Terabytes of US military social media surveillance miserably left wide open in AWS S3 buckets
19.11.2017. securityaffairs BigBrothers
Three AWS S3 buckets containing dozen of terabytes resulting from surveillance on US social media were left wide open online.
It has happened again, other three AWS S3 buckets containing dozen of terabytes resulting from surveillance on US social media were left wide open online.
The misconfigured AWS S3 buckets contain social media posts and similar pages that were scraped from around the world by the US military to identify and profile persons of interest.
The huge trove of documents was discovered by the popular data breach hunter Chris Vickery, the three buckets were named centcom-backup, centcom-archive, and pacom-archive.
CENTCOM is the abbreviation for the US Central Command, the US Military command that covers the Middle East, North Africa and Central Asia, similarly PACOM is the for US Pacific Command that covers the Southern Asia, China and Australasia.
Vickery was conducting an ordinary scan for the word “COM” in publicly accessible S3 buckets when spotted the unsecured buckets, one of them contained 1.8 billion social media posts resulting from automatic craping activities conducted over the past eight years up to today. According to Vickery, it mainly contains postings made in central Asia, in many cases comments made by US individuals.
Documents reveal that the archive was collected as part of the US government’s Outpost program, which is a social media monitoring and narrowcasting campaign designed to target youngsters and educate them to despise the terrorism.
The archive discovered by Vickery in fact includes the Outpost development, configuration files, as well as Apache Lucene indexes of keywords designed to be used with the open-source search engine Elasticsearch.
“While public information about this firm is scant, an internet search reveals multiple individuals who worked for VendorX describing work building Outpost for CENTCOM and the Defense Department” reads the blog post published by Upguard.
Another folder titled “Coral” likely refers to the US Army’s “Coral Reef” intelligence software.
“This folder contains a directory named “INGEST” that contained all the posts scraped and held in the “centcom-backup” bucket. The Coral Reef program “allows users of intelligence to better understand relationships between persons of interest” as a component of the Distributed Common Ground System-Army (DCGS-A) intelligence suite, “the Army’s primary system for the posting of data, processing of information, and dissemination to all components and echelons of intelligence, surveillance and reconnaissance information about the threats, weather, and terrain” programs. Such a focus on gathering intelligence about “persons of interest” would be even more clear-cut in the other two buckets, starting with “centcom-archive.” continues the post.
The bucket “centcom-archive” contains an impressive volume of internet posts stored in the same XML text file format as seen in “centcom-backup,” at least 1.8 billion such posts are stored here.
“The bucket “centcom-archive” contains more scraped internet posts stored in the same XML text file format as seen in “centcom-backup,” only on a much larger scale: conservatively, at least 1.8 billion such posts are stored here.” states the post.
It is disturbing how this material was leaked online due to misconfigured AWS S3 buckets, foreign governments and terrorist organization may have had access to the archive such as Vickery.
Vickery notified the American military about the discovery and the buckets have now been locked down and hidden.
It isn’t the first time that data from US Military was discovered online, in September researchers from cybersecurity firmUpGuard discovered thousands of files containing personal data on former US military, intelligence, and government workers have allegedly been exposed online for months.
City of Spring Hill in Tennessee still hasn’t recovered from ransomware attack
18.11.2017 securityaffairs Ransomware
In early November, the City of Spring Hill, Tenn, suffered a ransomware attack, but it still hasn’t recovered from attack attack.
In early November, the City of Spring Hill, Tenn, suffered a ransomware attack, but government officials refused to pay a $250,000 ransom demanded by the crooks and attempted to restore the database recovering the content from backups.
The malware caused serious damages to the city, many of the ordinary activities were affected, city workers were not able to access their email accounts, and residents were not able to make online payments or even use payment cards to pay utility bills or court fines, or conduct any other business transaction.
The situation is worse for emergency responders, the emergency dispatchers have had to log the calls, writing them by hand on a dry-erase board.
“This keeps track of our active police officers and medics out on a call,” said Director Brandi Smith about the white board.
“We write it down on paper, take the call number, put it behind them, so no matter who is working they know where the officer is, because despite all this, officer safety is still important to us,” she told News 2.
According to WKRN, the ransomware attack has shut down all mobile data terminals in the city’s police cars.
City officials announced that 911 system and city emails have been restored since Tuesday, the situation is more complicated for restoring direct deposits and online payments.
Investigators believe that the crooks haven’t stolen information from the city’s server.
GitHub warns developers when their projects include vulnerable libraries
18.11.2017 securityaffairs Vulnerebility
The code hosting service GitHub warns developers when including certain flawed software libraries in their projects and suggest fixes to solve the issues.
The code hosting service warns developers when including certain flawed software libraries in their projects and provides advice on how to address the issue.
GitHub has recently introduced the Dependency Graph, a feature that lists all the libraries used by a project. The new feature supports JavaScript and Ruby, and the company also plans to add the support for Python next year.
The new security feature is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.
The availability of a dependency graph allows to notify the owners of the projects when it detects a Known security vulnerability in one of the dependencies and suggest known fixes from the GitHub community.
“Today, for the over 75 percent of GitHub projects that have dependencies, we’re helping you do more than see those important projects. With your dependency graph enabled, we’ll now notify you when we detect a vulnerability in one of your dependencies and suggest known fixes from the GitHub community.” states GitHub on the introduction of the security alerts.
GitHub provides developers the type of flaw, the associated severity, and affected versions, the user interface includes a link that points to a page where additional details are available.
Administrators can also choose the form of warnings, including email alerts, web notifications, and warnings via the user interface, selecting also the final recipient of the message (individuals or groups).
The code hosting service relies on both Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) list in order to determine if a project is using flawed libraries.
“Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them.” continues GitHub.
“This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work. The dependency graph and security alerts currently support Javascript and Ruby—with Python support coming in 2018.”
Since many publicly disclosed vulnerabilities don’t have CVEs, GitHub will also try to warn users of flaws that still haven’t received the code.
“We’ll continue to get better at identifying vulnerabilities as our security data grows,” GitHub added.
In the presence of a security patch for a vulnerability discovered by GitHub, the service advises the developers to update or adopt a fix provided by the community.
EMOTET Trojan Variant Evades Malware Analysis
18.11.2017 securityweek Virus
A recently observed variant of the EMOTET banking Trojan features new routines that allow it to evade sandbox and malware analysis, Trend Micro security researchers say.
Also known as Geodo, EMOTET is a piece of malware related to the Dridex and Feodo (Cridex, Bugat) families. Mainly used to steal banking credentials and other sensitive information, EMOTET can also be used as a Trojan downloader, and recent attacks have dropped various malicious payloads.
In a report published in early November, Microsoft revealed that EMOTET has been increasingly targeting business users.
According to Trend Micro, EMOTET’s dropper changed from using RunPE to exploiting a Windows application programming interface (API) called CreateTimerQueueTimer. The API creates a queue for lightweight objects called timers, which are meant to enable the selection of a callback function at a specified time.
“The original function of the API is to be part of the process chain by creating a timer routine, but here, the callback function of the API becomes EMOTET’s actual payload. EMOTET seems to have traded RunPE for a Windows API because the exploitation of the former has become popular while the latter is lesser known, theoretically making it more difficult to detect by security scanners,” Trend Micro explains.
EMOTET, however, is not the first malware family to abuse this Windows API, as the Hancitor banking Trojan that also dropped PONY and VAWTRAK used it in its dropper (a malicious macro document) as well.
The new Trojan variant also features an anti-analysis technique that involves checking when the scanner monitors activities in order to dodge detection. With the use of said Windows API, the malware can do the job every 0x3E8 milliseconds, the security researchers say.
At the second stage of the payload, the new Trojan variant can check if it runs inside a sandbox environment and terminates its process if it does. The dropper checks the NetBIOS’ name, the UserName, and for the presence of specific files on the system.
The malware also runs itself through another process if it does not have admin privilege. If it does have said privileges, it creates an auto start service for persistence, renames it and starts it, collects system information, encrypts it, and sends it via a POST request to the command and control (C&C) server.
In a recent analysis of the EMOTET C&C infrastructure, security researcher MalwareTech (Marcus Hutchins) notes that the threat is using hardcoded IP addresses to connect to the server. However, it uses compromised sites as proxies for the C&C connection.
This practice, the researcher says, has become increasingly popular “because it adds a layer of protection preventing researchers from easily finding and shutting down the actual C2 server.” It also makes it difficult to flag the servers as malicious, given that they are legitimate websites that have been running for years.
The new EMOTET variant is distributed via phishing emails containing a malicious URL meant to drop a macro-enabled document. Best practices for defending against phishing attacks should keep both enterprises and end-users safe from the threat, Trend Micro notes.
GitHub Warns Developers When Using Vulnerable Libraries
18.11.2017 securityweek Vulnerebility
Code hosting service GitHub now warns developers if certain software libraries used by their projects contain any known vulnerabilities and provides advice on how to address the issue.
GitHub recently introduced the Dependency Graph, a feature in the Insights section that lists the libraries used by a project. The feature currently supports JavaScript and Ruby, and the company plans on adding support for Python next year.
The new security feature added by GitHub is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.
When a vulnerable library is detected, a “Known security vulnerability” alert will be displayed next to it in the Dependency graph. Administrators can also configure email alerts, web notifications, and warnings via the user interface, and they can add the teams or individuals who should see the alerts.
GitHub identifies vulnerable projects by tracking flaws in Ruby gems and NPM packages on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added, the company identifies all repositories that use the affected version and informs their owners.
The information provided to administrators includes the type of flaw, its severity, and affected versions. There is also a link that points to a page where additional details are available.
If a patch exists for the vulnerability, GitHub advises developers to update or uses machine learning to suggest a fix provided by the community.
GitHub currently tracks vulnerabilities that have been assigned a CVE identifier, but since many publicly disclosed flaws don’t have CVEs, the company will also try to warn users of issues that don’t have one. “We'll continue to get better at identifying vulnerabilities as our security data grows,” GitHub said.
Group Launches Secure DNS Service Powered by IBM Threat Intelligence
18.11.2017 securityweek Safety
A newly announced free Domain Name System (DNS) service promises automated immunity from known Internet threats by blocking access to websites flagged as malicious.
Called Quad9, because the IP address of the primary DNS server being 9.9.9.9, the new service was launched by IBM Security, Packet Clearing House (PCH) and The Global Cyber Alliance (GCA) and is aimed to provide increased security and privacy online to consumer and businesses alike.
The Quad9 service was designed to keep users safe from millions of malicious Internet sites that have been already flagged for stealing personal information, infecting users with ransomware and other type of malware, or for conducting fraudulent activity.
The service routes users’ DNS queries through a secure network of servers and uses threat intelligence from over a dozen cyber security companies to provide real-time perspective on whether the websites are safe or not. The users’ browsers are automatically blocked from accessing a website that the system has detected as being infected.
Quad9 harvests intelligence from IBM X-Force’s threat database and also taps feeds from 18 additional partners, including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.
The service was designed to protect traditional PCs and laptops, along with Internet connected TVs, DVRs, and Internet of Things (IoT) products such as smart thermostats and connected home appliances. Many of these devices do not receive important security updates and are difficult to secure although they remain connected to the Internet, which leaves them vulnerable to hackers.
Performance should not be affected when using the new DNS service, IBM says. At launch, Quad9 has points of presence in over 70 locations across 40 countries, leveraging PCH’s expertise and global assets. The service’s points of presence should double over the next 18 months, in an attempt to improve speed, performance, privacy, and security.
Quad9 says it does not store, correlate or otherwise leverage personally identifiable information (PII) from its users. To take advantage of the new DNS service’s benefits, users only need to set their devices to use 9.9.9.9 as their DNS server.
“Setting up DNS filtering requires just a simple configuration change. Most organizations or home users can update in minutes by changing the DNS settings in the central DHCP server which will update all clients in a few minutes with no action needed at end devices at all. The service is and will remain freely available to anyone wishing to use it,” Quad9’s website reads.
Quad9 started as the brainchild of GCA, but each of the involved partners is responsible for a different aspect of the service. GCA offers system development capabilities, PCH is responsible for Quad9’s network infrastructure, while IBM provides X-Force threat intelligence and the service’s IP address 9.9.9.9.
Other services providing similar (free) offerings include Cisco-owned OpenDNS, and Google’s Public DNS (which uses 8.8.8.8 and 8.8.4.4 as its DNS server IPs).
“Protecting against attacks by blocking them through DNS has been available for a long time, but has not been used widely. Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind – they lack the resources, are not aware of what can be done with DNS, or are concerned about exposing their privacy and confidential information,” said Philip Reitinger, President and CEO of the Global Cyber Alliance.
While the service looks promising, it remains to be seen how it will perform when compared to already established offerings, Lenny Zeltser, Vice President of Products at Minerva Labs, an Israel-based provider of endpoint security solutions, told SecurityWeek in an emailed comment.
“Based on the iniquitous DNS protocol, Quad9 promises to secure network activities in a non-intrusive manner and in a manner that’s easy to deploy. That’s wonderful. Though I’m encouraged by these aspects of the offering, I am curious how it compares to the well-established Cisco Umbrella (formerly OpenDNS) service, which has been around for a while and earned trust among end-users and IT practitioners. Similarly, Google DNS servers provide some network security benefits to their users,” Zeltser said.
Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions, told SecurityWeek that the new service’s focus on privacy is more than welcomed. Privacy as we know it is disappearing fast, with everyone being watched and monitored 24/7 when in public places, in an attempt to improve security and deliver tailored experiences, he says.
“The new DNS service from Quad9, with a focus on both privacy and security, is a step in the right direction. It is a must needed level of protection in today’s world of cyber threats and helps put the balance back in the consumers. While many governments and ISP’s are removing the ability for citizens to surf the internet with privacy and confidence in security, Quad9 has stepped in to bring a bit of balance back. It will help bring some peace of mind to many who want to surf the internet without being continuously targeted and limit personal information flowing through the internet without their knowledge,” Carson said.
“It is also important to note that what Quad9 is providing is not 100% security. Therefore, you must continue to be cautious when using the internet and always question any suspicious links or advertisements displayed. This will not stop you from getting phishing emails or social media threats so it is always important to take additional steps. Continue to do best practices when purchasing anything online and manage your credentials and passwords securely,” he concluded.
Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts
17.11.2017 thehackernews Virus
Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details.
Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card information and login credentials and injecting HTML code into visited web pages.
However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user.
Terdot banking trojan does this by using a highly customized man-in-the-middle (MITM) proxy that allows the malware to intercept any traffic on an infected computer.
Besides this, the new variant of Terdot has even added automatic update capabilities that allow the malware to download and execute files as requested by its operator.
Usually, Terdot targeted banking websites of numerous Canadian institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank among others.
This Trojan Can Steal Your Facebook, Twitter and Gmail accounts
However, according to the latest analysis, Terdot can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google's Gmail, Microsoft's live.com, and Yahoo Mail.
Interestingly, the malware avoids gathering data related to Russian largest social media platform VKontakte (vk.com), Bitdefender noted. This suggests Eastern European actors may be behind the new variant.
The banking Trojan is mostly being distributed through websites compromised with the SunDown Exploit Kit, but researchers also observed it arriving in a malicious email with a fake PDF icon button.
If clicked, it executes obfuscated JavaScript code that downloads and runs the malware file. In order to evade detection, the Trojan uses a complex chain of droppers, injections, and downloaders that allow the download of Terdot in pieces.
Once infected, the Trojan injects itself into the browser process to direct connections to its own Web proxy, read traffic and inject spyware. It can also steal authentication info by inspecting the victim's requests or injecting spyware Javascript code in the responses.
Terdot can also bypass restrictions imposed by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and generating certificates for every domain the victim visits.
Any data that victims send to a bank or social media account could then be intercepted and modified by Terdot in real-time, which could also allow it to spread itself by posting fake links to other social media accounts.
"Terdot is a complex malware, building upon the legacy of Zeus," Bitdefender concluded. "Its focus on harvesting credentials for other services such as social networks and email services could turn it into an extremely powerful cyber espionage tool that is extremely difficult to spot and clean."
Bitdefender has been tracking the new variant of Terdot banking Trojan ever since it resurfaced in October last year. For more details on the new threat, you can head on to a technical paper (PDF) published by the security firm.
Kaspersky: NSA Worker's Computer Was Already Infected With Malware
17.11.2017 thehackernews BigBrothers
Refuting allegations that its anti-virus product helped Russian spies steal classified files from an NSA employee's laptop, Kaspersky Lab has released more findings that suggest the computer in question may have been infected with malware.
Moscow-based cyber security firm Kaspersky Lab on Thursday published the results of its own internal investigation claiming the NSA worker who took classified documents home had a personal home computer overwhelmed with malware.
According to the latest Kaspersky report, the telemetry data its antivirus collected from the NSA staffer's home computer contained large amounts of malware files which acted as a backdoor to the PC.
The report also provided more details about the malicious backdoor that infected the NSA worker's computer when he installed a pirated version of Microsoft Office 2013 .ISO containing the Mokes backdoor, also known as Smoke Loader.
Backdoor On NSA Worker's PC May Have Helped Other Hackers Steal Classified Documents
This backdoor could have allowed other hackers to steal classified documents and hacking tools belonging to the NSA from the machine of the employee, who worked for the Tailored Access Operations (TAO) group of hackers at the agency.
For those unaware, United States has banned Kaspersky antivirus software from all of its government computers over suspicion of Kaspersky's involvement with the Russian intelligence agency and spying fears.
Though there's no substantial evidence yet available, an article published by US news agency WSJ last month claimed that Kaspersky Antivirus helped Russian government hackers steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
However, the article, which quoted multiple anonymous sources, failed to provide any solid evidence to prove if Kaspersky was intentionally involved with the Russian spies or some hackers simply exploited some zero-day bug in the Antivirus product.
Kaspersky lives up to its claims that its antivirus software detected and collected the NSA classified files as part of its normal functionality, and has rigorously denied allegations it passed those documents onto the Russian government.
