New Triton malware detected in attacks against a Critical Infrastructure operator
14.12.2017 securityaffairs ICS
Triton malware – A new strain of malware specifically designed to target industrial control systems (ICS) system has been spotted by researchers at FireEye
A new strain of malware dubbed Triton specifically designed to target industrial control systems (ICS) system has been spotted by researchers at FireEye.
The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization, experts speculate the involvement of a state-sponsored actor for sabotage purpose due to the lack of financial motivation and the level of sophistication of the attacks.
FireEye has not linked the Triton attack to any known APT group, the experts believe the activity they detected was part of the reconnaissance phase of a campaign, and it’s consistent with many attacks and reconnaissance activities carried out globally previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.
The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.
“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.
“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”
Once gained access to the SIS system, the threat actor deployed the TRITON malware, a circumstance that indicates that attackers had a knowledge of such systems. According to FireEye the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.
The Triton malware interacts with Triconex SIS controllers., it is able to read and write programs and functions to and from the controller.
“TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite.” continues FireEye.
“The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.”
The hackers deployed the Triton malware on a Windows-based engineering workstation, the malicious code added its own programs to the execution table. In case of a failure, the malware attempts to return the controller to a running state, it also overwrites the malicious program with junk data if the attempt fails, likely to delete any track of the attack.
The attack against a SIS controller is very dangerous, once it has been compromised, the attacker can reprogram the device to trigger a safe state with a dramatic impact on the operations of the targeted environment. Attackers could also reprogram the SIS controller to avoid triggering actions when parameters assume dangerous values.
“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.” continues FireEye.
“If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.”
Back to the attack detected by FireEye, hackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but experts believe they may have inadvertently triggered it during a reconnaissance phase.
Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.
Schneider published a security advisory to warn its customers, it suggests to avoid leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.
“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.
“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”
FireEye report included the Indicators of Compromise (IoCs) for the threat.
Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.
Despite a large number of infections reported for ICS systems across the years, at the time experts only detected four pieces of ICS tailored malware; Stuxnet, Havex, BlackEnergy2, and IRONGATE, and Industroyer.
US DoJ charges 3 Men with developing and running the Mirai Botnet
14.12.2017 securityaffairs BotNet
The US DoJ announced plea agreements for Paras Jha, Josiah White, and Dalton Norman, 21 for creating and operating the dreaded Mirai botnet.
US authorities charge three men with developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.
According to documents released by the US Department of Justice (DOJ), the three men are Paras Jha, Josiah White, and Dalton Norman.
According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.
Jha, who goes online with the moniker “Anna-senpai” leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making hard the attribution of the attacks.
Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet.
The Mirai bot was first spotted by the malware researchers MalwareMustDie in August 2016, the malicious code was developed to target IoT devices.
The IoT malware runs a brute force password attack via telnet using a list of default credentials to gain access to the target device.
Once the Mirai component gains access to the target IoT device, it connects out to download the full virus and runs it. Then it starts sending out SYN packets at a high rate of speed, looking for other potential victims.
The Mirai botnet peaked a size of over 300,000 infected devices, mainly composed of DVRs, security cameras, and routers.
The three men advertised the botnet on hacking forums, as a DDoS-for-hire service, but only Jha also used it to blackmail a hosting company.
According to court documents, the three men used the Mirai botnet to make money through “click fraud” activity. The botnet was used to emulate the behavior of real users clicking on an advertisement for the purpose of artificially generating profits for operators.
The three also generated some $180,000 from the scheme in bitcoin.
The Mirai botnet was also used against the website of the popular investigator Brian Krebs that was able to identify Jha and White as the operators of the botnet.
The three face possible prison terms and monetary fines.
Experts disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit
14.12.2017 securityaffairs Vulnerebility
Security researchers at Trend Micro have publicly disclosed an unpatched zero-day flaw in the firmware of AT&T DirecTV WVB kit after manufactured failed to patch it
Security researchers at Trend Micro have discovered an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after the manufacturer failed to patch this flaw over the past few months.
The issue affects a core component of the Genie DVR that’s shipped free of cost with DirecTV. The flaw can be easily exploited by attackers to gain root access to the device, posing millions DirecTV service users at risk.
The vulnerability resides in WVBR0-25, a Linux-powered wireless video bridge manufactured by Linksys.
DirecTV Wireless Video Bridge WVBR0-25 allows the Genie DVR to communicate over the air with customers’ Genie client boxes that are plugged into their TVs in the same home.
The Trend Micro expert Ricky Lawshae analyzed the kit and discovered that Linksys WVBR0-25 doesn’t implement any authentication to access internal diagnostic information from the device’s web server.
The expert discovered that accessing the wireless bridge’s web server on the device it was possible to see a text streaming.
“I started out by trying to browse to the web server on the device. I expected to find a login page of some sort. What I found instead was a wall of text streaming before my eyes.” wrote Ricky Lawshae.
The output of several diagnostic scripts was containing a lot of information about the DirecTV Wireless Video Bridge, including the WPS pin, running processes, connected clients, and much more.
A deeper analysis of the scripts revealed that the device was accepting commands remotely with a “root” access, meaning that an attacker could have taken full control over it.
