Chinese Cyberspies Deliver New Malware via CPL Files
13.11.2017 securityweek CyberSpy
A China-linked cyber espionage group that may have been active since as early as 2010 has developed a new piece of malware that it has used in highly targeted attacks launched over the past year.
The new malware, dubbed Reaver, was analyzed by researchers at Palo Alto Networks, who identified ten different samples representing three versions of the threat.
The final payload of the malware has been loaded using Windows Control Panel (CPL) files, which is highly uncommon – Palo Alto Networks said only 0.006% of the malware it has seen leverages this technique. A surge in CPL malware was observed in 2013 and 2014 in Brazil, where cybercriminals had been using it to deliver banking Trojans.
Based on the infrastructure it uses, Reaver has been linked by experts to SunOrcal, a piece of malware used by threat actors believed to be located in China in attacks aimed at the January 2016 presidential election in Taiwan. The group behind SunOrcal is also said to be using the Surtr RAT, which has been tied to malicious document generators named HomeKit and Four Element Sword.
The threat actor has been around since at least 2013, but some evidence suggests it may have been active since as early as 2010.
Palo Alto Networks does not have information on the individuals or organizations targeted with Reaver, but based on the group’s previous campaigns, the attacks were likely aimed at one of China’s “Five Poisons:” Uyghurs, Tibetans, Falun Gong, the Chinese democracy movement, and the movement for Taiwan’s independence.
The malware abuses the Control Panel utility in Windows, control.exe, to load the Reaver payload. The first version of the threat uses HTTP for communication, while the newer versions rely on TCP.
Once it infects a device, Reaver can help its operators collect information about the compromised system, including CPU speed, computer name, username, IP, memory information and Windows version. The malware can also read and write files, alter files and registries, spawn and terminate processes, and modify services.
The hackers started using Reaver sometime in late 2016 alongside SunOrcal. Both pieces of malware have been seen in attacks as recent as November 2017.
Palo Alto Networks has published a detailed analysis of Reaver, along with indicators of compromise (IoC) and information on overlaps with SunOrcal.
Hackers Helped Pentagon Patch Thousands of Flaws
13.11.2017 securityweek BigBrothers
Bug bounty programs and a vulnerability disclosure policy have helped the U.S. Department of Defense patch thousands of security holes in its systems.
Nearly one year after it announced its vulnerability disclosure policy, the Pentagon received 2,837 valid bug reports from roughly 650 white hat hackers located in 50 countries around the world, according to HackerOne, the platform used by the organization to host its projects.
More than 100 of the flaws reported to the Pentagon through its vulnerability disclosure program have been rated critical or high severity. Weaknesses, found in nearly 40 DoD components, include remote code execution, SQL injection, and authentication bypass issues.
A majority of the reports were submitted by researchers from the United States, followed by India, the U.K., Pakistan, Philippines, Egypt, Russia, France, Australia and Canada.
The DoD vulnerability disclosure program does not offer any monetary rewards - it only provides a channel for reporting security holes without the fear of potential legal consequences.
However, the Pentagon’s cybersecurity initiatives also include several bug bounty programs that offered monetary rewards. Researchers who took part in these challenges earned more than $300,000 for almost 500 flaws discovered in the organization’s public-facing systems. On the other hand, the government estimated that it saved millions of dollars by running these bug bounty programs.
The first initiative was Hack the Pentagon, which received 138 valid submissions and paid out roughly $75,000. Next were Hack the Army which paid out approximately $100,000 for 118 valid reports, and Hack the Air Force, which earned participants $130,000 for 207 valid reports.
Following the success of “Hack the Pentagon,” several bug bounty programs and related initiatives were announced by U.S. government organizations and lawmakers.
The General Services Administration (GSA) has launched a bug bounty program that offers rewards ranging between $300 and $5,000, and the Internal Revenue Service (IRS) announced a $2 million contract with security testing firm Synack for help in securing its online presence.
The Department of Justice (DoJ) has created a framework designed to help organizations develop formal vulnerability disclosure programs.
As for legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 will require companies that provide Internet-connected devices to the government to have a vulnerability disclosure policy. Senators also announced the Hack Department of Homeland Security (DHS) Act, which aims to establish a bug bounty pilot program within the DHS.
DHS – Tests demonstrate Boeing 757 airplanes vulnerable to hacking
13.11.2017 securityaffairs BigBrothers
Researchers and private industry experts, along with DHS officials, remotely hacked a Boeing 757 airplane that was parked at the airport in Atlantic City.
A group of researchers and private industry experts, along with DHS officials, remotely hacked a Boeing 757 airplane owned by the DHS that was parked at the airport in Atlantic City, New Jersey.
The team didn’t have physical access to the plan, the experts interacted with systems on the aircraft remotely via “radio frequency communications.”
The successful experiment took place in September 2016, pilots were not informed of the ongoing cyber attacks. In just two days, the reached their goal, but the details of the hack were not disclosed and will remain classified.
The experiment and its results were disclosed last week during the 2017 CyberSat Summit in Virginia. The test was revealed by Robert Hickey, aviation program manager with the Cyber Security Division of the DHS Science and Technology (S&T) Directorate.
Many aviation experts declared to be aware of the flaw exploited by Hickey and his team, but seven experienced pilots at American Airlines and Delta Air Lines airline companies had no knowledge of the issue when they were briefed in a March 2017 issue.
“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,'” explained Hickey.
Even is the Boeing 757 in no more in production since 2004, but it’s still largely used by many companies, also President Donald Trump’s personal airplane is a Boeing 757.
Legacy aircraft, which make up more than 90% of the commercial planes actually in use, don’t have security protections differently by newer planes that are built with a security by design approach.
Patch management is a big problem in the avionics industry, the cost to change just one line of code on a piece of avionics equipment could reach $1 million, and it takes a year to implement.
For this reason, security updates are not so frequent.
Hacking airplane is not a novelty, in 2015, the FBI arrested the expert Chris Roberts who claimed to have hacked a commercial airplane while in flight accessing the plane’s systems by triggering a WiFi flaw in the in-flight entertainment system.
Modern aircraft are very sophisticated systems, but the massive introduction of technology could have the side effect to unload their surface of attack is the risk of airplane hacking is underestimated.
Privacy Fears Over Artificial Intelligence as Crimestopper
13.11.2017 securityweek Privacy
Police in the US state of Delaware are poised to deploy "smart" cameras in cruisers to help authorities detect a vehicle carrying a fugitive, missing child or straying senior.
The video feeds will be analyzed using artificial intelligence to identify vehicles by license plate or other features and "give an extra set of eyes" to officers on patrol, says David Hinojosa of Coban Technologies, the company providing the equipment.
"We are helping officers keep their focus on their jobs," said Hinojosa, who touts the new technology as a "dashcam on steroids."
The program is part of a growing trend to use vision-based AI to thwart crime and improve public safety, a trend which has stirred concerns among privacy and civil liberties activists who fear the technology could lead to secret "profiling" and misuse of data.
US-based startup Deep Science is using the same technology to help retail stores detect in real time if an armed robbery is in progress, by identifying guns or masked assailants.
Deep Science has pilot projects with US retailers, enabling automatic alerts in the case of robberies, fire or other threats.
The technology can monitor for threats more efficiently and at a lower cost than human security guards, according to Deep Science co-founder Sean Huver, a former engineer for DARPA, the Pentagon's long-term research arm.
"A common problem is that security guards get bored," he said.
Until recently, most predictive analytics relied on inputting numbers and other data to interpret trends. But advances in visual recognition are now being used to detect firearms, specific vehicles or individuals to help law enforcement and private security.
- Recognize, interpret the environment -
Saurabh Jain is product manager for the computer graphics group Nvidia, which makes computer chips for such systems and which held a recent conference in Washington with its technology partners.
He says the same computer vision technologies are used for self-driving vehicles, drones and other autonomous systems, to recognize and interpret the surrounding environment.
Nvidia has some 50 partners who use its supercomputing module called Jetson or its Metropolis software for security and related applications, according to Jain.
One of those partners, California-based Umbo Computer Vision, has developed an AI-enhanced security monitoring system which can be used at schools, hotels or other locations, analyzing video to detect intrusions and threats in real-time, and sending alerts to a security guard's computer or phone.
Israeli startup Briefcam meanwhile uses similar technology to interpret video surveillance footage.
"Video is unstructured, it's not searchable," explained Amit Gavish, Briefcam's US general manager. Without artificial intelligence, he says, ''you had to go through hundreds of hours of video with fast forward and rewind." "We detect, track, extract and classify each object in the video. So it becomes a database."
This can enable investigators to quickly find targets from video surveillance, a system already used by law enforcement in hundreds of cities around the world, including Paris, Boston and Chicago, Gavish said.
"It's not only saving time. In many cases they wouldn't be able to do it because people who watch video become ineffective after 10 to 20 minutes," he said.
- 'Huge privacy issues' -
Russia-based startup Vision Labs employs the Nvidia technology for facial recognition systems that can be used to identify potential shoplifters or problem customers in casinos or other locations.
Vadim Kilimnichenko, project manager at Vision Labs, said the company works with law enforcement in Russia as well as commercial clients.
"We can deploy this anywhere through the cloud," he said.
Customers of Vision labs include banks seeking to prevent fraud, which can use face recognition to determine if someone is using a false identity, Kilimnichenko said.
For Marc Rotenberg, president of the Electronic Privacy Information Center, the rapid growth in these technologies raises privacy risks and calls for regulatory scrutiny over how data is stored and applied.
"Some of these techniques can be helpful but there are huge privacy issues when systems are designed to capture identity and make a determination based on personal data," Rotenberg said.
"That's where issues of secret profiling, bias and accuracy enter the picture." Rotenberg said the use of AI systems in criminal justice calls for scrutiny to ensure legal safeguards, transparency and procedural rights.
In a blog post earlier this year, Shelly Kramer of Futurum Research argued that AI holds great promise for law enforcement, be it for surveillance, scanning social media for threats, or using "bots" as lie detectors.
"With that encouraging promise, though, comes a host of risks and responsibilities."
Microsoft president urges a digital Geneva Convention, we agree
13.11.2017 securityaffairs IT
Microsoft president Brad Smith appeared before the UN in Geneva to talk about the urgency of a digital Geneva Convention.
Microsoft president Brad Smith appeared before the UN in Geneva to talk about the role of nation-state actors in the threat landscape. We are assisting a growing number of nation-state cyber attacks, for this reason, cybersecurity experts, and Government officials urge the adoption of norms of states behavior in the cyberspace.
The risk of escalation and retaliation in cyberspace, the increasing number of cyber attacks and cyber threats even more sophisticated could have a destabilizing effect on international peace and security. The risk of conflict between states caused so cyber incidents encourages all States to engage in law-abiding, norm-respecting and confidence-building behavior in their use of ICT.
Smith last month Blamed North Korea for the WannaCry ransomware attack.
During the UN session on current internet governance challenges, Smith urged the need to define a cyber equivalent of the Geneva Convention.
“If you can hack your way into a thermostats you can hack your way into the electric grid,” Smith said, adding that the tech sector has the first responsibility for improving internet security because “after all we built this stuff”.
Most of you, already know that I was one of the experts of the Cyber G7 group at the Italian Summit that produced the voluntary, non-binding norms of State behavior during peacetime detailed in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.
The group was led by Minister Gianfranco Incarnato and I had the honor and the opportunity to write the declaration along with Prof. Luigi Martino. We presented 12 points aimed to propose stability and security in the cyberspace.
Gianfranco Incarnato @GianfrancoIncar
Ministeriale G7 http://www.esteri.it/mae/tiny/24555#.WOy60gvHfFw.twitter … - Vedi DECLARATION ON CYBERSPACE
12:16 PM - Apr 11, 2017
Ministeriale G7
Ministeriale G7
esteri.it
Replies 8 8 Retweets 10 10 likes
Twitter Ads info and privacy
The declaration invites all the States to collaborate with the intent to reduce risks to international peace, security, and stability.
Well, part of the work wasn’t presented in the final discussion at the G7 summit, and unfortunately, the group has ended its mission, but we strongly believe that we made the first steps on the route Smith has in mind and we will do anything to complete our work.
We are currently trying to give an efficient prosecution to the work we made at the G7 Summit.
Microsoft is spending a significant effort trying to identify threat actors in the wild and profile them, the company used its technology to track down malicious infrastructure used by both criminal syndicates and nation-state actors. Smith announced Microsoft helped customers in 91 countries by seizing 75 domains using by attackers, it spends $1bn on security innovation a year.
The attacks against the 2016 US Presidential Election, such as the attacks against SWIFT banking network, were attributed to respectively Russian and NK threat APT groups linked to Russia and North Korea, both cases demonstrates that the problem of the “attribution” is hard to be solved without information sharing and collaborations among states.
For this reason, we at the Cyber G7 Group and Microsoft President believe that there is the shared need of a mandatory set of norms for states behavior in the cyber space.
“Nation states are making a growing investment in increasingly sophisticated cyber weapons,” Smith added. “We need a new digital Geneva Convention.”
“Government should agree not to attack civilian infrastructures, such as the electrical grid or electoral processes,” he said.
Smith highlighted the importance of the role of private companies in conflict, their conduct must be neutral and must ensure the protection of their customers.
But as remarked in several discussions, we are all nodes of a globally connected network, whom security depends on our behavior too.
Smith used the phishing to express this concept and the highlight the role of netizens in security the cyberspace.
“90 per cent of attacks begin with someone clicking on an email… We need to protect people from their bad habits,” he added.
Google introduces updates in Chrome to prevent unexpected redirects and unwanted content
13.11.2017 securityaffairs Vulnerebility
Google presents changes to Google Chrome that aim to prevent users from being redirected to unexpected websites and unwanted content.