Now, in the recent report published by the anti-virus firm said between September 11, 2014, and November 17, 2014, Kaspersky Lab servers received confidential NSA materials multiple times from a poorly secured computer located in the United States.
The company's antivirus software, which was installed on the employee's PC, discovered that the files contained malware used by Equation Group, a 14-year-old NSA's elite hacking group that was exposed by Kaspersky in 2015.
Kaspersky Claims it Deleted All NSA Classified Files
Besides confidential material, the software also collected 121 separate malware samples (including a backdoor) which were not related to the Equation Group.
The report also insists that the company deleted all classified documents once one of its analysts realized that the antivirus had collected more than malicious binaries. Also, the company then created a special software tweak, preventing those files from being downloaded again.
"The reason we deleted those files and will delete similar ones in the future is two-fold; we do not need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials," Kaspersky Lab report reads.
"Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions."
Trojan Discovered on NSA Worker's Computer
The backdoor discovered on the NSA staffer's PC was actually a Trojan, which was later identified as "Smoke Bot" or "Smoke Loader" and allegedly created by a Russian criminal hacker in 2011. It had also been advertised on Russian underground forums.
Interestingly, this Trojan communicated with the command and control servers apparently set up by a Chinese individual going by the name "Zhou Lou," using the e-mail address "zhoulu823@gmail.com."
Since executing the malware would not have been possible with the Kaspersky antivirus enabled, the staffer must have disabled the antivirus software to do so.
"Given that system owner's potential clearance level, the user could have been a prime target of nation states," the Kaspersky report reads.
"Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands."
More details on the backdoor can be found here.
For now, the Kaspersky anti-virus software has been banned by the U.S. Department of Homeland Security (DHS) from all of its government computers.
In the wake of this incident, Kaspersky Lab has recently launched a new transparency initiative that involves giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.
New Cyber Insurance Firm Unites Insurance With Cyber Intelligence
17.11.2017 securityweek Cyber
Mountain View, Calif-based cyber insurance firm At-Bay has emerged from stealth with a mission to shake up the status quo in cyber insurance. It brings a new model of security cooperation between insured and insurer to reduce risk and exposure to both parties.
At-Bay has partnered with HSB to bring to market a product to insure and defend organizations against cyber risks. It has closed a $6 million seed funding round, led by LightSpeed Venture Partners, with the participation of Shlomo Kramer and LocalGlobe.
"We founded At-Bay with the belief that controlling for cyber risk enables businesses to embrace technology and unlock great value to customers," said Rotem Iram, CEO and founder, At-Bay. "We match deep insights on a company's IT security with financial exposure that cyber attack vectors create, to enable insurance brokers and risk managers to more clearly and accurately assess and manage cyber risk. Our insurance products and supporting risk management services provide organizations with the confidence that they can take on the challenges of tomorrow."
Organizations are increasingly digitizing their businesses and becoming more reliant on technology. Technology is not secure and presents risk. Much of that risk is mitigated by security technology -- but each day there is further proof that security technology is not perfect. Risk managers need to consider that despite all the security technology employed to mitigate risk, there will always be residual risk that is best handled by risk transfer; that is, cyber insurance. Cyber insurance can be seen as a complement to cybersecurity technology used together to more fully mitigate the increasing risk of insecure digitization.
The primary problem for cyber insurers is that there is no established historical corpus of understanding for cybersecurity risk in the same way as there is for, say, motor or life insurance. Insurance works best with static risk, but cyber risk is intrinsically dynamic -- both the target (the IT infrastructure) and the attack methodology (attackers, tools, techniques, exploits and motivation) are continuously changing. Neither the insurer nor the insured currently understands how cybersecurity can be insured. For example, a survey by At-bay indicates that 50% of companies that do not have cyber insurance say it is because they do not know enough about cyber insurance.
At-bay proposes to solve this dilemma by uniting cybersecurity understanding with cyber insurance delivery within one supplier. At-bay's Rotem Iram points out that insurers have two advantages in this process. Firstly they are on the hook to pay out in case of loss; and secondly, as they develop their customer base, they become privy to a vast amount of information on cybersecurity and risk. The first provides the incentive for insurers to learn from the second, provided they have sufficient in-house understanding of cybersecurity threats, mitigations and response.
One of the problems for insurers is that each client's risk profile is continuously and unpredictably changing. "A rate could be set for a perceived risk; but two months later the NSA loses EternalBlue and the risk level changes," explains Iram. "The insurer cannot increase the premiums because its not the insured's fault -- so he has to carry that increased risk at the same premium for another ten months. But if the insurer has sufficient understanding of the security posture of the client, he can tell the client about the new risk and how to mitigate it."
The interesting part about this example is that Iram would still pay out on the insurance even if he warned a company about a new risk and the company did nothing about it -- and was subsequently affected. "Yes, 100%," he told SecurityWeek. He accepts that he may be being a little naive, but firmly believes the future for cyber insurance is the evolution of a mutually collaborative relationship between insurer and insured. If the insurer gives good advice, and the insured responds, the insurer could give an end-of-year rebate.
Key to that collaboration is that the insured must trust the cybersecurity knowledge of the cybersecurity insurer. This is what has been lacking and is precisely what At-Bay seeks to bring to the table. Iram himself comes from a security background, and even spent five years with the Israel Defence Forces where he became head of the techno-intelligence group. He believes that if the insurer can demonstrate that it gives good advice, the insured will respond. "Nobody wants to get hacked. There's always a cost. There will always be some aspects that aren't or cannot be covered by insurance." Insurance is about reducing financial exposure as far as possible, not about eliminating it -- it cannot, for example, insure against loss of revenue caused by brand reputation damage (think Target), or loss of share value (think Equifax).
"We will be collecting data and using researchers to push the limits of our understanding of risk," he told SecurityWeek. "As we do that, we will be improving the quality of our product. Product quality is depressed today because insurance companies do not really understand the cybersecurity risk.
"Our team," he continued, "is split between Mountain View and Tel Aviv. Tel Aviv is where we have access to incredible security talent from the intelligence community. What we've built is a nation-state level reconnaissance capability based on what we've brought from the intelligence community. Our team and machine gathers intelligence from different sources, contextualizes it, and relates it to the customer infrastructure. Long story short, we scan the entire market of publicly available resources every month. Whenever we underwrite a company we have a history of how their technology stack and their security stack has looked and evolved over a period of time. This is a good part of the underwriting process, and helps us offer really good security advice to our clients."
The Equifax breach is an example of how this model would work. Rather than sit back and wait for the breach that would trigger an insurance claim, At-Bay would detect and inform any client with an unpatched vulnerability (such as the Struts vulnerability at Equifax) and explain how it should be remediated.
If At-Bay succeeds in its model of uniting security intelligence with insurance, it could shake up the entire cyber insurance market. If it does that, then both cybersecurity vendors and technology companies will need to look at their existing own third-party liability insurance. If more companies adopt cyber insurance, then more cybersecurity insurers will start trying to claw back their payouts from third parties who may be deemed to have been at fault in the breach.
Moxa NPort Devices Vulnerable to Remote Attacks
17.11.2017 securityweek Vulnerebility
Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks
Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.
According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.
ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.Moxa NPort devices vulnerable to remote attacks
Florian Adamsky, the researcher credited by ICS-CERT for finding the flaws, told SecurityWeek that the vulnerabilities were found as part of a bigger research project conducted by him and Dr. Thomas Engel of the University of Luxembourg’s SECAN-Lab.
The research focuses on industrial Serial-to-Ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.
The researcher said all of the Moxa device vulnerabilities can be exploited remotely over the Internet. A scan with the Censys search engine revealed more than 2,000 Moxa devices connected to the Web, including over 1,350 NPort systems affected by the discovered flaws.
Adamsky said the CVE-2017-16719 vulnerability exists due to the fact that the TCP Initial Sequence Number (ISN) from NPort 5110 and 5130 devices is predictable. This allows an attacker to create and inject malicious network packets into an established TCP connection by predicting the ISN.
According to the researcher, the ISN was based on uptime, which can be easily obtained via the Simple Network Management Protocol (SNMP). Exploitation of this vulnerability could, in certain circumstances, lead to arbitrary command execution, the expert said.
Exploiting CVE-2017-16715 can allow an attacker to obtain previously sent network packets, which can include the session ID of an HTTP connection. This ID can be leveraged by an attacker to gain access to a device’s web interface.
“In CVE-2017-16715, we found out that these devices were using uninitialized memory as padding for network packets,” Adamsky explained. “According to RFC 894, the minimum Ethernet frame size is 46 bytes. If a packet is smaller than the minimum size, the IP packet ‘should be padded (with octet of zero) to meet the Ethernet minimum frame size’. Instead of octets of zeros, Moxa used uninitialized memory. This vulnerability was called Etherleak in the past.”
The security holes were reported to Moxa via ICS-CERT in June and August, and they were patched by the vendor on November 14.
Ransomware Targets SMBs via RDP Attacks
17.11.2017 securityweek Ransomware
A series of ransomware attacks against small-to-medium companies are leveraging Remote Desktop Protocol (RDP) access to infect systems, Sophos reports.
As part of these attacks, the mallicious actors abuse a commonly found issue in many business networks: weak passwords. After managing to crack and RDP password, attackers can easily install their malware onto the company’s systems with hopes to collect a ransom payment.
Discovering RDP ports exposed to the Internet isn’t difficult at all, Sophos explains. Cybercriminals can use specialized search engines such as Shodan for that and then abuse public or private tools to gain access to the discovered systems.
As part of the analyzed attacks, the actors used a tool called NLBrute to brute-force their way into the found systems by trying a variety of RDP passwords. Once they managed to find the right password, the attackers would immediately log into the network and create their own administrative accounts, Sophos says.
By doing so attackers can reconnect to the network even if the admin password they used for initial compromise has been changed. “They’ve already got backup accounts they can use to sneak back in later,” the researchers say.
Next, the attackers download and install low-level system tweaking software, such as Process Hacker, after which they turn off or reconfigure anti-malware applications. They also attempt to elevate privileges through abusing known vulnerabilities, including the CVE-2017-0213 and CVE-2016-0099 flaws that have been long patched by Microsoft.
The attackers also turn off database services to allow their malware to target databases, and also turn off the Windows live backup service called Volume Shadow Copy and delete existing backups, to prevent victims from restoring targeted files without paying. Next, they upload and run their ransomware.
According to Sophos, the attackers demanded a 1 Bitcoin ransom from their victims. Although numerous companies were hit, the attackers’ Bitcoin wallet shows a single transaction matching the demanded amount. Either victims have not paid, or they managed to negotiate lower payments, the security researchers say.
“The victims of this kind of attack are almost always small-to-medium companies: the largest business in our investigation had 120 staff, but most had 30 or fewer,” Sophos says.
To stay protected, organizations are advised to turn off RDP, or to protect it well if they need to use it regularly. They should also consider using a Virtual Private Network (VPN) for connections from outside their network, along with two-factor authentication (2FA), as well as to install available patches fast, to ensure their systems remain protected.
“You've probably heard the saying that 'if you want a job done properly, do it yourself’. Sadly, there's a niche of cybercrooks who have taken that advice to heart: if you've been sloppy setting up remote access to your network, they log in themselves and infect you with ransomware by simply running it directly, just like you or I might load Word or Notepad. This means the cyber criminals don’t need to mess around with emails, social engineering or malicious attachments,” said Paul Ducklin, Senior Technologist, Sophos.
The use of RDP to spread ransomware, however, isn’t a new practice. In fact, this attack method was so popular in the beginning of this year that it even topped email for ransomware distribution.
Last month, a BTCware ransomware variant called Payday was observed abusing the same method for infection. Security researchers investigating the attacks discovered that the malware operators were using brute-force attacks to crack RDP passwords and compromise the poorly secured systems.
Who is behind MuddyWater in the Middle East? Likely a politically-motivated actor
17.11.2017 securityaffairs BigBrothers
Researchers are investigating a mysterious wave of attacks in the Middle East that was dubbed MuddyWater due to the confusion in attributing the.
Security experts at Palo Alto Networks are monitoring long-lasting targeted attacks aimed at entities in the Middle East and that are difficult to attribute.
The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.
Threat actors used PowerShell-based first stage backdoor named POWERSTATS, across the time the hackers changed tools and techniques.
“This blog discusses targeted attacks against the Middle East taking place between February and October 2017 by a group Unit 42 is naming MuddyWater” states the analysis from PaloAlto Networks.
“MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.”
MuddyWater attackers used a set of weaponized documents that were also used in recently observed incidents targeting the Saudi Arabian government. The same set of documents is similar to ones associated with a series of attacks discovered by experts at Morphisec.
The malicious documents associated with this last wave of attacks had been tailored according to the target regions.
Some of the attacks were attributed to the FIN7 that launched a campaign aimed at employees involved in SEC Filings.
Palo Alto Networks believe that the recent wave of attacks might have been mistakenly associated with the FIN7 group, it also reported that a C&C server delivering the FIN7-linked DNSMessenger tool was in MuddyWater attacks as well.
The hackers maintained the same final payload while changing delivery methods between attacks.
“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes.
The hackers used well known tools, including Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more.
In some recent attacks, the threat actor used GitHub to host the POWERSTATS backdoor.
“In some of their recent attack documents, the attackers also used GitHub as a hosting site for their custom backdoor, POWERSTATS.” continues the analysis.
The experts managed a number of GitHub repositories related to their malware.
The experts observed compromised accounts at third party organizations sending the MuddyWater malware, in one case, the attackers sent a malicious document which appears nearly identical to a legitimate attachment which PaloAlto observed later being sent to the same recipient.
“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” reported PaloAlto.
According to Palo Alto Networks, past attribution of the attacks were wrong, the group in not financially motivated as previously thought, instead it politically motivated.
Threat actors might have planted a false flag to make hard the attribution.
“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers concluded.
Kaspersky provided further details on NSA Incident. Other APTs targeted the same PC
17.11.2017 securityaffairs BigBrothers
Kaspersky Lab publishes a full technical report related to hack of its antivirus software to steal NSA hacking code.
In October, anonymous source claimed that in 2015 the Russian intelligence stole NSA cyber weapons from the PC of one of its employees that was running the Kaspersky antivirus.
Kaspersky denies any direct involvement and provided further details about the hack, but it wasn’t a good period for the firm.
In September, the US Government banned the Russian security firm from all federal government systems.
The PC was hacked after the NSA employee installed a backdoored key generator for a pirated copy of Microsoft Office.
Kaspersky Lab, published in October a detailed report on the case that explains how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.
In October many media accused Kaspersky of helping the Russian intelligence for the detection of the US cyber-weapons on the PC via its security solutions, but according to the security firm the situation is quite different.
According to the telemetry logs collected by the Russian firm, the staffer temporary switched off the antivirus protection on the PC, and infected his personal computer with a spyware from a product key generator while trying to use a pirated copy of Office.
On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC, some time later the employee disabled the Kaspersky software to execute the activation-key generator
Then the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.
Kaspersky offered to hand over the source code of its solution to the US experts, to prove it wasn’t up involved in any cyber espionage operation.
Back to the present, Kaspersky published a new report that sheds the light on the investigation conducted by the firm on the NSA-linked Equation Group APT.
Kaspersky began running searches in its databases since June 2014, 6 months prior to the year the alleged hack of its antivirus, for all alerts triggered containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a LARGE amount of false positives.
The analysis revealed the presence of a specific signature that fired a large number of times in a short time span on just one system, specifically the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred below as “[undisclosed].7z”). This is the beginning of the analysis on the system that was found containing not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development.
“In total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy.” states the new report published by Kaspersky.
“This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.”
kaspersky
The analysis of the computer there the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of the Microsoft Office 2013, but the .ISO was containing the Mokes backdoor.
“What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as “kms.exe” (a name of a popular pirated software activation tool), and “kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions”. Kaspersky Lab products detected the malware with the verdict Backdoor.Win32.Mokes.hvl.” continues Kaspersky.
Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.
Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two month its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.
Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”
Kaspersky explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.
“Given that system owner’s potential clearance level, the user could have been a prime target of nation states,” Kaspersky said. “Adding the user’s apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands.”
Further details are included in the technical report.
Oracle issues emergency patches for JOLTANDBLEED flaws
17.11.2017 securityaffairs Vulnerebility
JoltandBleed – Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.
Oracle issued an emergency patch for vulnerabilities affecting several of its products that rely on the proprietary Jolt protocol.
The vulnerabilities were reported by experts at ERPScan who named the set of five vulnerabilities JoltandBleed.
The most critical flaw was rated with the highest CVSS base score of 9.9 and even 10.0, according to the experts it may be exploited over a network without the need for a valid username and password.
The JoltandBleed issues affect the Jolt server within Oracle Tuxedo that is used by numerous Oracle’s products, including Oracle PeopleSoft. An attacker can exploit the vulnerabilities to gain full access to all data stored in the following ERP systems:
Oracle PeopleSoft Campus Solutions
Oracle PeopleSoft Human Capital Management
Oracle PeopleSoft Financial Management
Oracle PeopleSoft Supply Chain Management, etc.
Below the complete list of the JoltandBleed vulnerabilities discovered by the expert:
CVE-2017-10272 is a vulnerability of memory disclosure; its exploitation gives an attacker a chance to remotely read the memory of the server.
CVE-2017-10267 is a vulneralility of stack overflows.
CVE-2017-10278 is a vulneralility of heap overflows.
CVE-2017-10266 is a vulnerability that makes it possible for a malicious actor to bruteforce passwords of DomainPWD which is used for the Jolt Protocol authentication.
CVE-2017-10269 is a vulnerability affecting the Jolt Protocol; it enables an attacker to compromise the whole PeopleSoft system.
The flaw ties the way Jolt Handler (JSH) processes a command with opcode 0x32
“This error is originated with that how Jolt Handler processes a command with opcode 0x32. If the package structure is incorrect, a programmer has to provide a Jolt client with a certain Jolt response indicating there is an error in the communication process,” continues ERPScan.
