office was hit by a DDoS attack in the middle of the vote count. The attack was a nuisance, but nothing more, and the results of the elections were duly announced on time.
Another DDoS-based political protest was aimed at the Spanish government in connection with the Catalan question. Hacktivists from the Anonymous group managed to take down the website of Spain’s Constitutional Court, and defaced the Ministry of Public Works and Transport’s website with the message “Free Catalonia.”
But politics is politics, and business is, well, just that. As we noted in the previous quarter, Bitcoin and everything associated with it has hit peak commercial popularity — not surprising, considering the explosive growth in its value. No sooner had Bitcoin spawned a new kind of cryptocurrency in the shape of Bitcoin Gold (BTG) than BTG sites immediately came under DDoS fire. After the price of the cryptocurrency took off in November, DDoS attacks rained down on the Bitfinex exchange — apparently with the aim of profiting from Bitcoin price fluctuations caused by denial of service. Still punch-drunk from the November attack, Bitfinex was paralyzed by two more onslaughts in early December.
On the topic of total failure, it would be amiss not to mention the shutdown of four shadow markets in the deep web used for all kinds of illegal trade: Trade Route, Tochka, Wall Street Market, and Dream Market. They have been operating erratically ever since October. It wasn’t clear at first what was behind these massive, well-coordinated attacks: the law enforcement agencies (as in the recent destruction of AlphaBay and Hansa) or competitors attempting to encroach on their territory. The subsequent attacks on all other trading platforms in early December dispelled most analysts’ doubts that it was a full-scale cyberwar between drug cartels.
However, the law — in particular, the judicial system — is not sitting idly by. Q4 saw a whole host of charges and sentences handed down in DDoS-related cases. The US judicial system was the most active: in mid-December, three defendants, Paras Jha, Josiah White, and Dalton Norman, confessed to being the brains behind the Mirai botnet.
And in late December, the founders of the notorious hacker groups Lizard Squad and PoodleCorp — Zachary Buchta of the U.S. and Bradley Jan Willem van Rooy of the Netherlands — were convicted.
In Britain, the high-profile case of young hacker Alex Bessell from Liverpool went to trial. Bessell was recently jailed for having launched a series of major cyber attacks in the period 2011-2013 against such giants as Skype, Google, and Pokemon. An even younger British hacker who targeted NatWest Bank, the National Crime Agency, Vodafone, the BBC, and Amazon was handed 16 months’ detention, suspended for two years.
A curious incident concerned 46-year-old John Gammell of Minnesota, who was charged with hiring three hacking services to create problems for his former employers, the websites of the judicial system of the district where he lived, and several other companies where he was once a contractor. The sponsors of DDoS attacks are often hard to track down, but Gammel couldn’t resist the temptation to tease his targets with emails — which led to his capture. As the investigators reported, the hacking services dealt with Gammel very professionally and cordially, thanking him for procuring their services and even upgrading his membership.
Quarter trends
Q4 demonstrated that DDoS attacks can be categorized as persistent online “crosstalk.” Junk traffic has become so widespread that server failure from too many requests might not be attack-related, but the accidental result of botnet side activities. For instance, in December we logged a huge number of requests to non-existent 2nd and 3rd level domains, which created an abnormal load on DNS servers in the RU zone. A modification of the Lethic Trojan turned out to be the culprit. This long-known malware comes in many different flavors, its main task being to allow spam traffic to pass through infected devices, basically like a proxy server.
The version we discovered was unlike most modifications in that it operates in multiple threads to create a huge number of requests to non-existent domains. The study found that this behavior was an attempt to mask the command-and-control (C&C) server addresses behind numerous junk requests, and the excessive load on the DNS servers was simply the result of the malware’s poor design. Nevertheless, DDoS attacks on DNS servers using junk requests are quite common and easy to implement. Our experts have assisted clients in many such instances. What’s interesting here is the method employed, as well as the perhaps unintended effect.
Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of various complexity types and ranges. Company experts track the actions of botnets by using the DDoS Intelligence system.
Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system intercepts and analyzes commands sent to bots from C&C servers and requires neither the infection of any user devices, nor the actual execution of cybercriminals’ commands.
This report contains DDoS Intelligence statistics for Q4 2017.
In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.
The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
DDoS Intelligence statistics are limited only to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack that occurred during the specified period.
Quarter results
In Q4 2017, DDoS attacks were registered against targets in 84 countries (98 in Q3). However, as in the previous quarter, the overwhelming majority of attacks occurred in the top ten countries in the list (94.48% vs. 93.56%).
More than half of all attacks in Q4 (51.84%) were aimed at targets in China — almost unchanged since Q3 (51.56%).
In terms of both number of attacks and number of targets, South Korea, China, and the US remain out in front. But in terms of number of botnet C&C servers, Russia pulled alongside this trio: its relative share matched China’s.
The longest DDoS attack of Q4 2017 lasted 146 hours (just over six days). This is significantly shorter than the previous quarter’s record of 215 hours (almost nine days). 2017’s longest attack (277 hours) was registered in Q2.
The days before and after Black Friday and Cyber Monday saw increased activity on dummy Linux servers (honeypot traps), which lasted right up until the beginning of December.
SYN DDoS remains the most common attack method, while the least popular is ICMP DDoS. According to Kaspersky DDoS Protection data, the frequency of multi-method attacks rose.
In Q4 2017, the share of Linux botnets climbed slightly to 71.19% of all attacks.
Geography of attacks
In Q4 2017, DDoS attacks affected 84 countries, which represents a slight improvement over the previous quarter, when 98 countries were hit. Traditionally, China is most in the firing line, although the country’s share of attacks decreased slightly (from 63.30% to 59.18%), approaching the Q2 level. The figures for the US and South Korea, which retained second and third place, went up slightly to 16.00% and 10.21%, respectively.
Fourth place went to Britain (2.70%), which climbed 1.4% to overtake Russia. Although Russia’s share of attacks dropped insignificantly (by 0.3%), that was enough to push it into sixth place behind Vietnam (1.26%), which made a return to the leaderboard, squeezing Hong Kong out of the top ten.
The percentage of attacks directed against targets in the top ten countries grew in the last quarter (but not by much) to almost 92.90% vs. 91.27% in Q3 2017. The landscape is much the same as before.
About half of all targets are still in China (51.84%), followed by the US (19.32%), where the number of targets is again nearing 20% after a slight dip in Q3; South Korea is third with 10.37%. Vietnam again ousted Hong Kong from the top ten, taking ninth place with a 1.13% share, while Russia (1.21%) came seventh with a loss of 1%, making way for Britain (3.93%), France (1.60%), Canada (1.24%), and the Netherlands (1.22%), whose figures did not change much against the previous quarter.
Dynamics of the number of DDoS attacks
Statistical analysis of specially prepared Linux servers — so-called honeypot traps — shows that peak botnet activity this quarter occurred during the pre- and post-holiday sales. Feverish cybercriminal activity was clearly observed around Black Friday and Cyber Monday, dying down by the second third of December.
The most significant peaks occurred on November 24 and 29, when the number of individual IPs storming our resources doubled. Some increase in activity was also observed in late October — most likely Halloween-related.
Such fluctuations point to attempts by cybercriminals to boost their botnets in the run-up to major sales. Pre-holiday periods are incubators of cybercriminal growth for two reasons: first, users are less discerning and more likely to “surrender” their devices to intruders; second, the prospect of a fast buck makes it possible to blackmail Internet companies with lost profits or to offer one’s services in the cut-throat struggle online.
