Prediktivní antimalwarovou ochranu s podporou hlubokého učení má Sophos

6.2.2018 SecurityWorld Zabezpečení
Technologie hlubokého učení, kterou Intercept X nově využívá, je podle výrobce výrazně účinnější než tradiční strojové učení. Sophos je tak prý schopen nabídnout vysokou míru detekce infekci při nízkém stupni falešně pozitivních zjištění.

Dostupnost svého produktu Intercept X, který pro detekci malware využívá neuronové sítě s technologií hlubokého učení, oznámil Sophos. Hluboké učení přináší masivně škálovatelnou detekci, která se učí na celém dostupném spektru hrozeb.

Díky svým schopnostem zpracovávat stovky miliónů vzorků může být technologie hlubokého učení – ve srovnání s tradičním strojovým učením – přesnější i rychlejší a také méně náchylnější na falešně pozitivní zjištění.

“Úspěšnost tradičních modelů strojového učení velmi silně závisí na výběru atributů použitých pro tréning a tím se do celého systémů vnáší vliv lidského faktoru. Přidáváním nových dat navíc složitost těchto modelů neustále roste, systémy opírající se o gigabajty dat jsou těžkopádné a pomalé. Problémem je i velká míra falešně pozitivních zjištění, díky kterým musí administrátoři posuzovat, zda je daný software legitimní nebo jde o malware. A důsledkem tohoto jejich vytížení je nižší produktivita IT oddělení,“ vysvětluje Tony Palmer, analytik společnosti Enterprise Strategy Group (ESG).

Neuronová síť v Intercept X podle něj využívá technologii hlubokého učení, která je oproti tradičním modelům navržená tak, aby se učila na základě zkušeností a hledala vzájemné souvislosti mezi pozorovaným chováním a malware.

Tyto korelace podle Palmera umožňují dosahovat vysoké přesnosti jak v případě identifikace již existujícího, tak i dosud nezveřejněného (zero-day) malware. Významným přínosem je prý i snížení výskytu falešně pozitivních zjištění.

Součástí nové verze Intercept X jsou I inovace v oblasti boje proti ransomwarU i ochrany proti zneužívání zranitelností. Nechybí ani mechanismy pro aktivní boj s hackerskými pokusy, jako je například ochrana proti krádežím přihlašovacích údajů.

Jde o důležitá vylepšení, protože právě krádeže identit jsou stále častějším nástrojem, který kybernetičtí zločinci využívají pro průnik do chráněné informační architektury, ve které se pak mohou pochybovat jako zcela legitimní uživatelé. Nový Intercept X umí tato podezřelá chování odhalit a předejít možným důsledkům.

Intercept X lze nasadit prostřednictvím cloudové konzole Sophos Central, a to vedle jakékoli stávající softwarové ochrany koncových bodů – míru bezpečnosti tak lze zvýšit prakticky okamžitě. Při použití ve spojení s firewally Sophos XG přináší Intercept X NAVÍC výhody synchronizované ochrany, které ještě více posílí bezpečnost dané informační architektury.

Nové funkce a vlastnosti Intercept X jsou podle výrobce ty níže uvedené.

Detekce malware pomocí strojového učení:

Hluboké učení umí odhalit známý i dosud neznámý malware i potenciálně nežádoucí aplikace ještě před jejich spuštěním, a to bez využívání identifikačních vzorů
Model si vystačí s méně než 20 MB a nevyžaduje časté aktualizace dat

Aktivní opatření

Ochrana před krádeží přihlašovacích údajů – nový Intercept X zabraňuje zjišťování hesel a dalších přihlašovacích informací z paměti, registrů i úložišť a předchází tak mechanismům, které využívá například nástroj Mimikatz.
Zjišťování přítomnosti cizích programových částí propašovaných do jiných aplikacích, což je technika využívaná pro přetrvávající hrozby a vyhýbání se antivirovým kontrolám.
Ochrana před zneužitím APC (Application Procedure Calls), tedy před útoky typu AtomBombing a mechanismy šíření, které byly využité například u hrozeb WannaCry a NotPetya. Útočníci tato volání zneužili prostřednictvím exploitů EternalBlue a DoublePulsar a mohli tak škodlivý kód provést pomocí jiného procesu.

Nové a vylepšené techniky proti zneužívání zranitelností

Ochrana před migracemi škodlivých procesů, která detekuje vzdálené zneužívání dynamických knihoven, tedy techniky pro přesouvání mezi procesy běžícími na konkrétním systému.
Ochrana před zvyšováním oprávnění, která brání tomu, aby neprivilegované procesy získaly přístup k chráněným částem systému.

