Newly Uncovered 'MoneyTaker' Hacker Group Stole Millions from U.S. & Russian Banks
12.12.2017 thehackernews CyberCrime
Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting Banks, financial institutions, and legal firms, primarily in the United States, UK, and Russia.
Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.
In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations—stolen more than $11 Million and sensitive documents that could be used for next attacks.
According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).
"Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US." Group-IB says in its report.
Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.
MoneyTaker: 1.5 Years of Silent Operations
Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.
Even after a large number of attacks against so many targets, MoneyTaker group managed to keep their activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, and code demonstrated as proof-of-concepts at a Russian hacking conference in 2016.
"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators." Group-IB says in its report.
Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.
"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server."
"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack,"
"To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials."
Moreover, MoneyTaker also makes use of SSL certificates generated using names of well-known brands—including as Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.
The hacking group also configure their servers in a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. Also, it relies on PowerShell and VBS scripts to ensure persistence in the targeted system.
The very first attack, which Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data's STAR—the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations—and stole money.
In January 2017, the similar attack was repeated against another bank.
Here's how the attack works:
"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.
"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."
The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."
According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.
The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.
The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.
While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank's internal network was the home computer of the bank's system administrator.
Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.
Google Researcher Releases iOS Exploit—Could Enable iOS 11 Jailbreak
12.12.2017 thehackernews Apple
As promised last week, Google's Project Zero researcher Ian Beer now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources.
On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system.
Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system.
The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, which were patched by the company with the release of iOS 11.2 on 2nd December.
While Beer says he has successfully tested his proof of concept exploit on the iPhone 6s and 7, and iPod Touch 6G, he believes that his exploit should work on all 64-bit Apple devices.
Another security researcher confirmed that the exploit released by Beer also works on his Apple TvOS 11.x and TV 4K running iOS 11.1.2.
What's worse? Since Apple's iOS mobile operating system and macOS desktop operating system share the same code base, the kernel for macOS is also vulnerable to the bug, according to a report published by Project Zero on Google's Chromium Blog.
Beer said he has also successfully tested the vulnerability on macOS 10.13, running on a MacBook Air 5.2, which Apple patched in macOS 10.13.1.
Earlier versions of the operating systems are still vulnerable to the exploit, which basically grants complete core access to the operating system and that is really what the jailbreak community requires.
Although we have not heard any news about iOS jailbreaks from the jailbreak community from very long, Beer's exploit could be the basis for a future iOS 11 jailbreak, allowing iPhone and iPad users to install third-party OS customizations via apps that are restricted by Apple.
If iOS 11.1.2 jailbreak surfaces in upcoming days, you can still downgrade to iOS 11.1.2 using iTunes even if you have updated to iOS 11.2 because Apple is still signing the operating system.
Cybersecurity Incidents Hit 83% of U.S. Physicians: Survey
12.12.2017 securityweek Incindent
A majority of physicians in the United States have experienced a cybersecurity incident, and many are very concerned about the potential impact of a cyberattack, according to a study conducted by professional services company Accenture and the American Medical Association (AMA).
A survey of 1,300 doctors revealed that 83% of clinical practices experienced some type of cybersecurity incident. The most common is phishing (55%), followed by malware infections (48%), improper access to electronic protected health information, or ePHI (37%), network breaches (12%), and ransomware and other attacks involving ransom demands (9%).
More than half of respondents said they were either very concerned or extremely concerned about future cyberattacks, particularly that they may result in interruption to their business or electronic health records (EHR) getting compromised. Physicians are also worried about patient safety (53%), civil or criminal liability (36%), damage to reputation (34%), costs associated with incident response (32%), impact on revenue (30%), fines (25%), and medical device security (19%).
When asked about the impact of past cybersecurity incidents on their business, 64% of respondents said it had caused downtime of four hours or less, but in 12% of cases normal operations were suspended for 1-2 days, and in 4% of cases for more than two days.
In response to incidents, the most common actions were notification of the internal IT team (65%), notification or education of employees (61%), implementation of new policies and procedures (59%), and notification of the EHR or health IT vendor (56%).
While doctors are concerned about the security risks associated with the use of electronic systems, they also noted that the ability to share data with outside entities is in most cases very important.
The study also shows that physicians often trust third parties to keep their ePHI data secure. In many cases, they either get assurance from the vendor or simply trust that their data is being protected. Many also sign contracts or rely on their privacy officer to ensure that sensitive information is stored securely.
Nearly half of organizations have an in-house person responsible for cybersecurity and 17% said they are interested in appointing someone to such a position. Others either outsource security management (26%), or share security management with another practice (23%). Some physicians said they received donated cybersecurity software or hardware.
When it comes to security training, half of respondents named tips for good cyber hygiene as the factor that would boost their confidence in their security posture. Others named simplifying the legal language of HIPAA (47%), easily digestible summary of HIPAA (44%), explaining the more complex rules described by HIPAA (40%), and guidance on conducting risk assessments (38%).
Smart Shield Detector allows thieves to discover if the ATM is protected by anti-skimming technology
12.12.2017 securityaffairs CyberCrime
Crooks are now involving a small, battery-powered device dubbed Smart Shield Detector that is able to detect digital anti-skimming technology used by ATMs.
ATM skimmers are widely adopted by crooks to steal payment card data, in the last months, experts observed an increase in the number of cyber attacks against ATM involving so-called ‘insert skimmers.’
In response, financial institutions are adopting a variety of technological measures designed to defeat skimming devices, but crooks are now involving a small, battery powered device that is able to detect digital anti-skimming technology.
According to the popular investigator Brian Krebs, a well-known skimmer thief is marketing a product called ‘Smart Shield Detector’ claiming that this device is able to detect a variety of anti-skimming technology used by financial institutions.
“The device, which sells for $200, is called a ‘Smart Shield Detector,’ and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”” wrote Krebs.
“It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods.”
The device is able to determine if an ATM uses an anti-skimming method such as the “frequency jamming,” that relies on electronic signals to scramble both the clock (timing) and the card data itself in a bid to interfere with skimming devices.
“You will see current level within seconds!,” says the seller in an online ad for the Smart Shield Detector. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”
As you can see in the following video, low level (a score between 3-5) means that the ATM isn’t protected by any anti-skimmer shield, while a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology.