Dynamics of the number of Linux-based attacks in Q4 in 2017*
*Shows changes in the number of unique IPs per 24 hours
Types and duration of DDoS attacks
In Q4, the share of SYN DDoS attacks decreased (from 60.43% to 55.63%) due to less activity by the Linux-based Xor DDoS botnet. These attacks still rank first, however. The percentage of ICMP attacks (3.37%), still the least common, also fell. The relative frequency of other types of attacks increased, but whereas in the previous quarter TCP attacks ranked second after SYN, UDP overshadowed both these types, rising from second-to-last to second-from-top (in Q4 UDP DDoS accounted for 15.24% of all attacks).
Kaspersky DDoS Protection annual statistics show a decline in the popularity of DDoS attacks involving only pure HTTP and HTTPS flooding. The frequency of multi-method attacks rose accordingly. Nevertheless, one in three mixed attacks contained an HTTP or HTTPS flood. This may be due to the fact that HTTP(S) attacks are quite expensive and complex, while in a mixed attack they can be used by cybercriminals to increase the overall effectiveness without additional costs.
Correlation between attack types according to Kaspersky DDoS Protection, 2016 and 2017
The longest attack in Q4 was significantly shorter than its Q3 counterpart: 146 hours (about 6 days) vs. 215 (about 9). That’s barely half the Q2 and 2017 record of 277 hours. Overall, the share of longish attacks continues to decline, albeit insignificantly. This also applies to attacks lasting 100-139 hours and 50-99 hours (the shares of these categories are so small that even a change of 0.01% is news). The most common are still micro-attacks, lasting no more than four hours: their share rose slightly to 76.76% (vs. 76.09% in Q3). Also up was the proportion of attacks lasting 10-49 hours, but again not by much — about 1.5%.
Distribution of DDoS attacks by duration (hours), Q3 and Q4 2017
C&C servers and botnet types
The top three countries by number of C&C servers remained as before: South Korea (46.63%), the US (17.26%), China (5.95%). Yet although the figures for the latter two climbed slightly against Q3, China had to share third place with Russia, which gained 2%, the reason being that despite the fact that the leaders’ share changed insignificantly percentage-wise, in absolute terms the number of C&C servers detected in all three countries almost halved. This is at least partially due to the termination of many Nitol botnet admin servers and the less active Xor botnet. On a separate note, this category’s top ten welcomed Canada, Turkey, and Lithuania (1.19% each), while Italy, Hong Kong, and Britain departed the list.
Distribution of botnet C&C servers by country, Q4 2017
The steady increase in the number of Linux-based botnets continued this quarter: their share now stands at 71.19% against Q3’s 69.62%. Accordingly, the share of Windows-based botnets fell from 30.38% to 28.81%.
Correlation between Windows- and Linux-based botnet attacks, Q4 2017
Conclusion
Q4 2017 represented something of a lull: both the number and duration of DDoS attacks were down against the previous quarter. The final three months of 2017 were even calmer than the first three. Alongside the rising number of multicomponent attacks involving various combinations of SYN, TCP Connect, HTTP flooding, and UDP flooding techniques, the emerging pattern suggests a backsliding for DDoS botnets in general. Perhaps the economic climate or tougher law enforcement has made it harder to maintain large botnets, causing their operators to switch tactics and start combining components from a range of botnets.
At the same time, the increase in the number of attacks on honeypot traps in the runup to holiday sales indicates that cybercriminals are keen to expand their botnets at the most opportune moment, looking to grab a slice of the pie by pressuring owners of online resources and preventing them from making a profit. In any event, the DDoS spikes around Black Friday and Cyber Monday were a salient feature of this quarter.
Another aspect of the late fall/early winter period was the continued attacks on cryptocurrency exchanges in line with the trends of the past months. Such fervor on the part of cybercriminals is not surprising given the explosive growth in the price of Bitcoin and Monero. Barring a collapse in the exchange rate (short-term fluctuations that only encourage speculators do not count), these exchanges are set to remain a prime target throughout 2018.
What’s more, the last quarter showed that not only are DDoS attacks a means to make financial or political gain, but can produce accidental side effects, as we saw last December with the junk traffic generated by the Lethic spam bot. Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.