Pokročilejší omezování aplikací

Omezování aplikací na úrovni prohlížeče, které brání nežádoucímu spouštění příkazů PowerShell
Omezování HTA aplikací, které brání nežádoucímu chování stejně, jako by šlo o prohlížeč.


 

Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
5.2.2018 securityweek APT
McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.


Alleged Kelihos Botnet Mastermind Extradited to U.S.
5.2.2018 securityweek BotNet
A 37-year-old Russian national accused of being the mastermind behind the notorious Kelihos botnet has been extradited from Spain to the United States.

The U.S. Justice Department announced that Peter Yuryevich Levashov, also known as Petr Levashov, Pyotr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, Russia, was arraigned on Friday in Connecticut. He has pleaded not guilty to the charges brought against him.

Levashov was arrested in April 2017 by Spanish authorities based on a U.S. warrant and has been in custody ever since. The suspect had been on holiday at the time of his arrest, which coincided with a takedown operation targeting the Kelihos botnet. He was indicted roughly two weeks later by a federal grand jury in Connecticut.

Russia had attempted to block his extradition to the United States. Levashov claimed that he had previously worked for President Vladimir Putin's United Russia party, and feared that he would be killed if extradited to the U.S. Initial media reports said his arrest may be linked to the U.S. election hacks, but officials denied there was any connection.

The suspect has been charged on eight counts, including causing intentional damage to a protected computer, conspiracy, accessing protected computers in furtherance of fraud, wire fraud, threatening to damage a protected computer, fraud in connection with email, and aggravated identity theft. He faces more than 50 years in prison for these charges.

According to U.S. authorities, Levashov controlled and operated the Kelihos botnet, using it to send spam, harvest personal information, and deliver other malware. At the time of his arrest, investigators said the botnet at times had ensnared as many as 100,000 computers, including many in the United States.

While some security firms track Kelihos as Waldac, many have classified it as a successor of Waledac, a botnet disrupted by authorities in 2010.

Another Russian national who will be extradited to the United States is Alexander Vinnik, owner of the cryptocurrency exchange BTC-e. Greece’s Supreme Court recently approved the extradition of Vinnik, who is said to have laundered $4 billion using bitcoins.

Yevgeni Nikulin, who U.S. authorities say hacked into the systems of LinkedIn, Formspring and Dropbox, will also soon be extradited after a high court in the Czech Republic upheld an earlier ruling authorizing his extradition.


Multiple Flaws Patched in WD MyCloud Device Firmware
5.2.2018 securityweek
Vulnerebility
Vulnerabilities that could allow unauthorized file deletion, unauthorized command execution and authentication bypass impacted WD (Western Digital) MyCloud devices, Trustwave reports.

The vulnerabilities were discovered in the MyCloud personal storage device and were reported to Western Digital last year. The company has already released a firmware update to address them.

All of the issue were found by Trustwave security researcher Martin Rakhmanov in the nas_sharing.cgi binary.

The first of them was the inclusion of hardcoded credentials in the binary, which could allow anyone to authenticate to the device.

The hardcoded username was "mydlinkBRionyg" and represents an issue that other security researchers observed as well. Earlier this year, GulfTech’s James Bercegay revealed that this admin user can be used with password “abc12345cba” as a backdoor that could be turned into a root shell. D-Link devices were previously impacted by the same issue.

The nas_sharing.cgi binary, Rakhmanov discovered, would also allow any user to execute shell commands as root. An attacker looking to exploit the issue can use the “artist” parameter to execute a command to create a file, for example.

The same faulty binary can be used for arbitrary file deletion, an operation possible through manipulating the “path” parameter, the security researcher says. A command using the “path” parameter can be passed using base64 encoding, the same as with the “artist” parameter.

Rakhmanov explains that “usually on embedded systems many processes run unrestricted (i.e. as root) so no security checks are performed at all once a command (file deletion in this case) is about to execute.”

Trustwave’s researcher also published proof of concept code that combines the hardcoded credential issue with command execution and arbitrary file deletion, respectively.

Western Digital apparently resolved these issues with the release of firmware version 2.30.172 a couple of months ago.

The update patched a SMB server (samba) security vulnerability (CVE-2017-7494), along with “critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass,” the company revealed in the release notes (PDF).


UK Judges Block US Extradition of Alleged Hacker Lauri Love
5.2.2018 securityweek Crime
British judges on Monday rejected a US request for the extradition of a man accused of hacking into thousands of US government computers in a ruling that could set a precedent for similar pending cases.

Lauri Love, 33, faces charges in the United States for allegedly hacking into the networks of the US Federal Reserve, US Army and NASA, among others, in 2012 and 2013.