The following video was shared with Krebs by Alex Holden, founder of Hold Security.
The Smart Shield Detector is a very precious instrument for thieves that can avoid attacking protected ATM.
“KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of its ATM include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.” continues Krebs.
“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” Harrow said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”
A good habit for bank customers while using ATM consist of covering the PIN pad with your hand while you enter your PIN, this precaution is effective against the majority of cases in which crooks use a skimmer and a tiny hidden camera to read the PIN while customers are entering it.
Users can also check the presence a fake keypad that could be placed over the top of the genuine keypad on an ATM as a means of stealing card data.
Another recommendation is to avoid using ATM located outside banks in not controlled places., be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside of banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.
If you are interested in skimming activity, give a look at the Krebs’s material about skimming scam
Firmy v Česku čelí novému typu podvodu, celá třetina jich naletěla
12.12.2017 Novinky/Bezpečnost Kriminalita
Firmy v Česku čelí novému typu podvodu, kdy účetní dostávají falešné e-maily od ředitelů s požadavkem na proplacení peněz do zahraničí. Takto oslovených bylo podle policie zhruba 200 firem, škoda je zatím vyčíslena na víc než 30 miliónů korun. Policisté to v úterý uvedli na tiskové konferenci.
Policisté řeší obdobné případy od května, první byl evidovaný na jihu Moravy. Pachatelé při nich využívají veřejně dostupných zdrojů, z nichž zjistí strukturu firmy včetně klíčových jmen a poté odešlou podvodný e-mail účetnímu či sekretářce, který se tváří jako e-mail od ředitele firmy.
Prvním e-mailem se dotazují, zda může být proplacena určitá suma do zahraničí, a to od 9000 eur (asi 230 tisíc korun) až do 140 tisíc eur (3,5 miliónu korun). Když účetní „řediteli” možnost převodu potvrdí, dostane druhý e-mail s pokynem o vyplacení peněz. Třetím e-mailem se pachatel následně dotazuje, zda platba byla provedena.
Naletěla asi třetina
„Ze zhruba 200 takto oslovených firem jich asi třetina peníze poslala. Výše škody je víc než 30 miliónů korun, v pokusu je dalších 150 miliónů korun, kdy firmy peníze neodeslaly," uvedl kriminalista Tomáš Němec.
Podvodné e-maily podle kriminalistů chodí ze zahraničí, kde končí i vylákané peníze. E-maily podle policistů vypadají věrohodně, jsou však psané pomocí internetového překladače takzvanou strojovou češtinou.
„Ochranou je především dobře nastavená komunikace uvnitř firmy. Je důležité věnovat pozornost obdobným požadavkům a při sebemenším podezření si ověřit, zda požadavek na proplacení přišel opravdu od vedení firmy,” řekl kriminalista. Podle něj je možné, že obdobným útokům mohou čelit i firmy v zahraničí.
Před vlnou podvodných útoků označovaných jako „falešný prezident“ letos v květnu varovala Komerční banka. Uvedla tehdy, že se šíří ve velké míře v okolních zemích i Česku. Jde zřejmě o totožné schéma - podvodníci se vydávali napodobením firemního e-mailu za vysoce postavené představitele firmy a nechávali si poslat peníze do daňových rájů.
A collection of 1.4 Billion Plain-Text leaked credentials is available online
12.12.2017 securityaffairs Incindent
A 41-gigabyte archive containing 1.4 Billion credentials in clear text was found in dark web, it had been updated at the end of November.
Another monster data dump was found online, the huge archive contains over 1.4 billion email addresses, passwords, and other credentials in clear text.
The huge trove of data, a 41-gigabyte archive, has been found online on December 5 by security shop @4iQ.
According to 4iQ founder and chief technology officer Julio Casal, the archive is the largest ever aggregation of various leaks found in the dark web to date.
“While scanning the deep and dark web for stolen, leaked or lost data, 4iQdiscovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.” reads a post published by 4iQ on Medium.
“None of the passwords are encrypted, and what’s scary is the we’ve tested a subset of these passwords and most of the have been verified to be true.”
The 41-gigabyte file had been updated at the end of November, it aggregates data from a collection of 252 previous data breaches and credential lists.
It is still unclear who collected this data, the unique information we have at this time is the Bitcoin and Dogecoin wallet details left for donations.
Collector organized and indexed data alphabetically, the total amount of credentials is 1,400,553,869.
“The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.” continues Julio Casal.
“This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”
Digging the archive, it is possible to verify that users continue to use weak passwords, the top password is still 123456, followed by 123456789, qwerty, password and 111111.
Not only … the expert observed that users tend to reuse the same passwords for multiple online services.
“Since the data is alphabetically organized, the massive problem of password reuse — — same or very similar passwords for different accounts — — appears constantly and is easily detectable.” states the post.
The researchers highlighted that 14% of exposed credentials are new and in clear text.
“We compared the data with the combination of two larger clear text exposures, aggregating the data from Exploit.in and Anti Public. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.” continues the expert.
As usual, let me suggest avoiding password reuse on multiple sites and of course use strong passwords.
Microsoft accidentally exposed Dynamics 365 TLS certificates exposing sandbox environments to MiTM attacks
12.12.2017 securityaffairs Krypto
Microsoft accidentally exposed a Dynamics 365 TLS certificate and private key for at least 100 days leaving the sandbox environments open to MiTM attacks.
Data leakage continues to represent a serious problem for organizations, now it’s up to Microsoft that accidentally exposed a Dynamics 365 TLS certificate and private key for at least 100 days.
The software developer Matthias Gliwka discovered the issue while working with the cloud version of the Microsoft ERP system.
Microsoft started offering the ERP product last year, it is SaaS solution hosted in Azure and accessible through a comprehensive control panel (Life Cycle Services).
According to Gliwka, the TLS certificate was exposed in the Dynamics 365 sandbox environment that is used for user acceptance testing (also referred to as “sandbox”) .
The user acceptance system mirrors the setup of the production environment with a single exception, it offers administrative RDP access.
The expert accessed a sandbox environment via RDP to learn how Microsoft would set up a server hosting such a business critical application.