Google is continuously working to improve the security of its product and service, last changes to Google Chrome aim to prevent users from being redirected to unexpected websites and unwanted content.
It has been estimated by Google that one in every five desktop users face unwanted content, it is very common to unexpectedly navigate web pages embedding third-party content.
The company announced the security updates this week, the next releases of Chrome will contain three new protection measures.
In Chrome 64, all redirects from third-party iframe will be notified to the user, the iframe, in fact, will display a sidebar of information instead of redirecting. To enable the redirection the user has to interact with that frame.
Another scenario covered by the measures introduced by Google sees users click on a desired destination, which opens in a new tab, while the main window displays an unwanted content. Starting with Chrome 65, this behavior will trigger an infobar and prevent the main tab from redirecting and bypassing Chrome’s pop-up blocker.
“One piece of feedback we regularly hear from users is that a page will unexpectedly navigate to a new page, for seemingly no reason. We’ve found that this redirect often comes from third-party content embedded in the page, and the page author didn’t intend the redirect to happen at all.” states the post on Chromium blog.
“To address this, in Chrome 64 all redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user had been interacting with that frame. This will keep the user on the page they were reading, and prevent those surprising redirects.”
Google Chrome redirects
Another scenario covered by Google sees links to third-party sites disguised as play buttons or other website controls.
“Finally, there are several other types of abusive experiences that send users to unintended destinations but are hard to automatically detect. These include links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows. ” continues Google.
“Similar to how Google Safe Browsing protects users from malicious content, starting in early January Chrome’s pop-up blocker will prevent sites with these types of abusive experiences from opening new windows or tabs.”
In January, Chrome will update its pop-up blocker to prevent these sites from opening new windows or tabs.
The IT giant is also launching the Abusive Experiences Report alongside other similar reports in the Google Search Console to help site owners and webmasters prepare for this security updates.
The report allows them to check if any of these abusive experiences have been found on their site and improve their user experience.
“Otherwise, abusive experiences left unaddressed for 30 days will trigger the prevention of new windows and tabs.” concluded Google.
IT threat evolution Q3 2017. Statistics
12.11.2017 Kaspersky Analysis Cyber
According to KSN data, Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
72,012,219 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
Crypto ransomware attacks were blocked on 186283 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
1,598,196 malicious installation packages;
19,748 mobile banking Trojans (installation packages);
108,073 mobile ransomware Trojans (installation packages).
Mobile threats
Q3 events
The spread of the Asacub banker
In the third quarter, we continued to monitor the activity of the mobile banking Trojan Trojan-Banker.AndroidOS.Asacub that actively spread via SMS spam. Q3 saw cybercriminals carry out a major campaign to distribute the Trojan, resulting in a tripling of the number of users attacked. Asacub activity peaked in July, after which there was a decline in the number of attacks: in September we registered almost three times fewer attacked users than in July.
Number of unique users attacked by Trojan-Banker.AndroidOS.Asacub in Q2 and Q3 2017
New capabilities of mobile banking Trojans
Q3 2017 saw two significant events in the world of mobile banking Trojans.
Firstly, the family of mobile banking Trojans Svpeng has acquired the new modification Trojan-Banker.AndroidOS.Svpeng.ae capable of granting all the necessary rights to itself and stealing data from other applications. To do this, it just needs to persuade the user to allow the Trojan to utilize special functions designed for people with disabilities. As a result, the Trojan can intercept text that a user is entering, steal text messages and even prevent itself from being removed.
Interestingly, in August we discovered yet another modification of Svpeng that uses special features. Only, this time the Trojan was not banking related – instead of stealing data, it encrypts all the files on a device and demands a ransom in bitcoins.
Trojan-Banker.AndroidOS.Svpeng.ag. window containing ransom demand
Secondly, the FakeToken family of mobile banking Trojans has expanded the list of apps it attacks. If previously representatives of this family mostly overlaid banking and some Google apps (e.g. Google Play Store) with a phishing window, it is now also overlaying apps used to book taxis, air tickets and hotels. The aim of the Trojan is to harvest data from bank cards.
The growth of WAP billing subscriptions
In the third quarter of 2017, we continued to monitor the increased activity of Trojans designed to steal users’ money via subscriptions. To recap, these are Trojans capable of visiting sites that allow users to pay for services by deducting money from their mobile phone accounts. These Trojans can usually click buttons on such sites using special JS files, and thus make payments without the user’s knowledge.
Our Top 20 most popular Trojan programs in Q3 2017 included three malware samples that attack WAP subscriptions. They are Trojan-Dropper.AndroidOS.Agent.hb and Trojan.AndroidOS.Loapi.b in fourth and fifth, and Trojan-Clicker.AndroidOS.Ubsod.b in seventh place.
Mobile threat statistics
In the third quarter of 2017, Kaspersky Lab detected 1,598,196 malicious installation packages, which is 1.2 times more than in the previous quarter.
Number of detected malicious installation packages (Q4 2016 – Q3 2017)
Distribution of mobile malware by type
Distribution of new mobile malware by type (Q2 and Q3 2017)
RiskTool (53.44%) demonstrated the highest growth in Q3 2017, with its share increasing by 12.93 percentage points (p.p.). The majority of all installation packages discovered belonged to the RiskTool.AndroidOS.Skymobi family.
Trojan-Dropper malware (10.97%) came second in terms of growth rate: its contribution increased by 6.29 p.p. Most of the installation packages are detected as Trojan-Dropper.AndroidOS.Agent.hb.
The share of Trojan-Ransom programs, which was first in terms of the growth rate in the first quarter of 2017, continued to fall and accounted for 6.69% in Q3, which is 8.4 p.p. less than the previous quarter. The percentage of Trojan-SMS malware also fell considerably to 2.62% – almost 4 p.p. less than in Q2.
In Q3, Trojan-Clicker malware broke into this rating after its contribution increased from 0.29% to 1.41% in the space of three months.
TOP 20 mobile malware programs
Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.
Verdict % of attacked users*
1 DangerousObject.Multi.Generic 67.14
2 Trojan.AndroidOS.Boogr.gsh 7.52
3 Trojan.AndroidOS.Hiddad.ax 4.56
4 Trojan-Dropper.AndroidOS.Agent.hb 2.96
5 Trojan.AndroidOS.Loapi.b 2.91
6 Trojan-Dropper.AndroidOS.Hqwar.i 2.59
7 Trojan-Clicker.AndroidOS.Ubsod.b 2.20
8 Backdoor.AndroidOS.Ztorg.c 2.09
9 Trojan.AndroidOS.Agent.gp 2.05
10 Trojan.AndroidOS.Sivu.c 1.98
11 Trojan.AndroidOS.Hiddapp.u 1.87
12 Backdoor.AndroidOS.Ztorg.a 1.68
13 Trojan.AndroidOS.Agent.ou 1.63
14 Trojan.AndroidOS.Triada.dl 1.57
15 Trojan-Ransom.AndroidOS.Zebt.a 1.57
16 Trojan-Dropper.AndroidOS.Hqwar.gen 1.53
17 Trojan.AndroidOS.Hiddad.an 1.48
18 Trojan.AndroidOS.Hiddad.ci 1.47
19 Trojan-Banker.AndroidOS.Asacub.ar 1.41
20 Trojan.AndroidOS.Agent.eb 1.29
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.
First place was occupied by DangerousObject.Multi.Generic (67.14%), the verdict used for malicious programs detected using cloud technologies. This is basically how the very latest malware is detected.
As in the previous quarter, Trojan.AndroidOS.Boogr.gsh (7.52%) came second. This verdict is issued for files recognized as malicious by our system based on machine learning.
Trojan.AndroidOS.Hiddad.an (4.56%) was third. The main purpose of this Trojan is to open and click advertising links received from the C&C. The Trojan requests administrator rights to prevent its removal.
Trojan-Dropper.AndroidOS.Agent.hb (2.96%) climbed from sixth in Q2 to fourth this quarter. This Trojan decrypts and runs another Trojan – a representative of the Loaipi family. One of them –Trojan.AndroidOS.Loapi.b – came fifth in this quarter’s Top 20. This is a complex modular Trojan whose main malicious component needs to be downloaded from the cybercriminals’ server. We can assume that Trojan.AndroidOS.Loapi.b is designed to steal money via paid subscriptions.
Trojan-Dropper.AndroidOS.Hqwar.i (3.59%), the verdict used for Trojans protected by a certain packer/obfuscator, fell from fourth to sixth. In most cases, this name indicates representatives of the FakeToken and Svpeng mobile banking families.
In seventh was Trojan-Clicker.AndroidOS.Ubsod.b, a small basic Trojan that receives links from a C&C and opens them. We wrote about this family in more detail in our review of Trojans that steal money using WAP subscriptions.
Trojan Backdoor.AndroidOS.Ztorg.c came eighth. This is one of the most active advertising Trojans that uses superuser rights. In the third quarter of 2017, our Top 20 included eight Trojans that try to obtain or use root rights and which make use of advertising as their main means of monetization. Their goal is to deliver ads to the user more aggressively, applying (among other methods) hidden installation of new advertising programs. At the same time, superuser privileges help them ‘hide’ in the system folder, making it very difficult to remove them. It’s worth noting that the quantity of this type of malware in the Top 20 has been decreasing (in Q1 2017, there were 14 of these Trojans in the rating, while in Q2 the number was 11).
Trojan.AndroidOS.Agent.gp (2.05%), which steals money from users making calls to premium numbers, rose from fifteenth to ninth. Due to its use of administrator rights, it resists attempts to remove it from an infected device.
Occupying fifteenth this quarter was Trojan-Ransom.AndroidOS.Zebt.a, the first ransom Trojan in this Top 20 rating in 2017. This is a fairly simple Trojan whose main goal is to block the device with its window and demand a ransom. Zebt.a tends to attack users in Europe and Mexico.
Trojan.AndroidOS.Hiddad.an (1.48%) fell to sixteenth after occupying second and third in the previous two quarters. This piece of malware imitates various popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to withstand removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts. Its main ‘audience’ is in Russia.
The geography of mobile threats
The geography of attempted mobile malware infections in Q3 2017 (percentage of all users attacked)
Top 10 countries attacked by mobile malware (ranked by percentage of users attacked):
Country* % of attacked users**
1 Iran 35.12
2 Bangladesh 28.30
3 China 27.38
4 Côte d’Ivoire 26.22
5 Algeria 24.78
6 Nigeria 23.76
7 Indonesia 22.29
8 India 21.91
9 Nepal 20.78
10 Kenya 20.43
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.
For the third quarter in a row Iran was the country with the highest percentage of users attacked by mobile malware – 35.12%. Bangladesh came second, with 28.3% of users there encountering a mobile threat at least once during Q3. China (27.38%) followed in third.
Russia (8.68%) came 35th this quarter (vs 26th place in Q2), France (4.9%) was 59th, the US (3.8%) 67th, Italy (5.3%) 56th, Germany (2.9%) 79th, and the UK (3.4%) 72nd.
The safest countries were Georgia (2.2%), Denmark (1.9%), and Japan (0.8%).
Mobile banking Trojans
Over the reporting period we detected 19,748 installation packages for mobile banking Trojans, which is 1.4 times less than in Q2 2017.
Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2016 – Q3 2017)
Banker.AndroidOS.Asacub.ar became the most popular mobile banking Trojan in Q3, replacing the long-term leader Trojan-Banker.AndroidOS.Svpeng.q. These mobile banking Trojans use phishing windows to steal credit card data and logins and passwords for online banking accounts. In addition, they steal money via SMS services, including mobile banking.
Geography of mobile banking threats in Q3 2017 (percentage of all users attacked)
Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked):
Country* % of attacked users**
1 Russia 1.20
2 Uzbekistan 0.40
3 Kazakhstan 0.36
4 Tajikistan 0.35
5 Turkey 0.34
6 Moldova 0.31
7 Ukraine 0.29
8 Kyrgyzstan 0.27
9 Belarus 0.26
10 Latvia 0.23
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.
In Q3 2017, the Top 10 countries attacked by mobile banker Trojans saw little change: Russia (1.2%) topped the ranking again. In second and third places were Uzbekistan (0.4%) and Kazakhstan (0.36%), which came fifth and tenth respectively in the previous quarter. In these countries the Faketoken.z, Tiny.b and Svpeng.y families were the most widespread threats.
Of particular interest is the fact that Australia, a long-term resident at the top end of this rating, didn’t make it into our Top 10 this quarter. This was due to a decrease in activity by the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher mobile banking families.
Mobile ransomware
In Q3 2017, we detected 108,073 mobile Trojan-Ransomware installation packages, which is almost half as much as in the previous quarter.
Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q3 2016 – Q3 2017)
In our report for Q2, we wrote that in the first half of 2017, we had discovered more mobile ransomware installation packages than in any other period. The reason was the Trojan-Ransom.AndroidOS.Congur family. However, in the third quarter of this year we observed a decline in this family’s activity.
Trojan-Ransom.AndroidOS.Zebt.a became the most popular mobile Trojan-Ransomware in Q3, accounting for more than a third of users attacked by mobile ransomware. Second came Trojan-Ransom.AndroidOS.Svpeng.ab. Meanwhile, Trojan-Ransom.AndroidOS.Fusob.h, which topped the rating for several quarters in a row, was only third in Q3 2017.
Geography of mobile Trojan-Ransomware in Q3 2017 (percentage of all users attacked)
Top 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked):
1 US 1.03%
2 Mexico 0.91%
3 Belgium 0.85%
4 Kazakhstan 0.79%
5 Romania 0.70%
6 Italy 0.50%
7 China 0.49%
8 Poland 0.49%
9 Austria 0.45%
10 Spain 0.33%
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.
The US (1.03%) again topped the rating of countries attacked most by mobile Trojan-Ransomware; the most widespread family in the country was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of about $500 from victims to unblock their devices.