“The return value also showed the device had happily executed my new commands and executed them as the root user, too! No login prompt. No input sanitization.” continues the analysis.
“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,”
“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”
Lawshae also published a video PoC demonstrating how to easily get a root shell on the DirecTV wireless box in less a few seconds.
The vulnerability was promptly reported by the ZDI Initiative to Linksys more than six months ago, but the vendor had yet not fixed the problem, for this reason, the expert opted to publicly disclose the zero-day vulnerability.
Trump signed a bill prohibiting the use of Kaspersky Lab product and services
14.12.2017 securityaffairs BigBrothers
The US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.
Section 1634 of the bill prohibits the use of security software and services provided by security giant Kaspersky Lab, the ban will start from October 1, 2018.
Below the details of the ban included in the section 1634 of the National Defense Authorization Act for Fiscal Year 2018.
“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.
(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—
(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.
(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”
Senator Jeanne Shaheen joyed for the news, asserting that the US Government gathered all necessary evidence to motivate such decision.
“The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.” commented Shaheen.
Sen. Shaheen is the author of a letter recently sent to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”
12 Dec
Sen. Jeanne Shaheen
✔
@SenatorShaheen
The defense bill also provides funding for a nationwide health study on the impact of contaminants in drinking water. Seacoast families deserve peace of mind and I’m glad that we can finally move forward with this study. http://bit.ly/2l3833k https://twitter.com/SenatorShaheen/status/940668478704537601 …
Sen. Jeanne Shaheen
✔
@SenatorShaheen
Also included is my amendment to ban the use of Kaspersky Lab software on all government computers. The case against Kaspersky is well-documented & deeply concerning, & I’ll continue to advocate for measures to strengthen our nation’s cybersecurity. http://bit.ly/2BFJ6SG
8:47 PM - Dec 12, 2017
3 3 Replies 15 15 Retweets 32 32 likes
Twitter Ads info and privacy
Kaspersky Lab issued the following statement about the Section 1634.
“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks.” reads the statement issued by Kaspersky.
“Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”
In September, the U.S. DHS ordered federal agencies to stop using Kaspersky software and service.
The ban was the response to the concerns about possible ties between Kaspersky and Russian intelligence agencies.
According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.
Recently the UK’s National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky software and services by government agencies.
The CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.
The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.
The letter warns against software made in hostile states, specifically Russia, as the Prime Minister’s Guildhall speech set out, the Government of Moscow is acting against the UK’s national interest in cyberspace.
Kaspersky has repeatedly denied the accusations and it announced the launch of a transparency initiative that involves giving partners access to the source code of its solutions.
FortiClient improper access control exposes users’ VPN credentials
14.12.2017 securityaffairs Vulnerebility
FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations.
Fortinet provided security updates for its next-generation endpoint protection FortiClient product that address a serious information disclosure vulnerability.
The flaw, tracked as CVE-2017-14184, could be exploited by an attacker to obtain VPN authentication credentials.
FortiClient is a powerful product that includes many components and features such as web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features.
Experts at SEC Consult discovered security flaws that can be exploited to access VPN authentication credentials associated with the product.
“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the project description published by SEC Consult.
SEC Consult rated the issue as “high severity”, while Fortinet has assigned it a 4/5 risk rating.
The first issue is related to the fact that the VPN credentials are stored in a configuration file, on both Linux and macOS systems, and in the registry on Windows. This means that for an attacker the configuration files are easily accessible.
The second issue is related to the fact that decryption key for credentials is hardcoded in the application and it’s the same for all the Fortinet installs. An attacker can find the key and decrypt the passwords.
“FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Above all, the aforementioned storage is world readable, which actually lays the foundation for the credential recovery.” continues the analysis published by SEC Consult.
The flaws are very insidious especially in enterprise environments when an insider with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account.
“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the advisory published by Fortinet.
SEC Consult has developed a proof-of-concept (PoC) tool that leverages on these issued to recover passwords, the company plans to release it in the future giving the users the time to update their FortiClient installs.
According to Fortinet the flaw affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux. Android and iOS apps are not impacted.
Versions FortiClient 5.6.1 for Windows and Mac, and FortiClient 4.4.2335 for Linux, running FortiOS 5.4.7 fixed the problems.
Below the Vendor contact timeline:
2017-08-30: Contacting vendor through psirt@fortinet.com
2017-09-19: Contacting vendor again due to lost message
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues
2017-10-19: Vendor requested to postpone the release date
2017-11-02: Vendor informed the fix for Windows and OS X was done
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows
2017-12-08: Vendor informed that the fix for Linux is available together with FortiOS release version 5.4.7
2017-12-13: Public disclosure of advisory
Three Plead Guilty in Mirai Botnet Attacks
13.12.2017 securityweek BotNet
US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.
The Justice Department announced plea agreements for Paras Jha, 21 -- a former Rutgers University computer science student who acknowledged writing the malware code -- and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.
In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 "internet of things" (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.
By commanding an army of bots -- or computers under control of the attackers -- the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.
Jha admitted he "set up and managed command and control servers to manage the infected computers" in the scheme.