“The hostname for a sandbox environment is customername.sandbox.operations.dynamics.com. A quick glance at the certificates inside the built-in “Certificate Manager” revealed something shocking” wrote Gliwka on Medium.
“Sitting there in plain sight was a valid TLS certificate for the common name *.sandbox.operations.dynamics.com and the corresponding private key — by the courtesy of Microsoft IT SSL SHA2 CA! This certificate is shared across all sandbox environments, even those hosted for other Microsoft customers.”
The certificate is used encrypt the web traffic between the users and the server, extracting the certificate an attacker could s access to any sandbox environment.
Matthias Gliwka
@cerebuild
@msftsecresponse Reported a leaked TLS private key for a cloud product >45 days ago - still no response. Can you take a look? Case #40397
10:59 PM - Oct 4, 2017
1 1 Reply 2 2 Retweets 6 6 likes
Twitter Ads info and privacy
Gliwka reported the issue to Microsoft that took time to fix it, then he contacted German tech freelancer Hanno Böck to get coverage.
Böck tried filing a bug ticket with Mozilla’s bug tracker that triggered the Microsoft’s action.
The issue was solved on 5 December, months later it first notification on 17 August.
The OceanLotus MacOS Backdoor Transforms into HiddenLotus with a Slick UNICODE Trick
12.12.2017 securityaffairs Apple
Experts at Malwarebytes warns of a new variant of the macOS OceanLotus backdoor is using an innovative technique to avoid detection,
A few years ago the bad actors realized they could use UNICODE characters that looked like English characters to lead unsuspecting victims to malicious websites. Now, they have figured out how to use a similar trick to fool Apple computers too! Substitute a Roman d for a Latin d in .pdf and you might have a way to fool the computer and the user into running the OceanLotus backdoor.
Wikipedia tells us: UNICODE is an industry standard for “the consistent encoding, representation, and handling of text.” Or put another way, it tries to identify every unique character in all of the languages so we can recognize an English “A” and a Greek “A” as distinct.
The bad actors figured out that to humans, a URL in English characters ‘aaa.com‘ looks the same as ‘aaa.com‘ in Greek characters but computers recognize these as different and will take you to two different websites depending on which you choose.
In 2001, this became known as the internationalized domain name (IDN) homograph attack. Most browsers now have defenses against such attacks, and while there are some creative folks still finding new ways to exploit UNICODE attacks in browsers, it looks like some have moved onto creative file-based attacks.
To make life easier for users, operating systems (OSes) allow users to double-click on a file through the GUI and take it from there. If the file is a document, the appropriate application runs and the requested file is opened. If the file is an application, the OS runs the program. Windows operating systems simply look at the file extension to determine the file type. MacOS is more diligent after a series of cyber attacks in 2009 when bad actors renamed applications to have document file extensions getting through the security controls at the time.
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and mail. To identify applications, MacOS looks at the file extension, but also looks at the internal structure of files with known document extensions to determine if it is a renamed application. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and given the option to avoid opening it.
This all seems like a good plan until some crafty person leveraged the confusion that comes with UNICODE characters to create the OSX HiddenLotus. An attack. In this attack, the victim receives the file “Lê Thu Hà (HAEDC).pdf” which looks like a benign PDF document but MacOS knows better because the internal structure gives it away as an application that could contain malware. Following the File Quarantine procedure, the user will see the popup warning shown above. But wait, it doesn’t have an “unknown extension” it has a PDF extension, doesn’t it?
This is where the UNICODE magic comes in to fool the computer. The “d” in the .pdf file above isn’t from the LATIN character set, it is actually a Roman numeral “d” which looks the same to human eyes but is distinctive to computers. MacOS knows that the Adobe extension .pdf should be opened by a PDF reader like Adobe Reader, but the malware extension .pdf has no defined application. It is internally structured like an application so MacOS follows the procedures and asks the user.
Note: there is nothing magic about “pdf” in this case, other than it looks benign to humans and is unrecognized by MacOS.
“The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.” reads the analysis published by MalwareBytes.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well”
Any unknown extension will have this behavior. But imagine what happens when the popup box warns that “Lê Thu Hà (HAEDC).pdf is an application downloaded from the Internet. Are you sure you want to open it?“
How many users will notice “application” in that popup box — which is the important part — or will they quickly scan the message and get “are you sure you want to open this PDF file from the Internet?”
Apple has updated the MacOS XProtect anti-malware system to watch for this specific attack and then provide a stronger message to the user. But there are a lot of characters beside the Roman “d” that can be leveraged for similar attacks. The game of cat and mouse continues.
Google Project Zero white hacker reveals Apple jailbreak exploit
12.12.2017 securityaffairs Apple
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit that relies on a kernel memory corruption vulnerability.
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit. The expert publicly disclosed the kernel memory corruption vulnerability after Apple addressed it with a fix.
Last week highlighted Beer announced an iOS 11.1.2 exploit called “tfp0,” which he believes could be the basis for a future iOS 11.1.2 jailbreak.
Today, Beer released the exploit and explained it should work on all iOS devices running iOS 11.1.2 or below, though he only tested it on iPhone 7, iPhone 6s, and a sixth-generation iPod touch.
Watch out, Beer doesn’t release a full iOS 11 jailbreak, but what could potentially be used to develop a working jailbreak.
The attack vector is the tfp0 (“task for pid 0”), the kernel task port.
Ian Beer
@i41nbeer
iOS 11.1.2, now with more kernel debugging: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3 …
5:20 PM - Dec 11, 2017
171 171 Replies 805 805 Retweets 1,718 1,718 likes
Twitter Ads info and privacy
Beer started from his work with Apple’s Mach kernel implementation, and the Mach interface generator (MIG) made in September 2016.
“Userspace MIG services often use mach_msg_server or mach_msg_server_once to implent an RPC server. These two functions are also responsible for managing the resources associated with each message similar to the ipc_kobject_server routine in the kernel.” wrote Beer.
“Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”
Beer published a proof-of-concept code to exploit a second bug that provided the vector to attack MIG.
The expert exploited “a recent addition to the kernel, presumably as a debugging tool to help enumerate places where the kernel is accidentally disclosing pointers to userspace. The implementation currently enumerates kqueues and dumps a bunch of values from them.”
“IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function.” reads the security advisory published by Beer.
“The external method’s error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a futher reference on the wake_port when only one was taken. This bug is reachable from the iOS app sandbox as demonstrated by this PoC.”
Beer included a step-by-step explanation in the readme file included in the PoC code:
First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
Second, he triggered an out-of-bounds read for “various kallocsizes” to identify “the most commonly-leaked kernel pointer”;
Next, he sent Mach messages to gather “a pretty large number of kalloc allocations;
With enough Mach port allocations, Beer gathered a page “containing only my ports”. The port address disclosure provided “a port which fits within particular bounds on a page. Once I’ve found it, I use the IOSurface bug to give myself a dangling pointer to that port”;
”I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
Careful reallocation (1 MB at a time) made garbage collection trigger and “collect the page that the dangling pointer points to”.
Beer explained that “the bsdinfo->pid trick” allowed him to build an arbitary read to find the kernel task’s vm_map and the kernel’s ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.
Jailbreaking iOS devices is no more so popular, especially after two major Cydia repositories shut down. Both ModMy and ZodTTD/MacCiti, which provided apps, themes, tweaks, and more for jailbroken iOS devices, shut down in November.
Google Researcher Releases iOS 11 Jailbreak Exploit
12.12.2017 securityweek Apple
Google Project Zero researcher Ian Beer has released a proof-of-concept (PoC) exploit that could pave the way for the first iOS 11 jailbreak.
The iOS vulnerabilities leveraged by Beer’s exploit are CVE-2017-13865, a kernel flaw that allows an application to read restricted memory, and CVE-2017-13861, a weakness in IOSurface that can be leveraged to execute arbitrary code with kernel privileges. Both security holes were patched by Apple in early December with the release of iOS 11.2.
When Beer announced his intention to release an iOS exploit a few days ago, some were hoping that the researcher would release a full jailbreak. Nevertheless, many iPhone fans anticipate that the exploit made available by the Google expert will allow someone to create a jailbreak by the end of the year.
Beer has released the exploit in an effort to help security researchers analyze Apple devices by running their own tools. The exploit has been tested on iPhone 7, iPhone 6s and iPod Touch 6G running iOS 11.1.2, but the expert believes support can easily be added for other devices.
The researcher’s exploit targets task_for_pid 0 (tfp0), a function that provides access to the kernel task port and which can be useful for jailbreaking, and a local kernel debugger. Technical details and PoC code are available via the Project Zero bug tracker.
The vulnerabilities necessary for a jailbreak have become increasingly difficult to find and Apple has implemented many of the features that in the past required third-party apps and jailbroken devices. This has led to fewer researchers trying to develop exploits and fewer users needing jailbroken devices.
However, there has been a lot of interest in Beer’s exploits – even before they were actually released – and many users are hoping to see an iOS 11 jailbreak in the coming weeks.
It’s worth pointing out that even if a jailbreak is released, it will only work on devices running iOS 11.1.2 – and possibly earlier versions of iOS 11 – as Apple has already patched the vulnerabilities in iOS 11.2.
macOS Backdoor Uses Innovative Disguise Technique
12.12.2017 securityweek Apple
A variant of the macOS-targeting OceanLotus backdoor is using an innovative technique to disguise the fact that it is an executable in order to avoid alerting users on its execution, Malwarebytes warns.
Dubbed HiddenLotus, the backdoor is distributed via an application named Lê Thu Hà (HAEDC).pdf, which masquerades as an Adobe Acrobat file. The app uses an old method for this behavior, one that inspired the file quarantine feature introduced in Leopard (Mac OS X 10.5), where files downloaded from the Internet are tagged as quarantined.
Should the downloaded file be an executable, such as an application, a pop-up notification warns the user on the fact when they attempt to open the file. The quarantine feature has been around for nearly a decade, but malware continues to masquerade as documents, Malwarebytes says.
HiddenLotus, a new variant of the OceanLotus backdoor that was last seen this summer posing as a Microsoft Word document and targeting users in Vietnam, takes the disguise to a new level. While older malware had a hidden .app extension to indicate that it was an application, HiddenLotus actually has a .pdf extension. There was no .app extension included.
This is possible because the threat uses a hidden extension, where the ‘d’ in .pdf is actually the Roman numeral ‘D’ (representing the number 500) in lowercase, as Arnaud Abbati has discovered.
“An application does not need to have a .app extension to be treated like an application. An application on macOS is actually a folder with a special internal structure called a bundle. A folder with the right structure is still only a folder, but if you give it an .app extension, it instantly becomes an application,” Malwarebytes explains.
Because of that, the Finder treats the folder as a single file and launches it as an application when double-clicked, instead of opening the folder.
When the user double-clicks a file or a folder, LaunchServices considers the extension first and opens the item accordingly, if it knows the extension. A file with a .txt extension will be opened with TextEdit by default. Thus, a folder with the .app extension will be launched as an application, should it have the right internal structure.
If the extension isn’t known, the user is consulted when attempting to open the file, and they can choose an application to open the file or search the Mac App Store.
When double-clicking a folder with an unknown extension, however, LaunchServices falls back on looking at the folder’s bundle structure.
This is the behavior that HiddenLotus’ author leverages: the dropper is a folder that has the internal bundle structure of an application. Because of the use of a Roman numeral in the .pdf extension and because there is no application registered to open it, the system treats it as an application even though it does not have a telltale .app extension.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well,” Malwarebytes says.
The security researchers also point out that there is an enormously large list of possible extensions that malicious actors could abuse, especially when using Unicode characters. Because of that, users could be tricked into opening files that mimic Word documents (.doc), Excel spreadsheets (.xls), Pages documents (.pages), and the like.
“This is a neat trick, but it’s still not going to get past file quarantine. The system will alert you that what you’re trying to open is an application. Unless, of course, what you are opening was downloaded via an application that does not use the APIs that properly set the quarantine flag on the file, as is the case for some torrent apps,” the researchers also note.