Oracle made the patches available Tuesday for Oracle Fusion Middleware, which address all vulnerabilities.
The vulnerability was caused by a coding mistake in a function call that was responsible for packing data to transmit.
“The confusion was between 2 functions, jtohi and htoji. Consequently, packing of a constant package length that must be 0x40 bytes is actually 0x40000000,” said ERPScan.
“Then a client initiates the transmission of 0x40000000 bytes of data. Manipulating the communication with the client, an attacker can achieve a stable work of a server side and sensitive data leakage. Initiating a mass of connections, the hacker passively collects the internal memory of the Jolt server,”
The vulnerability causes the leakage of credentials when a user enters them through the web interface of PeopleSoft systems.
Technically, the flaw is a memory leakage vulnerability similar to HeartBleed so it can be used to retrieve a user password and other sensitive data.
“One of the possible attacks besides an obvious theft of employees data is for students to hack Campus Solutions and modify or delete payment orders for their education or gain financial aid. This attack as well as other details was demonstrated today at the DeepSec Security conference in Vienna.” said ErpScan.
Below the video PoC published by ErpScan:
According to Oracle the CVE-2017-10272 memory disclosure vulnerability is easy to exploit and allows a low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.
“Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerability allows low privileged attacker with network access via Jolt to compromise Oracle Tuxedo.” wrote Oracle. “While the vulnerability is in Oracle Tuxedo, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo.”
Threat Predictions for Automotive in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
Modern cars are no longer just electro-mechanical vehicles. With each generation, they become more connected and incorporate more intelligent technologies to make them smarter, more efficient, comfortable and safe. The connected-car market is growing at a five-year compound annual growth rate of 45% — 10 times faster than the car market overall.
In some regions (e.g. the EU or Russia) two-way connected systems (eCall, ERA-GLONASS) are extensively implemented for safety and monitoring purposes; and all major auto manufacturers now offer services that allow users to interact remotely with their car via a web interface or a mobile app.
Remote fault diagnostics, telematics and connected infotainment significantly enhance driver safety and enjoyment, but they also present new challenges for the automotive sector as they turn vehicles into prime targets for cyberattack. The growing risk of a vehicle’s systems being infiltrated or having its safety, privacy and financial elements violated, requires manufacturers to understand and apply IT security. Recent years have seen a number (here, here, and here) of examples highlighting the vulnerability of connected cars.
What can we expect in 2018?
Gartner estimates that there will be a quarter of a billion connected cars on the roads by 2020. Others suggest that by then around 98% of cars will be connected to the Internet. The threats we face now, and those we expect to face over the coming year should not be seen in isolation – they are part of this continuum – the more vehicles are connected, in more ways, the greater the surface and opportunities for attack.
The threats facing the automotive sector over the coming 12 months include the following:
Vulnerabilities introduced through lack of manufacturer attention or expertise, combined with competitive pressures. The range of connected mobility services being launched will continue to rise, as will the number of suppliers developing and delivering them. This ever-growing supply (and the likelihood of products/suppliers being of variable quality), coupled with a fiercely competitive marketplace could lead to security short cuts or gaps that provide an easy way in for attackers.
Vulnerabilities introduced through growing product and service complexity. Manufacturers serving the automotive sector are increasingly focused on delivering multiple interconnected services to customers. Every link is a potential point of weakness that attackers will be quick to seize on. An attacker only needs to find one insecure opening, whether that is peripheral such as a phone Bluetooth or a music download system, for example, and from there they may be able to take control of safety-critical electrical components like the brakes or engine, and wreak havoc.
No software code is 100% bug free – and where there are bugs there can be exploits. Vehicles already carry more than 100 million lines of code. This in in itself represents a massive attack surface for cybercriminals. And as more connected elements are installed into vehicles, the volume of code will soar, increasing the risk of bugs. Some automotive manufacturers, including Tesla have introduced specific bug bounty programs to address this.
Further, with software being written by different developers, installed by different suppliers, and often reporting back to different management platforms, no one player will have visibility of, let alone control over, all of a vehicle’s source code. This could make it easier for attackers to bypass detection.
Apps mean happiness for cybercriminals. There are a growing number of smartphone apps, many introduced by car manufacturers, which owners can download to remotely unlock their cars, check the engine status or find its location. Researchers have already demonstrated proof of concepts of how such apps can be compromised. It will not be long before Trojanized apps appear that inject malware direct into the heart of an unsuspecting victim’s vehicle.
With connected components increasingly introduced by companies more familiar with hardware than software, there is a growing risk that the need for constant updates could be overlooked. This could make it harder, if not impossible for known issues to be patched remotely. Vehicle recalls take time and cost money and in the meantime many drivers will be left exposed.
Connected vehicles will generate and process ever more data – about the vehicle, but also about journeys and even personal data on the occupants – this will be of growing appeal to attackers looking to sell the data on the black market or to use it for extortion and blackmail. Car manufacturers are already under pressure from marketing companies eager to get legitimate access to passenger and journey data for real time location-based advertising.
Fortunately, growing awareness and understanding of security threats will result in the first cyber secure devices for remote diagnostic and telematics data appearing on the marke
Further, lawmakers will come up with requirements and recommendations for making cybersecurity a mandatory part of all connected vehicles.
Last but not least, alongside existing safety certification there will be new organizations set up that are responsible for cybersecurity certification. They will use clearly defined standards to assess connected vehicles in terms of their resistance to cyberattacks.
Recommended action
Addressing these risks involves integrating security as standard, by design, focused on different parts of the connected car ecosystem. Defensive software solutions could be installed locally on individual electrical components— for instance, the brakes — to reinforce them against attacks. Next, software can protect the vehicle’s internal network as a whole by examining all network communications, flagging any changes in standard in-vehicle network behaviour and stopping attacks from advancing in the network. Overarching this, a solution needs to protect all components that are connected externally, to the Internet. Cloud security services can detect and correct threats before they reach the vehicle. They also can send the vehicle over-the-air updates and intelligence in real time. All of this should be supported with rigorous and consistent industry standards.
Threat Predictions for Connected Health in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist.
This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.
What can we expect in 2018?
The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organizations can significantly enhance the quality and effectiveness of medical care.
The threats facing these trends over the coming 12 months include the following:
Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.
There will also be a rise in the number of targeted attacks focused on stealing data. The amount of medical information and patient data held and processed by connected healthcare systems grows daily. Such data is immensely valuable on the black market and can also be used for blackmail and extortion. It’s not just other criminals who could be interested: the victim’s employer or insurance company might want to know as it could impact premiums or even job security.
There will be more incidents related to ransomware attacks against healthcare facilities. These will involve data encryption as well as device blocking: connected medical equipment is often expensive and sometimes life-critical, which makes them a prime target for attack and extortion.
The concept of a clearly-defined corporate perimeter will continue to ‘erode’ in medical institutions, as ever more workstations, servers, mobile devices and equipment go online. This will give criminals more opportunities to gain access to medical information and networks. Keeping defenses and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.
Sensitive and confidential data transmitted between connected ‘wearables’, including implants, and healthcare professionals will be a growing target for attack as the use of such devices in medical diagnosis, treatment and preventative care continues to increase. Pacemakers and insulin pumps are prime examples.
National and regional healthcare information systems that share unencrypted or otherwise insecure patient data between local practitioners, hospitals, clinics and other facilities will be a growing target for attackers looking to intercept data beyond the protection of corporate firewalls. The same applies to data shared between medical facilities and health insurance companies.
The growing use by consumers of connected health and fitness gadgets will offer attackers access to a vast volume of personal data that is generally minimally protected. The popularity of health-conscious, connected lifestyles means that fitness bracelets, trackers, smart watches, etc. will carry and transmit ever larger quantities of personal data with only basic security – and cybercriminals won’t hesitate to exploit this.
Disruptive attacks – whether in the form of denial of service attacks or through ‘ransomware’ that simply destroys data (such as WannaCry) – are a growing threat to increasingly digital health care facilities. The ever increasing number of work stations, electronic records management and digital business processes that underpin any modern organization broadens the attack surface for cybercriminals. In healthcare, they take on an extra urgency, as any disruption can in real terms become a matter of life or death.
Last, but not least, emerging technologies such as connected artificial limbs, implants for smart physiological enhancements, embedded augmented reality etc. designed both to address disabilities and create better, stronger, fitter human beings – will offer innovative attackers new opportunities for malicious action and harm unless they have security integrated from the very first moment of design.
Threat Predictions for Financial Services and Fraud in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
In 2017 we’ve seen fraud attacks in financial services become increasingly account-centric. Customer data is a key enabler for large-scale fraud attacks and the frequency of data breaches among other successful attack types has provided cybercriminals with valuable sources of personal information to use in account takeover or false identity attacks. These account-centric attacks can result in many other losses, including that of further customer data and trust, so mitigation is as important as ever for businesses and financial services customers alike.
What can we expect in 2018?
2018 will be a year of innovation in financial services as the pace of change in this space continues to accelerate. As more channels and new financial service offerings emerge, threats will diversify. Financial services will need to focus on omni-channel fraud prevention to successfully identify more fraud crossing from online accounts to newer channels. Newer successful payment types will see more attack attempts as their profitability for attack increases.
Real-time payment challenges. Increasing demand from consumers for real-time and cross-border financial transactions results in pressure to analyse risk more quickly. Consumer expectations for friction-free payments make this task even more challenging. Financial services will need to rethink and make ‘Know Your Customer’ processes more effective. Machine learning and eventually AI-based solutions will also be key in meeting the need for quicker fraud and risk detection.
Social engineering attacks. Financial services will need to stay focused on tried and tested attack techniques. In spite of more sophisticated emergent threats, social engineering and phishing continue to be some of the simplest and most profitable attacks – exploiting the human element as the weakest link. Customer and employee education should continue to improve awareness of the latest attacks and scams.
Mobile threats. According to the latest Kaspersky Cybersecurity Index, ever more online activity now takes place on mobile. For example, 35 per cent of people now use their smartphone for online banking and 29 per cent for online payment systems (up from 22 per cent and 19 per cent respectively in the previous year). These mobile-first consumers will increasingly be prime targets for fraud. Cybercriminals will use previously-successful and new malware families to steal user banking credentials in creative ways. In 2017 we saw the modification of malware family Svpeng. In 2018, other families of mobile malware will re-surface to target banking credentials with new features. Identification and the removal of mobile malware is essential to financial services institutions to stop these attacks early.
Data breaches. Data breaches will continue to make the headlines in 2018 and the secondary impact on financial institutions will be felt through fake account set ups and account take-over attacks. Data breaches, although harder to commit than individual fraud attacks against customers, are hugely profitable to criminals thanks to the high volume of customer data exposed in one hit. Financial services should regularly test their defences and use solutions to detect any suspicious access at the earliest stages.
Cryptocurrency targets. More financial institutions will explore the application of cryptocurrencies, making attacks on these currencies a key target for cybercriminals. We already saw the occurrence of mining malware increasing in 2017 and more attempts to exploit these currencies will be seen in 2018. Solutions capable of detecting the latest malware families should be used as well as combining the latest threat intelligence into prevention strategies. [See Threat Predictions for Cryptocurrencies for further information on this threat.]
Account takeover. More secure physical payments through chip technology and other Point of Sale improvements, have shifted fraud online in the past decade. Now, as online payment security improves through tokenisation, biometric technology and more, fraudsters are shifting to account takeover attacks. Industry estimates suggest fraud of this type will run into billions of dollars as fraudsters pursue this highly profitable attack vector. Financial services will need to rethink digital identities and use innovative solutions to be sure that customers are who they say they are, every time.
Pressure to innovate. More and more businesses will venture into payment solutions and open banking offerings in 2018. Innovation will be key to incumbent financial service firms seeking a competitive advantage over an increasing number of competitors. But understanding the regulatory complications can be challenging enough, never mind evaluating the potential for attack on new channels. These new offerings will be targets for fraudsters upon release and any new solution not designed with security at the core will find itself an easy target for cybercriminals.
Fraud-as-a-Service. International underground communication amongst cybercriminals means that knowledge is shared quickly and attacks can spread globally even faster. Fraud services are offered on the dark web, from bots and phishing translation services to remote access tools. Less experienced cybercriminals purchase and use these tools, meaning more attempted attacks for financial services to block. Sharing knowledge across departments as well as looking to threat intelligence services will be key in mitigation.
ATM attacks. ATMs will continue to attract the attention of many cybercriminals. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote and fileless operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars with a step-by-step user guide. Kaspersky Lab has published a report on future ATM attack scenarios targeting ATM authentication systems.
Threat Predictions for Industrial Security in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
2017 was one of the most intense in terms of incidents affecting the information security of industrial systems. Security researchers discovered and reported hundreds of new vulnerabilities, warned of new threat vectors in ICS and technological processes, provided data on accidental infections of industrial systems and detected targeted attacks (for example, Shamoon 2.0/StoneDrill). And, for the first time since Stuxnet, discovered a malicious toolset some call a ‘cyber-weapon’ targeting physical systems: CrashOverride/Industroyer.
However, the most significant threat to industrial systems in 2017 was encryption ransomware attacks. According to a Kaspersky Lab ICS CERT report, in the first half of the year experts discovered encryption ransomware belonging to 33 different families. Numerous attacks were blocked, in 63 countries across the world. The WannaCry and ExPetr destructive ransomware attacks appear to have changed forever the attitude of industrial enterprises to the problem of protecting essential production systems.
What can we expect in 2018?
A rise in general and accidental malware infections. With few exceptions, cybercriminal groups have not yet discovered simple and reliable schemes for monetizing attacks on industrial information systems. Accidental infections and incidents in industrial networks caused by ‘normal’ (general) malicious code aimed at a more traditional cybercriminal target such as the corporate networks, will continue in 2018. At the same time, we are likely to see such situations result in more severe consequences for industrial environments. The problem of regularly updating software in industrial systems in line with the corporate network remains unresolved, despite repeated warnings from the security community.
Increased risk of targeted ransomware attacks. The WannaCry and ExPetr attacks taught both security experts and cybercriminals that operational technology (OT) systems are more vulnerable to attack than IT systems, and are often exposed to access through the Internet. Moreover, the damage caused by malware can exceed that in the corresponding corporate network, and ‘firefighting’ in the case of OT is much more difficult. Industrial companies have demonstrated how inefficient their organization and staff can be when it comes to cyberattacks on their OT infrastructure. All of these factors make industrial systems a desirable target for ransomware attacks.
More incidents of industrial cyberespionage. The growing threat of organized ransomware attacks against industrial companies could trigger development of another, related area of cybercrime: the theft of industrial information systems data to be used afterwards for the preparation and implementation of targeted (including ransomware) attacks.
New underground market activity focused on attack services and hacking tools. In recent years, we have seen growing demand on the black market for zero day exploits targeting ICS. This tells us that criminals are working on targeted attack campaigns. We expect to see this interest increase in 2018, stimulating the growth of the black markets and the appearance of new segments focused on ICS configuration data and ICS credentials stolen from industrial companies and, possibly, botnets with ‘industrial’ nodes offerings. Design and implementation of advanced cyberattacks targeting physical objects and systems requires an expert knowledge of ICS and relevant industries. Demand is expected to drive growth in areas such as ‘malware-as-a-service’, ‘attack-vector-design-as-a-service’, ‘attack-campaign-as-a-service’ and more.
New types of malware and malicious tools. We will probably see new malware being used to target industrial networks and assets, with features including stealth and the ability to remain inactive in the IT network to avoid detection, only activating in less secure OT infrastructure. Another possibility is the appearance of ransomware targeting lower-level ICS devices and physical assets (pumps, power switches, etc.).
Criminals will take advantage of ICS threat analyses published by security vendors. Researchers have done a good job finding and making public various attack vectors on industrial assets and infrastructures and analyzing the malicious toolsets found. However, this could also provide criminals with new opportunities. For example, the CrashOverride/Industroyer toolset disclosure could inspire hacktivists to run denial-of-service attacks on power and energy utilities; or criminals may targeted ransomware and may even invent monetizing schemes for blackouts. The PLC (programmable logic controller) worm concept could inspire criminals to create real world malicious worms; while others could try to implement malware using one of standard languages for programming PLCs. Criminals also could recreate the concept of infecting the PLC itself. Both these types of malware could remain undetected by existing security solutions.
Changes in national regulation. In 2018, a number of different cybersecurity regulations for industrial systems will need to be implemented. For example, those with critical infrastructures and industrial assets facilities will be compelled to do more security assessments. This will definitely increase protection and awareness. Thanks to that, we will probably see some new vulnerabilities found and threats disclosed.
Growing availability of, and investment in industrial cyber insurance. Industrial cyber-risk insurance is becoming an integral part of risk management for industrial enterprises. Previously, the risk of a cybersecurity incident was excluded from insurance contracts – just like the risk of a terrorist attack. But the situation is changing, with new initiatives introduced by both cybersecurity and insurance companies. In 2018, this will increase the number of audits/assessments and incident responses undertaken, raising cybersecurity awareness among the industrial facility’s leaders and operators.
Threat Predictions for Cryptocurrencies in 2018
17.11.2017 Kaspersky Analysis
The landscape in 2017
Today, cryptocurrency is no longer only for computer geeks and IT pros. It’s starting to affect people’s daily life more than they realize. At the same time, it is fast becoming an attractive target for cybercriminals. Some cyberthreats have been inherited from e-payments, such as changing the address of the destination wallet address during transactions and stealing an electronic wallet, among other things. However, cryptocurrencies have opened up new and unprecedented ways to monetize malicious activity.
In 2017, the main global threat to users was ransomware: and in order to recover files and data encrypted by attackers, victims were required to pay a ransom in cryptocurrency. In the first eight months of 2017, Kaspersky Lab products protected 1.65 million users from malicious cryptocurrency miners, and by the end of the year we expect this number to exceed two million. In addition, in 2017, we saw the return of Bitcoin stealers after a few years in the shadows.