"The reason I've gone through this ordeal is not just to save myself from being kidnapped and locked up for 99 years in a country I've never visited, said Love, who has dual British and Finnish citizenship.

Love suffers from Asperger's syndrome and has also been diagnosed with depression. He was arrested at his home in Britain in October 2013.

"But it's to set a precedent whereby this will not happen to other people in the future," Love told reporters outside High Court in London.

"If there is suspected criminality then it will be tried here in the UK and America will not try to exercise exorbitant extra-territorial jurisdiction." Kaim Todner, the law firm representing Love, hailed what it called a "landmark judgement".

"The British justice system has taken the stance that we should deal with the matter ourselves, rather than accept the US government's demands," it said.

"It has also been recognised that mental health provisions in US prisons are not adequate to satisfy us that Lauri would not have come to serious harm if he were extradited," the firm said in a statement.

Judge Ian Burnett handed down the ruling, to cheers from people in the court's public gallery.

The defense said the United States now has 14 days in which to appeal the ruling at the UK Supreme Court.

Love had appealed against a 2016 British court ruling that he could be extradited to the United States to face the charges.


Hackers Linked to Luminosity RAT Targeted by Law Enforcement
5.2.2018 securityweek CyberCrime
Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) on Monday released the details of an international law enforcement operation targeting sellers and users of the Luminosity Trojan.

Over a dozen law enforcement agencies from Europe, the US and Australia took part in a joint campaign carried out in September 2017 – details are made public only now due to operational reasons.

Authorities in the United Kingdom learned of Luminosity, also known as LuminosityLink, back in September 2016 when they arrested an individual suspected of hacking-related offences as part of a separate investigation.

That individual’s arrest led to an international operation that, according to Europol and the NCA, resulted in Luminosity no longer being available and no longer working for those who purchased it.

Since September, law enforcement agencies executed arrests, search warrants, and cease and desist notifications across Europe, America and Australia, targeting both sellers and users of Luminosity. The NCA said a small network of individuals in the UK was responsible for the distribution of the remote access trojan (RAT) to more than 8,600 buyers across 78 countries.

Luminosity first emerged in May 2015 and it had been available for purchase for as little as $40. The RAT allowed hackers to easily take complete control of infected computers, including disable security software, log keystrokes, steal passwords and other data, and spy on victims via the device’s webcam.

Luminosity RAT was one of the pieces of malware used last year by Nigerian cybercriminals in attacks aimed at industrial firms.

Investigators have identified passwords, photos, videos and other data stolen from thousands of victims, but the number is expected to increase significantly as devices seized from suspects continue to be analyzed. The NCA said police seized more than 100 devices during the operation in the UK.

“The sale and deployment of this hacking tool were uncovered following a single arrest and the subsequent forensic examination of the computer,” said Detective Inspector Ed Heath, head of the South West Regional Cyber Crime Unit, which led the investigation. “More than a year’s complex work with international policing partners led us to identify a large number of offenders.”


Booz Allen Hamilton Awarded $621 Million DHS Cyber Contract
5.2.2018 securityweek IT
Technology consulting firm Booz Allen has been awarded a $621 million contract by the Department of Homeland Security (DHS) to support the government-wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program.

Created help defend Federal IT networks from cyber threats, the CDM program was designed to provide continuous monitoring sensors (tools), diagnosis, mitigation tools, dashboards, and Continuous Monitoring as a Service (CMaaS).

The program is the result of the executive order from President Barack Obama which requires the DHS to ensure unclassified government networks are scanned constantly for threats, defended from attacks, and regularly audited to be compliant with computer security rules.

For more than two years, Booz Allen says that it has helped 13 Federal Agencies deploy cybersecurity tools to protect four million computers through DHS CDM efforts.

According to Booz Allen, the new contract will extend across the three current and possible future CDM Phases and is part of the larger DEFEND Program, which has a total value of up to $3.4 billion.

McLean, Virginia-based Booz Allen has more than 24,000 employees globally, and annual revenue of approximately $5.8 billion.


MacUpdate Distributes Mac Crypto-Mining Malware
5.2.2018 securityweek Apple
Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.

The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.

What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.

Thus, instead of titanium-software.fr, it listed titaniumsoftware.org (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain download-installer.cdn-mozilla.net, instead of mozilla.net.

For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.

The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.

Once installed, the fake apps download and install a payload from public.adobecc.com (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.

The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.

When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.

Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.

The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.

“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login,” Malwarebytes explains.

To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.

As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.


Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild
5.2.2018 securityaffairs BigBrothers

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.
There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”


Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
5.2.2018 securityaffairs Hacking

Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.
Earlier in November, Amazon announced for its Prime members the Amazon Key, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to the people you trust, like your family, friends, or house cleaner.

A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customers’ home.

Amazon Key app.png

Unfortunately, the technology seems to be totally secure, a hacker has in fact demonstrated another attack on the Amazan Key.

The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

MG
@_MG_
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).

It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't.

10:50 PM - Feb 4, 2018
39 39 Replies 1,035 1,035 Retweets 1,187 1,187 likes
Twitter Ads info and privacy
Technical details of the attack are not available, the hacker used a “dropbox” device that appears as tiny PC with Wi-Fi connectivity that is able to control the Amazon Key.

The Dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which the Amazon’s device is not able to lock the door after a courier accessed the customers’ home.


Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw
5.2.2018 securityaffairs
Vulnerebility

The Israeli security researcher Barak Tawily a vulnerability tracked as CVE-2018-6389 that could be exploited to trigger DoS condition of WordPress websites.
The expert explained that the CVE-2018-6389 flaw is an application-level DoS issued that affects the WordPress CMS and that could be exploited by an attacker even without a massive amount of malicious traffic.

“In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this vulnerability being exploited.” reads the analysis of the expert.

Tawily revealed that the flaw exists in almost all versions of WordPress released in last nine years, including the latest one (Version 4.9.2).
The flaw affects the “load-scripts.php” WordPress script, it receives a parameter called load[] with value is ‘jquery-ui-core’. In the response, the CMS provides the JS module ‘jQuery UI Core’ that was requested.

CVE-2018-6389 WordPress flaw

As you know, WordPress is open-source project, for this reason, it was easy for the expert to perform code review and analyzed the feature in detail.

The load-scripts.php file was designed for WordPress admins and allows to load multiple JavaScript files into a single request, but the researcher noticed that that is is possible to call the function before login allowing anyone to invoke it.

The response provided by the WordPress CMS depends upon the installed plugins and modules. It is possible to load them by simply passing the module and plugin names, separated by a comma, to the load-scripts.php file through the “load” parameter.
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous

The ‘load-scripts.php’ finds the JavaScript files included in the URL and appends their content into a single file and then send back it to the user’s web browser.

The researcher highlighted that the wp_scripts list is hard-coded and is defined in the script-loader.php file, so he decided to send a request that in response will get all the JS module of the WordPress instance.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user.”

“I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.”

Tawily developed a proof-of-concept (PoC) python script called doser.py that he used to makes large numbers of concurrent requests to the same URL to saturate the resources of the servers.

An attacker with a good bandwidth or a limited number of bots can trigger the CVE-2018-6389 vulnerability to target popular WordPress websites.

Below a video PoC of the attack.

Tawily reported this DoS vulnerability to the WordPress team through HackerOne platform, but the company refused to acknowledge the flaw.

“After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that:
“This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.“” Tawily wrote.

The expert has implemented the mitigation against this vulnerability in a forked version of WordPress, he has also released a bash script that addresses the issue.


Flash Zero-Day Attacks Analyzed by FireEye, Cisco
5.2.2018 securityweek
Vulnerebility
FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.

South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.

Adobe has confirmed the existence of the flaw, which affects Flash Player 28.0.0.137 and earlier, and it plans on patching it sometime this week. The security hole, tracked as CVE-2018-4878, is a use-after-free issue that can allow a remote attacker to execute arbitrary code.

FireEye has launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper. This threat actor is believed to be operating out of North Korea based on the fact that it has been spotted interacting with command and control (C&C) servers from IP addresses associated with Star JV, the North Korean-Thai joint venture that connects the country to the Internet.

“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.

FireEye said its researchers spotted a new wiper malware, dubbed “RUHAPPY,” being developed by the Reaper group in the past year. North Korean threat actors have been known to use wiper malware, but Reaper has not been seen using RUHAPPY in attacks.

The security firm’s analysis showed that the hackers have exploited the Flash Player zero-day vulnerability using malicious Office documents and spreadsheets containing a specially crafted SWF file. If the flaw is exploited successfully, a piece of malware named by FireEye “DOGCALL” is delivered.

Cisco Talos has published several reports in the past months on this remote access trojan (RAT), which it tracks as ROKRAT.

The company has attributed the Flash Player zero-day attacks to an actor it has named “Group 123.” Talos last month detailed several campaigns conducted by this group against South Korean targets, but researchers have refrained from explicitly attributing the operations to North Korea.

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers said in a blog post on Friday. “They have used an Adobe Flash 0 day which was outside of their previous capabilities - they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”