Event Logs Manipulated With NSA Hacking Tool Recoverable
12.12.2017 securityweek BigBrothers
Researchers at security firm Fox-IT have developed a tool that allows investigators to detect the use of specific NSA-linked malware and recover event log data it may have deleted from a machine.
The group calling itself Shadow Brokers has published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA). One of the tools leaked by the Shadow Brokers in April is DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.
An interesting DanderSpritz plugin is EventLogEdit, which is designed for manipulating Windows Event Log files to help attackers cover their tracks. While hacker tools that modify event logs are not unheard of, EventLogEdit is more sophisticated compared to others as it allows removal of individual entries from the Security, Application and System logs without leaving any obvious clues that the files had been edited.
“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all),” Jake Williams, founder of Rendition Infosec and an expert in Shadow Broker leaks, said after news of the tool emerged. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation.”
Since the tool has been made public by the Shadow Brokers, it gives less sophisticated actors the opportunity to cover their tracks and hamper forensic investigations.
Fortunately, Fox-IT researchers have found a way to determine if EventLogEdit has been used on a system, and even recover the event log entries that it removed.
“When eventlogedit is used, the to-be-removed event record itself isn’t edited or removed at all: the record is only unreferenced. This is achieved by manipulation of the record header of the preceding record. Eventlogedit adds the size of the to-be-removed-record to the size of the previous record, thereby merging the two records. The removed record including its record header is now simply seen as excess data of the preceding record,” researchers explained. “You might think that an event viewer would show this excess or garbage data, but no. Apparently, all tested viewers parse the record binXml message data until the first end-tag and then move on to the next record.”
Experts pointed out that the removed records should be seen by organizations that send logs on the fly to a central server, but sophisticated attackers are likely to hijack that machine as well in an effort to hide their activities.
However, since the EventLogEdit tool leaves the removed record and record header in their original state, full recovery of the data is possible.
Fox-IT has released an open source Python script that identifies and exports removed event log records, allowing organizations to check if they have been targeted by the NSA or other threat actor that may be leveraging EventLogEdit. Users who don’t want to bother with compiling the code themselves can download a version of the tool provided as a Windows executable.
'MoneyTaker' Hackers Stole Millions from Banks: Report
12.12.2017 securityweek CyberCrime
A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybecrime research firm Group-IB.
Called “MoneyTaker” by Group-IB, the group has been focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US). The fraudsters might soon switch interest to financial institutions in Latin America, given the wide usage of STAR in the region, Group-IB researchers believe.
The group has performed successful attacks on banks in different countries, as well as law firms and financial software vendors. In total 20 companies were hit, including 16 in the US, 3 banks in Russia, and one IT-company in the UK.
The attacks caused losses of roughly $500,000 per attack on average, according to Group-IB's analysis.
The hackers managed to fly under the radar for so long by constantly changing tools and tactics and carefully eliminating traces after completing their operations.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future,” Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence, says.
The first US attack attributed to the group was conducted in the spring of 2016. The hackers stole money by gaining access to First Data’s “STAR” network operator portal. Since then, MoneyTaker hit organizations in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.
A total of 10 attacks were attributed to the group in 2016: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a company in the UK, and 2 attacks on Russian banks. In 2017, the group hit 8 US banks and 1 law firm and 1 bank in Russia.
Group-IB has discovered that the group is using specific withdrawal schemes, where a single account is employed for each transaction. After the theft, the hackers continue to monitor impacted banks, the security researchers say.
By continuously exfiltrating internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs, etc.), the group stays updated on bank operations and can prepare future attacks.
Tools associated with MoneyTaker include the infamous Citadel and Kronos banking Trojans, and the ScanPOS Point-of-Sale (POS) malware. The hackers also used privilege escalation utilities compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016.
The group uses both borrowed and self-written tools. They developed an app with screenshot and keylogger capabilities for spying purposes. Compiled in Delphi, the app can also steal clipboard contents and can disable itself. The app includes 5 timers and an anti-emulation function in the timer code.
An attack on a Russian bank employed MoneyTaker v5.0, a modular tool capable of searching for payment orders, modifying them, replacing original payment details with fraudulent ones, and erasing traces. After the transaction, a concealment module also replaces the fraudulent payment details with the original ones in a debit advice. Thus, the payment order is accepted with the fraudulent details, but the response comes with the initial details instead.
MoneyTaker uses a distributed infrastructure that features a persistence server designed to deliver payloads only to victims with IP addresses in MoneyTaker’s whitelist.
The hackers use a pentest framework server with Metasploit installed on it. The hackers compromise a computer at the targeted organization, then leverage the pentesting framework for network reconnaissance, finding vulnerable applications, exploiting flaws, escalating systems privileges, and information collection.
Courtesy of fileless malware, MoneyTaker can easily hide tracks. When persistence is needed, the group uses PowerShell and VBS scripts, which are difficult to detect and easy to modify. The researchers also observed the group making changes to source code ‘on the fly’ during the attack.
To protect communication with the command and control (C&C) server, the group uses SSL certificates generated using names of well-known brands: Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc. They also used the LogMeIn Hamachi solution for remote access.
In May 2016, MoneyTaker performed the first attack targeting card processing. Through the compromised network of a bank, the hackers gained access to First Data’s STAR network portal operators, which allowed them to make the necessary modifications and start withdrawing money.
After connecting to the card processing system, the group legally opened or bought cards of the hacked bank. Money mules with previously activated cards waited abroad for the operation to begin. The hackers then removed or increased cash withdrawal limits for the cards and removed overdraft limits, thus allowing the money mules to withdraw an excessive amount of cash from ATMs.
Group-IB says they provided the uncovered information on MoneyTaker to Europol and Interpol for further investigative activities.
Malware Isolation Firm Menlo Security Raises $40 Million
12.12.2017 securityweek IT
Menlo Security, a provider of malware isolation technology, announced on Monday that it has closed a $40 million Series C funding round, bringing the total amount raised by the company to $85 million.
Menlo Security LogoThe Menlo Park, Calif.-based company pushes the fact that its offerings do not provide malware detection or classification. Instead, the company’s cloud-based security platform takes all active content—including potentially malicious files—and executes it in the cloud, giving malware no path to reach an endpoint via compromised or malicious web sites, e-mail, or documents.