Officials said the three used the botnet "to conduct a number of powerful distributed denial-of-service" attacks which flood the internet and can shut down networks.
Later, Jha posted the source code for the Mirai malware on a criminal forum, allowing other groups to use it.
The malware was used to make money through "click fraud," a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.
The three generated some $180,000 from the scheme in bitcoin, Justice officials added.
Jha was identified as a suspect earlier this year by security blogger Brian Krebs -- who was himself a victim of the attacks.
Krebs said Jha used the online moniker Anna-Senpai, who had claimed responsibility for earlier denial of service attacks using various versions of Mirai -- including some targeting Rutgers University, the school in New Jersey where Jha was studying.
In January 2017, "Jha and his co-conspirators leased access to their botnet to other criminals in exchange for payment," according to the plea agreement in federal court.
According to Krebs, Jha and White operated ProTraf Solutions LLC, which masqueraded as a security firm that dealt with "denial of service" attacks it created.
The three face possible prison terms and monetary fines as a result of the conspiracy and fraud charges.
Jha pleaded guilty separately to a series of attacks which shut down the Rutgers computer networks from 2014 to 2016, officials said.
Patchwork Cyberspies Adopt New Exploit Techniques
13.12.2017 securityweek CyberSpy
Malware campaigns attributed to the Patchwork cyberespionage group have been using a new delivery mechanism and exploiting recently patched vulnerabilities, Trend Micro warns.
Also known as Dropping Elephant or Chinastrats and believed to be operating out of the Indian subcontinent, the group is said to have been active since 2014. Initially focused on government-associated organizations that have connections to Southeast Asia and the South China Sea, the actor has expanded its target list to include entities in a broad range of industries.
In a new report (PDF) on Patchwork’s latest operations, Trend Micro says that the group has added businesses to its list of targets and that its use of numerous infection vectors and payloads makes it a credible threat.
Campaigns that security researchers have associated with the group over the course of 2017 revealed diverse methods (social engineering hooks, attack chains, and backdoors), along with the adoption of Dynamic Data Exchange (DDE), Windows Script Component (SCT), and exploits for recently reported vulnerabilities.
“These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attempts to be more cautious and efficient in their operations,” Trend Micro notes.
Targets and attack vectors
The observed campaigns focused on multiple sectors in China and South Asia, but also hit organizations in the U.K., Turkey, and Israel. Using spear-phishing emails, the cyberespionage group targeted high-profile personalities, business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, and financial institutions. The United Nations Development Programme was targeted as well.
The spear-phishing emails contained website redirects, direct links, or malicious attachments. Some emails contained direct links to malicious documents hosted on the attacker-owned servers. The group spoofed a news site and used it to divert visitors to socially engineered, malware-ridden documents and was also observed misusing email and newsletter distribution services.
A fake Youku Tudou website (a social video platform popular in China) was used for drive-by downloads. The victim was tricked into downloading and executing a fake Adobe Flash Player update that was, in fact, a variant of the xRAT Trojan.
Patchwork was also observed phishing for credentials to take over a target’s emails and other online accounts. One attack copied a webpage from a legitimate web development company and displayed the fake page to victims alone.
Using Rich Text Format (RTF) documents, the group exploited vulnerabilities such as CVE-2012-1856 – a remote code execution (RCE) in the Windows common control MSCOMCTL, or CVE-2015-1641 – a memory corruption in Microsoft Office. They also exploited the CVE-2014-4114 Sandworm RCE vulnerability in Windows’ Object Linking and Embedding (OLE) via PowerPoint (PPSX) files.
More recent vulnerabilities the actor has been abusing include CVE-2017-0199 – an RCE in Microsoft Office’s Windows OLE, patched in April 2017, and CVE-2017-8570 – an RCE in Microsoft Office patched in July 2017. They were exploited via PowerPoint (PPT) and PPSX files.
The malicious PPSX files exploiting CVE-2017-8570 downloaded a Windows Script Component (SCT) file from a Patchwork-owned server to eventually deliver the xRAT malware.
“Apart from exploit-laden documents, Patchwork also misused DDE to retrieve and execute xRAT in the infected machine. They also sent a document embedded with an executable, which downloads a decoy document and a backdoor, then executes the latter,” Trend Micro explains.
Malware and infrastructure
In addition to using a variety of malicious documents for their nefarious purposes, the Patchwork hackers also deployed a miscellany of backdoors and information stealers onto their victims’ machines. Some of these tools appear to be used solely by this group, the security researchers say.
The threat actor was observed dropping malware such as the NDiskMonitor custom backdoor (believed to be Patchwork’s own, it can list files and logical drives and download and execute files from specified URLs); and Socksbot, which can start Socket Secure (SOCKS) proxy, take screenshots, and run executables and PowerShell scripts.
Malware such as the xRAT remote access tool (its source code is available online) and the Badnews backdoor (potent information-stealing and file-executing malware) were also associated with the group’s activities, as well as a series of file stealers (Taskhost Stealer and Wintel Stealer targeting .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and RTF files, along with .eml and .msg email messages; as well as versions of file stealers written in AutoIt).
Trend Micro has discovered 30 to 40 IP addresses and domain names used by the group in 2017 and says that each of the servers has had a different purpose. While some were only meant as command and control (C&C) servers that would collect data from the used stealers, others were used only to host phishing websites.