In Mexico (0.91%), which came second in Q3 2017, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Zebt.a. Belgium (0.85%) came third, with Zebt.a the main threat to users there too.
Vulnerable apps exploited by cybercriminals
Q3 2017 saw continued growth in the number of attacks launched against users involving malicious Microsoft Office documents. We noted the emergence of a large number of combined documents containing an exploit as well as a phishing message – in case the embedded exploit fails.
Although two new Microsoft Office vulnerabilities, CVE-2017-8570 and CVE-2017-8759, have emerged, cybercriminals have continued to exploit CVE-2017-0199, a logical vulnerability in processing HTA objects that was discovered in March 2017. Kaspersky Lab statistics show that attacks against 65% users in Q3 exploited CVE-2017-0199, and less than 1% exploited CVE-2017-8570 or CVE-2017-8759. The overall share of exploits for Microsoft Office was 27.8%.
There were no large network attacks (such as WannaCry or ExPetr) launched in Q3 using vulnerabilities patched by the MS17-010 update. However, according to KSN data, there was major growth throughout the quarter in the number of attempted exploitations of these vulnerabilities that were blocked by our Intrusion Detection System component. Unsurprisingly, the most popular exploits have been EternalBlue and its modifications, which use an SMB protocol vulnerability; however, KL statistics show that EternalRomance, EternalChampion and an exploit for the CVE-2017-7269 vulnerability in IIS web servers have also been actively used by cybercriminals. EternalBlue, however, accounts for millions of blocked attempted attacks per month, while the numbers for other exploits are much lower.
Distribution of exploits used in attacks by type of application attacked, Q3 2017
The distribution of exploits by the type of attacked application this quarter was practically the same as in Q2. First place is still occupied by exploits targeting browsers and browser components with a share of 35.0% (a decline of 4 p.p. compared to Q2.) The proportion of exploits targeting Android vulnerabilities (22.7%) was almost identical to that in Q2, placing this type of attacked application once again in third behind Office vulnerabilities.
Online threats (Web-based attacks)
These statistics are based on detection verdicts returned by the web antivirus module that protects users at the moment when malicious objects are downloaded from a malicious/infected web page. Malicious sites are specifically created by cybercriminals; infected web resources include those whose content is created by users (e.g. forums), as well as legitimate resources.
Online threats in the banking sector
These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning from the first quarter of 2017 these statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.
In Q3 2017, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs capable of stealing money via online banking on 204,388 computers.
Number of users attacked by financial malware, Q3 2017
Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.
Geography of banking malware attacks in Q3 2017 (percentage of all users attacked)
TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)
Country* % of users attacked**
1 Togo 2.30
2 China 1.91
3 Taiwan 1.65
4 Indonesia 1.58
5 South Korea 1.56
6 Germany 1.53
7 United Arab Emirates 1.52
8 Lebanon 1.48
9 Libya 1.43
10 Jordan 1.33
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan malware attacks as a percentage of all unique users of Kaspersky Lab products in the country.
TOP 10 banking malware families
The table below shows the Top 10 malware families used in Q3 2017 to attack online banking users (in terms of percentage of users attacked):
Name* % of attacked users**
1 Trojan-Spy.Win32.Zbot 27.9
2 Trojan.Win32.Nymaim 20.4
3 Trojan.Win32.Neurevt 10.0
4 Trickster 9.5
5 SpyEye 7.5
6 Caphaw 6.3
7 Trojan-Banker.Win32.Gozi 2.0
8 Shiz 1.8
9 ZAccess 1.6
10 NeutrinoPOS 1.6
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.
The malware families Dridex and Tinba lost their places in this quarter’s Top 10. One of their former positions was occupied by the Trickster bot (accounting for 9.5% of attacked users), also known as TrickBot, a descendant of the now defunct Dyre banker. There was a small change in the leading three malicious families. First and second places are still occupied by Trojan-Spy.Win32.Zbot (27.9%) and Trojan.Win32.Nymaim (20.4%) respectively, while third place is now occupied by Trojan.Win32.Neurevt (10%) whose share grew by nearly 4 p.p.
Cryptoware programs
Q3 highlights
Crysis rises from the dead
In our Q2 report we wrote that the cybercriminals behind the Crysis ransomware cryptor halted distribution of the malware and published the secret keys needed to decrypt files. This took place in May 2017, and all propagation of the ransomware was stopped completely at that time.
However, nearly three months later, in mid-August, we discovered that this Trojan had come back from the dead and had set out on a new campaign of active propagation. The email addresses used by the blackmailers were different from those used in earlier samples of Crysis. A detailed analysis revealed that the new samples of the Trojan were completely identical to the old ones apart from just one thing – the public master keys were new. Everything else was the same, including the compilation timestamp in the PE header and, more interestingly, the labels that the Trojan leaves in the service area at the end of each encrypted file. Closer scrutiny of the samples suggests that the new distributors of the malware didn’t have the source code, so they just took its old body and used a HEX editor to change the key and the contact email.
The above suggests that this piece of ‘zombie’ malware is being spread by a different group of malicious actors rather than its original developer who disclosed all the private keys in May.
Surge in Cryrar attacks
The Cryrar cryptor (aka ACCDFISA) is a veteran among the ransomware Trojans that are currently being spread. It emerged way back in 2012 and has been active ever since. The cryptor is written in PureBasic and uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archives.
In the first week of September 2017 we recorded a dramatic rise in the number of attempted infections with Cryrar – a surge never seen before or since. The malicious actors used the following approach: they crack the password to RDP by brute force, get authentication on the victim’s system using the remote access protocol and manually launch the Trojan’s installation file. The latter, in turn, installs the cryptor’s body and the components it requires (including the renamed RAR.EXE file), and then automatically launches the cryptor.
According to KSN data, this wave of attacks primarily targeted Vietnam, China, the Philippines and Brazil.
Master key to original versions of Petya/Mischa/GoldenEye published
In July 2017, the authors of the Petya Trojan published their master key, which can be used to decrypt the Salsa keys required to decrypt MFT and unblock access to systems affected by Petya/Mischa or GoldenEye.
This happened shortly after the ExPetr epidemic which used part of the GoldenEye code. This suggests that the authors of Petya/Mischa/GoldenEye did so in an attempt to distance themselves from the ExPetr attack and the outcry that it caused.
Unfortunately, this master key won’t help those affected by ExPetr, as its creators didn’t include the option of restoring a Salsa key to decrypt MFT.
The number of new modifications
In Q3 2017, we identified five new ransomware families in this classification. It’s worth noting here that this number doesn’t include all the Trojans that weren’t assigned their own ‘personal’ verdict. Each quarter, dozens of these malicious programs emerge, though they either have so few distinctive characteristics or occur so rarely that they and the hundreds of others like them remain nameless, and are detected with generic verdicts.
Number of newly created cryptor modifications, Q3 2016 – Q3 2017
The number of new cryptor modifications continues to decline compared to previous quarters. This could be a temporary trend, or could indicate that cybercriminals are gradually losing their interest in cryptors as a means of making money, and are switching over to other types of malware.
The number of users attacked by ransomware
July was the month with the lowest ransomware activity. From July to September, the number of ransomware attacks rose, though it remained lower than May and June when two massive epidemics (WannaCry and ExPetr) struck.
Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2017)
The geography of attacks
Top 10 countries attacked by cryptors
Country* % of users attacked by cryptors**
1 Myanmar 0.95%
2 Vietnam 0.92%
3 Indonesia 0.69%
4 Germany 0.62%
5 China 0.58%
6 Russia 0.51%
7 Philippines 0.50%
8 Venezuela 0.50%
9 Cambodia 0.50%
10 Austria 0.49%
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000)
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.
Most of the countries in this Top 10 are from Asia, including Myanmar (0.95%), a newcomer to the Top 10 that swept into first place in Q3. Vietnam (0.92%) came second, moving up two places from Q2, while China (0.58%) rose one place to fifth.
Brazil, Italy and Japan were the leaders in Q2, but in Q3 they failed to make it into the Top 10. Europe is represented by Germany (0.62%) and Austria (0.49%).
Russia, in tenth the previous quarter, ended Q3 in sixth place.
Top 10 most widespread cryptor families
Name Verdict* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 16.78%
2 Crypton Trojan-Ransom.Win32.Cryptoff 14.41%
3 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 6.90%
4 Locky Trojan-Ransom.Win32.Locky 6.78%
5 Cerber Trojan-Ransom.Win32.Zerber 4.30%
6 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3.99%
7 Shade Trojan-Ransom.Win32.Shade 2.69%
8 Spora Trojan-Ransom.Win32.Spora 1.87%
9 (generic verdict) Trojan-Ransom.Win32.Gen 1.77%
10 (generic verdict) Trojan-Ransom.Win32.CryFile 1.27%
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.
Wannacry (16.78%) tops the rating for Q3, and the odds are that it’s set to remain there: the worm has been propagating uncontrollably, and there are still huge numbers of computers across the globe with the unpatched vulnerability that Wannacry exploits.
Crypton (14.41%) came second. This cryptor emerged in spring 2016 and has undergone many modifications since. It has also been given multiple names: CryptON, JuicyLemon, PizzaCrypts, Nemesis, x3m, Cry9, Cry128, Cry36.
The cryptor Purgen (6.90%) rounds off the top three after rising from ninth. The rest of the rating is populated by ‘old timers’ – the Trojans Locky, Cerber, Cryrar, Shade, and Spora.
The Jaff cryptor appeared in the spring of 2017, going straight into fourth place in the Q2 rating, and then stopped spreading just as suddenly.
Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In the third quarter of 2017, Kaspersky Lab solutions blocked 277,646,376 attacks launched from web resources located in 185 countries around the world. 72,012,219 unique URLs were recognized as malicious by web antivirus components.
Distribution of web attack sources by country, Q3 2017
In Q3 2017, the US (3.86%) was home to most sources of web attacks. The Netherlands (25.22%) remained in second place, while Germany moved up from fifth to third. Finland and Singapore dropped out of the top five and were replaced by Ireland (1.36%) and Ukraine (1.36%).
Countries where users faced the greatest risk of online infection
In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.
This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
Country* % of users attacked**
1 Belarus 27.35
2 Algeria 24.23
3 Russia 23.91
4 Armenia 23.74
5 Moldova 23.61
6 Greece 21.48
7 Azerbaijan 21.14
8 Kyrgyzstan 20.83
9 Uzbekistan 20.24
10 Albania 20.10
11 Ukraine 19.82
12 Kazakhstan 19.55
13 France 18.94
14 Venezuela 18.68
15 Brazil 18.01
16 Portugal 17.93
17 Vietnam 17.81
18 Tajikistan 17.63
19 Georgia 17.50
20 India 17.43
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.
On average, 16.61% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
Geography of malicious web attacks in Q3 2017 (ranked by percentage of users attacked)
The countries with the safest online surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%) and Cuba (4.44%).
Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.
In Q3 2017, Kaspersky Lab’s file antivirus detected 198,228,428 unique malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.
The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
Country* % of users attacked**
1 Yemen 56.89
2 Vietnam 54.32
3 Afghanistan 53.25
4 Uzbekistan 53.02
5 Laos 52.72
6 Tajikistan 49.72
7 Ethiopia 48.90
8 Syria 47.71
9 Myanmar 46.82
10 Cambodia 46.69
11 Iraq 45.79
12 Turkmenistan 45.47
13 Libya 45.00
14 Bangladesh 44.54
15 China 44.40
16 Sudan 44.27
17 Mongolia 44.18
18 Mozambique 43.84
19 Rwanda 43.22
20 Belarus 42.53
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.
This Top 20 of countries has not changed much since Q2, with the exception of China (44.40%), Syria (47.71%) and Libya (45.00%) all making an appearance. The proportion of users attacked in Russia amounted to 29.09%.
On average, 23.39% of computers globally faced at least one Malware-class local threat during the third quarter.
Geography of local malware attacks in Q3 2017 (ranked by percentage of users attacked)
The safest countries in terms of local infection risks included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czechia (7.89%), Ireland (6.86%) and Japan (5.79%).
All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.
Google introduces updates in Chrome to prevent unexpected redirects and unwanted content
12.11.2017 securityaffairs Vulnerebility
Google presents changes to Google Chrome that aim to prevent users from being redirected to unexpected websites and unwanted content.
Google is continuously working to improve the security of its product and service, last changes to Google Chrome aim to prevent users from being redirected to unexpected websites and unwanted content.
It has been estimated by Google that one in every five desktop users face unwanted content, it is very common to unexpectedly navigate web pages embedding third-party content.
The company announced the security updates this week, the next releases of Chrome will contain three new protection measures.
In Chrome 64, all redirects from third-party iframe will be notified to the user, the iframe, in fact, will display a sidebar of information instead of redirecting. To enable the redirection the user has to interact with that frame.
Another scenario covered by the measures introduced by Google sees users click on a desired destination, which opens in a new tab, while the main window displays an unwanted content. Starting with Chrome 65, this behavior will trigger an infobar and prevent the main tab from redirecting and bypassing Chrome’s pop-up blocker.
“One piece of feedback we regularly hear from users is that a page will unexpectedly navigate to a new page, for seemingly no reason. We’ve found that this redirect often comes from third-party content embedded in the page, and the page author didn’t intend the redirect to happen at all.” states the post on Chromium blog.
“To address this, in Chrome 64 all redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user had been interacting with that frame. This will keep the user on the page they were reading, and prevent those surprising redirects.”
Another scenario covered by Google sees links to third-party sites disguised as play buttons or other website controls.
“Finally, there are several other types of abusive experiences that send users to unintended destinations but are hard to automatically detect. These include links to third-party websites disguised as play buttons or other site controls, or transparent overlays on websites that capture all clicks and open new tabs or windows. ” continues Google.