What can we expect in 2018?
With the ongoing rise in the number, adoption and market value of cryptocurrencies, they will not only remain an appealing target for cybercriminals, but will lead to the use of more advanced techniques and tools in order to create more. Cybercriminals will quickly turn their attention to the most profitable money-making schemes. Therefore, 2018 is likely to be the year of malicious web-miners.
Ransomware attacks will force users to buy cryptocurrency. Cybercriminals will continue to demand ransoms in cryptocurrency, because of the unregulated and almost anonymous cryptocurrency market: there is no need to share any data with anyone, no one will block the address, no one will catch you, and there is little chance of being tracked. At the same time, further simplification of the monetization process will lead to the wider dissemination of encryptors.
Targeted attacks with miners. We expect the development of targeted attacks on companies for the purpose of installing miners. While ransomware provides a potentially large but one-off income, miners will result in lower but longer Next year we will see what tips the scales.
Rise of miners will continue and involve new actors. Next year mining will continue to spread across the globe, attracting more people. The involvement of new miners will depend on their ability to get access to a free and stable source of electricity. Thus, we will see the rise of ‘insider miners’: more employees of government organizations will start mining on publicly owned computers, and more employees of manufacturing companies will start using company-owned facilities.
Web-mining. Web-mining is a cryptocurrency mining technique used directly in browser with a special script installed on a web-page. Attackers have already proved it is easy to upload such a script to a compromised website and engage visitors’ computers in mining and, as a result add more coins to the criminals’ wallets. Next year web-mining will dramatically affect the nature of the Internet, leading to new ways of website monetization. One of these will replace advertising: websites will offer to permanently remove a mining script if the user subscribes to paid content. Alternatively, different kinds of entertainment, such as movies, will be offered for free in exchange for your mining. Another method is based on a website security check system – Captcha verification to distinguish humans from bots will be replaced with web mining modes, and it will be no longer matter whether a visitor is bot or human since they will ‘pay’ with mining.
Fall of ICO (Initial Coin Offering). ICO means crowdfunding via cryptocurrencies. 2017 saw tremendous growth of this approach; with more than $3 billion collected by different projects, most related in some way to blockchain. Next year we should expect ICO-hysteria to decline, with a series of failures (inability to create the ICO-funded product), and more careful selection of investment projects. A number of unsuccessful ICO projects may negatively affect the exchange rate of cryptocurrencies (Bitcoin, Ethereum etc.), which in 2017 experienced unprecedented growth. Thus we will see a decrease in the absolute number of phishing and hacking attacks targeting ICO, smart contracts and wallets.
Drone Maker DJI, Researcher Quarrel Over Bug Bounty Program
17.11.2017 securityweek Vulnerebility
China-based Da-Jiang Innovations (DJI), one of the world’s largest drone makers, has accused a researcher of accessing sensitive information without authorization after the expert bashed the company’s bug bounty program.
DJI announced the launch of a bug bounty program in late August and offered between $100 and $30,000 for vulnerabilities that allow the creation of backdoors, and ones that expose sensitive customer information, source code or encryption keys.
Bug bounty hunters started analyzing the company’s systems for vulnerabilities, but didn’t know exactly where to look for them as DJI had failed to clarify exactly which of its assets were in scope.
Kevin Finisterre, a security researcher who specializes in drones, discovered that DJI had inadvertently made public SSL and firmware AES keys in source code published on GitHub. He also found keys for AWS buckets storing flight logs and customer identity documents, including passports, driver’s licenses, and state identification.DJI fights with researcher over bug bounty program
Finisterre said others had found unprotected AWS buckets storing, among other things, personal data and images of damaged drones submitted by customers.
“There were serious ramifications to the things that were found on the DJI AWS servers,” the researcher said. “One of the first things I did to judge the impact of the exposure was grep for ‘.mil’ and ‘.gov’, ‘gov.au’. Immediately flight logs for a number of potentially sensitive locations came out. It should be noted that newer logs, and PII seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes. Unfortunately the rest of the server side security renders this point moot.”
After reporting his findings to DJI via its bug bounty program, Finisterre was informed that he qualified for the maximum reward, $30,000. However, the company told him that in order to receive the bug bounty, he would have to sign an agreement.
“I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection,” Finisterre said. “For me personally the wording put my right to work at risk, and posed a direct conflicts of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.”
While the researcher was trying to negotiate the non-disclosure agreement (NDA) via a DJI representative in the United States, the drone manufacturer’s legal department in China sent him a notice that he may be facing charges under the controversial Computer Fraud and Abuse Act (CFAA).
After consulting with lawyers who told him that DJI’s agreement was “extremely risky” and “likely crafted in bad faith to silence anyone that signed it,” the researcher decided to walk away from the bug bounty. He also decided to make his findings public, including some of the communications with DJI representatives during this process.
In response, DJI published a statement saying that it’s investigating Finisterre’s unauthorized access to its servers, and accused the researcher of publishing confidential communications with DJI employees.
“DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities,” the company said in a statement. “DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met.”
The infosec community is split on this issue – some have taken Finisterre’s side pointing to DJI’s failure to specify exactly what its bug bounty covered and what researchers were allowed to do. Others, however, have sided with DJI, noting that the bounty hunter shouldn’t have accessed the data and that the agreement was reasonable.
Following Finisterre’s disclosure, DJI provided more information on its bug bounty program, including scope and requirements for disclosing flaws.
“DJI understands the importance of public disclosure of unknown or novel security flaws to build a common base of knowledge within the security community and to build a safer internet,” the company said. “DJI is committed to disclosing such information to the fullest extent possible. However, DJI in its sole discretion will decide when and how, and to what extent of details, to disclose to the public the bugs/vulnerabilities reported by you.”
DJI says it has paid out “thousands of dollars” to nearly a dozen researchers since the launch of its bug bounty program.
20 Million Google Home and Amazon Echo devices are affected by the Blueborne flaws
17.11.2017 securityaffairs Vulnerebility
Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the Blueborne flaws.
A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in
Millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, are affected by the recently discovered Blueborne vulnerabilities.
The recently discovered BlueBorne attack technique was devised by experts with Armis Labs. Researchers discovered a total of eight vulnerabilities in the Bluetooth design that expose devices to cyber attacks.
Billions of mobile, desktop and IoT devices that use Bluetooth may be exposed to a new remote attack, even without any user interaction and pairing. The unique condition for BlueBorne attacks is that targeted devices must have Bluetooth enabled.
Once an attacker compromises a Bluetooth-enabled device, he can infect any other device on the same network.
The IoT security firm Armis now reported that an estimated 15 million Amazon Echo and 5 million Google Home devices are vulnerable to BlueBorne attack.
“Following the disclosure of the BlueBorne attack vector this past September, Armis discovered that critical Bluetooth vulnerabilities impact the Amazon Echo and Google Home. These new IoT voice-activated Personal Assistants join the extensive list of affected devices.” reads the blog post published by Armis.
“Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold. Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.”
The Amazon Echo devices are affected by the following two vulnerabilities:
Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
Information leak vulnerability in the SDP Server (CVE-2017-1000250)
The researchers highlighted that other Echo devices running Linux or Android operating systems are affected by other Blueborne vulnerabilities.
Google Home devices are affected only by the CVE-2017-0785 vulnerability that is an information disclosure flaw in Android’s Bluetooth stack.
The voice-activated personal assistants are constantly listening to Bluetooth communications, an attacker within the range of the vulnerable IoT device can easily hack them.
“These devices are constantly listening to Bluetooth communications. There is no way to put an agent/antivirus on these devices. And given their limited UI, there is no way to turn their Bluetooth off” continues the blog post.
Experts from Armis published a video proof-of-concept (PoC) to show how to hack an Amazon Echo device.
Armis reported the issues to both Amazon and Google that have released patches and issued automatic updates for the affected problems.
Amazon Echo users can check that their devices are using a version that is newer than v591448720.
“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated. However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates – potentially leaving them susceptible to attacks indefinitely.” concluded Armis.
Terdot Banking Trojan is back and it now implements espionage capabilities
17.11.2017 securityaffairs Virus
The Terdot banking Trojan isn’t a novelty in the threat landscape, it has been around since mid-2016, and now it is reappearing on the scenes.
According to Bitdefender experts, vxers have improved the threat across the years, implementing credential harvesting features as well as social media account monitoring functionality.
The Terdot banking Trojan is based on the Zeus code that was leaked back in 2011, the authors have added a number of improvements, such as leveraging open-source tools for spoofing SSL certificates and using a proxy to filter web traffic in search of sensitive information.
“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive.” states the report published by BitDefender.
The ability of the Trojan in powering man-in-the-middle attacks could be exploited also to manipulate traffic on most social media and email platforms.
The Terdot banking Trojan implements sophisticated hooking and interception techniques, experts highlighted its evasion capabilities.
The banking Trojan is distributed mainly through compromised websites hosting the SunDown Exploit Kit. The Bitdefender researchers observed crooks spreading it through spam emails with a bogus PDF icon button which, if selected, executes JavaScript code that drop the malware on the victim’s machine.
Once installed on the victim’s machine, the Terdot banking Trojan downloads updates and commands from the C&C server, the URL it the same it sends system information to. The Trojan also used a Domain Generation Algorithm (DGA).
“Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.
Google Discloses Details of $100,000 Chrome OS Flaws
17.11.2017 securityweek Vulnerebility
Google has made public the details of a code execution exploit chain for Chrome OS that has earned a researcher $100,000.
In March 2015, Google announced its intention to offer up to $100,000 for an exploit chain that would lead to a persistent compromise of a Chromebox or Chromebook in guest mode via a web page. Prior to that, the company had offered $50,000 for such an exploit.
A researcher who uses the online moniker Gzob Qq informed Google on September 18 that he had identified a series of vulnerabilities that could lead to persistent code execution on Chrome OS, the operating system running on Chromebox and Chromebook devices.
The exploit chain includes an out-of-bounds memory access flaw in the V8 JavaScript engine (CVE-2017-15401), a privilege escalation in PageState (CVE-2017-15402), a command injection flaw in the network_diag component (CVE-2017-15403), and symlink traversal issues in crash_reporter (CVE-2017-15404) and cryptohomed (CVE-2017-15405).
Gzob Qq provided Google a proof-of-concept (PoC) exploit tested with Chrome 60 and Chrome OS platform version 9592.94.0. Google patched the vulnerabilities on October 27 with the release of Chrome OS 62 platform version 9901.54.0/1, which also addressed the recently disclosed KRACK vulnerabilities.
Google informed the researcher on October 11 that he had earned the $100,000 Pwnium reward. Pwnium was a single-day hacking competition that Google held every year alongside the CanSecWest conference until February 2015, when it decided to turn Pwnium into a year-round program.
Gzob Qq’s initial report, which describes the entire exploit chain, was made public by Google earlier this week, along with the advisories for each of the vulnerabilities it leverages.
This is not the first time the researcher has earned a $100,000 reward from Google. Roughly one year prior, he reported a similar Chrome OS exploit chain for which he received the same amount.
Back in 2014, at the Pwnium competition, researcher George Hotz earned $150,000 for a persistent Chrome OS exploit.
China May Delay Vulnerability Disclosures For Use in Attacks
17.11.2017 securityweek Vulnerebility
The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits -- and possibly led to this week's government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.
There is no doubt that other nations also hold stockpiles of exploits; but there has been little public information on this. While not being a stockpile per se, Recorded Future has today published research suggesting that China delays disclosure of known critical vulnerabilities, sometimes to enable their immediate use by APT groups with probable Chinese government affiliation.
Today's publication has spun out of earlier research demonstrating that China's national vulnerability database (CNNVD) -- which is run by the Chinese Ministry of State Security (MSS) -- is generally faster at publishing vulnerability details than its U.S. equivalent, the NVD. In a few cases, however, it is considerably slower. These 'outliers' have now been analyzed by Recorded Future with surprising results.
The research takes a close look at two particular vulnerabilities that were, unusually, published by the U.S. NVD much sooner than by China's CNNVD. The first is CVE-2017-0199 -- the exploit used in the WannaCry and NotPetya outbreaks. Details were published by the NVD on April 12, 2017; but were not published by CNNVD until more than 50 days later (June 7, 2017). The WannaCry outbreak, generally attributed to North Korean hackers, occurred between these two dates.
However, the researchers also point to Proofpoint's analysis of Chinese threat actors known as TA459 using the same vulnerability in the same timeframe against military and aerospace organizations in Russia and Belarus. "It is likely," suggests Recorded Future, "that the publication lag for CVE-2017-0199 could have been affected by the MSS which wanted to buy time for the vulnerability to be exploited in its operations or on behalf of another Chinese state-sponsored actor."
The second 'outlier' analyzed by the researchers concerns CVE-2016-10136 and CVE-2016-10138, two vulnerabilities in Android software developed by a company named Shanghai Adups Technology. Kryptowire researchers reported in November 2016 that these vulnerabilities amount to a backdoor in certain Android phones resulting in the transmission of text messages, contact lists, call logs, location information, and other data to a Chinese server.
Details were published by NVD in January 2017, two months after the vulnerability became public knowledge. CNNVD took another eight months before publishing a much less detailed description of the vulnerability. "The systems with these backdoors were overwhelmingly located in China, CNNVD is largely followed and consumed by Chinese businesses and citizens, and the MSS has a mission to collect domestic intelligence. While we cannot determine with certainty that the MSS was exploiting this vulnerability, we believe this is another example of likely MSS interference in the CNNVD publication process."
In total, the researchers analyzed nearly 300 different CVEs that fell outside of the statistical norm for vulnerability reporting in China. "What we discovered," they say, "were numerous clear examples of unexplainable behavior in vulnerability reporting by CNNVD, and cases where we believe the MSS likely have interfered to delay publication."
This is not an example of stockpiling 0-day exploits in the same way as the NSA and the CIA have stockpiled exploits, but are indications that China sometimes delays publication of details either while it is already using the exploits, or to possibly allow for the rapid use of them.
"Our analysis of these critical statistical deviations highlights why an intelligence service should not manage the vulnerability publication process -- it is impossible for an intelligence service to equally uphold the mandates for both vulnerability reporting (transparency) and intelligence operations (secrecy). Our analysis of this dataset demonstrates that in China, one mandate is typically sacrificed -- that of transparency."
This is in sharp contrast to the separation of vulnerability reporting away from the intelligence agencies in the U.S.; and the U.S. attempt this week to increase the transparency over its approach towards vulnerabilities.
Kaspersky Security Bulletin: Threat Predictions for 2018
16.11.2017 Kaspersky Analysis
Advanced Persistent Threats in 2018
By Juan Andrés Guerrero-Saade, Costin Raiu, Kurt Baumgartner on November 15, 2017. 10:01 am
Download the Kaspersky Security Bulletin: Threat Predictions for 2018
Introduction
As hard as it is to believe, it’s once again time for our APT Predictions. Looking back at a year like 2017 brings the internal conflict of being a security researcher into full view: on the one hand, each new event is an exciting new research avenue for us, as what were once theoretical problems find palpable expression in reality. This allows us to understand the actual attack surface and attacker tactics and to further hone our hunting and detection to address new attacks. On the other hand, as people with a heightened concern for the security posture of users at large, each event is a bigger catastrophe. Rather than consider each new breach as yet another example of the same, we see the compounding cumulative insecurity facing users, e-commerce, financial, and governmental institutions alike.
As we stated last year, rather than thinly-veiled vendor pitching, our predictions are an attempt to bring to bear our research throughout the year in the form of trends likely to peak in the coming year.
Our record – did we get it right?
As a snapshot scorecard of our performance last year, these are some of our 2017 predictions and some examples where relevant:
Espionage and APTs:
Passive implants showing almost no signs of infection come into fashion
Yes – https://securelist.com/unraveling-the-lamberts-toolkit/77990/
Ephemeral infections / memory malware
Yes – https://securelist.com/fileless-attacks-against-enterprise-networks/77403/
Espionage goes mobile
Yes – https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
Financial Attacks:
The future of financial attacks
Yes – https://securelist.com/lazarus-under-the-hood/77908/
Ransomware:
Dirty, lying ransomware
Yes – https://securelist.com/schroedingers-petya/78870/
Industrial threats:
The ICS Armageddon didn’t come yet (and we are happy to be wrong on that), however, we’ve seen ICS come under attack from Industoyer – https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
IoT:
A brick by any other name
Yes! BrickerBot – https://arstechnica.com/information-technology/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
Information Warfare:
Yes, multiple examples – https://citizenlab.ca/2017/05/tainted-leaks-disinformation-phish/
What can we expect in 2018?
More supply chain attacks. Kaspersky Lab’s Global Research and Analysis Team tracks over 100 APT (advanced persistent threat) groups and operations. Some of these are incredibly sophisticated and possess wide arsenals that include zero-day exploits, fileless attack tools, and combine traditional hacking attacks with handovers to more sophisticated teams that handle the exfiltration part. We have often seen cases in which advanced threat actors have attempted to breach a certain target over a long period of time and kept failing at it. This was either due to the fact that the target was using strong internet security suites, had educated their employees not to fall victim to social engineering, or consciously followed the Australian DSD TOP35 mitigation strategies for APT attacks. In general, an actor that is considered both advanced and persistent won’t give up that easily, they’ll continue poking the defenses until they find a way in.
When everything else fails, they are likely to take a step back and re-evaluate the situation. During such a re-evaluation, threat actors can decide a supply chain attack can be more effective than trying to break into their target directly. Even a target whose networks employ the world’s best defenses is likely using software from a third-party. The third party might be an easier target and can be leveraged to attack the better protected original target enterprise.
During 2017, we have seen several such cases, including but not limited to:
Shadowpad
CCleaner
ExPetr / NotPetya
These attacks can be extremely difficult to identify or mitigate. For instance, in the case of Shadowpad, the attackers succeeded in Trojanizing a number of packages from Netsarang that were widely used around world, in banks, large enterprises, and other industry verticals. The difference between the clean and Trojanized packages can be dauntingly difficult to notice –in many cases it’s the command and control (C&C) traffic that gives them away.