In some cases, the same server was being used for both C&C communication and to host distributing malware (or malicious documents) through hosting content copied from legitimate websites.
The group has been using publicly available PHP scripts for retrieving files from the server without disclosing their real paths, likely to prevent security researchers from finding open directories. Trend Micro also observed the group temporarily removing a file so it could not be retrieved or replacing it with a legitimate one. Sometimes they would display “a fake 302 redirection page to trick researchers into thinking the files are gone.”
“Patchwork is in a vicious cycle, given the group’s habit of rehashing tools and malware. The more those are used, the likelier that they’d be incorporated in the group’s arsenal. The takeaway for enterprises? The gamut of tools and techniques at Patchwork’s disposal highlights the significance of defense in depth: arraying proactive defense to thwart threats at each level—from the gateways, endpoints, and networks to servers,” Trend Micro notes.
Golduck Malware Infects Classic Android Games
13.12.2017 securityweek Android
Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.
The malicious code was downloaded from a "Golduck" server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.
Appthority describes the malicious applications as high quality classic games, including Tank and Bomber. Rated high on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.
The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.
Appthority's security researchers discovered three folders inside the loaded gp.apk file, each featuring seemly benign names, such as “google.android”, “startapp.android.unity.ads,” and “unity.ads.” The malicious code was hidden inside the google.android folder.
By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.
“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.
The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.
The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.
Appthority found two Golduck-infected applications in Google Play and informed Google on the matter on Nov. 20, 2017. All of the offending applications have been taken down by the Android Security team.
To stay protected from the Golduck malware, users are advised to keep an eye on unusual activity on their mobile devices, such as the availability of root access without their intent. SMS charges from unknown sources would also indicate possible infection.
Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.
The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.
Adobe Patches 'Business Logic Error' in Flash Player
13.12.2017 securityweek Vulnerebility
The only security update released by Adobe this Patch Tuesday addresses a moderate severity regression issue affecting Flash Player.
The vulnerability, tracked as CVE-2017-11305 and described as a “business logic error,” can lead to the unintended reset of the global settings preference file.
There is no evidence of exploitation in the wild and Adobe appears to have discovered the bug on its own.
The flaw affects version 27.0.0.187 and earlier of Flash Player on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version 28.0.0.126. Microsoft has also updated the Flash Player components used by its software in order to address this issue.
Last month, Adobe addressed a total of 80 vulnerabilities across Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager. Five of the security holes affected Flash.
In October, the company initially announced that it had no Patch Tuesday updates, but a few days later it was forced to release an out-of-band update for Flash Player after Kaspersky Lab researchers noticed that a Middle Eastern threat actor named BlackOasis had been exploiting a zero-day vulnerability to deliver spyware.
The number of flaws found in Flash Player in the past months has decreased considerably, which may be a result of the decision to kill Flash Player by 2020. Nevertheless, as long as the software is still widely utilized, zero-day exploits are highly valuable to malicious actors.
Millions Impacted by Credential-Stealers in Google Play
13.12.2017 securityweek Android
During October and November 2017, Kaspersky Lab researchers discovered 85 applications in Google Play that were designed to steal credentials for Russian social network VK.com. One of the malicious applications had more than a million downloads.
While most of the applications were listed in the marketplace in October and gathered fewer than 1,000 installations, some were uploaded in July and proved to be highly popular among users. Seven of the apps had between 10,000 and 100,000 downloads, while nine had between 1,000 and 10,000 installations.
The most popular of the apps masqueraded as a game. It was submitted to Google Play in April 2017 without malicious code in it, but an update in October 2017 added the information stealing capabilities. The game gathered more than 1 million downloads in the seven months it was active on Google Play.
Most of the offending applications were designed to look like apps for the VK.com social platform, supposedly allowing users to listen to music or monitor user page visits. Because apps of this type normally ask for the user to log into their account, they didn’t raise suspicion. Some of the programs were game apps.
The campaign was targeted at VK users only. The platform is highly popular in CIS countries, and the malicious apps first checked the device language and only asked for login credentials if Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek were in use, Kaspersky has discovered.
The actors behind these apps had been publishing their malicious applications in Google Play for over two years, so they had to modify their code to bypass detection, Kaspersky's researchers say.
The recently observed apps used a modified VK SDK with tricky code, which served the standard login page to the user, relied on malicious JS code to steal credentials from the login page and pass them back to the app. The stolen credentials were encrypted and then uploaded to a remote server.
Most of the malicious apps had the described functionality, but some were slightly different: they also used malicious JS code from the OnPageFinished method for extracting credentials and for uploading them.
“We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups,” Kaspersky says.
The researchers also note that other Google Play apps submitted by these miscreants were published as unofficial clients for popular messaging app Telegram. Built using an open source Telegram SDK, these apps would work just as any other such software, but they would also add users to promoted groups/chats (based on a list received from the server).
The credential-stealing apps are detected as Trojan-PSW.AndroidOS.MyVk.o. Kaspersky reported 72 of the apps to Google, all of which were removed (13 apps had been removed before). The malicious Telegram clients are detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. They too were removed from Google Play.