“Similar to how Google Safe Browsing protects users from malicious content, starting in early January Chrome’s pop-up blocker will prevent sites with these types of abusive experiences from opening new windows or tabs.”
In January, Chrome will update its pop-up blocker to prevent these sites from opening new windows or tabs.
The IT giant is also launching the Abusive Experiences Report alongside other similar reports in the Google Search Console to help site owners and webmasters prepare for this security updates.
The report allows them to check if any of these abusive experiences have been found on their site and improve their user experience.
“Otherwise, abusive experiences left unaddressed for 30 days will trigger the prevention of new windows and tabs.” concluded Google.
Malwarebytes Scores Legal Win Over Enigma Software
12.11.2017 securityweek Cyber
Enigma Software, supplier of software known as SpyHunter, has a notice on its website: "Malwarebytes Inc., the maker of Malwarebytes Anti-Malware ("MBAM") and AdwCleaner, is intentionally blocking SpyHunter and RegHunter for what we believe are competitive reasons... We have taken legal action against Malwarebytes and are seeking remedies for this unfair conduct."
Those legal remedies were dismissed by the District Court, Northern District of California, San Jose Division on November 7, 2017.
The heart of the issue has been Malwarebytes' determination that SpyHunter is effectively a PUP; that is, a potentially unwanted program. PUPs tend to be nuisances rather than specifically malware. They are often adware apps that are easy to install and difficult to remove, offering little practical value to the consumer. Malwarebytes has been one of the more aggressive endpoint protection vendors in its classification and removal of PUPs.
It does so with SpyHunter -- and Enigma Software objected. Enigma's legal complaint claimed that Malwarebyte's actions were competitively motivated, and it asked the court for "Preliminarily and permanently enjoining Malwarebytes from programming MBAM to prevent the download and installation of SpyHunter or RegHunter;" adding a request for "punitive damages".
In response, Malwarebytes requested the court to dismiss Enigma's action, citing immunity under the Communications Decency Act -- which states, "No provider or user of an interactive computer service shall be held liable on account of... any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected..."
The court agreed, confirmed Malwarebytes' immunity, and dismissed Enigma's case.
This doesn't mean that SpyHunter is legally a PUP, only that Enigma cannot stop Malwarebytes from offering users the option to remove it under its PUP program.
F-Secure's Sean Sullivan commented, "We at F-Secure have our own PUP criteria in our efforts to do what's best and right for our customers -- and I'm comfortable that's exactly the intentions of the folks at Malwarebytes. Fighting for their customers -- good for them!"
Malwarebytes is delighted. "This is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users," blogged CEO Marcin Kleczynski yesterday. "This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn't."
It's too early to tell whether this is the beginning of the end of the PUP problem. "I'm not sure how much difference isolated instances of case law will make in the short term," comments ESET senior research fellow, David Harley, "but anything that tends to make monetization firms more answerable to the needs of the population as a whole -- or at least that sector of the population whose interests the security industry aims to protect -- is positive. It might be better in the long term, though, if the software distribution and monetization industries and the security vendors work out their differences in the context of the Clean Software Alliance. Well, we can but hope," he added.
Luis Corrons, technical director at PandaLabs, is not sure that the battle can be won in the courts. "All PUP fights in court, win or lose," he told SecurityWeek, "are a waste of time and resources for all of us. We could fight in court for ages and that won't help anyone."
Instead, he hopes for a solution via a relatively new organization, AppEsteem. "It is time to take a different approach in this field," he continued. Here what AppEsteem is doing has the potential to be a game-changer that helps everyone: users not being bothered by software that does not behave properly, security vendors focusing only on protecting their users and software vendors making money by being transparent and offering real value to end users."
AppEsteem's president, Dennis Batchelder, is clear, however. The result from the courts is "great for security companies, but more importantly, this dismissal is a big win for consumers. Security companies can truly put protection first. This strengthens AppEsteem's resolve to call out every deceptive app and drive a world where consumers are safe from fraud."
Avira spotted a new strain of the dreaded Locky Ransomware in the wild
12.11.2017 securityaffairs Ransomware
Avira firm detected a new strain of the Locky ransomware that is spreading through malicious attachments disguised as legitimate Libre and Office documents.
Researchers at Avira Virus Lab detected a new strain of the Locky ransomware that is spreading through malicious attachments disguised as legitimate documents from productivity applications like Microsoft Word and Libre Office.
The new Lock Ransomware appends the same “.asasin” extension to the file names of encrypted documents as samples analyzed by security firm PhishMe in October.
The malware authors attempt to trick the victims into double-clicking the envelope.
“This new wave is being spread through Office Word documents, not only Microsoft but also other programs such as Libre Office, which look like the following image:”Locky Ransomware
“By doing so, this sets off a cascade of actions which will end in all valuable files being encrypted and the user getting the following message.” states the analysis published by Avira.
Once the users double-click the image, a series of actions is triggered, ending with the encryption of the files on the infected machine.
The analysis of the image included in the bait Word document revealed a LNK file (Windows shortcut), by pasting the command into a text editor, the researchers discovered it is meant to run a PowerShell script.
“The script is in clear text and can easily be read. Its intent is to download another PowerShell script from a link embedded in the script and then run this script by using the Invoke-Expression function.” continues the analysis.
The second script connects a server controlled by the operators and downloads a Windows executable file, which includes several stages of code obfuscation to confuse analysts and trick people into thinking it’s a clean file.
The new strain of Locky ransomware collects information about the operating system and sends it, encrypted, to the command-and-control server that in turn replies with the encryption key.
The rapid evolution of ransomware in the threat landscape is worrisome, and this case demonstrates it.
Security experts are observing a rapid evolution of the Locky ransomware, recently they have seen it spreading via spam campaigns that rely on the Necurs botnet. A couple of weeks ago, operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection.
One of the new techniques adopted by the crooks is the use of the Dynamic Data Exchange (DDE) protocol designed to allow data transferring between applications.
Equifax earnings release: Security breach related expenses cost $87.5 Million in Q3
12.11.2017 securityaffairs Incindent
Equifax announced during the third quarter of 2017, it incurred $87.5 million in expenses related to the cyber attack that was reported in September.
It is very difficult to estimate the overall losses caused by a cyber attack because victims incur in direct and indirect costs that aren’t easy to calculate.
This week the credit reporting agency Equifax announced during the third quarter of 2017, it incurred $87.5 million in expenses related to the cyber attack that was reported on September 7, 2017.
The expenses associated with the massive attack include “costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred.”
The expenses are divided in $55.5 million in product costs, $17.1 million in firms hired as part of the incident investigation and response (i.e. security firm Mandiant, attorney’s), and $14.9 million in activities to support customers.
“During the third quarter of 2017, we recorded $87.5 million ($59.3 million, net of tax) for expenses related to the cybersecurity incident announced September 7, 2017. The components of the costs are as follows:
(In millions)
Three Months Ended
September 30, 2017
Product cost
$ 55.5
Professional fees
17.1
Consumer support
14.9
Total
$ 87.5
Expenses Incurred. In the third quarter of fiscal 2017, the Company recorded $27.3 million of pretax expenses related to the cybersecurity incident.” reported Equifax. “These expenses are included in Selling, General and Administrative expenses in the accompanying Consolidated Statements of Income for the three and nine months ended September 30, 2017. Expenses include costs to investigate and remediate the cybersecurity incident and legal and other professional services related thereto, all of which were expensed as incurred. “Equifax data breach
Unfortunately, the expenses could increase in the incoming months because the agency would be liable for additional costs stemming from the free credit file monitoring and identity theft protection that it is already offering all U.S. consumers.
“Additionally, as a result of the cybersecurity incident, we are offering free credit file monitoring and identity theft protection to all U.S. consumers. We have concluded that the costs associated with providing this service are a contingent liability that is probable and estimable.” Equifax added in the earnings release.
“We have therefore recorded an estimate of the expenses necessary to provide this service to those who have signed up or will sign up by the January 31, 2018 deadline. We have incurred $4.7 million through September 30, 2017 and have estimated a range of additional costs between $56 million and $110 million.”
Equifax also reported other costs associated with the breach, such as billions in market cap due to a falling share price after the security breach was disclosed.
IT threat evolution Q3 2017
11.11.2017 Kaspersky Cyber
Targeted attacks and malware campaigns
[Re-]enter the dragon
In July, we reported on the recent activities of a targeted attack group called ‘Spring Dragon’ (also known as LotusBlossom), whose activities data back to 2012. Spring Dragon makes extensive use of spear-phishing and watering-hole attacks. The group’s targets include high-profile government agencies, political parties, educational institutions and telecommunication around the South China Sea – including Taiwan, Indonesia, Vietnam, the Philippines, Hong Kong, Malaysia and Thailand.
Most of the malicious tools implemented by Spring Dragon over the years are backdoors designed to steal data, execute additional malware components and run system commands on victim’s computers. These give the attackers the ability to undertake a variety of different malicious activities on their victims’ computers. The group maintains a large C2 infrastructure, comprising more than 200 unique IP addresses and C2 domains.
The large number of samples that we have collected have customized configuration data, different sets of C2 addresses with new hardcoded campaign IDs, as well as customized configuration data for creating a service for malware on a victim’s system – all of which makes detection more difficult.
We think it is likely that Spring Dragon, like many other targeted attack campaigns, is likely to re-surface in this region, so it is important for organisations to make effective use of good detection mechanisms such as YARA rules and IDS signatures.
You can read our report on Spring Dragon here.
Stepping-stones
One of the most striking aspects of the ExPetr attacks earlier this year was its primary attack vector: the attackers specifically targeted a company supplying accounting software to Ukrainian companies. Most of the victims of this wiper were located in Ukraine. However, it recently became clear that the attack has had a significant impact on some companies that operate worldwide. Among them are Maersk, the world’s largest container ship and supply vessel company. The company indicated in its earnings report that it expected losses of between $200 and $300 as a result of ‘significant business interruption’ caused by the ExPetr attack. Another was FedEx, which revealed that the operations of its TNT Express unit in Europe were ‘significantly affected’ by the attack, costing the company around $300 in lost earnings.
In recent months, we have seen further cases of attackers compromising software supply chain providers and using this as a stepping-stone into their chosen targets.
In July, we discovered suspicious DNS requests on the network of a customer working in the financial services industry: we found the requests on systems used to process transactions. The source of the DNS queries was a package for popular server management software developed by NetSarang. Customers of NetSarang, which has headquarters in South Korea and the United States, include companies working in financial services, energy, retail, technology and media. The attackers had modified one of the updates to include a backdoor.
NetSarang quickly removed the compromised update, but not before it had been activated at least once (we were able to confirm an activation on a computer in Hong Kong).
The attackers hide their malicious intent in several layers of encrypted code. The tiered architecture means that the business logic of the backdoor is not activated until a special packet has been received from the first tier C2 (Command and Control) server. Until then, it transfers basic information every eight hours: this includes computer, domain and user names. The payload is only activated through a crafted ‘dns.txt’ record for a specific domain. This allows the attackers to glean system information and send a decryption key to unlock the next stage of the attack, activating the backdoor itself.
This backdoor, called ShadowPad, is a modular platform that lets the attackers download and execute arbitrary code, create processes and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.
You can read more about ShadowPad here.
Another supply-chain attack occurred in September, when attackers compromised an update to the Windows clean-up utility CCleaner, published by Avast. Researchers at Cisco Systems Talos Group discovered that attackers had modified the installer for CCleaner 5.3 to drop their malware on the computers of anyone who downloaded the utility. The malware, which was signed with a valid certificate, was active for a month and infected around 700,000 computers. The attackers used a two-stage infection process. The first delivered a profile of the victim to the attackers C2 servers, while the second was reserved for specific targets. You can find details of the analysis here.
It is sometimes tempting for companies to imagine that no one would want to target them – perhaps because they are not a large company, or because they do not believe that they have anything of significance to an attacker. However, even quite apart from their intellectual property, or personal information belonging to customers, they can be valuable as a stepping-stone into another organisation.
The bear facts
In August, we provided an update on an interesting APT that we call ‘WhiteBear’, related to the Turla group. Like Turla, WhiteBear uses compromised web sites and hijacked satellite connections for its C2 infrastructure. The project also overlaps with other Turla campaigns such as ‘Skipper Turla’ (or ‘WhiteAtlas’) and ‘Kopiluwak’ (both of which we detailed for subscribers to Kaspersky APT intelligence reports). In addition, we have found WhiteBear components on a subset of systems that were previously targeted by WhiteAtlas, with the same file-paths and identical filenames. Nevertheless, we have been unable to firmly tie the delivery of WhiteBear to any specific WhiteAtlas components, and we believe that WhiteBear is the product of a separate development effort and has a distinct focus.
For much of 2016, WhiteBear activity was narrowly focused on embassies and consulates around the world – all related to diplomatic and foreign affairs organisations. This shifted in mid-2017 to include defence-related organizations.
Although we’re not sure of the delivery vector for WhiteBear components, we strongly suspect that the group sends spear-phishing e-mails to its targets containing malicious PDF files.
The encryption implemented in the main module, the WhiteBear orchestrator, is particularly interesting. The attackers encrypt/decrypt, and pack/decompress the resource section with RSA+3DES+BZIP2. This implementation is unique and includes the format of the private key as stored in the resource section. 3DES is also present in Sofacy and Duqu 2.0 components, but they are missing in this Microsoft-centric RSA encryption technique. The private key format used in this schema and the RSA crypto combination with 3DES is (currently) unique to this group.
Most WhiteBear samples are signed with a valid code-signing certificate issued for ‘Solid Loop Ltd’, a once-registered British organization. This is probably a front organization or a defunct organization; and the attackers have assumed its identity to abuse the name and trust, in order to create deceptive digital certificates.
You can find full technical details of WhiteBear here.