For CCleaner, it was estimated that over 2 million computers received the infected update, making it one of the biggest attacks of 2017. Analysis of the malicious CCleaner code allowed us to correlate it with a couple of other backdoors that are known to have been used in the past by APT groups from the ‘Axiom umbrella’, such as APT17 also known as Aurora. This proves the now extended lengths to which APT groups are willing to go in order to accomplish their objectives.
Our assessment is that the amount of supply chain attacks at the moment is probably much higher than we realize but these have yet to be noticed or exposed. During 2018, we expect to see more supply chain attacks, both from the point of discovery and as well as actual attacks. Trojanizing specialized software used in specific regions and verticals will become a move akin to waterholing strategically chosen sites in order to reach specific swaths of victims and will thus prove irresistible to certain types of attackers.
More high-end mobile malware. In August 2016, CitizenLab and Lookout published their analysis of the discovery of a sophisticated mobile espionage platform named Pegasus. Pegasus, a so-called ‘lawful interception’ software suite, is sold to governments and other entities by an Israeli company called NSO Group. When combined with zero-days capable of remotely bypassing a modern mobile operating systems’ security defenses, such as iOS, this is a highly potent system against which there is little defense. In April 2017, Google published its analysis of the Android version of the Pegasus spyware which it called Chrysaor. In addition to ‘lawful surveillance’ spyware such as Pegasus and Chrysaor, many other APT groups have developed their own mobile malware implants.
Due to the fact that iOS is an operating system locked down from introspection, there is very little that a user can do to check if their phone is infected. Somehow, despite the greater state of vulnerability of Android, the situation is better on Android where products such as Kaspersky AntiVirus for Android are available to ascertain the integrity of a device.
Our assessment is that the total number of mobile malware existing in the wild is likely higher than currently reported, due to shortcomings in telemetry that makes these more difficult to spot and eradicate. We estimate that in 2018 more high-end APT malware for mobile will be discovered, as a result of both an increase in the attacks and improvement in security technologies designed to catch them.
More BeEF-like compromises with web profiling. Due to a combination of increased interest and better security and mitigation technologies being deployed by default in operating systems, the prices of zero-day exploits have skyrocketed through 2016 and 2017. For instance, the latest Zerodium payout chart lists up to $1,500,000 for a complete iPhone (iOS) Remote jailbreak with persistence attack, which is another way of saying ‘a remote infection without any interaction from the user’.
The incredible prices that some government customers have most certainly chosen to pay for these exploits mean there is increasing attention paid towards protecting these exploits from accidental disclosure. This translates into the implementation of a more solid reconnaissance phase before delivering the actual attack components. The reconnaissance phase can, for instance emphasize the identification of the exact versions of the browser used by the target, their operating system, plugins and other third-party software. Armed with this knowledge, the threat actor can fine tune their exploit delivery to a less sensitive ‘1-day’ or ‘N-day’ exploit, instead of using the crown jewels.
These profiling techniques have been fairly consistent with APT groups like Turla and Sofacy, as well as Newsbeef (a.k.a. Newscaster, Ajax hacking team, or ‘Charming Kitten’), but also other APT groups known for their custom profiling frameworks, such as the prolific Scanbox. Taking the prevalence of these frameworks into account in combination with a surging need to protect expensive tools, we estimate the usage of profiling toolkits such as ‘BeEF‘ will increase in 2018 with more groups adopting either public frameworks or developing their own.
Sophisticated UEFI and BIOS attacks. The Unified Extensible Firmware Interface (UEFI) is a software interface which serves as the intermediary between the firmware and the operating system on modern PCs. Established in 2005 by an alliance of leading software and hardware developers, Intel most notable amongst them, it’s now quickly superseding the legacy BIOS standard. This was achieved thanks to a number of advanced features that BIOS lacks: for example, the ability to install and run executables, networking and Internet capabilities, cryptography, CPU-independent architecture and drivers, etc. The very advanced capabilities that make UEFI such an attractive platform also open the way to new vulnerabilities that didn’t exist in the age of the more rigid BIOS. For example, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI directly before any anti-malware solution – or, indeed, the OS itself – had a chance to start.
The fact that commercial-grade UEFI malware exists has been known since 2015, when the Hacking team UEFI modules were discovered. With that in mind, it is perhaps surprising that no significant UEFI malware has been found, a fact that we attribute to the difficulty in detecting these in a reliable way. We estimate that in 2018 we will see the discovery of more UEFI-based malware.
Destructive attacks continue. Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the ‘Cutting Sword of Justice’ took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy.
The Shamoon 2.0 attacks seen in November 2016 targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside compromised organizations. While investigating the Shamoon 2.0 attacks, Kaspersky Lab also discovered a previously unknown wiper malware that appears to be targeting organizations in Saudi Arabia. We’ve called this new wiper StoneDrill and have been able to link it with a high degree of confidence to the Newsbeef APT group.
In addition to Shamoon and Stonedrill, 2017 has been a tough year in terms of destructive attacks. The ExPetr/NotPetya attack, which was initially considered to be ransomware, turned out to be a cleverly camouflaged wiper as well. ExPetr was followed by other waves of ‘ransomware’ attacks, in which there is little chance for the victims to recover their data; all cleverly masked ‘wipers as ransomware’. One of the lesser known facts about ‘wipers as ransomware’ is perhaps that a wave of such attacks was observed in 2016 from the CloudAtlas APT, which leveraged what appeared to be ‘wipers as ransomware’ against financial institutions in Russia.
In 2018, we estimate that destructive attacks will continue to rise, leveraging its status as the most visible type of cyberwarfare.
More subversion of cryptography. In March 2017, IoT encryption scheme proposals developed by the NSA came into question with Simon and Speck variant ISO approvals being both withdrawn and delayed a second time.
In August 2016, Juniper Networks announced the discovery of two mysterious backdoors in their NetScreen firewalls. Perhaps the most interesting of the two was an extremely subtle change of the constants used for the Dual_EC random number generator, which would allow a knowledgeable attacker to decrypt VPN traffic from NetScreen devices. The original Dual_EC algorithm was designed by the NSA and pushed through NIST. Back in 2013, a Reuters report suggested that NSA paid RSA $10 million to put the vulnerable algorithm in their products as a means of subverting encryption. Even if the theoretical possibility of a backdoor was identified as early as 2007, several companies (including Juniper) continued to use it with a different set of constants, which would make it theoretically secure. It appears that this different set of constants made some APT actor unhappy enough to merit hacking into Juniper and changing the constants to a set that they could control and leverage to decrypt VPN connections.
These attempts haven’t gone unnoticed. In September 2017, an international group of cryptography experts have forced the NSA to back down on two new encryption algorithms, which the organization was hoping to standardize.
In October 2017, news broke about a flaw in a cryptographic library used by Infineon in their hardware chips for generation of RSA primes. While the flaw appears to have been unintentional, it does leave the question open in regards to how secure are the underlying encryption technologies used in our everyday life, from smart cards, wireless networks or encrypted web traffic. In 2018, we predict that more severe cryptographic vulnerabilities will be found and (hopefully) patched, be they in the standards themselves or the specific implementations.
Identity in e-commerce comes into crisis. The past few years have been punctuated by increasingly catastrophic large-scale breaches of personally identifiable information (PII). Latest among these is the Equifax breach reportedly affecting 145.5 million Americans. While many have grown desensitized to the weight of these breaches, it’s important to understand that the release of PII at scale endangers a fundamental pillar of e-commerce and the bureaucratic convenience of adopting the Internet for important paperwork. Sure, fraud and identity theft have been problems for a long time, but what happens when the fundamental identifying information is so widely proliferated that it’s simply not reliable at all? Commerce and governmental institutions (particularly in the United States) will be faced with a choice between scaling back the modern comforts of adopting the Internet for operations or doubling down on the adoption of other multi-factor solutions. Perhaps thus far resilient alternatives like ApplePay will come into vogue as de facto means of insuring identity and transactions, but in the meantime we may see a slowdown in the critical role of the Internet for modernizing tedious bureaucratic processes and cutting operational costs.
More router and modem hacks. Another known area of vulnerability that has gone vastly ignored is that of routers and modems. Be they home or enterprise, these pieces of hardware are everywhere, they’re critically important to daily operations, and tend to run proprietary pieces of software that go unpatched and unwatched. At the end of the day, these little computers are Internet-facing by design and thereby sitting at a critical juncture for an attacker intent on gaining persistent and stealthy access to a network. Moreover, as some very cool recent research has shown, in some cases attackers might even be able to impersonate different Internet users, making it possible to throw off the trail of an attacker entirely to a different connecting address. At a time of increased interest in misdirection and false flags, this is no small feat. Greater scrutiny of these devices will inevitably yield some interesting findings.
A medium for social chaos. Beyond the leaks and political drama of the past year’s newfound love for information warfare, social media itself has taken a politicized role beyond our wildest dreams. Whether it’s at the hand of political pundits or confusing comedic jabs at Facebook’s CEO by South Park’s writers, eyes have turned against the different social media giants demanding some level of fact-checking and identification of fake users and bots attempting to exert disproportionate levels of social influence. Sadly, it’s becoming obvious that these networks (which base their success on quantified metrics like ‘daily active users’) have little incentive to truly purge their user base of bots. Even when these bots are serving an obvious agenda or can be tracked and traced by independent researchers. We expect that as the obvious abuse continues and large bot networks become accessible to wider swaths of politically unsavory characters, that the greater backlash will be directed at the use of social media itself, with disgusted users eagerly looking for alternatives to the household giants that revel in the benefits of the abuse for profits and clicks.
APT predictions – conclusion
In 2017 we pronounced the death of Indicators of Compromise. In 2018, we expect to see advanced threat actors playing to their new strengths, honing their new tools and the terrifying angles described above. Each year’s themes and trends shouldn’t be taken in isolation – they build on each other to enrich an ever-growing landscape of threats facing users of all types, be it individuals, enterprise, or government. The only consistent reprieve from this onslaught is the sharing and knowledgeable application of high-fidelity threat intelligence.
While these predictions cover trends for advanced targeted threats, individual industry sectors will face their own distinct challenges. In 2018, we wanted to shine the spotlight on some of those as well – and have prepared predictions for the connected healthcare, automotive, financial services, and industrial security sectors, as well as cryptocurrencies. You can find them all here!
Cisco issued a security advisory warning of a flaw in Cisco Voice Operating System software
16.11.2017 securityaffairs Vulnerebility
Cisco issued a security advisory warning of a vulnerability in Cisco Voice Operating System software platform that affects at least 12 products.
The tech giant Cisco issued a security advisory warning of a vulnerability in Cisco Voice Operating System software platform that could be triggered by an unauthenticated, remote hacker to gain unauthorized and elevated access to vulnerable devices.
The flaw in Cisco Voice Operating System software platform, tracked as CVE-2017-12337, was rated as Critical
“A vulnerability in the upgrade mechanism of Cisco collaboration products based on the Cisco Voice Operating System software platform could allow an unauthenticated, remote attacker to gain unauthorized, elevated access to an affected device.” reads the Cisco Security Bulletin.
“The vulnerability occurs when a refresh upgrade or Prime Collaboration Deployment (PCD) migration is performed on an affected device. When a refresh upgrade or PCD migration is completed successfully, an engineering flag remains enabled and could allow root access to the device with a known password.”
The US-CERT issued an alert related to the flaw encouraging users and administrators to review apply the necessary update.
Cisco issued a security advisory warning of a flaw in Cisco Voice Operating System software
A remote attacker that manages to access the vulnerable devices over SSH File Transfer Protocol (SFTP) could gain root access. 12 products are affected by the vulnerability, including Cisco Prime License Manager, Cisco SocialMiner, Cisco Emergency Responder and Cisco MediaSense.
“An attacker who can access an affected device over SFTP while it is in a vulnerable state could gain root access to the device. This access could allow the attacker to compromise the affected system completely.” continues the security bulletin.
The vulnerability could be fixed by upgrading the device using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product.
“If the vulnerable device is subsequently upgraded using the standard upgrade method to an Engineering Special Release, service update, or a new major release of the affected product, this vulnerability is remediated by that action,” said Cisco.
CISCO highlighted that Engineering Special Releases that are installed as COP files do not fix this vulnerability.
Middle East 'MuddyWater' Attacks Difficult to Clear Up
16.11.2017 securityweek Attack
Long-lasting targeted attacks aimed at entities in the Middle East are difficult to attribute despite being analyzed by several researchers, Palo Alto Networks said this week.
Dubbed “MuddyWater” by the security firm because of the high level of confusion they have already created, the attacks took place between February and October 2017. The campaign has made use of a variety of malicious documents, and hit targets in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.
The attacks, researchers say, use a slowly evolving PowerShell-based first stage backdoor named POWERSTATS. The activity related to this threat actor continues despite existing reports, with the only observed changes being related to tools and techniques.
The malicious documents used in these attacks are almost identical to those in recently observed incidents targeting the Saudi Arabian government. Those documents were similar to files previously associated with a series of fileless assaults that Morphisec linked to a single attack framework. Some of these attacks were attributed to the hacking group known as FIN7.
According to a new Palo Alto Networks report, the attacks might have been mistakenly associated with the FIN7 group. A command and control (C&C) server delivering the FIN7-linked DNSMessenger tool was said to have been employed by MuddyWater as well, but there’s no evidence that the latter group ever used the utility, the researchers claim.
Between February and October, the malicious documents associated with the group’s activity had been tailored according to the target regions. They often used the logos of branches of local government in an attempt to trick users into enabling malicious macros.
The delivery method might have changed between attacks, but the final payload remained the same non-public PowerShell backdoor mentioned above. Moreover, the malicious documents used in this campaign shared the same C&C infrastructure and featured similar attributes.
“Based on these connections we can be confident that all the files and infrastructure […] are related, since more than one of these can be used to link each of the samples discussed in each case,” Palo Alto notes. The researchers also published lists of C&C servers, compromised sites, and related files.
Tools used by the group have been well-documented in previous reports, including open-source utilities such as Meterpreter, Mimikatz, Lazagne, Invoke-Obfuscation, and more. In some recent attacks, GitHub is used as a hosting site for the POWERSTATS custom backdoor, as the actor controls multiple GitHub repositories, the researchers say.
MuddyWater even compromised accounts at third-party organizations to send their malware. As part of an attack, the malicious document used was nearly identical to a legitimate attachment that the same recipient received later.
“This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it,” the researchers explain.
According to Palo Alto Networks, the reports previously associating this cluster of activity to FIN7 would rather create confusion. The FIN7 group is financially motivated and targets organizations in the restaurant, services and financial sectors, which suggests that the threat actor is unlikely to be tied to espionage-focused attacks in the Middle East.
Malware associated with FIN7 hasn’t been observed in MuddyWater attacks, and the researchers also claim that there might be a mistake in the report linking the attacks to FIN7. However, they also admit that the hackers might have planted a false flag when realizing they were under investigation.
“Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network,” the security researchers say.
White House Cyber Chief Provides Transparency Into Zero-Day Disclosure Process
16.11.2017 securityweek BigBrothers
Government Vulnerability Disclosure Process (VEP)
The U.S. government Wednesday introduced greater transparency into its Vulnerabilities Equities Policy (VEP) program. This is the process by which government agencies decide whether to disclose or stockpile the cyber vulnerabilities they discover.
In a lengthy statement, White House Cybersecurity Coordinator Rob Joyce explained why not all discoveries are disclosed. That will not change; but in introducing greater transparency into the process of decision-making, he hopes "to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission."
The extent to which the government agencies use cyber vulnerabilities to further their own overseas missions became known with Edward Snowden's leaked documents. This sparked greater discussion over the morality of government collection and use of vulnerabilities without disclosing the existence of those vulnerabilities to the product vendors concerned.
Microsoft, for example, developed detailed proposals for introducing international norms of cyber behavior that would rely on no government keeping private supplies (hoarding) of undisclosed 0-day vulnerabilities; and also called for a digital Geneva Convention that would "mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them." This is unlikely to happen. "Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities," said Joyce in his statement.
The theft and release of 'Equation Group' (generally considered to be the NSA) tools and exploits by the Shadow Brokers (generally considered to be 'Russia') brought new emphasis to the issue. These tools included the EternalBlue exploit soon used by hackers (quite probably nation-state affiliated hackers) in the worldwide WannaCry and NotPetya ransomware outbreaks.
Joyce formerly served as head of the NSA’s Tailored Access Operations (TAO) unit—an offensive hacking team tasked with breaking into systems of foreign entities.
The unproven implication is that if the NSA had disclosed their vulnerabilities, the worldwide disruption caused by WannaCry and NotPetya might not have happened. There is, however, little mention of the danger of theft inherent in any store of vulnerabilities in this week's VEP transparency announcement, beyond two considerations in the decision process: "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?", and "If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?"
The full unclassified VEP process document (PDF) "describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies."
In short, it explains the process without altering the policy. Its purpose is to introduce transparency and reassure the public that the government will weigh the offensive advantages obtained against the threat of public disruption if used by third-parties, for each 0-day vulnerability it discovers.
That transparency is valuable, but there remain numerous concerns. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative overview.
In May 2017, Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.
Its purpose is to promote the transparency introduced this week, but make it a legal requirement rather than an administrative choice. The Patch Act appears to have stalled, with no real progress since its introduction in May.
Other concerns appear in the Exceptions section of the VEP process document. For example, "The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations." This will exclude 0-days discovered by, say, GCHQ and disclosed to the NSA under an effective non-disclosure agreement; and it could also exclude 0-days expected to be used in potential operations (such as Stuxnet).