SAP Becomes CVE Numbering Authority
13.12.2017 securityweek Vulnerebility
Released this week with fixes for 11 vulnerabilities, SAP’s Security Patch Day for December 2017 marks a change in the history of SAP patches: it also includes CVE numbers in the titles of the security notes.
The change is a result of SAP becoming a CVE Numbering Authority (CNA) and now being authorized to assign CVE's to vulnerabilities in their products. The company has the goal of disclosing the CVE numbers of addressed vulnerabilities on its Security Patch day, in an effort to increase “transparency and facilitate faster patch consumption for all SAP customers.”
Of the security notes the company included in this month’s Security Patch day, one was Hot News, or Very High priority, featuring a CVSS score of 9.1. The flaw, an OS Command Injection vulnerability in Report for Terminology Export impacting SAP Netweaver Documentation and Translation tools, is an update to a security note released in November 2017.
The note, Onapsis says, is actually a re-released version, as it was initially published one year ago. At the time, SAP removed the affected lines of code, as they were obsolete. All the code that used to run when the report was executed in background was removed, but the original patch apparently failed to properly solve the issue.
In the re-release, SAP added a new step toward solving the bug. Thus, in addition to implementing the correction instructions referenced by the SAP note, impacted customers also need to follow the manual steps in the document Manual instructions for creating GUI status related to note 2357141.pdf, which is available on the SAP customer portal.
“Onapsis Research Labs has tested the component and discovered that the previous patch properly solves the bug. Despite securing the vulnerability, it introduced a little malfunction in the SAP software. Even though the relevant report is secure, after installing the patch the report interface then breaks in the SAP GUI by being unresponsive to interactions such as button clicks,” Onapsis explains.
The new instructions provide information on how to manually correct the issue to execute the report and also remain secure. According to Onapsis, there are no additional security concerns related to the re-released security note and those who have already applied the original patch are protected. Those who haven’t should apply the note as soon as possible, considering that it is Hot News.
The new set of SAP security patches also include three High priority notes. One addresses an Additional Authentication check in Trusted RFC on same system (CVE-2017-16689), another fixes a Missing Authentication check in SAP BI Promotion Management Application (CVE-2017-16684), while the third updates an August 2014 patch note: SBOP solution for Apache Struts1.x vulnerability (CVE-2014-0094).
The rest of the flaws addressed this month were Medium priority. The most important of them include a Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration (CVE-2017-16685), Server-Site Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service (CVE-2017-16678), Denial of service (DOS) in SAP BusinessObjects Platform (CVE-2017-16683), and an XSS vulnerability in BI Promotion Management Application (CVE-2017-16681).
The 11 security notes released as part of the December 2017 Security Patch day are accompanied by 4 updates to previously released notes and 4 support package notes, for a total of 19 security notes, ERPScan reveals. 6 of the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.
Implementation flaw was the most common type of vulnerability addressed this month (5 flaws), followed by XSS (2 bugs), Information Disclosure (2), Missing Authorization Check (2), Denial of Service (2), OS command execution (2), Remote Command Execution (1), Open Redirect (1), SSRF (1), and Log injection (1).
The Log injection vulnerability (CVE-2017-16687) impacts SAP HANA XS classic user self-service and features a CVSS Base Score of 5.3. By exploiting the flaw, an attacker could inject arbitrary data in the audit log. By flooding it with a large amount of illegal data, the audit log can no longer be easily analyzed. The operation could also result in a rapid depletion of disk space and in damage to the event log.
Stealthy Admin Accounts Found in Hybrid Office 365 Deployments
13.12.2017 securityweek Hacking
Vulnerability in Azure AD Connect Software Can Provide Stealthy Admins With Full Domain Control
One term used for privileged Admin accounts that exist outside of protected groups is 'stealthy admins'. They are less protected and less monitored than those within protected groups, and can consequently provide a major security risk.
The team at Preempt Security has discovered an automatically generated stealthy admin account in hybrid on-premise/Azure Microsoft Office 365 (O365) deployments.
One aspect of the Preempt Platform's operation is to investigate and prevent insider threats, and this in turn involves detecting insider opportunities for escalating privileges. Escalation involves acquiring the rights of or using a privileged administrator account; and for this reason admin accounts should always be given greater protection.
"Organizations have well-defined groups for administrators, where they can be monitored and protected," explains Ajit Sancheti, CEO and co-founder of Preempt; "but sometimes users are given administrator rights without the account being placed into an administrator group. That's what we call a 'stealthy administrator'. Part of our job is to detect these."
Researchers from Preempt discovered that a stealthy admin is created as a matter of course during the normal use of Microsoft's Azure AD Connect. AD Connect is a tool used by organizations with hybrid on premise and cloud Office 365 deployments. It integrates on premise Active Directory with Azure AD, so that users can have a common identity throughout.
The default express use of AD Connect creates a Microsoft On Line account (MSOL) that has domain admin privileges but exists outside of any protected admin group; that is, it lives in the built-in Users Group. In order to synchronize passwords between on premise accounts and cloud, it has the ability to replicate the domain.
"Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration," said Roman Blachman, CTO and co-founder at Preempt. "We refer to these users as stealthy admins. The majority of our customers have Office 365 hybrid deployments and almost every one of them were vulnerable to this because Azure AD Connect was installed in express settings and created this flaw." Blachman has also explained the issue in a blog posted today.
Anyone with access to User accounts could gain access through these to the MSOL account and acquire high level domain privileges. This could be an attacker already on the network looking to escalate privilege, or a 'rogue' employee. In the latter instance, Preempt gives the example of a help desk that uses a contract employee. That employee would be a domain user, but also an account operator for help desk functional purposes.
The help desk staff is effectively part of the supply chain but with direct -- and legitimate -- access to user accounts, plus one account with domain level privileges. If compromised -- or simply rogue -- the help desk operator's account could get access to every admin account on the domain via the MSOL account. Since the MSOL account is not in a protected admin group, it will not be tracked or monitored like other admin accounts -- and its use by an attacker will not trigger the alerts that it should.
The MSOL account will exist as a stealthy admin as a matter of course for any organization that has used AD Connect to synchronize user passwords between on premise and cloud deployments of Office 365.
Preempt reported the issue to Microsoft, which has today issued an advisory and fix. "Suppose there is a malicious on-premises AD administrator with limited access to customer's on-premises AD but has Reset-Password permission to the AD DS account," explains the advisory. "The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer's on-premises AD."
Microsoft's solution going forward is an 'improvement' to Azure AD Connect that ensures that the account it creates will in future have the recommended permissions. For Azure users who have already used AD Connect, Microsoft says, "You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account."
The Microsoft fix is not a patch for existing implementations. AD Connect will be updated so that its future use will not lead to a stealthy MSOL account. For existing implementations, it is releasing a script that will find and move the MSOL account to a safe location.
It is worth noting, however, that MSOL is unlikely to be the only stealthy admin on a network. While this Microsoft fix will detect the MSOL stealthy admin, it will not solve the problem of other stealthy accounts.
"We're seeing this in almost all of our customers," commented Sancheti. "We have never installed product with any customer without finding at least one or more stealthy admins -- usually anything between 5 to 100. Because of the complexity of Active Directory, it is quite common for one account to be given access to another account without ever realizing what permissions are quietly inherited in the process."
Preempt has developed and released a free tool called Preempt Inspector. "It's purpose is to detect all stealthy accounts, that are often innocently created through configuration errors -- but that create a hidden risk for the network."
Microsoft Patches 19 Critical Browser Vulnerabilities
13.12.2017 securityweek Vulnerebility
Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.
The critical vulnerabilities are memory corruption issues that can be exploited for remote code execution in the context of the targeted user. The security holes – in most cases related to the browser’s scripting engine – can be exploited by getting the target to visit a specially crafted website or a site that serves malicious ads (i.e. malvertising).
These flaws were reported to Microsoft by researchers at Google, Palo Alto Networks, McAfee and Qihoo 360. The Google Project Zero researcher known as Lokihardt has again been credited for finding many of the weaknesses.
Trend Micro’s Zero Day Initiative (ZDI) pointed out that one interesting vulnerability, albeit rated only “important,” is CVE-2017-11927, an information disclosure flaw in Windows that “takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files.” The issue affects the Windows its:// protocol handler – ITS, or InfoTech Storage Format, is the storage format used in CHM files.
“In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update,” ZDI explained in a blog post. “It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info. If an attacker can get the target to disclose the user's NTLM hash, they could then attempt a brute-force attack to obtain the corresponding password.”
The list of vulnerabilities fixed this month also includes information disclosure flaws in Office, a spoofing issue in Exchange, a privilege escalation bug in SharePoint, and a remote code execution vulnerability in Excel.
According to Microsoft, none of the vulnerabilities patched this month have been exploited in attacks or disclosed publicly before fixes were released.
Earlier this month, Microsoft informed users that it had released a patch for a critical remote code execution vulnerability affecting its Malware Protection Engine. The flaw, discovered by the UK's National Cyber Security Centre (NCSC), can be exploited to take control of the targeted system.
After publishing an advisory with information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol, Microsoft announced on Tuesday that it has released a defense-in-depth update that disables DDE in supported versions of Word.
Adobe has only patched one moderate severity vulnerability in Flash Player this Patch Tuesday.
Trump Signs Bill Banning Kaspersky Products
13.12.2017 securityweek BigBrothers
U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.
The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.
Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.
Senator Jeanne Shaheen, who has spearheaded the campaign against Kaspersky, stated, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”
Sen. Shaheen recently sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”
The U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products back in September, and the bill signed on Tuesday reinforces that order. However, the government has yet to provide any evidence of wrongdoing and even Sen. Shaheen’s statements appear to be largely based on various media reports citing anonymous officials.
One of the most recent media reports involving Kaspersky claimed Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor in question has been charged and the cybersecurity firm has shared its side of the story.
The UK's National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. While the ban is less explicit compared to the US, it is expected to have a similar effect.
Kaspersky has repeatedly denied the accusations and it recently announced the launch of a transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.