“Rather than try to distinguish between safe and risky content, the Menlo Security Isolation Platform acts like a digital partition, isolating and executing all web content, email links and documents in the cloud, then streaming a malware-free version of the content to employees’ computers,” the company explains.
Menlo says the additional funding will help support sales and marketing efforts.
American Express Ventures, Ericsson Ventures and HSBC, participated in the funding round as new investors. They join existing investors JPMorgan Chase, General Catalyst, Sutter Hill Ventures, Osage University Partners and Engineering Capital.
Synopsys Completes $550 Million Acquisition of Black Duck Software
12.12.2017 securityweek IT
Synopsys, a company that provides tools and services for designing chips and electronic systems, has completed its acquisition of Black Duck Software, a privately held company that offers solutions for securing and managing open source software.
The value of the cash transaction was approximately $547 million net of cash acquired, Synopsys said.
Black Duck's products help development and security teams automate the process of identifying and inventorying open source code, and help detect known security vulnerabilities. It also provides automated alerts for any newly discovered vulnerabilities affecting the open source code and assists with software license compliance.
In 2014, Synopsys acquired software testing firm Coverity for roughly $350 million. In November 2016, Synopsys announced its plans to acquire software security testing firm Cigital for an undisclosed sum.
Get the Ultimate 2018 Hacker Bundle – Pay What You Want
11.12.2017 thehackernews Security
Due to the growing number of threats in the computer world, ethical hackers have become the most important player for not only governments but also private companies and IT firms in order to safeguard their systems and networks from hackers trying to infiltrate them.
By 2020, employment in all information technology occupations is expected to increase by 22 percent, where demand for ethical hackers and IT security engineers will be the strongest. So, it's high time that you should start preparing yourself in the field of ethical hacking.
Although there are many popular and best online courses available in the market, you can't learn everything from a single book or a course.
Good news, we bring an amazing deal of this month for our readers, known as The Ultimate White Hat Hacker 2018 Bundle online hacking bundle, where you can get hacking courses for as little as you want to pay and if you beat the average price you will receive the fully upgraded hacking bundle!
You will get at least 4 hacking courses for less than the average price you pay (as little as $1), and all 8 online courses for the average price (which is $12.11 at the time of writing).
Here's the brief of all 8 courses which is included in this Pay What You Want deal and requires a minimum of the average price:
1. Learn Hacking Windows 10 Using Metasploit From Scratch
Hack Windows Like a Pro, Secure It Like an Expert, and Detect the Hacker
This online course helps you learn how black hat hackers hack Windows using advanced techniques while improving your knowledge on how to analyze and secure Windows and combat hackers.
2. Hack People, Systems, and Mobile Devices
Learn Advanced Social Engineering Techniques to Crack Mobile Devices
This course helps you learn ethical hacking techniques and methodology used in penetration systems to better protect yourself and those around you.
3. Web Application Penetration Testing Professional: WAPTP v3.1
Attack Web Apps with the Latest Professional Tools & Tricks
This online course helps you build towards mapping an application for insecurities, and understanding how to identify and mitigate threats, with WAPTP v3.1 which is a highly practical and hands-on training for web application penetration testing.
4. From Zero to Hero in Web, Network, and WiFi Hacking
Learn Basic to Advanced Web, Network, and WiFi Hacking
This online course helps you learn the essential elements of WiFi hacking so you can start applying them to a career in ethical hacking.
5. Ethical Hacking Using Kali Linux From A to Z
Discover the Power of Kali Linux, One of the Most Popular Ethical Hacking Tools
This course introduces you to the latest ethical hacking tools and techniques with the popular Kali Linux, using a testing lab for practicing different types of attacks.
6. Learn Website Hacking and Penetration Testing From Scratch
Learn How to Hack Sites Like A Black Hat Hacker and How to Protect Them Like A White Hat Hacker
This course helps you gain a complex understanding of websites, and then learn how to exploit them to carry out a number of powerful cyber attacks and test the security of websites and apps, and fix vulnerabilities.
7. Cyber Security Volume II: Network Security
Discuss Network Security, Firewalls, and Learn the Best Password Managers On the Market
This course helps you learn network hacking techniques and vulnerability scanning to discover security issues and risks across an entire network, learning skills for which big companies are willing to pay top dollar.
8. Ethical Hacking for Beginners
Hack Your Way to a Secure and Threat-Free Environment Using Best-in-Class Tools and Technique.
This course helps you learn ethical hacking and identify threats and vulnerabilities to secure your IT environment.
10 Biggest Cyber Espionage Cases
11.12.2017 securityaffairs CyberSpy
Cyber espionage is now becoming more sophisticated and widespread both on the international and domestic stages. These are 10 Biggest Cyber Espionage Cases.
Cyber spying is now becoming more sophisticated and widespread both on the international and domestic stages. Cyber terrorists can attack you from any place in the world at any time if you don’t secure your computer properly. What more embarrassing about cyber espionage is that victims don’t often know that they are under constant threat for years. In the case of increasing business competition, even the smallest companies have to consider options for cyber espionage prevention. If you still don’t believe in enormous capabilities of cyber attackers, let’s look at the list of 10 biggest cyber espionage cases that affected companies, governments, and even nations.
1. Moonlight Maze
In 1999, Newsweek revealed the first case of coordinated cyber espionage in the United States. A series of cyber attacks began in 1998 and resulted in thousands of stolen documents containing confidential information about American military technologies. Hackers broke into the network of Wright Patterson Air Force Base and then connected to military research institutions. The Russia was blamed in these attacks, but there was a lack of proves. The malware implemented during the Moonlight Maze operation is still widely used for modern attacks.
2. Titan Rain
Within two years from 2003 to 2005, the U.S. government computers were under constant threat arranged by Chinese military hackers. Titan Rain also included attacks on the UK defense and foreign ministries that continued till 2007. This was the first case of cyber espionage sponsored by a state. The hackers penetrated into the network computers using different methods and tried to steal away as much information as possible. The complicity of the Chinese government in this operation wasn’t proven, but countries became more cautious about cyber espionage attacks.