It has long been suspected that members of the Five Eyes surveillance alliance share intelligence on each other's nationals to circumvent individual laws forbidding surveillance of own subjects. If this happens in practice, a similar arrangement between each members' intelligence agencies would exclude shared vulnerabilities from the VEP process. Both exclusions will undoubtedly be used by the more offense-driven agencies (the NSA and the CIA) to both hold and keep secret their most 'valuable' exploits.
Nevertheless, the purpose of declassifying the VEP process is primarily to reassure the American people that the secretive intelligence agencies do not have free rein in the vulnerabilities they keep and the vulnerabilities they use -- and to that extent it will probably succeed.
'Fake news' Becomes a Business Model: Researchers
16.11.2017 securityweek CyberCrime
Cyber criminals have latched onto the notion of "fake news" and turned it into a profitable business model, with services starting at under $10, security researchers said Thursday.
The online security firm Digital Shadows released a report highlighting services aimed at creating bogus media websites, fake reviews and social media "bots" or automated accounts to promote or denigrate commercial products and services.
One of the methods used is creating bogus or "spoofed" media websites designed to look like those of legitimate news organizations. The researchers uncovered some 2,800 "live spoof" sites.
This can be done by changing a single letter in a web address to create a fake "clone" of a legitimate news organization site.
Some criminals use the same methods as Russia-based propagandists -- modifying legitimate documents and leaking them as part of disinformation campaigns, the report said.
"Like any good news story, content will be shared, liked, reposted and distributed across many different platforms and channels," the report said.
"The more widely a piece of disinformation can be spread, the better the chances of it capturing the public imagination and achieving its objective -- whether that is to discredit an opponent, sow discord or to generate profit."
While the use of these tools in political campaigns has become a growing concern, the same methods can be used for profit, according to the report.
"The sheer availability of tools means that barriers to entry are lower than ever," said Rick Holland, vice president of strategy at Digital Shadows.
"It means this now extends beyond geopolitical to financial interests that affect businesses and consumers."
Holland said "tool kits" are available on a trial basis for as little as $7 to controls the activities of social media bots.
Retailers are also a target, with one service offering Amazon ranking, reviews, votes, listing optimization and selling promotions at prices from $5 for an unverified review to $500 for a monthly retainer.
Still other services tout the merits of crypto-currencies to push up the price, similar to stock "pump and dump" scams, the report said.
Many of these services are advertised on the anonymous "dark web" where users are difficult to trace, according to Holland.
But some are openly advertised as marketing tools as well, he said.
Holland said misinformation has been around for a long time but that "what has changed in the digital world is the speed such techniques spread around the world."
Kaspersky Shares More Details on NSA Incident
16.11.2017 securityweek BigBrothers
Kaspersky Lab on Thursday shared more details from its investigation into reports claiming that Russian hackers stole data belonging to the U.S. National Security Agency (NSA) by exploiting the company’s software.
The Wall Street Journal reported last month that hackers working for the Russian government stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. The files were allegedly taken in 2015 from the personal computer of an NSA contractor who had been using a security product from Kaspersky Lab.
The WSJ article suggested that Kaspersky either knowingly helped the Russian government obtain the files or that the hackers exploited vulnerabilities in the company’s software without the firm’s involvement.
In a preliminary report, Kaspersky said the incident referenced in the WSJ article likely took place in 2014, when the company was investigating malware used by the Equation Group, a threat actor later associated with the NSA.
In a more technical report published on Thursday, Kaspersky said the incident likely occurred between September 11, 2014 and November 17, 2014 – the security firm believes WSJ’s source may have mixed up the dates.
In September 2014, Kaspersky’s products detected malware associated with the Equation Group on a device with an IP address pointing to the Baltimore area in Maryland. It’s worth noting that the NSA headquarters are in Fort Meade, Maryland, less than 20 miles from the city of Baltimore.
The Kaspersky product present on the device automatically sent an archive containing the suspected malware files back to the company’s systems for further analysis. The said archive contained source code for Equation malware, along with four documents with classification markings (e.g. secret, confidential).
The Kaspersky analyst who found the archive informed the company’s CEO of its content and the decision was made to remove the files from its storage systems.
So is it possible that the classified files were somehow obtained by Russian actors from Kaspersky’s systems? The firm denies spying for the Russian government and claims the data was removed from its systems – only some statistics and metadata remain – but it cannot guarantee that its employees handled the data appropriately.
“We cannot assess whether the data was ‘handled appropriately’ (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so,” the company said.
While Kaspersky admitted that its systems were breached in 2015 by a threat group linked to Israeli intelligence, the company said it found no evidence that the NSA files left its systems.
As for the assumption that Kaspersky’s products may have been specifically configured to look for secret files on the systems they were installed on, the company said all the signatures for retrieving files from a user’s device are carefully handled and verified by an experienced developer, and there is no evidence that anyone created a signature for files marked “secret” during the Equation investigation.
The company determined that an analyst did create a signature for files with names that included the string “secret,” but it was for a piece of malware associated with the TeamSpy espionage campaign. The signature included a path specific for that malware to avoid false positives.
Another possible scenario is related to the fact that the device of the NSA contractor got infected with malware after the Kaspersky antivirus was disabled. The security product was temporarily disabled when the user attempted to install a pirated copy of Microsoft Office using a known activation tool.
After the antivirus was re-enabled, Kaspersky detected 121 threats on the system. The malware associated with the Office activation tool was Smoke Bot (aka Smoke Loader), which had been sold on Russian underground forums since 2011. At the time of the incident, the malware communicated with servers apparently set up by an individual located in China.
Kaspersky says it’s also possible that the contractor’s computer may have been infected with stealthy malware from a sophisticated threat actor that was not detected at the time.
Several recent media reports focused on Kaspersky’s alleged connection to the Kremlin, which has led to many U.S. officials raising concerns regarding the use of company’s products. As a result, the Department of Homeland Security (DHS) has ordered all government agencies to identify and remove the firm’s products, despite the apparent lack of evidence supporting the claims.
In an effort to clear its name, Kaspersky announced the launch of a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.
Terdot Banking Trojan Could Act as Cyber-Espionage Tool
16.11.2017 securityweek BigBrothers
The Terdot banking Trojan packs information-stealing capabilities that could easily turn it into a cyber-espionage tool, Bitdefender says in a new report.
Highly customized and sophisticated, Terdot is based on the source code of ZeuS, which leaked online in 2011. The banking Trojan resurfaced in October last year and Bitdefender has been tracking its whereabouts ever since, the security company notes in a technical paper (PDF).
Terdot was designed to operate as a proxy to perform man-in-the-middle (MitM) attacks, as well as to steal browser information such as login credentials or the stored credit card data. Furthermore, the malware is capable of injecting HTML code into visited web pages.
The malware relies more on legitimate applications for its nefarious purposes, including certificate injection tools, than on in-house developed software.
Although designed as a banking Trojan, Terdot’s capabilities go well beyond its primary purpose, Bitdefender notes. The threat can eavesdrop and modify traffic on social media and email platforms, and also packs automatic update features that allow it to download and execute any file provided by the operator.
This malware family mainly focuses on targeting Canadian institutions from the banking sector, but the analyzed samples would also target email service providers such as Microsoft’s live.com, Yahoo Mail, and Gmail. It also targets social networks such as Facebook, Twitter, Google Plus, and YouTube. According to Bitdefender, the malware avoids gathering data related to vk.com, the largest social platform in Russia.
The main distribution channel for the Trojan is the Sundown exploit kit, but Terdot was also observed spreading via malicious emails containing a button masquerading behind a PDF icon. When clicked on, it would execute obfuscated JavaScript code to download and run the malware file.
A complex chain of droppers, injections, and downloaders is used to deliver Terdot and third-party utilities employed by the threat, in an attempt to trick defenses and hinder analysis.
After infection, the malware injects itself into the browser process by hooking very-low network socket operations to direct connections to its own proxy and read traffic (which also allows it to alter traffic). Terdot can steal authentication data either by inspecting the client’s requests or by injecting spyware JavaScript code into the response.
The malware can also bypass secure connections by generating certificates for each of the domains the victim visits.
Terdot’s components are split across numerous processes, each with a specific role. Long-running Windows processes such as Windows Explorer, for example, are used either for injection purposes to spread the infection inside the machine or as watchdogs, to hinder disinfection. The malware uses the msiexec.exe process for running its MitM proxy.
In their technical analysis of the threat, Bitdefender’s security researchers explain that, after installation and initial handshake with the command and control server, the malware downloads updates and commands from the same URL it sends system information to (including a unique identifier, malware version, CRC32s of downloaded data, Windows version, processor architecture, system language, and network adapter IP).
The bot features support for a wide range of commands: can uninstall itself, can run a specified file, can execute a simple GET request, can add or remove URLs to/from a list that signals the proxy to disable injections for them, and can add or remove URLs to a blocking list. The malware also features a Domain Generation Algorithm (DGA).
“Terdot is a complex malware. Its modular structure, complex injections, and careful use of threads make it resilient, while its spyware and remote execution abilities make it extremely intrusive. Terdot goes above and beyond the capabilities of a banker Trojan. Its focus on harvesting credentials for other services such as social networks and email service providers could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” Bitdefender concludes.
Critical Vulnerabilities Patched in Apache CouchDB
16.11.2017 securityweek Vulnerebility
An update released last week for Apache CouchDB patched critical vulnerabilities that could have been exploited by malicious actors for privilege escalation and code execution on a significant number of installations.
CouchDB is a document-oriented open source database management system and it’s currently the 28th most popular out of the more than 300 systems tracked by DB-Engines. One of the projects using CouchDB is npm, a package manager for JavaScript and the world's largest software registry.
Researcher Max Justicz discovered a CouchDB vulnerability while looking for bugs on the server responsible for distributing npm packages, registry.npmjs.org. The registry serves nearly 3.5 billion package downloads every week, according to the npm website.
The flaw identified by Justicz, tracked as CVE-2017-12635, could have been exploited by an attacker with non-admin privileges to obtain administrator rights and ultimately execute arbitrary code.
“Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based JSON parser, it is possible to submit _users documents with duplicate keys for `roles` used for access control within the database, including the special case `_admin` role, that denotes administrative users,” CouchDB developers said in an advisory.
In the case of the npm registry, Justicz believes that exploitation of the vulnerability could have allowed an attacker to modify packages served to users. However, the researcher did not attempt to exploit the vulnerability against npm’s production servers.
While analyzing CVE-2017-12635, a member of the CouchDB security team discovered CVE-2017-12636, a flaw that could have been exploited in combination with the privilege escalation bug to execute arbitrary shell commands on the server.
“CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet,” CouchDB’s advisory explains.
The vulnerabilities were patched last week with the release of versions 2.1.1 and 1.7.0/1.7.1, and CouchDB developers believe all users have already installed the updates. The details of the flaws were made public only a week after the release of the updates to give users time to apply the patches.
APT Trends report Q3 2017
16.11.2017 Kaspersky Analysis APT
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.
As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: intelreports@kaspersky.com.
Chinese-Speaking Actors
The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and are still very much active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered around activity attributed to multiple actors in this region.
The most interesting of these reports focused on two specific supply chain attacks; Netsarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the Netsarang distribution site. Netsarang is a popular server management software used throughout the world. The ShadowPad framework contained a remotely activated backdoor which could be triggered by the threat actor through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following up on this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.
Q3 also showed China is very interested in policies and negotiations involving Russia with other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government, aviation companies, and research institutes. Earlier in April, both conducted talks related to modernizing the Mongolian air defenses with Russia’s help. Shortly after these talks, the two countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much awaited agreement to expand a nuclear power plant in India, as well as further define the defense cooperation between the two countries. Very soon after, both countries energy sector were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some case this malware was masquerading as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2) which describes a chemical reaction used in hydrogen fuel cells.
Other reports published in the third quarter under chinese-speaking actors were mainly updates to TTPs by known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new testing version of Emdivi was discovered in use by Blue Termite as well as their testing of CVE-2017-0199 for use. Finally, Bald Knight (AKA – Tick) was seen using their popular XXMM malware family to target Japan and South Korea.
Below is a summary of report titles produced for the Chinese region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to intelreports@kaspersky.com.
Analysis and evolution of Spring Dragon tools
EnergyMobster – Campaign targeting Russian-Indian energy project
IronHusky – Intelligence of Russian-Mongolian military negotiations
The Bald Knight Rises
Massive watering holes campaign targeting Asia-Pacific
Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
NetSarang software backdoored in supply chain attack – early warning
ShadowPad – popular server management software hit in supply chain attack
New BlueTermite samples and potential new wave of attacks
CCleaner backdoored – more supply chain attacks
Russian-Speaking Actors
The third quarter was a bit slower with respect to Russian speaking threat actors. We produced four total reports, two of which focused on ATM malware, one on financial targeting in Ukraine and Russia, and finally a sort of wrap-up of Sofacy activity over the summer.
The ATM related reports centered around Russian speaking actors using two previously unknown pieces of malware designed specifically for certain models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the users to dispense cash at will from a chosen cartridge within the ATMs. ATMProxy was interesting since it would sit dormant on an ATM until a card with a specific hard coded number was inserted, at which point it would dispense more cash than what was requested.
Another report discussed a new technique utilizing highly targeted watering holes to target financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks was leveraging search engine optimization (SEO) to float malicious watering hole sites to the top of search results, thus providing more of a chance for valid targets to visit the malicious sites.
Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking, but rather showed the group remained active with their payloads of choice; SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former republics.
Below is a list of report titles for reference:
ATMProxy – A new way to rob ATMs
Cutlet maker – Newly identified ATM malware families sold on Darknet
Summertime Sofacy – July 2017
Buhtrap – New wave of attacks on financial targets
English-Speaking Actors
The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and utilized hard coded SSL certificates in its command and control communications. What was most interesting about the Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company who may have been responsible, in whole or in part, for the development of this Lambert malware.
The Red Lambert
Korean-Speaking Actors
We were also able to produce two reports on Korean speaking actors, specifically involving Scarcruft and Bluenoroff. Scarcruft was seen targeting high profile, political entities in South Korea using both destructive malware as well as malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly enough, this casino was compromised by Bluenoroff six months prior as well, indicating they potentially lost access and were attempting to get back in.
Report titles focusing on Korean-speaking actors:
Scent of ScarCruft
Bluenoroff hit Casino with Manuscrypt
Other Activity
Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these reports, we will focus on two. The first being a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who paid to get access to the dump of files posted the hashes of the files for the month, mainly due to their displeasure in what was provided for the money. We were only able to verify one of nine file hashes, which ended up being an already known version of Triple Fantasy.
The other report we’d like to highlight (“Pisco Gone Sour”) is one involving an unknown actor targeting Chilean critical institutions with Veil , Meterpreter, and Powershell Empire. We are constantly searching for new adversaries in our daily routine and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment based on targeting is that the actor may be based somewhere in South America.
Dark Cyrene – politically motivated campaign in the Middle East
Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
New Machete activity – August 2017
ATMii
Shadowbroker June 2017 Pack
The Silence – new trojan attacking financial organizations
Final Thoughts
Normally we would end this report with some predictions for the next quarter, but as it will be the end of the year soon, we will be doing a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters which is an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors have targeted the supply chain to accomplish their goals instead of going directly after the end target; MeDoc, Netsarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the result of just one group, it does show how the attention of many of the actors out there may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than available through traditional means such as spear phishing. As an added benefit, these attacks can remain undetected for months, if not longer. It remains to be seen if this trend will continue into 2018, but given the successes from the five mentioned above, we feel we haven’t seen the last of this type of attack in the near future.
WordPress Sites Exposed to Attacks by 'Formidable Forms' Flaws
16.11.2017 securityweek Attack
Vulnerabilities found by a researcher in a popular WordPress plugin can be exploited by malicious actors to gain access to sensitive data and take control of affected websites.
Formidable Forms, available both for free and as a paid version that provides additional features, is a plugin that allows users to easily create contact pages, polls and surveys, and other types of forms. The plugin has more than 200,000 active installations.
Jouko Pynnönen of Finland-based company Klikki Oy has analyzed the plugin and discovered several vulnerabilities, including ones that introduce serious security risks for the websites using it.
The flaw with the highest severity is a blind SQL injection that can allow attackers to enumerate a website’s databases and obtain their content. Exposed data includes WordPress user credentials and data submitted to a website via Formidable forms.
The researcher also found another flaw that exposes data submitted via Formidable forms. Both this and the SQL injection bug are related to Formidable’s implementation of shortcodes, WordPress-specific code that allows users to add various types of content to their sites with very little effort.
Pynnonen also discovered reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS allows an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session – the attacker injects the malicious code via forms and it gets executed when viewed by the site admin in the WordPress dashboard.
The expert also noticed that if the iThemes Sync WordPress maintenance plugin is present alongside Formidable Forms, an attacker can exploit the aforementioned SQL injection flaw to obtain a user’s ID and authentication key. This information can be used to control WordPress via iThemes Sync, including to add new admins or install plugins.
Formidable Forms addressed the vulnerabilities with the release of versions 2.05.02 and 2.05.03. iThemes Sync does not view the attack vector described by the researcher as a vulnerability so it has decided not to release a patch.
Pynnonen identified these flaws after being invited to take part in a HackerOne-hosted bug bounty program that offers rewards of up to $10,000. The program was run by an unnamed Singapore-based tech company, but the Formidable Forms vulnerabilities qualified for a bounty due to the fact that the plugin had been used by the firm. Exploitation of the flaws on the tech firm’s website could have allowed an attacker to gain access to personal information and other sensitive data.
The researcher earned $4,500 for the SQL injection vulnerability and a few hundred dollars for each of the other security holes. However, he is displeased that the Singaporean company downplayed the risks posed by the flaws and downgraded the severity of the SQL injection bug from “critical” to “high.”
Pynnonen previously identified serious vulnerabilities in Yahoo Mail, WordPress plugins and the WordPress core.
Oracle Patches Critical Flaws in Jolt Server for Tuxedo
16.11.2017 securityweek Vulnerebility
Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.