UPDATE. Kaspersky Lab has provided the following statement:
“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks. Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”
Upstream Security Raises $9 Million to Protect Connected Cars Through the Cloud
13.12.2017 securityweek IT
Upstream Security, a Herzliya, Israel-based cybersecurity company that helps protect connected cars and autonomous vehicles from cyber threats, today announced that it has raised $9 million through a Series A funding round.
The company explains that it has developed a cloud-based automotive cybersecurity platform that leverages artificial intelligence and machine learning that can be applied to the vast amount of data continuously produced by vehicles.
The platform, Upstream describes, “provides customers with data protection, anomaly detection and real-time analytics of cyber attacks and vehicle fleet health. By centralizing cybersecurity in the cloud instead of in-vehicle, threats are detected and prevented before they even reach a vehicle's network.”
Upstream says the new funding will help expand its R&D program and open sales and marketing offices in the United States and Europe, with plans to open an office in Silicon Valley in the coming months.
Cyber threats to automotive systems are not new, and are becoming more of an issue as more cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.
A number of security researchers have demonstrated the ability hack into modern vehicles to manipulate steering, acceleration, speedometers and safety sensors, sparking concerns that malicious attackers could use similar techniques to compromise a vehicle's Electronic Control Units (ECUs) allowing manipulation of a car's engine, brakes, airbags and other safety systems or vehicle components.
Researchers have demonstrated over the past years that vehicles such as the Toyota Prius, Tesla Model S, Jeep Cherokee, and Nissan Leaf are exposed to hacker attacks due to vulnerabilities in connected systems.
With Gartner forecasting there to be 250 million connected vehicles by 2020, Upstream is not the only company looking to tap this market.
Several companies that specialize in automotive security have emerged recently, including Karamba Security and Argus Cyber Security. Some traditional security industry players, such as Symantec and IOActive, have also launched vehicle security divisions. In late 2016, German carmaker Volkswagen teamed up with three Israeli cybersecurity experts to launch CYMOTIVE.
Just last month, Argus Cyber Security was acquired by Continental subsidiary Elektrobit (EB), which provides embedded software solutions to the automotive industry.
Led by CRV (Charles River Ventures), Upstream’s Series A funding round included expanded investments from Israeli-based Glilot Capital Partners and Maniv Mobility. The company previously raised a $2 million seed funding round in June of this year.
Old Crypto Vulnerability Hits Major Tech Firms
13.12.2017 securityweek Vulnerebility
A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world’s top websites.
Last month, F5 Networks informed customers that some of its BIG-IP products include a vulnerability that can be exploited by a remote attacker for recovering encrypted data and launching man-in-the-middle (MitM) attacks.
The security hole was reported to the vendor by Tripwire’s Craig Young, researcher and journalist Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum. The experts noted at the time that the issue affected products from other vendors as well and promised to release details at a later time.
While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details.ROBOT crypto attack
The attack method now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it’s related to an attack method discovered by Daniel Bleichenbacher back in 1998.
The vulnerability affects TLS connections that use RSA encryption and it can allow an attacker to access protected data. The weakness, however, cannot be exploited to obtain private keys.
“For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it,” researchers explained. “For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”
In addition to F5, the vulnerability impacts products from Citrix (CVE-2017-17382), Radware (CVE-2017-17427), Cisco (CVE-2017-17428), Bouncy Castle (CVE-2017-13098), Erlang (CVE-2017-1000385) and WolfSSL (CVE-2017-13099). These organizations have released patches, except for Cisco, whose vulnerable ACE appliances have reached end-of-life. Several other vendors are also affected, but they will not be named until they release fixes.
Experts have determined that the best workaround is to disable RSA encryption, an action which they believe has relatively low costs.
Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.
The vulnerability that allows ROBOT attacks has been known since 1998 and several variations have been found over the years. One recent version of the attack is known as DROWN, which Somorovsky and several others discovered last year.
Each new attack method resulted in a series of countermeasures being developed to protect systems against potential attacks. However, these measures have become increasingly complex, making them difficult for vendors to implement.
The experts who discovered ROBOT said the vulnerability had been hiding in plain sight and the attack involves only minor modifications to the original Bleichenbacher method.
AIG Creates New Model to Score Client Cyber Risk
13.12.2017 securityweek Safety
Insurance giant American International Group said this week that it has developed a new cyber benchmarking model that quantifies and scores the cyber risk of its clients.
The new model, AIG says, evaluates a client’s cyber security maturity against 10 common attack patterns across 11 commonly used technology devices.
While the insurer did not provide details on the attack patterns and technologies used to benchmark cyber risk, it says the model “incorporates critical security data, such as current threat intelligence from multiple sources, effectiveness of an organization’s cyber controls, potential impact of a cyber breach on an organization, and insights gained from the thousands of cyber claims handled by AIG.”
“We developed the model based on historical insights and patterns of how companies experience cyber breaches – the points of entry and the types of attacks and vulnerabilities seen in the vast majority of cyber breach scenarios,” says Tracie Grella, Head of Cyber Risk Insurance at AIG. “Companies have been demanding a way to benchmark their cyber maturity against these known cyber risks to quantify what they are up against and where they stand.”
Clients that provide the required information can receive a report detailing security scores, peer benchmarking, and key risk mitigation controls to help quantify cyber risk.