3. Gillette Industrial Espionage
In 1997, Gillette suffered from industrial espionage after its engineer disclosed corporate information to the company’s competitors. Steven Louis Davis worked on the development of a new razor, but then because of quarrels with his supervisor, the engineer stole the designed technology of the new shaver system and revealed it via email and fax to Gillette’s competitors. Davis was found guilty in industrial espionage and sentenced to 27 months in jail.
4. Office of Personnel Management Data Breach
Starting from 2012, Chinese government hackers allegedly attacked the U.S. Office of Personnel Management and stole personal information about 21 million Americans. As the result of this cyber espionage, perpetrators gained an access to the sensitive data about people who worked or applied for the federal government, including military service. The data leakage was discovered in June 2015 when OPM personnel detected a malware that built a backdoor into the network. A Chinese national suspected in the malware development was arrested only in 2017. Though OPM representatives assured that no one suffered because of hacker’s intrusion, the long-term results of this data breach are still unknown.
5. Operation Aurora
In the beginning of 2010, Google claimed that the company was attacked by of a series of cyber threats originated from China. Apart from Google, hackers also attacked more than 20 international companies, including Adobe Systems and Yahoo. Google said that its intellectual property was stolen and Gmail accounts were also under persistent threats. The company even considered stopping censoring its search results in China. Attacks were performed exploiting a vulnerability in Internet Explorer and combining stealth programming and encryption techniques.
6. GhostNet
In 2009, Canadian researchers revealed a large spy network called GhostNet that arranged an intrusion into more than one thousand computers in 103 countries. Perpetrators got unauthorized access to the network of the Dalai Lama offices and used it for compromising other computers. Besides, the attacks were also performed on the foreign ministers and embassies of Germany, Pakistan, India, Iran, South Korea, and Thailand. The Chinese government denied any involvement in the attacks.
7. Night Dragon
In 2011, McAfee reported about the Night Dragon operation initiated by Chinese hackers for attacking the largest European and American energy businesses, including Royal Dutch Shell and Baker Hughes. This was one of the biggest cyber espionage cases when intruders got an access to topographical maps with potential oil reserves. According to McAfee report, attackers used a range of unsophisticated hacking tools and techniques that were available on Chinese hacker websites.
8. Spying on the Obama and McCain Computers
Another case of cyber espionage infected the computers of John McCain and Barack Obama during their presidential campaigns in 2008. Chinese or Russian hackers allegedly installed spyware on the computers of these two presidential candidates and stole sensitive data related to foreign policy. The cyber attack was initially considered as a computer virus, but then technology experts discovered a leakage of the considerable amount of files. The data leakage was revealed only after the presidential election during the federal investigation.
9. Computer Spies Breach Fighter-Jet Project
In 2009, Pentagon reported that the Fighter-Jet Project came under assault from unknown intruders. This multi-billion project of the next generation fighter became a victim of coordinated cyber espionage attacks during two years. Attackers used computers located in China for stealing a massive volume of data about electronics and internal maintenance. Fortunately, the most sensitive information was kept offline and terrorists weren’t able to access it. Though, the U.S. officials suspected Chinese hackers, the true origin of the perpetrators remained undefined.
10. Operation Shady RAT
Operation Shady RAT is undeniably one of the biggest cyber espionage cases in the history, as it affected more than 70 companies and organizations in since 2006. Victims included the International Olympic Committee that was compromised during several months prior to the 2008 Olympic Games in Beijing. The United Nation and the World Anti-Doping Agency were also under the attack. McAfee identified previously unknown malware that was spread via e-mail with a link to a self-loading remote-access tool, or rat. Cyber terrorists got an authorized access to legal contracts, government secrets, and other sensitive data. Chinese hackers have allegedly arranged the operation, as all countries of Southeast Asia suffered from the attacks except China.
As you can see, cyber hackers can attack you either inside or outside the company, so you should always be ahead of the game. In order to protect your sensitive information against any unauthorized access, consider options for cyber espionage prevention that will ensure employee monitoring and external intrusion blocking.
Vietnamese hacker stole security details and building plans from an Australian airport
11.12.2017 securityaffairs CyberCrime
Hackers compromised computer systems at an Australian Airport and stole sensitive security details and building plans. The man was identified and arrested.
Hackers compromised computer systems at the Australian Perth Airport and stole sensitive security details and building plans.
The culprit has a name, he is the Vietnamese citizen Le Duc Hoang Hai (31) who accessed the systems in March last year using credentials of a third-party contractor.
“A skilled hacker in Vietnam stole sensitive security details and building plans from Perth Airport after breaking into its computer systems.” reported The West Australian.
“The West Australian can reveal Vietnamese man Le Duc Hoang Hai used the credentials of a third-party contractor to get access to the airport’s computer systems in March last year.”
According to Prime Minister Malcolm Turnbull’s cybersecurity adviser Alastair MacGibbon, the Hai stole “a significant amount of data” relating to the airport, including building schematics and details of physical security at airport buildings.
The man did not access systems linked to aircraft operations, it seems that the man was financially motivated, in fact, he was hacking into the system in the attempt to steal payment card data.
The investigation revealed that Hai also hacked infrastructure and websites in Vietnam, including banks, telecommunications, and an online military newspaper.
He has been jailed by the Vietnamese military court for four years for illegally accessing Perth Airport’s corporate network in 2016.
Australian Airport
“We detected a cyber intrusion of one of our networks in 2016 and notified the Australian Cyber Security Centre and the Australian Federal Police.” Kevin Brown, Perth Airport CEO, told Nine.com.au
“The assistance and hard work of these two agencies has resulted in the successful identification and prosecution of the individual responsible for the cyber intrusion.”
“Based on evidence gathered by the Australian Federal Police, it appears that credit card theft was the motivation for the illegal accessing of our system.”
“No personal data of members of the public, such as details of credit card numbers, was accessed but other Perth Airport documents were taken.”
Brown also added that stolen data could not pose any risk or threat to the travelling public.
“At no time was the safety or security of the airport, its staff, passengers or partners compromised,” he added.
After the incident, the Perth Airport has added additional security measures investing $2 million.
Vulnerability Allows Modification of Signed Android Apps
11.12.2017 securityweek Android
One of the vulnerabilities patched by Google as part of the December 2017 Android security patches is a High severity bug that could result in tampering with applications’ code without altering their signature.