Oracle Tuxedo, a key component of Oracle Fusion Middleware, is an application server that helps users build and deploy enterprise applications developed in non-Java programming languages. Jolt provides a Java-based interface that extends the functionality of Tuxedo applications so that they can be accessed over the Internet or intranet using a web browser.
According to Oracle, a total of five vulnerabilities have been found in the Jolt Server component – the Jolt client is not impacted. The security holes affect Tuxedo versions 11.1.1, 12.1.1, 12.1.3 and 12.2.2.
The most serious of the flaws, with a CVSS score of 10, is CVE-2017-10269, which allows an unauthenticated attacker with access to the network to easily take control of Tuxedo.
“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Tuxedo accessible data as well as unauthorized access to critical data or complete access to all Oracle Tuxedo accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Tuxedo,” Oracle said.
Another critical vulnerability in Jolt Server is CVE-2017-10272. The flaw has a CVSS score of 9.9 and its impact is similar to the one of CVE-2017-10269. However, in order to exploit it, an attacker needs to have access to at least a low privileged account.
The company pointed out that these vulnerabilities may have significant impact on other products as well, not just Tuxedo. For example, Oracle PeopleSoft products also use Tuxedo, which means PeopleSoft customers are required to apply the patches as well.
The updates released by Oracle also resolve a high severity vulnerability that allows an unauthenticated attacker to gain access to critical data (CVE-2017-10267). Another high severity flaw, tracked as CVE-2017-10278, allows access to critical data as well, but it can also be exploited to modify data and cause a partial DoS condition in Tuxedo. On the other hand, the vendor said CVE-2017-10278 is difficult to exploit.
The last vulnerability, CVE-2017-10266, has been classified as medium severity as it only gives access to a subset of Tuxedo data.
“Oracle strongly recommends affected Oracle Customers apply this Security Alert as soon as possible,” said Eric Maurice, director of security assurance at Oracle.
This is the second round of security patches released by Oracle since the company’s October Critical Patch Update (CPU). In late October, the company informed customers of an out-of-band update that fixed a critical vulnerability in Identity Manager, which is also part of the Fusion Middleware offering.
Investment Firm Combines Smarsh and Actiance to Solve FinServ Compliance Issues
16.11.2017 securityweek Safety
Two major financial services and regulated industry compliance firms, Smarsh and Actiance, have combined to better serve industry's increasingly complex requirements around communications, archiving and discovery regulations. Actiance has been acquired by K1 Investment Management, and combined with Smarsh.
"The Financial Services sector is undergoing rapid change," explains Neil Malik, Managing Partner at K1; "legacy technologies are no longer sufficient to comply with SEC and FINRA standards, let alone MiFID II. This combination of capabilities from Actiance and Smarsh provides the industry with a means to get ahead -- and stay ahead -- of compliance trends, while introducing the latest communications technologies to increase efficiency and effectiveness in the modern enterprise."
Smarsh provides cloud-based archiving and compliance solutions for companies in regulated and litigious industries. It provides a unified compliance and e-discovery workflow across a range of digital communications systems, including emails, public and enterprise social media, websites, and instant and mobile messaging. Actiance is a major provider of communications compliance, archiving, and analytics -- providing compliance across a broad set of communications channels with insights on what's being captured.
Before the acquisition, the two firms could be considered competitors, and there is overlap in their solutions. Together, however, they provide a more complete compliance service from a single provider. "Together, Actiance and Smarsh uniquely enable global customers across industries to capture, record, store, and analyze over 100 content types," said Kailash Ambwani, CEO of Actiance. "Together we will enhance our combined sales and distribution capabilities, offer our customers additional resources and services, and accelerate our product development."
"Perhaps most importantly," added Stephen Marsh, founder, chairman and CEO of Smarsh, "organizations with legacy, on-premise capture and archiving solutions can make the overdue transition to upgraded and more modern solutions. All of this is now possible through a single provider."
Compliance is an increasingly important part of the risk management portfolio. New regulations are affecting all industries; but none more so than financial services. Coupled with the growth of regulations is an increasingly active regulator. The annual Eversheds Sutherland analysis of Financial Industry Regulatory Authority (FINRA) cases shows that FINRA fines on FinServ firms increased by around 435% in 2016.
Two particular areas of FINRA activity are relevant to the newly combined suppliers: 'books and records' actions, and actions against compliance officers. Books and records fines increased by 423%, "driven largely by enforcement actions against 12 firms for, among other things, failing to preserve records in "write once, read many" (WORM) format. FINRA fined these firms a total of $14.4 million."
FINRA also cracked down on individual compliance officers. In one case, a firm's former compliance officer was fined $25,000 and suspended for three months. Eversheds Sutherland (US) partner Brian Rubin commented, "These cases are a signal to compliance officers that they are in FINRA's crosshairs. They ought to take heed and try to ensure that adequate compliance-related policies and procedures are in place."
Few details of the new Smarsh/Actiance arrangement have been made public. It is not described as a merger, and there is no current indication of a new name for the combined firms. The statement merely says, "Together, the combined company offers deployment options (cloud, dedicated, on-premise, and hybrid) to meet the needs of its customers... It will continue to support both company's product lines while providing customers greater value and flexibility. Near-term priorities include more investment in product capabilities, increased flexibility in deployment options, accelerated expansion in Europe and development of a joint channel partner program."
Existing operations of both Smarsh and Actiance will be maintained in Oregon, California, New York, Massachusetts, Georgia, North Carolina, Canada, India, and the United Kingdom. Terms of the deal were not disclosed.
In September, K1 Investment Management acquired SecureAuth for $225 million, with plans to merge it with Core Security, a firm focused on vulnerability discovery, identity governance, and threat management. K1 had previously acquired Damballa in a deal reported to be under $10 million.
Multi-Stage Android Malware Evades Google Play Detection
16.11.2017 securityweek Android
A newly discovered multi-stage Android malware that managed to sneak into Google Play is using advanced anti-detection features, ESET security researchers reveal.
Eight malicious applications hiding the new threat were found in the official application store, all legitimate-looking but delaying the malicious activity to hide their true intent. Google has removed all eight programs after being alerted of the threat.
Detected as Android/TrojanDropper.Agent.BKY, the applications form a new family of multi-stage Android malware, ESET says. Although the most popular of these apps reached only several hundred downloads, the use of advanced anti-detection features makes this malware family interesting.
All samples of the mobile Trojan employ a multi-stage architecture and make use of encryption to stay under the radar, the security researchers say. The applications managed to keep their malicious intent hidden by not requesting suspicious permissions after installation and by mimicking the activity they were supposed to exhibit.
However, the apps also decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play. These steps, however, are not visible to the user but serve as obfuscatory measures, ESET says.
The second-stage payload downloads a malicious app from a hardcoded URL without the victim’s knowledge. After a delay of around 5 minutes, however, the victim is prompted to install this third-stage payload.
This application masquerades as Adobe Flash Player or another popular app. To appear legitimate to the user, the app uses a name such as Android Update or Adobe Update to trick the user into allowing it to execute and into granting the necessary permissions for the payload to perform nefarious actions.
Once installed and with the requested permissions granted, the app decrypts and executes a final, fourth-stage payload. According to ESET, this payload was a mobile banking Trojan in all analyzed cases.
The Trojan was designed to present the victim with fake login forms to steal their credentials or credit card details.
Because one of the malicious apps downloads the final payload using the bit.ly URL shortener, the security researchers discovered that the link had been used almost 3000 times as of November 14, and that most of the hits came from the Netherlands.
Two of most recent samples of this malware downloader were observed dropping either the notorious MazarBot banking Trojan or spyware. According to ESET, the downloader’s nature allows its operators to deliver any payload through it, “as long as it doesn’t get flagged by the Google Protect mechanism.”
Impacted users are advised to first deactivate the admin rights for the installed payload, and then uninstall the surreptitiously-installed apps, along with the application initially downloaded from the Play Store.
Users should head to Settings > (General) > Security > Device administrators and deactivate the admin rights that Adobe Flash Player, Adobe Update, or Android Update might have. The installed payload can be removed from the Application manager.
The nefarious apps involved in this malicious campaign include MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы.
“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does. Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,” ESET concludes.
UK Cyber Security Chief Blames Russia for Hacker Attacks
16.11.2017 securityweek BigBrothers
Russia has launched cyber attacks on the UK media, telecoms and energy sectors in the past year, Britain's cyber security chief said Wednesday amid reports of Russian interference in the Brexit referendum.
"Russia is seeking to undermine the international system. That much is clear," Ciaran Martin, head of Britain's National Cyber Security Centre (NCSC) said at a London tech conference, according to his office.
"Russian interference, seen by the NCSC over the past year, has included attacks on the UK media, telecommunications and energy sectors," Martin said.
The centre has coordinated the government's response to 590 significant incidents since its launch in 2016, although the government agency has not detailed which were linked to Russia.
Prime Minister Theresa May on Monday accused Moscow of "seeking to weaponise information" and "sow discord in the West and undermine our institutions".
Russia's cyber activities include "deploying its state-run media organisations to plant fake stories and photo-shopped images", she said in a speech.
The scathing criticism was rejected by Russia's foreign ministry, which accused May of trying to distract the British public from problems at home.
Moscow's alleged attempts to influence last year's referendum on Britain's membership of the European Union are part of investigations under way in London.
May told lawmakers on Wednesday that parliament's intelligence and security committee would be looking into Russian interference.
Meanwhile parliament's digital, culture, media and sport committee has requested data from Twitter and Facebook on Russia-linked accounts and aims to interview social media executives at the British embassy in Washington early next year.
- Pro-Brexit 'bots' -
Damian Collins, the committee chairman, said it was "beyond doubt" that Russia has interfered in UK politics.
He said there was a pattern of behaviour of Russian organisations seeking out opportunities to create division, unrest and instability in the West.
"Foreign organisations have the ability to manipulate social media platforms to target voters abroad," he told AFP.
"This is seriously-organised buildings of hundreds of people engaged in propagating every day fake news through social media."
He said it was "terrifying" how cheap and easy it was for them to reach millions of people.
"It is one of the biggest threats our democracies face and we have to be serious about combatting it," Collins added.
May's spokesman insisted: "There has been no evidence of successful interference in our electoral processes."
Researchers at the University of Edinburgh, who examined 2,752 accounts suspended by Twitter in the United States, found 419 were operating from the Russian Internet Research Agency and attempting to influence British politics, The Guardian reported.
Professor Laura Cram, the university's neuropolitics research director, told the newspaper they tweeted about Brexit 3,468 times -- mostly after the June 23 referendum.
The content overall was "quite chaotic and it seems to be aimed at wider disruption. There's not an absolutely clear thrust. We pick up a lot on refugees and immigration", she said.
Meanwhile researchers at Swansea University in Wales and the University of California, Berkeley, have found more than 150,000 Russian-based Twitter accounts which may have influenced the Brexit referendum.
The social media accounts switched their attention to EU membership in the run-up to the referendum, 2016, according to research outlined in The Times newspaper.
Many of the accounts were fully-automated "bot" profiles which posted hundreds of tweets daily, or "cyborg" accounts which were partially run by people, the newspaper said.
The majority of the posts were pro-Brexit, while some supported remaining in the European Union.
Meanwhile it was revealed that a tweet which caused a furore after the Westminster terror attack in March originally came from a trolling agency account which, according to evidence before the US Congress, is backed by the Russian government.
The tweet showing a picture of a woman in a headscarf walking next to a victim, with the words: "Muslim woman pays no mind to the terror attack, casually walks by a dying man while checking phone".
Amazon Echo, Google Home Vulnerable to BlueBorne Attacks
16.11.2017 securityweek Attack
Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”
IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction.
A total of eight Bluetooth implementation vulnerabilities allow a hacker who is in range of the targeted device to execute arbitrary code, obtain sensitive information, and launch man-in-the-middle (MitM) attacks. There is no need for the victim to click on a link or open the file in order to trigger the exploit, and most security products would likely not detect an attack.
Google patched the vulnerabilities affecting Android in September and Microsoft released fixes for Windows in July. Apple had already addressed the issue in iOS one year prior to disclosure, and Linux distributions released updates shortly after disclosure.
However, Armis has now revealed that the voice-activated personal assistants Google Home and Amazon Echo are also vulnerable to attacks leveraging the BlueBorne flaws.
Echo is affected by a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information disclosure bug in the SDP server (CVE-2017-1000250). Google Home is exposed to attacks by an information leakage issue affecting Android’s Bluetooth implementation (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.
Since the Bluetooth feature cannot be disabled on either of the devices, attackers can easily launch an attack as long as they are in range. Armis has published a video showing how an Amazon Echo device can be hacked and manipulated by a remote attacker:
The security firm pointed out that this is the first remote attack demonstrated against Echo. An attack method was previously described by MWR, but it required physical access to the device.
Amazon Echo and Google Home represent 99 percent of the U.S. market for voice-controlled personal assistants, with 15 million and 5 million units sold, respectively. This normally indicates a significant number of potential victims, including many enterprises that use these products. However, Armis has notified Google and Amazon of the vulnerabilities and both companies released patches that have likely reached a majority of devices via automatic updates.
“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated,” Armis researchers said. “However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates - potentially leaving them susceptible to attacks indefinitely.”
Armis has released an Android app that is designed to help users identify vulnerable devices.
Microsoft Patches 17 Year-Old Vulnerability in Office
16.11.2017 securityweek Vulnerebility
Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.
Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.
The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.
Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.
“The component is an OutPorc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi notes in a research paper (PDF).
EQNEDT32.EXE, the researchers explain, employs a set of standard COM interfaces for Object Linking and Embedding (OLE), an Office feature already known to be abused by cybercriminals.
The researchers discovered they could cause a buffer overflow using a procedure calling a function designed to “copy null-term lines from an internal form to buffer which was sent to it as the first argument.” The bug, the researchers say, can be exploited to achieve arbitrary code execution.
According to Embedi, the use of several OLEs designed to exploit the vulnerability could lead to the execution of an arbitrary sequence of commands, such as downloading a file from the Internet and executing it.
The security researchers claim that they managed to create an exploit that would work with all Office versions released over the past 17 years, including Office 365, and which would impact all Windows versions, including Windows 10 Creators Update. Furthermore, the exploit would work on all architectures.
The most worrying aspect of the vulnerability is that the exploit doesn’t require user interaction for it to work, once the malicious document carrying the code is opened. In fact, the attack would not even interrupt a user’s work with Microsoft Office, the researchers claim.
“The only hindrance here is the protected view mode because it forbids active content execution (OLE/ActiveX/Macro). To bypass it cyber criminals use social engineering techniques. For example, they can ask a user to save a file to the Cloud (OneDrive, GoogleDrive, etc.). In this case, a file obtained from remote sources will not be marked with the MOTW (Mark of The Web) and, when a file is opened, the protected view mode will not be enabled,” Embedi notes.
This vulnerability, the researchers conclude, proves that EQNEDT32.EXE is an obsolete component that may contain other security weaknesses, possibly easily exploitable. Had standard security mitigation been used when compiling the file, the vulnerability wouldn’t be exploitable, the researchers say.
The vulnerability was reported to Microsoft in April 2017. The software giant addressed it this week, as part of its November 2017 Patch Tuesday.
Fileless Attacks Ten Times More Likely to Succeed: Report
16.11.2017 securityweek Virus
A new report from the Ponemon Institute confirms, but quantifies, what most people know: protecting endpoints is becoming more difficult, more complex and more time-consuming -- but not necessarily more successful.
Commissioned by endpoint protection firm Barkly, the report (PDF) confirms that defenders are increasingly moving away from primarily signature-based malware detection by replacing or supplementing existing defenses with additional protection or response capabilities. One third of respondents have replaced their existing AV product, while half of the respondents have retained their existing product but supplemented them with additional protections.
To combat both old and new defenses, attackers are responding with a new attack methodology -- the fileless attack. Ponemon notes that 29% of attacks in 2017 have been fileless. This is up from 20% in 2016, and is expected to increase to 35% in 2018.
The fileless attack does not install detectable files. These attacks, says Ponemon, "instead leverage exploits designed to run malicious code or launch scripts directly from memory, infecting endpoints without leaving easily-discoverable artifacts behind. Once an endpoint has been compromised, these attacks can also abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network."
According to Ponemon, 54% of companies have experienced one or more successful attacks that have compromised data and/or infrastructure, while 77% of those attacks used exploits or fileless attacks. While the attack methodology has changed, the ultimate goal of the attacker has not. Ransomware, for example, remains a major problem. Half of the surveyed organizations have suffered a ransomware incident in 2017, while 40% of those have experienced multiple incidents. The average ransomware demand is now $3,675.
The implication from these figures is that bad guys can adapt to new security faster than good guys can adapt to new attacks. Barkly's CTO Jack Danahy doesn't believe that this is inevitable. "For us," he told SecurityWeek, "the problem is behavioral." Since the bad guys will always get better at obfuscating what they are doing, plus the reality that they have equal access to the technologies that the good guys use, "you know that they are going to look for ways to get around the entire class of defense."
Fileless attacks are the bad guys' response to traditional machine learning. When you look at the two bodies of technology, the older and the newer endpoint protection products, there's a common factor -- they are all file-based. They both still need a file to look at. This is what led to the development of fileless attacks. "We knew right from the beginning that we had to concentrate on stopping attacks because of their behavior, not because of any malware files they use. We had to find a way," he explained, "to identify really low-level, really early behaviors that are representative of when malware is trying to set itself up, before it can do any corrupting activity."
To do this, Barkly developed a system that would examine both good behaviors and bad behaviors, and to be able to 'disambiguate' the two. "This is opposed to the standard method of looking for changes that have already happened or specific attributes of existing files in order to know that something bad is happening. That's too late," he said.
The end result is a SaaS product that updates its ability to differentiate between good and bad behavior on a daily basis -- using Barkly's own 'responsive machine-learning' (a combination of both supervised and unsupervised machine learning). "It's like a factory of bad behaviors and a factory of good behaviors, with machine learning to disambiguate the two," he said.