(Un)documented Word feature abused by hackers
If a targeted attack is to be successful, the attackers must first gather intelligence on their prospective victims. In particular, they need details about the operating system and key applications, so that they can deliver the appropriate exploit.
During an investigation of a targeted attack, we found some spear-phishing e-mails with interesting Word documents attached to them. At first sight, they seemed unremarkable: they contained no macros, exploits or other active content.
However, on closer inspection, we found that they contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links and, as a result, provided the attackers with information about software installed on the target computer. The documents were in OLE 2 (Object Linking and Embedding) format. OLE allows authors to embed objects and link to multiple objects or resources in a single Word document. For example, an author can created a field in a document that points to a graphic file, rather than simply embedding the graphic file.
We found a field in the document called ‘INCLUDEPICTURE’. The link to the image in this field should be in ASCII, but in this case, it was in Unicode. Microsoft documentation provides virtually no information about this field. However, the attackers manipulated the Unicode framework to trigger a GET request to malicious and obfuscated URLs contained in the underlying code of the Word document. These links then point to PHP scripts located on third-party web sites, enabling the attackers to gather information about the software installed on the computer.
This feature is not only present in Word for Windows, but also in Microsoft Office for iOS and in Microsoft Office for Android.
You can read further details about our investigation here.
Information security incidents and how to respond to them
Our growing dependence on technology, connectivity and data means that businesses present a bigger attack surface than ever. Targeted attackers have become more adept at exploiting their victims’ vulnerabilities to penetrate corporate defences while ‘flying under the radar’. Unfortunately, corporate information security services are often unprepared. Their employees underestimate the speed, secrecy and efficiency of modern cyber-attacks and businesses often fail to recognize how ineffective the old approaches to security are. Even where companies supplement traditional prevention tools such as anti-malware products, IDS/IPS and security scanners with detection solutions such as SIEM and anti-APT, they may not be used to their full potential.
You can’t manage what you can’t measure. One of the key factors in responding effectively to a targeted attack is to understand the nature of the incident.
In August, our incident response team used the example of a bank attack to present the key stages of a targeted attack (known as the kill chain) and the steps required for an effective incident response process. You can read the report here, but the following is a summary of the key elements.
The basic principles of a successful targeted attack include thorough preparation and a step-by-step strategy. The stages of the kill chain are:
RECONNAISSANCE (learning about the target)
WEOPANISATION (choosing the method of attack)
DELIVERY (deciding on the attack vector)
EXPLOITATION (exploiting a vulnerability to gain an initial foothold)
INSTALLATION (installing the malware)
COMMAND-AND-CONTROL (connecting to the attackers’ server for further instructions)
ACTIONS ON OBJECTIVE (achieving the attackers’ goals)
The basic principles behind the work of information security staff are the same as the attackers – careful preparation and a step-by-step strategy. The objectives, of course, are fundamentally different: to prevent incidents and, if one occurs, to restore the initial state of the system as soon as possible.
There are two main stages involved in responding to a specific incident: investigation and system restoration. The investigation must determine
The initial attack vector
The malware, exploits and other tools use by the attackers
The target of the attack (affected networks, systems and data)
The extent of the damage (including reputational damage) to the organisation
The stage of the attack (whether or not it was completed and the attackers’ goals were achieved)
Timeframes (when the attack started and ended, when it was detected and the response time of the information security service)
Once the investigation has been completed, it is necessary to use the information learned to create a system recovery plan or, if one exists, to assess how it can be improved.
The overall strategy includes the following steps.
PREPARATION (develop the tools, policies and processes needed to defend the organisation)
IDENTIFICATION (decide if an incident has occurred by identifying pre-defined triggers)
CONTAINMENT (limit the scope of the incident and maintain business continuity)
ERADICATION (restore the system to its pre-incident state)
RECOVERY (re-connect the affected systems to the wider network)
LESSONS LEARNED (how well did the information security team deal with the incident and what changes need to be made to the strategy)
In the event of the information security team having to respond to multiple incidents simultaneously, it’s important to correctly set priorities and focus on the main threats. The key factors involved in determining the severity of an incident include:
The network segment where the compromised computer is located
The value of the data stored on that computer
The type and number of incidents that affect the same computer
The reliability of the IoCs (Indicators of Compromise) for this incident
The choice of computer, server or network segment to deal with first will depend on the specific nature of the organisation.
Malware stories
The hidden advertising threat
As well as banking Trojans, ransomware and other threats that can clearly be defined as malware, people also face numerous borderline programs – including advertising bots and modules, and partnership programs – which are typically referred to as ‘potentially unwanted programs’. They are borderline because there is sometimes a fine line between classifying something as an outright Trojan or adware. One such program is Magala, a Trojan-Clicker.
Such programs imitate a user click on a particular web page, thus boosting advertisement click counts. Magala doesn’t actually affect the person whose computer it is installed on, other than consuming some of their computer’s resources. The victims are those who pay for the advertising – typically small business owners doing business with unscrupulous advertisers.
The first stage of the infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. The Trojan doesn’t run if it’s version 8 or earlier. Otherwise, it initialises a virtual desktop, used to perform all subsequent activities. Then it runs a sequence of utility operations (typical for this type of malware): it sets up autorun, sends a report to a hardcoded URL, and installs the required adware. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows interface that makes it easy to use DOM tree. The Trojan uses it to load the MapsGalaxy Toolbar, installs this on the system and adds the site ‘hxxp://hp.myway.com’ to the system registry, associating it with MapsGalaxy so that it becomes the browser’s home page.
The Trojan then contacts the remote server and requests a list of search queries for the click counts that it needs to boost. The server returns this list in plain text. Magala uses the list to send the requested search queries and clicks on each of the first 10 links in the search results, with an interval of 10 seconds between each click.
The average cost per click in a campaign of this sort is $0.07. So a botnet consisting of 1,000 infected computers clicking 10 web site addresses from each search result, performing 500 search requests with no overlaps in the search results, could earn the cybercriminals up to $350 from each infected computer. However, this is just an estimate as the costs can vary greatly in each situation.
Statistics from March to early June 2017 indicate that most Magala infections occur in the United States and Germany.
This class of program typically doesn’t present as much of a threat to consumers as, for example, banking Trojans or ransomware. However, two things make it tricky to deal with. First, such programs straddle the borderline between legitimate and malicious software and it’s vital to determine whether a specific program is part of a secure and legal advertising campaign or if it’s illegitimate software making use of similar functions. Second, the sheer quantity of such programs means that we need to use a fundamentally different approach to analysis.
You can read more about Magala here.
It started with a link
Cybercriminals are constantly on the lookout for ways of luring unsuspecting victims into doing things that compromise their security and capture personal data. In August, David Jacoby from Kaspersky Lab and Frans Rosen from Detectify teamed up to expose one such campaign that used Facebook Messenger to infect people.
It started with a link to a YouTube video. The cybercriminals behind the scam used social engineering to trick their victims into clicking on it: the message contained the recipient’s first name, plus the word ‘Video’ – for example ‘David Video’ – and then a bit.ly link.
This link pointed to Google Drive, where the victim would see what looks like a playable movie, with a picture of them in the background and what seems to be a ‘Play’ button.
If the victim tried to play the video in the Chrome browser, they were redirected to what looked like a YouTube video and were prompted to install a Chrome extension –in fact, this was the malware. The malware waited for the victim to sign in to their Facebook account and stole their login credentials. It also captured information about their Facebook contacts and sent malicious links to their friends – so spreading the infection further.
Anyone using a different extension was nagged into updating their Adobe Flash Player instead – but the file they downloaded was adware, earning money for the cybercriminals through advertising.
This attack relied heavily on realistic social interactions, dynamic user content and legitimate domains as middle steps. The core infection point of the spreading mechanism was the installation of a Chrome Extension. It’s really important to be careful about allowing extensions to control your browser interactions and also to make sure that you know exactly what extensions you are running in your browser. In Chrome, you can type ‘chrome://extensions/’ into the address field of your browser to get a list of enabled extensions. On top of this, of course, be wary about clicking on links. If you’re in any doubt about whether it’s legitimate or not, contact the sender to check if it was really them who sent it.
Undermining your security
We have seen a substantial growth in crypto-currency miners this year. In 2013, our products blocked attempts to install miners on the computers of 205,000 people protected by Kaspersky Lab products. In 2014, this increased to 701,000. In the first eight months of 2017, this increased to 1.65 million.
Crypto-currency mining is not illegal. However, there are groups of people who trick unwitting people into installing mining software on their computers, or exploit software vulnerabilities to do so. The criminals obtain crypto-currency, while the computers of their victims slow down. We have recently detected several large botnets designed to profit from concealed crypto mining. We have also seen growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the business processes of the target organisations suffer because data processing speeds fall substantially.
The main method used to install miners is adware installers spread using social engineering. There are also more sophisticated propagation methods – one is using the EternalBlue exploit published in April 2017 by the Shadow Brokers group. In this case, the cybercriminals tend to target servers – these provide them with a more powerful asset.
We recently detected a network made up of an estimated 5,000 plus computers on which Minergate, a legal console miner, had been installed without the knowledge or consent of the victims. The victims had downloaded the installer from a file-hosting service, under the guise of a freeware program or keys to activate licensed products. This installer downloader the miner’s dropper file to their computer. This installed the Minergate software to the computer, ensuring that it is loaded each time the computer boots and re-installing it if it is deleted.
Often, crypto-miners come with extra services to maintain their presence in the system, launch automatically every time the computer boots and conceal their operation. Such services could, for example try to turn off security software, monitor system activities or ensure that the mining software is always present by restoring it if the files are deleted.
Concealed miners are very difficult to detect because of their specific nature and operating principles. Anyone can choose to install this kind of software and legally use it to mine a crypto-currency.
Monero (XMR) and Zcash are the two currencies most often used in concealed mining. They both ensure the anonymity of transactions – this is clearly very useful for cybercriminals. Even according to conservative estimates, a mining network can generate up to $30,000 per month for its owners.
The above image shows a wallet coded into the miner’s configuration data. At the time of writing, 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.
You can read more here.
Connected hospitals
Technology now reaches into more parts of society than ever before. As a result, organisations that previously didn’t need to think about cyber-security now face cyber-attacks. One example of this is the healthcare industry. Medical information that has traditionally existed in paper form is now to be found in databases, portals and medical equipment.
Data security in medicine is more serious than it seems at first glance. The obvious issue might be the theft and resale of medical data on the black market. However, the possibility of diagnostic data being modified by attackers is even more alarming. Regardless of the goals of the attackers (extortion or attacks targeted at specific patients), there’s a serious risk to patients: after receiving incorrect data, doctors may prescribe the wrong course of treatment. Even if the attempt to substitute data is detected in time, the normal operation of the medical facility may be disrupted, prompting the need to verify all of the information stored on compromised equipment. According to a report by the Centre for Disease Control and Prevention (CDC), the third leading cause of death in the United States comes from medical errors. Establishing a correct diagnosis depends not only on the knowledge and skill of a doctor, but on the correctness of data received from medical devices and stored on medical servers. This makes the resources for connected medicine a more attractive target for attackers. Unfortunately, in some cases, the security of the network infrastructure of healthcare facilities is neglected, and resources that process medical information are accessible from outside sources.
This term ‘connected medicine’ refers to a large number of workstations, servers, and dedicated medical equipment that are connected to the network of a medical institution (a simplified model is shown in the figure below).
Diagnostic devices can be connected to the LAN of an organization or to workstations- for example, through a USB connection. Medical equipment quite often processes data (for example, a patient’s photographs) in DICOM format, an industry standard for images and documents. In order to store them and provide access to them from outside, PACS (Picture Archiving and Communication Systems) are used, which can also be of interest to cybercriminals.
We have put together some recommendations for securing medical facilities. You can find the details here, but the following is a summary of the key points:
Prevent public access to all nodes that process medical data
Assign counter-intuitive names to resources
Periodically update installed software and remove unwanted applications
Don’t connect expensive equipment to the main LAN
Ensure timely detection of malicious activity on the LAN
#AVGater attack abuse Quarantine vulnerabilities for privilege escalation
11.11.2017 securityaffairs Vulnerebility
The security experts Florian Bogner devised a method dubbed AVGater to escalate privileges by abusing the quarantine feature of some antiviruses.
Several popular antivirus solutions are affected by flaws that could be exploited by attackers to escalate privileges on a compromised system by abusing the quarantine feature.
The security experts Florian Bogner devised a method dubbed AVGater to escalate privileges by abusing the quarantine feature of some antiviruses.
“Today, I’m disclosing an issue, that can be exploited by any local user to gain full control over the endpoint by abusing the restore from quarantine Anti-Virus feature. ” wrote Bogner.
avgater
According to the expert, Bogner, the attack chain starts by inducting the AV software into placing a malicious DLL file into quarantine. The attacker then uses the security application’s Windows process, that runs with SYSTEM permissions, to restore the file. The malicious DLL is not restored to its original location, but to a different folder from which it is possible to execute a privileged process such as the Program Files or Windows folders, In this new location files cannot be written by a user with limited privileges.
“if a non-privileged user would be able to manipulate any of the communication channels that cross security boundaries (unprivileged user mode to privileged user mode or privileged user mode to kernel mode) he could escalate his privileges.” continues Bogner.
“As shown in the above video, #AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for a legitimate Windows servers by abusing the DLL Search Order:”
In order to tamper with the restore process attackers leverage junctions, a type of file link supported by the NTFS file system that can be used to link directories.
Once the DLL is placed in the differed folder, the privileged Windows process associated with that folder will execute it instead of the legitimate file because of how the DLL search order works.
Windows first looks for a DLL in the directory from which the app is loaded.
The AVGater vulnerability can only be exploited if the user whose account has been compromised can restore quarantined files.