Discovered by GuardSquare security researchers and tracked as CVE-2017-13156, the security flaw is created by the fact that “a file can be a valid APK file and a valid DEX file at the same time.” Because of that, the researchers called the bug the Janus vulnerability (after the Roman god of duality).
The issue, the researchers say, is that extra bytes can be added to APK files and to DEX files. As ZIP archives, APK files can contain arbitrary bytes at the start, between its ZIP entries, which are the only ones the JAR signature scheme takes into account when verifying the application's signature (any extra bytes are ignored). DEX files, on the other hand, can contain arbitrary bytes at the end.
Another issue is that the Dalvik/ART virtual machine can load and execute both APK and DEX files. In theory, it loads the APK then extracts the DEX and runs it. In practice, it looks at the file’s header and, depending on how it interprets the information there, loads the APK either as a DEX file or as an APK file containing a ZIP entry with a DEX file.
“An attacker can leverage this duality. He can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file,” the security researchers explain.
By exploiting the vulnerability, an attacker could have malicious code running on an Android device with the same permissions as the targeted application, provided they trick the user into downloading and installing a fake update.
“An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely,” the security researchers note.
An attacker could clone sensitive applications (such as banking or messaging apps) and deliver them as fake updates of legitimate software. Thus, the cloned application could look and behave the same as the original but inject malicious behavior.
Attack scenarios would require for the user to accept the malicious update from a source outside Google Play, which would prove relatively easy to pull off in some cases, considering that the application would still look exactly like the original.
The Janus vulnerability was found in Android 5.0 and newer. Applications signed with APK signature scheme v2 and running on Android 7.0 and newer platforms, which support the latest signature scheme, are protected. Apps using DexGuard's tamper detection mechanism are better hardened against the attack.
“Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2,” GuardSquare says.
Google was informed on the vulnerability on July 31, 2017, but only released a patch to its partners in November. A fix was included in the Android Security Bulletin released on December 4, 2017.
Google May Allow Innovative Use of Android Accessibility Service
11.12.2017 securityweek Android
After getting complaints from many developers, Google is evaluating whether it should continue allowing Android applications to use accessibility services for purposes other than assisting people with disabilities.
Many Android adware and malware families that make it onto Google Play abuse the BIND_ACCESSIBILITY_SERVICE permission to obtain administrator privileges and for other unauthorized activities.
As a result, Google informed application developers last month that they had 30 days to either demonstrate that the accessibility service is actually needed to help users with disabilities or remove the use of the permission from their product. The Internet giant warned that those who fail to comply would risk having their apps pulled from the official store.
The developers of several popular applications that use the accessibility service for various features that may otherwise be difficult to implement complained on various forums and reached out to Google with their concerns. The list of impacted apps includes the LastPass password manager and the Tasker automation app – the latter is not designed specifically for people with disabilities, but it is used by them.
In response to complaints, Google told developers, “We’re evaluating responsible and innovative uses of accessibility services. While we complete this evaluation, we are pausing the 30 day notice we previously contacted you about.”
In the meantime, developers whose Android applications require the BIND_ACCESSIBILITY_SERVICE permission must clearly inform users of why the service is needed before asking them to enable it. Developers must also convince Google that their app uses the permission for responsible and innovative purposes.
“Your disclosure must meet the following requirements: In all cases, you must have a disclosure to explain why you need to observe user actions in general using the Accessibility Service API. For each accessibility capability declared, you must have an accompanying disclosure to describe the app functionality that the Accessibility Service permission is enabling for your app. (The default disclosure tells us ‘what’, but you must disclose to the user ‘why’),” Google told developers.
The information provided by application developers on how they use the service will help Google make a decision regarding the use of the accessibility service.
Microsoft Says ERP Product Private Key Leak Posed Little Risk
11.12.2017 securityweek Krypto
It took Microsoft more than 100 days to address a problem related to the use of the same digital certificate for all installations of its Dynamics 365 enterprise resource planning (ERP) product, but the company said the issue posed little risk.
Dynamics 365, a product hosted on Microsoft’s Azure cloud platform, has three main components: a production system, a development system, and a user acceptance testing system. The user acceptance system, also known as a sandbox, is a test environment that mimics the production system and allows remote access via RDP.
Developer Matthias Gliwka accessed the sandbox via RDP and noticed in the application’s Certificate Manager that it included a wildcard TLS certificate for the *.sandbox.operations.dynamics.com domain, along with its private key. The certificate, shared across all sandbox environments, had been issued by Microsoft’s own certificate authority (CA).
Since the certificate – for which the expert easily extracted the private key – had been used to encrypt traffic between users and the server, a man-in-the-middle (MitM) attacker in possession of the key could have intercepted data without raising any suspicion.
“The users of this user acceptance (sandbox) systems are high-value targets,” Gliwka explained in a blog post. “They are usually in key positions at the respective organization and have access to valuable information. The sandbox system itself often also contains sensitive information to make the tests more realistic. There is even a feature to copy the production database into the sandbox environment to enable this use case.”
Further analysis showed that all production systems used a wildcard certificate for the *.operations.dynamics.com domain. However, RDP access to production environments is not possible, making it more difficult to extract the certificate’s private key and launch an attack. Nevertheless, Gliwka believes this could have been achieved if the attacker had managed to find a code execution vulnerability on the server.
Microsoft told SecurityWeek that it has decided to update all sandbox and production environments to use unique certificates, but the company has described it as a “defense-in-depth” measure, claiming that “controls exist in production environments that render the described technique ineffective.”
While the issue may not have posed a big risk to Dynamics 365 users, Gliwka claims it took a lot of time to get Microsoft to take action. The developer reported his findings to Microsoft in mid-August, but the exposed wildcard certificates were only revoked in early December after German researcher and journalist Hanno Böck got involved and a ticket was opened on Mozilla’s bug tracker. Certificates whose private key has been compromised should normally be revoked within 24 hours.
Gliwka claims that during communications with Microsoft support, he was provided a phone number for the Marine Spill Response Corporation (MSRC), an oil spill and emergency response organization in the U.S., instead of contact information for the Microsoft Security Response Center (MSRC).