Users do not have a high opinion of most existing endpoint products, notes the Ponemon report. The average organization has seven different software agents on its endpoints to manage security, making it 'noisy and time-consuming'. Perhaps because of the growing number of products, 73% of organizations say it is getting more difficult to manage endpoint security, and two-thirds do not have the resources to do so adequately.
The biggest problem with most current solutions, according to the Ponemon study, is that they do not provide adequate protection. Danahy is not surprised. "You cannot claim to do endpoint protection unless you can stop both file-based and fileless attacks before they get through and harm the client. A fileless attack is ten times more likely to succeed than a file-based attack."
According to the study, the total cost of a successful attack is now over $5 million. The 'cost of a breach' is a contentious subject because of the variables concerned. Ponemon is known to take great care over its conclusions, but Danahy agrees it's a difficult concept. "That's why," he told SecurityWeek, "I insisted on the 'average cost per employee' being included." This figure stands at $301. It makes it easier for smaller firms to realistically consider the likely cost to themselves.
Ponemon's conclusion from the study is that organizations would "benefit from endpoint security solutions designed to block new threats like fileless attacks, which are responsible for the majority of today's endpoint compromises. To restore their faith in endpoint security's effectiveness, new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management."
Windows 10 Detects Reflective DLL Loading: Microsoft
16.11.2017 securityweek Safety
Windows 10 Creators Update can detect reflective Dynamic-Link Library (DLL) loading in a variety of high-risk processes, including browsers and productivity software, Microsoft says.
This is possible because of function calls (VirtualAlloc and VirtualProtect) related to procuring executable memory, which generate signals for Windows Defender Advanced Threat Protection (Windows Defender ATP).
Reflective DLL loading, the software giant explains, relies on loading a DLL into a process memory without using the Windows loader. First described in 2008, the method allows for the loading of a DLL into a process even if the DLL isn’t registered with the process.
The technique is employed by modern attacks to avoid detection, although the operation is not trivial, as it requires the use of a custom loader that can write the DLL into memory and then resolve its imports and/or its relocation.
What motivates attackers to use the method, Microsoft says, is that reflectively loading a DLL doesn’t require the DLL to reside on disk, and the library that is loaded may not be readily visible without forensic analysis, especially because it is not written to disk.
“A crucial aspect of reflectively loading a DLL is to have executable memory available for the DLL code. This can be accomplished by taking existing memory and changing its protection flags or by allocating new executable memory. Memory procured for DLL code is the primary signal we use to identify reflective DLL loading,” Christian Seifert, Windows Defender ATP Research, explains.
The detection model used in Windows 10 first learns about the normal allocations of a process, then it determines that a process associated with malicious activity allocates executable memory that deviates from the normal behavior. The model is meant to prove that memory events can be used as the primary signal for detecting reflective DLL loading, Seifert says.
The real model, however, also includes various other features, such as allocation size, allocation history, thread information, allocation flags, and the like. It also takes into consideration variations in application behavior, so its effectiveness is increased through additional behavioral signals, such as network connection behavior.
In an attack scenario where the victim opens a malicious Word document from a file share and enables macro code to run, the Word process connects to the attacker-specified command and control (C&C) server to fetch the DLL to be reflectively loaded. Once the loading has been completed, it connects to the C&C and provides command line access to the victim machine.
Windows Defender ATP, Microsoft says, identifies the memory allocations as abnormal and alerts on the matter, providing context on the document and information on the C&C communication. Similarly, Microsoft Office 365 Advanced Threat Protection prevents such attacks through dynamic behavior matching.
Seifert also points out that Windows Defender ATP is a post-breach solution designed to alert on detected hostile activity. It can also provide detailed event timelines and other contextual information for attack analysis, the researcher says.
Hackeři tvrdí, že ukradli dokumenty italské vlády a armády
16.11.2017 Novinky/Bezpečnost BigBrother
Italská policie vyšetřuje hackerský útok na místní úřady. Skupina Anonymous totiž zveřejnila údajnou komunikaci mezi členy administrativy a oznámila, že má v držení stovky dokumentů s osobními údaji italských činitelů. Policie v úterý uvedla, že útok zaregistrovala v sobotu, napsala agentura Reuters. Potvrzené je prý v tuto chvíli vniknutí do e-mailové schránky příslušníka policie a zaměstnance ministerstva obrany.
Specializované oddělení policie uvedlo, že "technické vyšetřování... zatím neodhalilo další narušení úředních informačních systémů". Z osobních schránek dvou státních zaměstnanců byly údajně ukradeny e-mailové kontakty a další dokumenty. Zdroj obeznámený s vyšetřováním Reuters řekl, že pátrání policie pokračuje, dosud však prokázalo pouze narušení dvou účtů.
Hackeři skupiny Anonymous na svém italském blogu zveřejnili kopii e-mailu údajně odeslaného z vládní adresy pracovníkovi kanceláře premiéra Paola Gentiloniho. Obsahuje prý jména členů ochranky, která bude předsedu vlády příští týden doprovázet na cestě do Boloně.
Dále se na stránkách objevil dopis s rádiovými frekvencemi použitými bezpečnostními pracovníky během říjnové návštěvy Gentiloniho v Bruselu a čerstvé instrukce pro římskou policii ohledně konfrontací s demonstranty. Anonymous rovněž zveřejnila několik výplatních pásek, kopie osobních dokladů a informace ohledně platů v armádě.
Mají prý složky státních i evropských institucí
Anonymous ale tvrdí, že získala také složky z několika ministerstev, státních i evropských institucí. Má se jednat o e-maily, telefonní čísla, příkazy policejních stanic, kopie dokladů totožnosti, fotografie agentů či vojáků.
"Občané, s potěšením vám oznamujeme, v zájmu demokracie a důstojnosti národů, že máme v držení seznam osobních údajů týkajících se ministerstva vnitra, ministerstva obrany, vojenského námořnictva, jakož i úřadu vlády a evropského parlamentu," citoval deník Corriere della Sera prohlášení Anonymous. "Zkorumpovaná vládo, revoluce se nezadržitelně děje i zde, a její strůjci nyní znají vaše jména, vaše telefonní čísla, vaše adresy," pokračuje sdělení.
Ministerstvo obrany podle Reuters popřelo, že by jeho informační systémy měly "díry", a dodalo, že zveřejněný materiál byl osobního charakteru a pocházel především z osobních účtů jednotlivých zaměstnanců. "Žádné oficiální informace nebyly ukradeny, a už vůbec ne jakékoli tajné informace," znělo prohlášení rezortu obrany.
Web Účtenkovky napadli hackeři
16.11.2017 Novinky/Bezpečnost Počítačový útok
Výpadek webových stránek loterie Účtenkovka, kde se ve středu měly objevit výsledky prvního slosování, způsobil útok hackerů, řekla Radiožurnálu náměstkyně ministra financí pro daně a cla Alena Schillerová. Stránky byly asi hodinu a půl nefunkční, ministerstvo muselo výsledky zveřejnit na vlastních stránkách.
„Celou dobu jsem ve spojení s dodavatelskou firmou. Ta ten problém zanalyzovala. Došlo k hackerskému útoku, který ona odstraňuje a dává dohromady. Nicméně, my jsme hned v 19:30 zveřejnili všechny údaje na webové stránce ministerstva financí,“ řekla Schillerová Radiožurnálu.
Výpadek postihl web www.uctenkovka.cz od zhruba sedmi hodin večer do půl deváté.
Útokům čelilo Česko už dříve
O jaký typ útoku se jednalo, není v tuto chvíli jasné. S největší pravděpodobností však šlo o hackerskou techniku DDoS (Distributed Denial of Service). Ta má vždy stejný scénář. Stovky tisíc počítačů začnou přistupovat v jeden okamžik na konkrétní server. Ten zpravidla nezvládne tak vysoké množství požadavků zpracovat a spadne. Pro běžné uživatele se pak takto napadená webová stránka tváří jako nedostupná.
Stejnému typu útoku čelily na konci října – během volebního víkendu – prezentační volební weby volby.cz a volbyhned.cz. Ty byly tehdy nefunkční 2,5 hodiny.
Masivním útokům typu DDoS čelily v roce 2013 některé další tuzemské servery. Směrovány byly nejprve na zpravodajské weby, potom na portál Seznam.cz, servery bank a telefonních operátorů.
Podle bezpečnostních expertů šlo tehdy o největší kybernetický útok v celé historii Česka.
O co se hraje v Účtenkovce
Do prvního kola Účtenkovky se zapojilo kolem pěti procent Čechů, dohromady registrovali přes 11 miliónů účtenek. Losovalo se z účtenek ze systému EET zaregistrovaných do hry v době od začátku října do neděle 12. listopadu. Generátor náhodných čísel vybral 21 tisíc výherních kódů.
Od 1. listopadu mohou soutěžící registrovat účtenky ze svých listopadových nákupů do slosování, které bude 15. prosince, a kde se bude znovu hrát o 21 025 výher včetně automobilu. Ceny jsou hrazeny z veřejných peněz.
Formidable Forms plugin vulnerabilities expose WordPress sites attacks
16.11.2017 securityaffairs Vulnerebility
A researcher from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin that expose websites to attacks.
The researcher Jouko Pynnönen from Finland-based company Klikki Oy has discovered several vulnerabilities in the Formidable Forms plugin the expose websites to attacks.
The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.
Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.
The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.
Unfortunately, this isn’t the unique flaw of this type, the researcher also found another flaw that exposes data submitted via forms created with the Formidable Forms plugin. Both vulnerabilities are related to the way the plugin implements shortcodes.
“The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.” wrote Pynnonen.
The Formidable Forms plugin is also affected by reflected and stored cross-site scripting (XSS) vulnerabilities. The stored XSS could be exploited by an attacker to execute arbitrary JavaScript code in the context of an administrator’s browsing session. An attacker can inject a malicious code via forms, the code is executed when the site admin view it on the dashboard.
“Administrators can view data entered by users in Formidable forms in the WordPress Dashboard. Any HTML entered in forms is filtered with the wp_kses() function. This isn’t enough to prevent dangerous HTML as it allows the “id” and “class” HTML attributes and e.g. the <form> HTML tag. It was possible to craft HTML code which would result in attacker-supplied JavaScript to be executed when the form entry is viewed.” added the expert.
Below the example shared by the expert:
<form id=tinymce><textarea name=DOM> </textarea></form>
<a class=frm_field_list>panelInit</a>
<aid ="frm_dyncontent"> <bid ="xxxdyn_default_valuexxxxx" class="ui-find-overlay wp-editor-wrap">overlay</b></a>
<aid =post-visibility-display>vis1</a><aid =hidden-post-visibility>vis2</a><aid =visibility-radio-private>vis3</a>
<div id=frm-fid-search-menu><aid =frm_dynamic_values_tab>zzz</a></div>
<form id=posts-filter method=post action=admin-ajax.php?action=frm_forms_preview>
<textarea name=before_html><svg on[entry_key]loaad=ler(t/xss/) <//te&xtagt;rea></form>
The expert also discovered that if the WordPress installation includes the iThemes Sync WordPress maintenance plugin alongside Formidable Forms, the attacker can exploit the SQL injection flaw to obtain a user’s ID and authentication key.
The user’s ID and the authentication key can be used to control WordPress via iThemes Sync.
Formidable Forms promptly fixed the flaws with the release of versions 2.05.02 and 2.
The expert identified the issued as part of a bug bounty program that offers rewards of up to $10,000, the initiative managed by the HackerOne was run by an unnamed Singapore-based tech company. The Formidable Forms plugin is one of the software used by the tech company.
The researcher received $4,500 reward for the SQL injection vulnerability and a few hundred dollars for each of the other security holes.
Multi-Stage Android/TrojanDropper.Agent.BKY Malware bypasses Google Play detection once again
16.11.2017 securityaffairs Android
Researchers from security firm ESET, discovered a multi-stage Malware dubbed Android/TrojanDropper.Agent.BKY that evaded Google Play detection.
Security experts at ESET have discovered a multi-stage Android malware, tracked as Android/TrojanDropper.Agent.BKY, that was available for download in the official Google Play store.
The researchers have found eight malicious applications in the official application store (MEX Tools, Clear Android, Cleaner for Android, World News, WORLD NEWS, World News PRO, Игровые Автоматы Слоты Онлайн, and Слоты Онлайн Клуб Игровые Автоматы), they appear as legitimate applications and use advanced anti-detection features.
“Detected by ESET security systems as Android/TrojanDropper.Agent.BKY, these apps form a new family of multi-stage Android malware, legitimate-looking and with delayed onset of malicious activity.” states the analysis published by ESET.
The experts highlighted the use of advanced anti-detection features implemented by these apps that were downloaded only by several hundred users.
The Android/TrojanDropper.Agent.BKY samples analyzed by ESET employ a multi-stage architecture along with encryption.
Once downloaded and installed, the malicious apps do not request any suspicious permissions and even mimic the activity they were supposed to.
In background, the apps decrypt and execute a first-stage payload designed to decrypt and execute the second-stage payload from the assets of the app downloaded from Google Play.Android 
TrojanDropper Agent.BKY
The malware implements obfuscatory measures to remain under the radar.
The second-stage payload downloads a malicious application from a hardcoded URL it waits around 5 minutes before asking users to install the third-stage payload that masquerades as Adobe Flash Player or another popular app.
“The app downloaded by the second-stage payload is disguised as well-known software like Adobe Flash Player or as something legitimate-sounding yet completely fictional – for example “Android Update” or “Adobe Update”. In any case, this app’s purpose is to drop the final payload and obtain all the permissions that payload needs for its malicious actions.” continues the analysis.
Once the third-stage payload is installed it decrypts and executes the final fourth-stage payload that was a mobile banking Trojan.
The Trojan displays a fake login forms to steal their credentials or credit card details.
Experts noticed that one of the malicious apps downloads the trojan using the bit.ly URL shortener, this allowed them to discover that the link had been used almost 3000 times as of November 14, that most of the connections were from infected hosts in the Netherlands.
Two of most recent samples of the TrojanDropper malware were observed dropping either the MazarBot banking Trojan or spyware.
ESET suggests the impacted users to first deactivate the admin rights for the installed payload, and then uninstall the installed payload uninstall the app initially downloaded from the Play Store.
Further technical details, including the IoCs are included in the report published by ESET.
“Unfortunately, multi-stage downloaders, with their improved obfuscation features, have a better chance of sneaking into official app stores than common Android malware does.” concluded ESET. “Users who want to stay protected should not rely fully on the stores’ protections; instead, it’s crucial for users to check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices,”
Forever 21 Warns Shoppers of Payment Card Breach at Some Stores
15.11.2017 thehackernews Crime
Another day, another data breach. This time a fast-fashion retailer has fallen victim to payment card breach.
American clothes retailer Forever 21 announced on Tuesday that the company had suffered a security breach that allowed unknown hackers to gain unauthorized access to data from payment cards used at a number of its retail locations.
The Los Angeles based company, which operates over 815 stores in 57 countries, didn't say which of its stores were affected, but it did note that customers who shopped between March and October this year may be affected.
Forever 21 learned of the breach after the retailer received a report from a third-party monitoring service, suggesting there may have been "unauthorized access to data from payment cards that were used at certain FOREVER 21 stores."
Besides this, the company also revealed that it implemented encryption and token-based authentication systems in 2015 that are intended to protect transaction data on its point-of-sale (PoS) machines in its stores.
However, due to dysfunctional of the security layers on certain PoS devices, hackers were able to gain unauthorized access to data from payment cards at some Forever 21 stores, the company admitted.
Since the investigation of its payment card systems is still ongoing, complete findings of the incident, including the number of customers potentially affected, are not available at the moment.
"Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist," the US clothing retailer said while announcing the data breach.
"We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter."
Meanwhile, customers who shopped at Forever 21 are advised to monitor their payment card statements carefully, and immediately notify their banks that issued the card for any unauthorized charge.
This incident is yet another embarrassing breach disclosed recently, followed by Disqus' disclosure of a 5-year-old breach where hackers stole details of over 17.5 million users and Yahoo's disclosure that 2013 data breach affected all of its 3 Billion users.
The recent incidents also include Equifax's disclosure of a breach of potentially 145.5 million customers, U.S. Securities and Exchange Commission (SEC) disclosure of a breach that profited hackers, and Deloitte's revelation of a cyber attack that resulted in the theft of its clients' private emails and documents.
Firefox 57 "Quantum" Released – 2x Faster Web Browser
15.11.2017 thehackernews IT
It is time to give Firefox another chance.
The Mozilla Foundation today announced the release of its much awaited Firefox 57, aka Quantum web browser for Windows, Mac, and Linux, which claims to defeat Google's Chrome.
It is fast. Really fast. Firefox 57 is based on an entirely revamped design and overhauled core that includes a brand new next-generation CSS engine written in Mozilla’s Rust programming language, called Stylo.
Firefox 57 "Quantum" is the first web browser to utilize the power of multicore processors and offers 2x times faster browsing experience while consuming 30 percent less memory than Google Chrome.
Besides fast performance, Firefox Quantum, which Mozilla calls "by far the biggest update since Firefox 1.0 in 2004," also brings massive performance improvements with tab prioritization, and significant visual changes with a completely redesigned user interface (UI), called Photon.
This new version also adds in support for AMD VP9 hardware video decoding during playback in an attempt to reduce power consumption, and thus preventing your systems from running out of battery.
Firefox 57 also includes built-in screenshot functionality, improved tracker blocking and support for WebVR to enable websites to take full advantage of VR headsets.
Firefox has plans to speed things even further by leveraging modern GPUs in the near future.
Firefox Quantum for the desktop version is available for download now on Firefox's official website, and all existing Firefox users should be able to upgrade to the new version automatically.
However, the Android version of Firefox 57 is rolling out on Google Play in coming days, and its iOS version should eventually arrive on Apple's official App Store.