The flaw affects AV software from Emsisoft, Kaspersky Lab, Malwarebytes, Trend Micro, Check Point (ZoneAlarm) and Ikarus, other AV solutions from different vendors are impacted but their names will be disclosed only after they addressed the issue.
Bogner published the detailed analysis of the AVGater attack working against AV solutions from Emsisoft and Malwarebytes. The expert explained that the attacker can trigger the flaw by placing the malicious DLL in the directory associated with this AV software allowing the Emsisoft Protection Service and the Malwarebytes Service process, respectively, to load the malware instead of the legitimate library.
Both Emsisoft and Malwarebytes issued security patches within a week to address the vulnerabilities.
Antivirus Quarantine Flaws Allow Privilege Escalation
11.11.2017 securityweek Vulnerebility
Several popular antivirus products are affected by a type of vulnerability that allows an attacker to escalate privileges on a compromised system by abusing the quarantine feature, a researcher warned on Friday.
Once an attacker hacks into a system, they might need to somehow obtain higher privileges in order to access information that would allow them to move laterally within the network.
Florian Bogner, information security auditor at Austria-based Kapsch, claims to have discovered a new way to achieve this: abusing the quarantine feature of some antiviruses.
The attack method, dubbed by the researcher AVGater, relies on a combination of flaws and known techniques.AVGater
According to Bogner, an attack starts with a malicious DLL file being placed into quarantine by the antivirus software. The attacker then abuses the security application’s Windows process, which typically has SYSTEM permissions, to restore the file. However, the malicious DLL is not restored to its original location, but to a different folder from which a privileged process is launched – such as the Program Files or Windows folders – and where files cannot be written by a user with limited privileges.
Writing the restored file anywhere on the system is possible due to junctions, a type of file link supported by the NTFS file system. Junctions are file system representations that can be used to link directories.
Once the malicious DLL is placed in the targeted folder, the privileged Windows process associated with that folder will execute it instead of the legitimate file due to how the DLL search order works – Windows first looks for a DLL in the directory from which the app is loaded.
The vulnerability has been confirmed to affect products from Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point (ZoneAlarm) and Ikarus, the expert said. Software from other vendors is impacted as well, but their names will only be disclosed after they release patches.
Bogner has published two separate blog posts detailing exploitation against Emsisoft and Malwarebytes products. In these examples, the attacker could have placed the malicious DLL in the directory associated with these security products so that the Emsisoft Protection Service and the Malwarebytes Service process, respectively, would load the malware instead of the legitimate library.
The researcher has not specified when other antivirus vendors were notified, but Emsisoft and Malwarebytes were informed in late 2016 and early 2017 and they released patches within a week.
Bogner pointed out that the AVGater vulnerability can only be exploited if the user whose account has been compromised can restore quarantined files. That is why he has advised organizations to ensure that regular users cannot complete such operations.
Similar to any other software, security products can also have serious vulnerabilities that could be exploited by threat actors. Experts also warned that antiviruses can not only increase the attack surface, but also weaken HTTPS security.
Phishing Poses Biggest Threat to Users: Google
10.11.2017 securityweek Phishing
A study conducted by Google over a one-year period showed that online accounts are most likely to become compromised as a result of phishing attacks.
Between March 2016 and March 2017, Google researchers identified 12.4 million potential victims of phishing, roughly 788,000 potential victims of keylogger malware, and over 1.9 billion users whose accounts had been exposed due to data breaches.
The fact that third-party data breaches expose significant amounts of information is not surprising. Several companies admitted that hackers had stolen the details of millions of users from their systems and Yahoo alone exposed over one billion accounts in the past years.
However, Google’s analysis showed that only less than 7 percent of the passwords exposed in third-party data breaches were valid due to password reuse. Furthermore, the company’s data suggests that credential leaks are less likely to result in account takeover due to a decrease in password reuse rates.
On the other hand, nearly a quarter of the passwords stolen via phishing attacks were valid, and Google believes phishing victims are 460 times more likely to have their accounts hacked compared to a random user.
As for keyloggers, nearly 12 percent of the compromised passwords were valid, and falling victim to such malware increases the chances of account takeovers 38 times.
Phishing kits and keyloggers are also more likely to lead to account hijacking due to the fact that many of them also collect additional information that may be requested by the service provider to verify the user’s identity, including IP address, location and phone number.
An analysis of the most popular phishing kits revealed that they mainly target Yahoo, Hotmail, Gmail, Workspace Webmail (GoDaddy) and Dropbox users.
In the case of keyloggers, the HawkEye malware appears to be the most successful, with more than 400,000 emails containing stolen credentials being sent to attackers. Cyborg Logger and Predator Pain also made a significant number of victims.
As for the location of the individuals using these phishing kits and keyloggers, Google’s analysis of the IP addresses used to sign in to the email accounts receiving stolen credentials revealed that the top country is Nigeria in both cases.
“Our findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets,” Google employees wrote in a blog post. “While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe.”
Using legitimate tools to hide malicious code
10.11.2017 Kaspersky Virus
The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware.
Our eye was caught by various samples for .NET that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft’s website: “The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace”).
The technique was described by information security researcher Casey Smith aka subTee (Proof of Concept). Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly, bypassing the entry point of the assembly; all malicious activity is then hidden in the context of the trusted process.
The spreading of malicious samples follows a standard pattern: they basically reach the user in a password-protected archive, and the executable file icons in most cases are chosen specially so that the victim perceives the file as a normal document or photo. We also encountered executable files masquerading as a key generator for common software. To begin with, the malicious content of the generator got inside the %TEMP% folder, where it was run later in the described manner.
Users are misled by executable file icons
Analysis
All the malicious files we encountered were heavily obfuscated, which complicated their manual analysis. We took the sample 263dc85de7ec717e8940b1ccdd6ee119 and deobfuscated its strings, classes, methods, and fields. Here’s how the file looked before deobfuscation:
Sample before deobfuscation
InstallUtil.exe allows file execution to start not from the .NET assembly entry point: execution begins from a class inherited from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in static class constructors is known to execute first when the assembly is loaded into memory, a feature utilized by the authors of this piece of malware.
Let’s examine the behavior of the malicious file in the order of methods execution. First up is FirstMainClass, since its constructor is marked with the keyword “static” and assembly execution begins with it:
The static constructor of FirstMainClass that is triggered when the assembly is loaded
The constructor does the following:
CheckSandboxieEnvironment() determines whether the file is running in Sandboxie by attempting to load the SbieDll.dll library. If the library can be loaded, the malicious process terminates;
CheckVirtualBoxEnvironment() searches for the vboxmrxnp.dll library, which belongs to VitrualBox. If the library can be found, the malicious process likewise terminates;
AddResourceResolver() adds a method for handling the resource load event. This method unpacks the assembly, which is packed by the Deflate algorithm, from a specific resource and loads the assembly into memory;
The method responsible for loading the assembly from the resource
The assembly is unpacked from the resource and loaded into memory
The UnpackAllAssemblies() method of the AssemblyResourceLoader class iterates through all the assembly resources and, if the resource name contains the string “+||”, unpacks the assemblies from these resources. The assemblies unpacked by this method are required by the malicious file to operate, and are legitimate libraries: Interop.MSScript.Control, Interop.TaskScheduler, SevenZipSharp;
RemoveZoneIdentifier() deletes the NTFS alternate stream Zone.Identifier through the command line to prevent a warning at startup if the file was downloaded from the Internet. The authors made a slight mistake in the command line (“cmd.exe /c (echo. > file path:Zone.Identifier) 2 > Null”) by leaving a space between the characters 2 and >, which produces an error in the console:
The warning issued on deleting Zone.Identifier
The ElevatePrivilegesProxy() method is the wrapper for the ElevatePrivileges() method, which in turn uses the known UAC bypass technique described by Matt Nelson aka enigma0x3.
Control then passes to the traditional entry point—the Main() method, which is located in the Form5 class:
The traditional entry point is the Main() method
We see that a WMI object is retrieved after a 30-second pause. Next, the ScriptControlClassInstance object is customized, which the language (Visual Basic script) and the body of the script are transferred to:
The script that runs the executable file using InstallUtil.exe
The AddCode() method adds and executes a VB script that runs the current assembly using InstallUtil.exe. After that, the current process is closed by calling Environment.Exit(0).
At the next stage, the malicious object is run using the InstallUtil tool and once more executes the static constructor of the FirstMainClass class examined above; control passes to the static constructor of the InstallUtilEntryClass class, which, as mentioned, is inherited from System.Configuration.Install.Installer:
The static class constructor called by InstallUtil.exe
The functions of this class include:
Copying the malicious file to %APPDATA%\program\msexcel.EXE, setting the Hidden+System attributes for the “program” folder, running msexcel.EXE, and terminating the current process;
Adding the copied file to autorun (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run);
Creating a task called “filesqmaepq0d.tnk” that runs msexcel.EXE every minute to ensure survival on the victim’s computer;
Checking if the malicious process is already running. An event with the name “78759961M” is created, and if such an event already exists in the system, the new process terminates;
Creating the Form5 class and calling its destructor.
Let’s sum up the interim results: all the actions described above (entrenchment in the system, elevation of privileges, startup from a trusted application) are essentially laying the foundation for the main task. Let’s move on to analyzing the next stage of the preparatory actions, which will take us closer to the heart of the malicious activity.
The malicious assembly contains, inter alia, five classes inherited from System.Windows.Forms.Form. Inheritance from the Form class is not accidental: in its inheritance hierarchy it implements several interfaces, one of which is IDisposable, which allows to override the Dispose() method for its own purposes. Dispose() methods are called by the garbage collector in order to free up unmanaged resources used by the class when closing or unloading the assembly. Now let’s look at the source code of the Dispose() method of the Form5 class:
The overridden Dispose() method of the Form5 class
As we can see, various methods are executed at each iteration of the cycle, and the results are saved. Let’s take a closer look:
At the first iteration, the full path to the RegAsm.exe utility from .NET Framework is retrieved;
A chain of nested methods is called with a view to decoding strings from Base64 that are stored in another class and unpacking the resulting array using the SevenZipExtractor library. As a result, we get an array that is the remote administration tool NanoCore Client;
The PERun.dll library is loaded from the assembly that was previously unpacked from the resource into memory;
A class with the name “RunPE” and the Run method of this class are sought in this library;
At the final iteration, the parameters are transferred and the Run method is called.
Knowing that the legalProgramPath variable contains the full path to the legitimate utility RegAsm.exe, PEFileByteArray contains the executable file in the form of a byte array, while the class name is RunPE; it is not hard to figure out that the Run() method employs the technique of hiding malicious code in the address space of the trusted process RunPE. This technique is widely known and described here, for instance.
Deep inside the Run() method, a legitimate utility process is created in CREATE_SUSPENDED state (the sixth parameter is 4u):
Creating a legitimate program process in CREATE_SUSPENDED state
Eventually, the RegAsm.exe process is loaded in the address space and starts to execute the payload: the remote administration tool NanoCore Client. Only trusted processes remain in the list of running processes, and even an experienced user might not realize that the system is compromised:
Only legitimate utilities can be seen in the list of running processes
RegAsm.exe was chosen as the “carrier” because (a) it is a legitimate utility from Microsoft, (b) it is located in the same directory as InstallUtil.exe, and (c) a utility from .NET Framework calling another utility from the same framework is less suspicious than calling, say, notepad.exe. In fact, the use of RegAsm.exe is not critical: the “carrier” could be any program that does not arouse the suspicion of security software and users. It is also important that all actions involving a malicious module are executed in memory, which allows file scanners to be bypassed.
As we’ve mentioned, this sample contains NanoCore Client, which can be used to control the victim’s computer, take screenshots, record keystrokes, download files, and much more. It should be noted that the payload here can be anything: from “fashionable” encrypters and miners to advanced Trojans.
Conclusion
Malware writers employ various tricks to conceal malicious activity, and the above technique allowing the execution of malicious code in the context of two legitimate programs is an obvious example. Detecting this kind of concealment method requires a behavioral analysis of the program. Kaspersky Lab’s security solutions detect this behavior as PDM: Trojan.Win32.Generic and PDM: Exploit.Win32.Generic.
IOC (MD5)
263DC85DE7EC717E8940B1CCDD6EE119 payload: EF8AF3D457DBE875FF4E3982B34F1DE9
3E4825AA1C09E27C2E6A1309BE8D6382 payload: 82709B139634D74DED404A516B7952F0
7E3863F827C1696835A49B8FD7C02D96 payload: D1A9879FFCB14DF70A430E59BFF5EF0B
8CB8F81ECF1D4CE46E5E96C866939197 payload: D8652841C19D619D2E3B5D7F78827B6E
FDF4086A806826503D5D332077D47187 payload: BF4A3F4B31E68B3DE4FB1F046253F2D0
TOASTAMIGO – the first known strain of malware that uses the Toast Overlay exploit
10.11.2017 securityaffairs Android
Trend Micro spotted TOASTAMIGO, the first known malware that uses the recently patched vulnerability that ties with the Toast Overlay attacks.
Malware researchers at Trend Micro have spotted the first known strain of malware that triggers the recently patched vulnerability, tracked as CVE-2017-0752, that ties with the Toast Overlay attacks.
The vulnerability was discovered in September by security researchers with Palo Alto Networks Unit 42.
The experts reported that it is possible to abuse Android’s toast notification, a feature that is used to provide feedback about an operation in a small short-lived pop up notification, to obtain admin rights on targeted phones and take over the device.
The vulnerability affects all versions of the Android operating system prior to the latest Android 8.0, (Oreo), nearly all Android users.
“What our researchers have found is a vulnerability that can be used to more easily enable an “overlay attack,” a type of attack that is already known on the Android platform. This type of attack is most likely to be used to get malicious software on the user’s Android device.” reads the analysis published by Palo Alto Networks. “This type of attack can also be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable (i.e., a “brick”) or to install any kind of malware including (but not limited to) ransomware or information stealers. In simplest terms, this vulnerability could be used to take control of devices, lock devices and steal information after it is attacked.”