To support its new model, AIG also announced the launch of CyberMatics, an analytics tool that leverages cyber threat detection firms CrowdStrike and Darktrace. CyberMatics, AIG explains, verifies inputs into AIG’s model from clients’ cyber security tools, which AIG says will provide greater confidence in underwriting information, and ultimately allows for better tailored terms and conditions in cyber insurance policies.
“AIG is partnering with Darktrace to leverage its AI technology to address a cumbersome and outdated process for assessing cyber risk -- manual questionnaires asking for information that most corporations don’t even know the correct answers to, leading to high premiums based on little to no hard evidence,” a Darktrace spokesperson told SecurityWeek.
“As an insurer, we gain a better understanding of the level of risk we are taking on with each client so we can react accordingly,” said Grella. “Our new model combined with CyberMatics can help our clients make informed and quantifiable decisions about their preparedness for cyber security risk events and insurance cover.”
In 2014, AIG expanded its cyber insurance offering to include property damage and bodily injury that could be caused as a result of cyberattacks.
While AIG has developed its own model to rank client cyber risk, third part solutions are also available to help brokers and underwriters. In August 2014, FireEye announced a new line of services designed specifically to help brokers and underwriters gain visibility into enterprises' exposure to cyber threats.
Critical Flaws Found in Palo Alto Networks Security Platform
13.12.2017 securityweek Vulnerebility
Updates released by Palo Alto Networks for the company’s PAN-OS security platform patch critical and high severity vulnerabilities that can be exploited for remote code execution and command injection.
The issue classified by the company as “critical” is actually a combination of vulnerabilities in the management interface that can be exploited by a remote and unauthenticated attacker to execute arbitrary code on affected firewalls.
PAN-OS 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are affected. Patches are included in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6, but attacks can also be blocked using vulnerability signatures made available by the company.
The flaws, collectively tracked as CVE-2017-15944, were reported to Palo Alto Networks by Philip Pettersson, who has released an advisory of his own this week. The expert said the security holes were reported to the vendor in July.
Pettersson’s advisory, which includes complete technical details, describes three vulnerabilities: a partial authentication bypass, an arbitrary directory creation issue, and a command injection bug. Combining these flaws allows an unauthenticated attacker to execute arbitrary code with root privileges through the web interface.
Palo Alto Networks has advised customers to avoid exposing the web interface of its devices to the Internet, but the Sonar and Shodan search engines show that it’s not uncommon for organizations to make it remotely accessible.
PAN-OS updates also address a high severity flaw in the web interface packet capture management component. The security hole, reported by researchers from Samsung and tracked as CVE-2017-15940, allows an authenticated attacker to inject arbitrary commands.
Palo Alto Networks has also informed customers of a low severity flaw discovered by a CrowdStrike researcher in the macOS version of the GlobalProtect Client. The vulnerability, identified as CVE-2017-15870, can be exploited by an attacker who has root privileges to the local system to achieve a certain level of persistence.
This issue affects GlobalProtect for macOS 4.0.2 and earlier, and it has been fixed with the release of version 4.0.3.
Apple Patches KRACK Flaws in AirPort Base Station
13.12.2017 securityweek Vulnerebility
Apple this week released security updates to the firmware for its AirPort Base Stations to resolve vulnerabilities that make the network routers at risk to Key Reinstallation Attacks (KRACK).
The KRACK vulnerabilities were discovered earlier this year in the Wi-Fi standard itself. Because of the flaws, all Wi-Fi Protected Access II (WPA2) protocol implementations, including correct ones, were rendered vulnerable to a new type of attack. Industrial networking devices were also found to be vulnerable.
Discovered by Mathy Vanhoef and Frank Piessens, the flaws could be exploited by tricking the victim into reinstalling an already-in-use key through manipulating and replaying handshake messages. An attacker within range of a victim could access information previously assumed to be safely encrypted.
Soon after the vulnerabilities became public in mid-October 2017, vendors raced to patch them in their products. Depending on implementation, each product could be impacted by one or more of the 10 issues associated with the KRACK attack.
Apple released the first set of KRACK-related patches on October 31. At the time, the company addressed the issue tracked as CVE-2017-13080 in iOS, tvOS, and watchOS, as well as three bugs (CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080) in macOS High Sierra.
Earlier this month, the company released another set of KRACK-related patches to address CVE-2017-13080 in Apple Watch (1st Generation) and Apple Watch Series 3, Apple TV (4th generation), and multiple iOS devices (iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation).
The company has now patched the issues in AirPort Base Station Firmware and released two security updates for the wireless routers.
With the release of AirPort Base Station Firmware Update 7.6.9 on Tuesday, Apple addresses three KRACK vulnerabilities (CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080) in AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n.
AirPort Base Station Firmware Update 7.7.9, on the other hand, patches the three bugs in AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. The update also fixes a fourth bug – CVE-2017-9417 – that could allow an attacker within range to execute arbitrary code on the Wi-Fi chip.
In an alert published on Tuesday, the United States Computer Emergency Readiness Team (US-CERT) “encourages users and administrators to review the Apple security pages for AirPort Base Station Firmware Update 7.6.9 and Firmware Update 7.7.9 and apply the necessary updates.”