The toast attack is exploitable for “overlay” attacks on Android phones, attackers use them to create a UI overlay to be displayed on top of legitimate Android applications and trick victims into providing sensitive information or clicking confirmation buttons.
Google fixed the flaw in its monthly Android security updates.
This week, Trend Micro experts reported seeing the first piece of malware exploiting the Toast overlay flaw, for this reason, it was dubbed TOASTAMIGO. The Android malware was disguised as apps named Smart AppLocker that had been available on Google Play, it has been downloaded hundreds of thousands of times before Google removed it.
The TOASTAMIGO app claims to secure devices with a PIN code, but once the victim installed it, the app requests Accessibility permissions and inform the user that they need to scan the phone for unsecure apps. The malware uses the Toast exploit to display a progress screen for the “scan,” while it executes commands from the attackers in background and installs a second-stage malware named by Trend Micro AMIGOCLICKER.
“The malware ironically pose as legitimate app lockers that supposedly secure the device’s applications with a PIN code. Upon installation, these apps will notify the user that they need to be granted Accessibility permissions for it to work. It’s all a ruse to sidestep Android’s countermeasure that requires apps to have explicit user permission.” states Trend Micro. “After granting permissions, the apps will launch a window to purportedly “analyze” the apps. Behind the scenes, however, the apps carry out actions or commands, including the installation of a second malware (since it already has the permissions).”
TOASTAMIGO also implements features to prevent its removal by security software. AMIGOCLICKER is able to collect Google accounts and perform other actions, including click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.
“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”
Experts explain the Return on Investments in the cybercriminal underground
10.11.2017 securityaffairs CyberCrime
How much is the return on investment in the cybercriminal underground? Let’s dig a report recently published by threat intelligence firm Recorded Future to find the answer.
Cybercrime is a profitable business and the returns of investments can be enormous, this is what emerged from another interesting research of the threat intelligence firm Recorded Future.
It is cheap and simple for wannabe hackers to set up their own botnet, a banking trojan can be paid from professional malware developers for $3,000–$5,000.
Web-injects to intercept credentials for bank account goes from $100 up to $1,000, and of course, crooks need a bulletproof hosting that can cost $150 to $200 per month, while payload obfuscation tools to avoid detection can cost up to $50.
Another crucial aspect of the illicit business is the cash out, researchers from Recorded Future reported that there’s the 50%- to 60% commission wannabe crooks need to pay from the money you steal from each victim’s account if they want it professionally laundered. The money can be delivered in Bitcoin, Western Union, or other direct methods by paying a supplementary fee of 5% to 10%.
“Once the malware is successfully planted and banking credentials intercepted, the perpetrator has to work with a chain of mule handlers and money-laundering intermediaries to receive a final pay-off.” states the analysis from Recorded Future.
“A money launderer with a stellar reputation and is capable of quick turnaround, will charge a hefty 50-60 percent commission from each payment transferred from a victim’s account. In some cases, an additional 5-10 percent commission might be required to launder the funds and deliver it to the main operator via preferred payment method, such as bitcoin, Web Money, or the Western Union.”
According to Andrei Barysevich, director of advanced collection at Recorded Future, the costs can add up and the paybacks are enormous.
“We estimate the average ROI of a botnet operation to be between 400% to 600%,” Barysevich explained.
Which kind of return has the illegal activity?
The returns are both direct and indirect, of course, the main income is related to the funds stolen from the bank accounts, but crooks can also earn selling the login credentials at $100 to $200 a pop, or offering a service of per-demand malware installation on the compromised devices.
The dark web is an excellent aggregator for the crooks, this is the right places where it is possible to find the above services.
Economics like this are driving enormous interest in malware goods and services on the Dark Web. Researchers are observing that the cybercrime underground is evolving to highly specialized products and services.
A malware for launching a distributed denial-of-service attack can cost $700 and the overall infrastructure for a spam or phishing campaign can run into the thousands.
“The cybercriminal underground is quite verticalized, with threat actors specializing in particular areas of expertise. It is this distribution of expertise that contributes to the underground market’s resiliency. Similar to drug cartels, once you remove one threat actor or forum, rivals will immediately take its place.” continues the analysis.
The underground market is capable to satisfy any need of newbies and script kiddies just as efficiently as it can help the most sophisticated criminal groups and nation-state actors, this is very scaring.
Cyber attacks are rarely conducted by a single individual operating in isolation, any campaign requires expertise across multiple disciplines to maximize the profit … and any expertise has its price in the criminal underground.
The experts did not observe significant price fluctuations in the offer of illegal products and services in the cybercriminal underground.
“based on experience, we can say a majority of the services and data types have not seen significant price fluctuations,” Barysevich added.
#AskACISO Interview with Paul Rivers, CISO at Yale University
10.11.2017 securityaffairs Security
Could you tell us something about yourself?
I have been involved in IT and information security for 25 years. I have been in financial services, higher education and security consulting.
yale cisoHave you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to your organization be?
Yes, I would certainly consider it. I suppose I would need to know exactly what is meant by “hacker”, which is a term that people seem to take to mean whatever they want.
People who like to understand how things work and know how to break them are invaluable to a security team. What I would want to understand about a hacker or anyone else is whether they can exercise good judgment about risk, and fully understand and will abide by the rules of engagement within the organization. Technical superstars are like raw energy, they can be channeled to useful or destructive purposes when building a team and running a program. So, superstar technical chops are but one part of the overall equation.
What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?
I can’t speak to the public sector, but I can speak to the challenges of working at top-tier research and teaching institutions. The challenges are largely cultural. Top research and teaching institutions operate in many respects as if they are a large federation of small, independent start-ups and entrepreneurship. When I have worked in the financial services sector, by contrast, there is a single mission for the entire organization. It is easier to fit a security program to a single mission. In research institutions, the missions are diverse and often unrelated. It also means communication by necessity must be emphasized even more than it is otherwise, as there are orders of magnitude more stakeholders across these largely independent units. And yet, the overall organization is still one legal entity, and so carries with it an overall level of inherent risk that goes beyond what a typical startup carries. The culture of openness and sharing, which is fundamental and vital to a university and must be maintained, adds yet another difficulty, as you can learn a great deal about the internals of a university simply by reading its websites. Social engineering is thus an even more difficult vector to address. The diversity of technology, again a necessary part of top-tier universities, adds additional challenges.
Budget is always a challenge, but that’s as true in a university as it is almost anywhere. To sum up the above, there are necessary and inherent characteristics about top-tier universities that will always make adequate information security more challenging than most other industries.
What do you consider your main tasks and responsibilities in your role?
Identify and credibly stack rank risk across the organization, ensure this information is presented to and understood by the right levels within the organization to make decisions on risk treatment, and then ensure those decisions are carried out. Beyond this, I must bridge the gap in understanding between technical staff and the rest of the organization, so that everyone is properly engaged in managing cybersecurity risk.
How should modern CISO’s prepare for the inevitable breach?
Practice. Do not just practice with the technical team, make the case for full practice and participation by the CEO, Legal, Public Relations, and all the other usual suspects on the leadership team. You do not want to be in the position of figuring out roles and responsibilities during a live event. Ensure legal and PR has vetted the plan. Have a retainer agreement for incident response for supplementation of internal labor and appropriate management of apparent conflicts of interest. Finally, talk to other CISOs who have been through public breaches.
What are the key questions a security professional needs to ask internally?
The answer to this question depends on what kind of security professional we are talking about. What seems to be common across intrusion analyst, pen tester, security operations manager, security director and CISO would be are we credible in how we identify, assess and prioritize risk? Are we resorting to chicken-little tactics, which might have some effect in the very short term, but ultimately undermines and hobbles a security program in the longer term?
How can you balance innovation and security when you must move quickly?
“Security is everyone’s job” can be a vacuous bumper sticker slogan, or it can be a real way in which roles outside of security and outside of IT are assigned real responsibilities for addressing cyber risk. When the entire organization understands their very concrete role in managing cyber risk and has the support to carry it out, security has scaled from a single team to the organization. This does not solve the problem referenced in this question, but it is a huge step in the right direction.
There was a hot topic in the Netherlands. “Email spoofing against Dutch Parliament could lead to serious spear phishing attacks”. What are your thoughts on these attacking vectors? (Email Spoofing) / (Spear Phishing)
What often gets discussed here: there are technical measures (SPF/DKIM/DMARC) that can help. There is training and awareness which supposedly helps. Neither is full-proof.
What seems to be discussed less often is cultural issues. Organizations often have terrible mass communication practices or they have internal processes which have never been looked at through the lens of a threat modeler. Email has inherent “watermark of authenticity” issues, but addressing these process and cultural weaknesses often get overlooked.
Yale University has so many websites. How do you guys keep them all secure against (criminal) hackers?
To say something that to those outside information security will seem surprising and even provocative: they are not all secure.
As mentioned above, higher education is more open than perhaps any other sector, and this is a feature of higher education that should not change. This does mean more risk. So, it is even more important in higher education to be able to triage all assets, including websites, into risk tiers so that the most stringent controls and the most resources can be devoted towards securing and testing the highest risk assets.
Is there any chance that Yale University will launch a bug bounty program at HackerOne/Bugcrowd in the future? If yes, could you give us more details about this?
I am new to Yale, so I do not know how this might play out. In principle, I am fully in favor and support the idea of bug bounty
After that Paul replied to us that he supports bug bounty programs. I asked him if he wants to talk with his management about running a potential program at HackerOne.
“Yes, I will put a bug bounty program such as HackerOne on my issues list to review. Some patience will be required, as again I am new to Yale and am in the process of triage for all issues related to Yale’s cybersecurity program. I’ll say again I am philosophically in favor of such approaches.”
Hackers Hacking Hackers: IoT Attack Script Embedded With Backdoor
10.11.2017 securityweek IoT
Hackers hack hackers. There's no surprise there. Big fish eat little fish. In the past, money mule recruiters have been known to use their recruitment adverts as a lure to get targets to visit a malicious site; while more recently it is suggested that cyberspies hack cyberspies.
Now NewSky Security has found a doubly dubious script kiddie hacking script that contains an obfuscated backdoor inserted by the developer. "On 22nd October 2017," blogged NewSky's principal researcher Ankit Anubhav on Wednesday, "we observed a shady yet popular site that often hosts IoT botnet scripts had a new piece of code to offer. Labeled as "NEW IPCAM EXPLOIT", this script promised to make the work of script kiddies easy by helping them locate IoT devices that use the potentially vulnerable embedded GoAhead server."
Many different IP cameras are vulnerable, and they figure heavily in IoT botnets such as Mirai and Reaper.
This script intrigued NewSky -- unusually, it was cyphered multiple times and archived with gzip. They deciphered it and found a script that would determine whether an IoT device uses the embedded and vulnerable GoAhead server. But they also found a backdoor that uses a shellscript to connect to a malicious server to download and execute another file -- which NewSky determined to be the Kaiten botnet.
The motivation for this backdoor is simple. If a script kiddie uses it to gain a 10,000 strong IoT botnet, then multiple kiddies could rapidly gain an army of bots that could all be controlled by the original script developer. It's a lazy way to build a large IoT botnet.
"Script kiddies often don't bother trying to understand the tools they use," comments F-Secure's Andy Patel, "or read the code associated with those tools, so this is a pretty easy troll to pull off. Considering that there are ongoing turf-wars around the IoT botnets that are so popular with this crowd, I wouldn't be surprised to hear about similar incidents in the future -- or to find out that these things already happened, and we just didn't hear about them."
Android Malware Exploits Recently Patched 'Toast' Flaw
10.11.2017 securityweek Android
Researchers at Trend Micro have spotted the first known piece of malware to exploit a recently patched vulnerability affecting the Toast feature in Android.
The flaw, reported to Google by researchers at Palo Alto Networks, enables malicious actors to launch overlay attacks by abusing Android’s Toast feature, which allows applications to display messages and notifications on top of other apps. The feature is named Toast because the notifications pop up on the screen just like toast.
Overlay attacks are commonly used by Android malware for phishing attacks, but using Toast provides some advantages, including the fact that it does not require the same types of permissions as other windows, and it allows an app to display a window that covers the device’s entire screen.
The vulnerability, tracked as CVE-2017-0752 and classified as high risk, was patched by Google in September with its monthly Android security updates. Toast overlay attacks don’t work against devices running Android 8.0 Oreo.
On Thursday, Trend Micro researchers reported seeing the first piece of malware leveraging the Toast overlay exploit. The threat, detected by the company as TOASTAMIGO, was disguised as apps named Smart AppLocker that had been available on Google Play, from where they were downloaded hundreds of thousands of times. The applications have since been removed from Google Play.
The malicious apps claim to secure devices with a PIN code. Once installed, they request Accessibility permissions and inform the user that they need to scan the phone for unprotected apps. The Toast exploit is used to display a progress screen for the “scan,” but in the background the malware executes commands from the attackers and installs a second piece of malware named by Trend Micro AMIGOCLICKER.
In addition to downloading other malware, TOASTAMIGO can terminate mobile security apps and perform other actions that prevent it from being removed. AMIGOCLICKER has self-preservation capabilities as well, but it can also collect Google accounts, click on buttons in system dialogs, click on Facebook ads, and give itself a five-star rating on Google Play.
“The miscellany of the malware’s malicious functionalities, combined with a relatively unique attack vector, makes them credible threats. In fact, the aforementioned functionalities can actually be modified for further cyberattacks,” Trend Micro researchers said in a blog post. “Since TOASTAMIGO and AMIGOCLICKER can misuse Android’s Accessibility feature to virtually do anything, this malware can update itself when getting the remote server’s commands.”
Automotive Cybersecurity Firm Argus Acquired by Continental
10.11.2017 securityweek Cyber
Argus Cyber Security, a Tel Aviv, Israel-based startup focused on automotive cyber security, has been acquired by Continental subsidiary Elektrobit (EB), which provides embedded software solutions to the automotive industry.
Terms of the acquisition were not disclosed, but some reports have the deal estimated to be in the range of $450 million.
Argus Cyber Security Logo
Founded in 2013, Argus offers a modular suite designed to protect cars from hacks. Offerings include an Intrusion Prevention System (IPS) that leverages Deep Packet Inspection (DPI) algorithms to help prevent a vehicle's critical components from being hacked, which the company says can be integrated into any vehicle production line.
The Argus IPS also generates reports and alerts for remote monitoring of a vehicle's cyber health, the company said.
The company has more 70 employees and 38 granted and pending patents.
As part of EB, the company will continue to engage in commercial relations with all automotive suppliers globally. “This combination of Continental’s broad automotive know-how, Argus’ technology, market-ready solutions and expertise in automotive cyber security, and EB’s deep automotive software knowledge, marks a unique cooperation in the automotive industry,” the company said.
Cyber threats to automotive systems are not necessarily new, but are becoming more of an issue as cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.
A number of security researchers have demonstrated the ability hack into modern vehicles to manipulate steering, acceleration, speedometers and safety sensors, sparking concerns that malicious attackers could use similar techniques to compromise a vehicle's Electronic Control Units (ECUs) allowing manipulation of a car's engine, brakes, airbags and other safety systems or vehicle components.
Schneider Electric Patches Critical Flaw in HMI Products
10.11.2017 securityweek Vulnerebility
Schneider Electric has released updates for its InduSoft Web Studio and InTouch Machine Edition products to address a critical vulnerability that can be exploited for remote code execution.
InduSoft Web Studio allows organizations to develop human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions. The Wonderware InTouch product, which is used in over one-third of the world’s industrial facilities, is an HMI visualization software. The products are used in various industries, including manufacturing, water and wastewater, automotive, oil and gas, building automation, and energy.
Aaron Portnoy, former CTO and founder of Exodus Intelligence and current employee of Raytheon, discovered that the products are affected by a critical stack-based buffer overflow vulnerability (CVE-2017-14024) that allows a remote attacker to execute arbitrary code with elevated privileges.
“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to subscribe to tags and monitor their values,” Schneider Electric explained in its advisory. “A remote malicious entity could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag subscription, with potential for code to be executed. The code would be executed under high privileges and could lead to a complete compromise of the InduSoft Web Studio or InTouch Machine Edition server machine.”
The vulnerability affects InduSoft Web Studio 8.0 SP2 Patch 1 and prior, and InTouch Machine Edition 8.0 SP2 Patch 1 and prior. Patches are included in version 8.1 of the products.
According to ICS-CERT, an exploit for the flaw is publicly available and only low-level hacking skills are required for exploitation.
This is not the only critical flaw discovered by Portnoy in the two Schneider Electric products. In September, ICS-CERT and the vendor warned users of a serious missing authentication issue that also allowed attackers to execute arbitrary code and possibly take complete control of affected servers.
Back in 2012, the researcher reported finding nearly two dozen security holes in ICS products from Rockwell Automation, Schneider, InduSoft (which at the time was not owned by Schneider), RealFlex and Eaton.
Quantum Dawn War Games Test Cyber Resiliency in Finance Sector
10.11.2017 securityweek Cyber
Quantum Dawn IV, a large-scale exercise to test the cyber resiliency of the U.S. finance sector, was held on Tuesday and Wednesday this week. The excercise had more than 900 participants from over 50 financial institutions, government agencies and regulators.
Run by SIFMA (the Securities Industry and Financial Markets Association), Quantum Dawn is designed to test this industry's ability to weather a major cyber attack. SIFMA describes itself as the voice of the U.S. securities industry, representing broker-dealers, banks and asset managers.
"There is likely no greater threat to financial stability than a large-scale cyber event, which SIFMA considers a low-probability, high-impact event that the industry must prepare for along with other possible crisis events," explains Kenneth Bentsen, SIFMA president and CEO.
The exercise, he said, enabled financial institutions, key government agencies and other industry partners to practice communication and response processes to maintain smooth financial market operations in the event of a sector-wide attack. The outcome of the exercise, however, will not be known until the Deloitte Risk and Financial Advisory Cyber Risk Services analyzes the data and produces a 'public after-action' report with observations and recommendations over the next few weeks.
In the meantime, we just have Bentsen's comment, "A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor -- not the federal government, nor any individual firm -- has the resources to protect markets from cyber threats on their own."
The value of such exercises is rarely questioned.
"Any exercise of this nature is always a good idea. Financial Services are part of critical infrastructure and we know they they are under sustained and increasing attacks," Neira Jones told SecurityWeek. "Destabilization of financial markets is definitely not something we want to see happen (well, not caused by cybercrime where we could potentially help it/minimize it anyway)," she said.
Jones is a non-executive director at Cognosec, chairs the advisory board for Ensygnia, and spent four years on the PCI SSC Board of Advisers. She has also worked for Barclaycard, Santander, Abbey National, Oracle Corp. and Unisys.
"While financial services are heavily regulated (in security, too), regulations are always some steps behind technology and criminals," she added. "Quantum Dawn is essentially good practice because it is merely testing an incident response plan through simulation, which should be standard practice anyway. It doesn't detract from individual bank testing of their own incident response processes -- which does happen in the great majority, and certainly for the major banks and FS firms."
Quantum Dawn is similar to Waking Shark in the UK. "The trick of course," Jones told SecurityWeek, "will be to act on the lessons learned and for the results not to be confined to the archives. Only time will tell."
That is certainly the hope of Bentsen. "Cybersecurity is truly an issue where the interests of the industry and public sector are fully aligned. SIFMA and our members are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government, including our regulators. Best practices are developed and refined regarding penetration testing, insider threats, third-party risks, and secure data storage and recovery. Lessons learned from Quantum Dawn IV will help shape these initiatives as we constantly work to get better."
Quantum Dawn IV leveraged NUARI (Norwich University Applied Research Institutes), and its latest version of the DECIDE FS, and the SimSpace Corporation’s Cyber Range software for the simulation and execution of the exercise.
In 2013, U.S. banks suffered a series of disruptive DDoS attacks from a group that called itself itself the Izz ad-Din al-Qassam Cyber Fighters. Growing concern about both nation-state and organized criminal attacks of increasing sophistication against the critical infrastructure make exercises like Quantum Dawn essential.
Ordinypt is a wiper disguised as ransomware that targets German users
10.11.2017 securityaffairs Ransomware
Security experts spotted a new malware dubbed Ordinypt, it is a wiper disguised as ransomware that currently only targets German users
The malware researcher Michael Gillespie first reported a new strain of malware called Ordinypt that is currently targeting German users, but unfortunately instead of encrypting users’ files, the malware intentionally destroy them.
Early this week, the security researcher Karsten Hahn has spotted a sample that, based on VirusTotal detections, has been targeting only German users. The malware was spread via emails written in German, and delivering notes in an error-free language, it pretends to be a resume being sent in reply to job adverts.
The malware was first dubbed HSDFSDCrypt, but later G Data changed the name in Ordinypt ransomware.
These emails come with two files, a JPG file containing the resume and a curriculum vitae. The files in the observed samples use two attachments named Viktoria Henschel – Bewerbungsfoto.jpg and Viktoria Henschel – Bewerbungsunterlagen.zip.
“The ZIP archive contains two EXE files that use the old double-extension and custom icon tricks to fool users into thinking they’re different files. In this case, PDF files.” reported BleepingComputer.com.
“On Windows PCs that hide the file extensions by default, the EXE extension does not show up, and users just want to see the PDF part, which are legitimate PDFs, and not an executables.”
When the victim runs the executable will launch the Ordinypt ransomware, that in instead of encrypting files, wiper them by replacing files with random data.
9 Nov
Army Nael B. Leido @armynael
Replying to @demonslay335 and 4 others
It looks like its not encrypted before. It didn't even read the content of the file looking on its code. Also tested 300MB+ bait file and was replaced with a 21KB (very unlikely to be encrypted copy).
Philipp Mackensen @PMackensen
File names and content are generated by the same function (only needs a length as input) which randomly generates a string that consists of uppercase, lowercase and numeric characters . File size can differ between 8KB and 24KB (also random). Doesn't encrypt .png files tho.
11:42 AM - Nov 9, 2017
1 1 Reply 1 1 Retweet 6 6 likes
Twitter Ads info and privacy
The Ordinypt ransomware generates new “pseudo-encrypted-file’s” name, which is made up of 14 random alpha-numeric characters, the new files are sometimes more than half the size of the original ones.
The malware drops a ransom note in every folder where it wiped file content, the note is named where_sind_my_files.html. (translated which translates to where_are_my_files.html).
The fact that the Ordinypt is a wiper disguised as ransomware is also confirmed by its strange ransom note that doesn’t list an infection ID, nor does it ask for a file from where the ransomware’s authors can extract an ID.
The Ordinypt’s ransom note uses a bitcoin address from a hardcoded wallet address.
“The targeting of HR departments via job application emails also means that this is an intentional campaign to damage the operations of some Germany-based companies.” concluded Catalin Cimpanu from BleepingComputer.
“Furthermore, there’s no way of contacting the faux ransomware’s authors and verifying the payment. All evidence points to the fact that someone coded Ordinypt with the intention to damage computers.”
Hack the hackers. Watcha out the NEW IPCAM EXPLOIT, it is a scam!
10.11.2017 securityaffairs Exploit
Security experts have discovered a new hacking tool dubbed NEW IPCAM EXPLOIT containing a backdoor that is offered on several underground hacking forums.
Wannabe hackers, be careful out of free hacking tools, many of them are scams. Recently security experts reported several cases of fake hacking tools hiding backdoors, for example, a fake Facebook hacking tool or the Cobian RAT.
Now, the security researcher Ankit Anubhav has discovered a new tool containing a backdoor that is offered on several underground hacking forums. The hacking tool is a free PHP script that allows users to scan the Internet for vulnerable IP Cameras running a vulnerable version of GoAhead embedded web-server.
“The market is particularly hot for IoT devices using a vulnerable version of an embedded GoAhead server. This arises due to the fact that there are a large number of IP camera vendors that can be hacked using exploits like CVE-2017–8225, and it is already employed successfully by the IoTroop/Reaper botnet.” wrote the researcher in a blog post.
“On 22nd October 2017, we observed a shady yet popular site that often hosts IoT botnet scripts had a new piece of code to offer. Labeled as “NEW IPCAM EXPLOIT”, this script promised to make the work of script kiddies easy by helping them locate IoT devices that use the potentially vulnerable embedded GoAhead server.”
The expert analyzed the NEW IPCAM EXPLOIT and discovered that it includes the code to hack the wannabe criminals using it, this implies that is the script kiddie owns a botnet, scammers can use the tool to take over it.
After going through all levels of decoding, the expert discovered that the NEW IPCAM EXPLOIT scan the web for devices using the GoAhead embedded server by checking for the banner “GoAhead-Webs”. At the bottom of the script, there is a backdoor which uses shellscript to connect to contact a malicious server, download a second-stage script, and execute it.
The NEW IPCAM EXPLOIT IoT scanning script works in four steps:
The script scans a set of IP addresses looking for GoAhead servers vulnerable to the authentication bypass flaw tracked as CVE-2017-8225. The vulnerability affects Wireless IP Camera (P2P) WIFI CAM devices.
The script establishes a secret backdoor by creating the user account (username: VM | password: Meme123) on the wannabe cybercriminal’s system. The scammer gains the same toot privileges as of the victim.
The Script determine the IP address of the wannabe hacker in order to access the compromised systems remotely.
The script runs a second payload on the victim’s system, in some cases, it installs the Kaiten bot.
Experts from Bleeping computers that made further investigations reported that the author of the script already put online backdoored hacking tools.
“Digging deeper into some of the IDs used by the backdoor creator, we also discovered that this wasn’t the first time when he published backdoored malware or had online fights with other hackers. This may explain why Anubhav found a dox file in the hacker’s name. ” reported Bleepingcomputer.
Vault 8: WikiLeaks Releases Source Code For Hive - CIA's Malware Control System
10.11.2017 thehackernews BigBrothers
Almost two months after releasing details of 23 different secret CIA hacking tool projects under Vault 7 series, Wikileaks today announced a new Vault 8 series that will reveal source codes and information about the backend infrastructure developed by the CIA hackers.
Not just announcement, but the whistleblower organisation has also published its first batch of Vault 8 leak, releasing source code and development logs of Project Hive—a significant backend component the agency used to remotely control its malware covertly.
In April this year, WikiLeaks disclosed a brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands to execute specific tasks on the targets and receive exfiltrated information from the target machines.
Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.
Hive’s infrastructure has been specially designed to prevent attribution, which includes a public facing fake website following multi-stage communication over a Virtual Private Network (VPN).
"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.
As shown in the diagram, the malware implants directly communicate with a fake website, running over commercial VPS (Virtual Private Server), which looks innocent when opened directly into the web browser.
However, in the background, after authentication, the malware implant can communicate with the web server (hosting fake website), which then forwards malware-related traffic to a "hidden" CIA server called 'Blot' over a secure VPN connection.
The Blot server then forwards the traffic to an implant operator management gateway called 'Honeycomb.'
In order to evade detection by the network administrators, the malware implants use fake digital certificates for Kaspersky Lab.
"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says.
"The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."
The whistleblowing organisation has released the source code for Project Hive which is now available for anyone, including investigative journalists and forensic experts, to download and dig into its functionalities.
The source code published in the Vault 8 series only contains software designed to run on servers controlled by the CIA, while WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities which could be abused by others.