Security Service of Ukraine warns of a new wave of large-scale NotPetya-like attacks
14.10.2017 securityaffairs CyberWar

The Security Service of Ukraine is warning citizens of a new “large-scale” cyber attack, similar to NotPetya, that could take place between October 13 and 17.
In June the NotPetya ransomware compromised thousands of businesses and organizations worldwide, most of them in Ukraine.

Now the Ukrainian authorities are warning citizens of a new “large-scale” cyber attack similar to NotPetya.

The Ukrainian security service, the SBU, published a press release on Thursday warning of an imminent massive cyber attack that could take place between October 13 and 17, when Ukraine celebrates Defender of Ukraine Day.
“SBU notifies about preparing of a new wave of large-scale attack against the state institutions and private companies. According to the secret service, big state and private companies are the aims of the offenders.” reads the SBU press release.

“The basic aim – to violate normal operation of information systems, that may destabilize the situation in the country. The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017.”

According to the authorities, a threat actor could launch the attack by compromising the supply chain of software used by government entities: once again, a malicious software update would be used to infect installations across the country. This is the same scenario exploited in NotPetya, when the attackers compromised the update mechanism of the Ukrainian financial software provider MeDoc.
The tainted MeDoc update allowed NotPetya to spread rapidly through Ukrainian government agencies and businesses, and the operations of several multinational companies were seriously affected.
The SBU blamed Russian nation-state hackers for the NotPetya attacks; researchers who analyzed the malware found that it was a wiper disguised as ransomware, since the encryption could not be reversed even if the ransom was paid.
Back to the present: the warning urges organizations to improve their defenses. The SBU provided a short set of recommendations to improve resilience to such attacks:
Update the signatures of the antivirus software on servers and workstations;
Back up the information processed on the computer equipment;
Apply system software updates daily, including all versions of Windows.


Akamai shared a detailed analysis of a Fast Flux Botnet composed of 14K IPs
14.10.2017 securityaffairs BotNet

Experts at Akamai have identified a running Fast Flux botnet composed of over 14,000 compromised systems used to spread malware.
Experts at Akamai have identified a running botnet of over 14,000 compromised systems used to spread malware. The botmasters implemented a technique dubbed Fast Flux to make the infrastructure hard to take down.

Threat actors using the Fast Flux technique host a domain on many IP addresses and switch it from one address to another by changing its DNS records; the records carry very short TTLs, so the addresses are swapped in and out with extremely high frequency.

The Fast Flux technique was first introduced in 2006 and is widely associated with the Storm Worm malware variants.

“Fast Flux, a DNS technique first introduced in 2006 and widely associated with the Storm Worm malware variants, can be used by botnets to hide various types of malicious activities – including phishing, web proxying, malware delivery, and malware communication.” reported Akamai. “The technique allows the botnet to “hide” behind an ever-changing network of compromised hosts, ultimately acting as proxies and making detection incredibly difficult.”

Experts were able to track a botnet composed of more than 14,000 IP addresses, most of them originating from eastern Europe.

The Fast Flux network works as a hosting provider for illegal websites offering merchandise such as:

Stolen credentials for popular e-commerce websites
Hacked credit card numbers with CVV
Carding forums for professional hackers
The botnet was used both to host phishing websites and malware C&C servers and to carry out automated attacks such as web scraping, SQL injection, and credential abuse.

“The primary characteristic of the Fast Flux network is that the network constantly changes its domains, IP addresses, and nameservers. These changes obfuscate the true nature of the network and make it more difficult for researchers to understand and defend against.” continues the analysis.

Researchers observed that the Fast Flux network is segregated into different sub-networks based on the malicious service offered.


Researchers believe the devices were infected with malware that installs a proxy component on the infected hosts. Every time someone connects to a malicious site exposed by the botnet, the DNS servers return the IP of an infected host that is “hosting” the domain at that moment. The proxy component on the infected host then relays the incoming traffic to the malicious site, which is hosted elsewhere.
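As an added illustration (not Akamai's tooling), the following Python heuristic flags fast-flux behaviour from a log of resolver answers: a domain that keeps returning new A records spread across unrelated networks with short TTLs, as described above. The sample answers and the thresholds are constructed for the example; a real analysis would replace the /16 prefix proxy with ASN lookups and tune the thresholds against known CDN traffic.

```python
"""Toy fast-flux detector over a log of observed DNS answers.

Heuristic (thresholds are assumptions chosen for the sample): a domain is
flagged when, across repeated lookups, it returns many distinct A records
that span several distinct /16 networks and carry short TTLs. Legitimate
CDNs rotate addresses too, but usually within a few provider-owned prefixes.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    ts: int       # seconds since epoch of the lookup
    name: str     # queried domain
    ip: str       # A record returned
    ttl: int      # TTL in seconds


# Constructed sample (documentation address ranges, not real infrastructure):
# a fluxed domain cycling through hosts in unrelated networks with 5-minute
# TTLs, and a normal domain pinned to one host with a one-day TTL.
SAMPLE = [
    Answer(0,    "shop-cards.example", "192.0.2.10",     300),
    Answer(300,  "shop-cards.example", "198.51.100.7",   300),
    Answer(600,  "shop-cards.example", "203.0.113.3",    300),
    Answer(900,  "shop-cards.example", "192.0.2.200",    300),
    Answer(1200, "shop-cards.example", "192.0.2.10",     300),
    Answer(1500, "shop-cards.example", "198.51.100.99",  300),
    Answer(0,    "www.example",        "198.51.100.250", 86400),
    Answer(3600, "www.example",        "198.51.100.250", 86400),
    Answer(7200, "www.example",        "198.51.100.250", 86400),
]


def summarize(answers):
    """Per-domain counts of distinct IPs, distinct /16 networks, and mean TTL."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for a in answers:
        addr = ipaddress.ip_address(a.ip)
        ips[a.name].add(addr)
        # /16 is a crude stand-in for "different provider"; use ASN data in production
        nets[a.name].add(ipaddress.ip_network(f"{addr}/16", strict=False))
        ttls[a.name].append(a.ttl)
    return {
        name: {
            "distinct_ips": len(ips[name]),
            "distinct_nets": len(nets[name]),
            "mean_ttl": sum(ttls[name]) / len(ttls[name]),
        }
        for name in ips
    }


def is_fast_flux(stats, min_ips=5, min_nets=3, max_ttl=900):
    """Thresholds are illustrative assumptions, not published values."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets
            and stats["mean_ttl"] <= max_ttl)


def flagged_domains(answers=SAMPLE):
    """Sorted list of domain names whose answer pattern looks like fast flux."""
    return sorted(n for n, s in summarize(answers).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(name, s, "FLUX" if is_fast_flux(s) else "ok")
```

Run against a real passive-DNS export, the same summary also shows the second signal Akamai describes: the nameservers themselves change, which a variant of `summarize` keyed on NS records would catch.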

The analysis of the botnet revealed that it is organized in two separate sub-networks:

the hosting sub-network, used for hosting malicious sites and relaying traffic to them;
the C&C sub-network, a proxy layer through which infected machines reach the botnet’s command-and-control servers (the proxies themselves are not the C&C servers).
Experts noticed that most of the hosting sub-network’s IPs were located in Ukraine, Romania, and Russia. The composition of the C&C sub-network was very different.

The DNS records of the C&C sub-network included private IP addresses such as 10.x.x.x and 192.168.x.x, alongside addresses registered to Fortune 100 companies and military organizations. (RFC 1918 addresses are not routable on the public Internet, so a record pointing at one only resolves to something reachable from inside the network that uses that range.)


The analysis of the exposed ports for all IPs shows that most of the hosting network had ports 80 and 443 exposed, while most of the C&C sub-network had port 7547 exposed.

“When analyzing the C&C sub-network, we see that port 7547 is the most used port. This port is used mostly by routers that have a TR-069 management tool and the usage shows how same type of vulnerable devices are being used to the same goal. Such routers are known to be highly exploited and are probably used as infrastructure that acts as a proxy layer for the communication of the malware with its C&C server.” continues the analysis.
Port 7547 is used by TR-069 (CWMP), the remote-management protocol implemented by home routers and modems; such devices are suspected to make up a good share of the botnet.

According to Akamai, a Fast Flux botnet can be compared to a living organism that evolves over time to preserve itself; the experts will continue to monitor its evolution.


Republican polling firm Victory Phones database was hacked
14.10.2017 securityaffairs BigBrothers

The databases of the Republican polling firm Victory Phones were hacked just after the 2016 election, exposing donor records.
Victory Phones, an automated phone research and data compilation firm, was hacked in January, exposing data on hundreds of thousands of Americans who donated to Republican political campaigns.

Victory Phones carries out phone polling on behalf of Republican candidates and also runs fundraising systems for political campaigns.

According to ZDNet, which first reported the incident, the hack exposed several database files, including a 223-gigabyte archive containing about two billion records.

The stolen records include 166,046 unique email addresses, together with names, postal addresses, phone numbers, genders, and donation amounts.

Have I been pwned? (@haveibeenpwned), Oct 11, 2017: “New breach: Victory Phones exposed 166k addresses via unsecured Mongo DB. 75% were already in @haveibeenpwned. More: http://www.zdnet.com/article/republican-polling-firm-hacked-exposing-donor-records/”
Experts believe the hackers targeted the company because they were primarily interested in individual donations made to political campaigns.

“According to public records, the company gave $207,602 to a campaign by Rand Paul (R-KY) and $79,646 to Martha Roby (R-AL). The company also gave $103,977 to the Republican Party of Michigan, where the company is located, and $64,229 to the Republican National Committee, among others.” reported ZDnet.


The popular cyber security expert Troy Hunt, who runs the data breach notification service Have I Been Pwned reached out to several individuals whose data was included in the stolen databases and all of those confirmed the authenticity of the information leaked online.

Victory Phones was running an unsecured MongoDB installation, as confirmed by chief executive David Dishaw, who added that the company never received a ransom note.

“We can confirm that in early January 2017, we were one of tens of thousands of users whose MongoDB instance was hacked. We received no ransom note or communication regarding this intrusion, in the immediate aftermath, or up until even now. We took steps to enhance the security of our data, and notified our users at that time of the breach. We will continue to keep them up to date as we come into any information that is relevant.”

MongoDB ransom attacks soared early this year; according to the Australian Communications and Media Authority, the number of hacked systems more than doubled to 27,000 in a single day. The attackers copy and then delete the data from databases exposed without authentication, and leave an extortion note in their place.

Crooks request the payment of a ransom in order to return the data and help the company fix the flaw they exploited. In late 2016, I reported the story of a mysterious attacker using the harak1r1 moniker who was breaking into unprotected MongoDB databases, stealing their content, and demanding a 0.2 bitcoin (US$184) ransom to return the data.

The attacks were discovered by Victor Gevers, co-founder of the GDI Foundation, who warned of the poor security of MongoDB installations in the wild.

ZDNet reported that, at the time of writing, a Victory Phones server with an open database port was still indexed on Shodan.

“The breach may not be significant in terms of numbers of individuals affected compare to other breaches of voter information — much of the data is already public on the Federal Election Commission’s website. But the hack represents yet another data exposure at a time of heightened concern about election interference.” continues ZDNet.

Hunt confirmed that 75 percent of email addresses were already in Have I Been Pwned’s database.


Hyatt Hotels suffered a new payment card breach, the second in two years
14.10.2017 securityaffairs Incident

The Hyatt Hotels Corporation notified customers that their credit card information may have been stolen by crooks, the second time in 2 years.
The Hyatt Hotels Corporation made the headlines once again, the company notified customers that their credit card information may have been stolen by crooks.

The data breach affects three hotels in the United States, 18 in China, four in Mexico, three in Puerto Rico, three in Saudi Arabia, three in South Korea, and facilities in Brazil, Colombia, Guam, India, Indonesia, Japan, and Malaysia.

“We understand the importance of protecting customer information and securing our systems, and we regret to inform you that we discovered signs of and then resolved unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017. A list of affected hotels and respective at-risk dates is available here.” states the breach notification.


According to Hyatt, crooks planted malware on the payment systems of certain hotels to harvest data from cards that were manually entered or swiped at the front desk between March 18, 2017 and July 2, 2017.

The malicious code allowed crooks to siphon cardholder name, card number, expiration date, and internal verification code.

“Based on our investigation, we understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems. Our enhanced cybersecurity measures and additional layers of defense implemented over time helped to identify and resolve the issue.” continues the notification.

At this time, Hyatt is unable to identify each specific payment card that may have been affected by the breach.

“While we estimate that the incident affected a small percentage of payment cards used by guests who visited the group of affected Hyatt hotels during the at-risk time period, the available information and data does not allow Hyatt to identify each specific payment card that may have been affected,” said Chuck Floyd, global president of operations at Hyatt Hotels Corporation.

Unfortunately, this isn’t the first breach the company has discovered; it is the second incident in the last two years.

In January 2016, the Hyatt Hotels Corporation announced that a total of 250 of its properties had been compromised in a malware-based attack in 2015, in which hackers stole customer payment card information.

At the time of that incident, the company announced significant enhancements to the cybersecurity measures protecting its payment systems, but those measures evidently did not prevent a second compromise of the front-desk card flow.


A new Facebook scam allows your friend contacts to hack your account
14.10.2017 securityaffairs Social

Researchers spotted a new Facebook scam that could deceive also tech-savvy people and trick them into giving the attacker access to their Facebook accounts.
Don’t trust a message apparently sent by one of your Facebook friends asking for urgent help to recover their Facebook account.

Researchers have spotted a new Facebook scam that could deceive also tech-savvy people and trick them into giving the attacker access to their Facebook accounts.

The scam abuses “Trusted Contacts,” a Facebook account recovery feature that sends access codes to a short list of friends you selected in advance, so that they can help you regain access to your account if you forget your password or are locked out.

The alert was issued by Access Now. The attack chain starts with a message from the compromised account of one of the potential victim’s friends.

“The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s “Trusted Contacts” feature,” states the public security alert.

“Trusted Contacts is a system created by Facebook to help you gain access to your account if you forget your password or your account is locked. If you enable Trusted Contacts, Facebook will ask you to identify three to five people. If you need access to your account, Facebook will send part of a code to each of these users that can be combined to gain access to your account.”

The attacker asks for the victim’s help recovering his account, claims that the victim is listed as one of his Trusted Contacts on Facebook, and tells the victim that a code for recovering the friend’s account is about to arrive.

The attacker, posing as the victim’s friend thanks to the compromised account, then asks the victim to share that recovery code.

In reality, the attacker triggers the “I forgot my password” feature for the victim’s own Facebook account and requests a recovery code.

So the code the victim receives is not a key to unlock the friend’s account; it is the code Facebook issued in response to the attacker’s “Forgot my password” request for the victim’s account.

If the victim shares the code, the attacker can take over the victim’s account.

Below the step by step procedure:

You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.
The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.
In an effort to help, you send the code you’ve just received to your “friend.”
Using the code, the attacker can now steal your account from you, and use it to victimize other people.

This specific Facebook scam relies on the lack of victim’s knowledge about the Trusted Contacts feature.


The scam can potentially target any user of the social network, but the experts are seeing the majority of reports from human rights defenders and activists in the Middle East and North Africa.

“So far we’re seeing the majority of reports [falling victims to this new Facebook phishing scam] from human right defenders and activists from the Middle East and North Africa.”
We started this post by explaining that the attack chain begins with a message sent by the attacker through a compromised account belonging to one of your friends.
In another scenario, the scam is initiated by a real Facebook friend who intentionally tricks you into handing over your account.
The best protection is to stay vigilant about every suspicious message, including recovery requests from trusted friends. The practical check: a recovery code that lands in your own inbox, addressed to you, was issued for your own account, so it should never be forwarded to anyone, whatever the story attached to the request.


DoubleLocker, the Android Ransomware that encrypts files and changes PIN Lock
14.10.2017 securityaffairs Android

Crooks have developed a strain of Android ransomware dubbed Doublelocker that both encrypts user data and changes PIN Lock.
DoubleLocker, as the name says, is a new malware that not only encrypts the data on an Android device but also changes its PIN lock.

The DoubleLocker ransomware was discovered by security researchers from cybersecurity firm ESET.

DoubleLocker is the first ransomware known to abuse Android accessibility services, the feature that provides alternative ways to interact with a mobile device.

Android accessibility services are abused by several families of mobile malware, including banking Trojans and adware.

“Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers.” explained Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker. “Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom… Speculation aside, we spotted a test version of such a ransom-banker in the wild as long ago as May, 2017.”

A test version of this ransom-banker was spotted as early as May; DoubleLocker is spread as a fake Adobe Flash update through compromised websites.

Once the victim launches the app, it asks the user to activate the malware’s accessibility service, named “Google Play Service”. Once the malicious code has obtained accessibility permissions, it uses them to grant itself device administrator rights and to set itself as the default Home application, all without the user’s consent.

“Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home,” explains Štefanko.

Once executed on the device, DoubleLocker first changes the device PIN to a random value that is neither known to the attackers nor stored anywhere. At the same time, the ransomware encrypts all the files using the AES algorithm, appending the extension “.cryeye” to each file.

Unfortunately, the encryption routine has no bugs, so the files cannot be recovered without obtaining the key from the crooks.

The ransomware demands 0.0130 BTC (approximately USD 73.83 at the time of writing), and the payment must be completed within 24 hours.


If the victim pays the ransom, he will receive the decryption key to unlock the files and the crooks will remotely reset the PIN to unlock the victim’s device.
The researchers highlighted that there is no way to recover the encrypted files without the key; on a non-rooted device, the only way to regain control of the phone is a factory reset.

Users with rooted Android devices with debugging mode enabled can use the Android Debug Bridge (ADB) tool to reset PIN without formatting their phones.

“For rooted devices, however, there is a method to get past the PIN lock without a factory reset. For the method to work, the device needed to be in the debugging mode before the ransomware got activated.” reads the analysis from ESET.

As usual, the best way to protect your device is to install applications only from trusted stores, such as Google Play, and to pay attention to the reputation of the developers.

Be vigilant with any links provided in an unsolicited email, SMS or instant messaging app message.

Do not forget to install an antivirus app on your mobile device and keep all running software up-to-date.


Microsoft’s October Patch Tuesday addresses critical Windows DNS client flaws tied to DNSSEC
14.10.2017 securityaffairs Vulnerability

Microsoft’s October Patch Tuesday addresses three critical security vulnerabilities in the Windows DNS client tied to DNSSEC; no exploitation in the wild has been reported.
The flaws affect the Windows DNS client in Windows 8, Windows 10, and Windows Server 2012 and 2016.

The vulnerabilities affect Microsoft’s implementation of one of the record types used by the secure Domain Name System extensions, DNSSEC.

DNSSEC is a set of extensions to DNS designed to protect applications from using forged or manipulated DNS data, such as that created by cache poisoning. Answers from DNSSEC-protected zones are digitally signed, so a DNS resolver can verify the signature and check that the information matches what the zone owner published on the authoritative DNS server.

The heap buffer-overflow flaws, tracked together as CVE-2017-11779, were reported by security firm Bishop Fox. They are Windows DNSAPI remote code execution issues that could be exploited to gain full control of the victim’s machine without user interaction.

Microsoft fixed the flaw by releasing the KB4042895 security update (OS Build 10240.17643).

According to Nick Freeman, the Bishop Fox researcher who discovered the vulnerabilities, the problem resides in Microsoft’s implementation of the NSEC3 (Next Secure version 3) record used by DNSSEC for authenticated denial of existence.

“The Windows DNS client doesn’t do enough sanity checking when it processes a DNS response that contains an NSEC3 record,” Freeman wrote in a report released today. “Malformed NSEC3 records can trigger this vulnerability and corrupt the memory of the DNS client. If this is done carefully, it can result in arbitrary code execution on the target system.”

“Because the record is malformed, it doesn’t make it through the normal DNS system. Servers along the way will drop it because it doesn’t fit the standard for NSEC3 record,” he wrote. “This is a good thing, because otherwise this issue would be easier to exploit and have far more serious implications. So, for an attacker to exploit this issue, they need to be between you and the DNS server you’re using.”
 

In short, a malformed NSEC3 record in a DNS response triggers the vulnerability and corrupts the memory of the DNS client, which can lead to arbitrary code execution on the vulnerable system.
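The check a client needs is the one Freeman describes: validate every length field in the record before using it. The following Python parser is an added example (not Bishop Fox’s or Microsoft’s code) implementing the RFC 5155 NSEC3 RDATA layout with those checks; the two records it parses are constructed, and it models only the length validation, not the Windows code path or the specific malformation used to trigger CVE-2017-11779.

```python
"""Strict NSEC3 RDATA parser (RFC 5155 wire format), illustrating the length
checks a DNS client must apply before trusting a record.

Layout: hash alg (1) | flags (1) | iterations (2) | salt len (1) | salt |
        hash len (1) | next hashed owner | type bitmaps: (window, len, bits)*
Every variable-length field is checked against the remaining buffer before
it is read, so a malformed record is rejected instead of being read past
its end. Both sample records below are constructed, not captured traffic.
"""
import struct


class MalformedNSEC3(ValueError):
    pass


def parse_nsec3(rdata: bytes) -> dict:
    if len(rdata) < 5:
        raise MalformedNSEC3("fixed header truncated")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    if pos + salt_len > len(rdata):
        raise MalformedNSEC3("salt length exceeds record")
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    if pos + 1 > len(rdata):
        raise MalformedNSEC3("hash length missing")
    hash_len = rdata[pos]
    pos += 1
    if hash_len == 0 or pos + hash_len > len(rdata):
        raise MalformedNSEC3("hash length invalid or exceeds record")
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    types = []
    while pos < len(rdata):
        if pos + 2 > len(rdata):
            raise MalformedNSEC3("type bitmap window truncated")
        window, bitmap_len = rdata[pos], rdata[pos + 1]
        pos += 2
        if not 1 <= bitmap_len <= 32:          # RFC 4034 section 4.1.2 limit
            raise MalformedNSEC3("bitmap length out of range")
        if pos + bitmap_len > len(rdata):
            raise MalformedNSEC3("bitmap exceeds record")
        bitmap = rdata[pos:pos + bitmap_len]
        pos += bitmap_len
        for i, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append(window * 256 + i * 8 + bit)
    return {"alg": alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next": next_hashed, "types": types}


# Constructed well-formed record: SHA-1, opt-out clear, 10 iterations,
# 2-byte salt, 20-byte next-hashed-owner, bitmap saying "A and NS exist".
GOOD = (struct.pack("!BBHB", 1, 0, 10, 2) + b"\xab\xcd"
        + bytes([20]) + bytes(range(20))
        + bytes([0, 1, 0b01100000]))      # window 0, len 1, bits for A(1), NS(2)

# Constructed malformed record: claims a 200-byte salt inside a 9-byte record.
BAD_SALT = struct.pack("!BBHB", 1, 0, 10, 200) + b"\xab\xcd\x14\x00"


def is_well_formed(rdata: bytes) -> bool:
    """True when the record parses cleanly; False for anything over-length."""
    try:
        parse_nsec3(rdata)
        return True
    except MalformedNSEC3:
        return False


if __name__ == "__main__":
    print(parse_nsec3(GOOD))
    print("BAD_SALT accepted:", is_well_formed(BAD_SALT))
```

The same discipline applies to any record type with self-describing lengths; an unchecked length in a C implementation is exactly what turns an on-path attacker’s crafted response into an out-of-bounds write.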


An attacker needs to be positioned between the victim and the DNS server it uses, which in practice usually means sharing the same network: an insider, a rogue Wi-Fi access point, or a compromised router can run a man-in-the-middle attack to intercept the victim’s DNS requests and answer them with crafted responses.

“In the majority of cases, the only requirement would be that an attacker is connected to the same network as their target,” Freeman said.

An attacker can trigger the flaws by injecting a malicious payload into a DNS response to a Windows machine’s DNS request.

“If someone was using a corporate laptop at a coffee shop and on WiFi, or hacked your cable router and you got hit … giving the attacker an entry point into the network,” Freeman added. “They could then launch this attack against other systems on that network.”

Bishop Fox confirmed it is not aware of any public attacks exploiting this flaw.

“This is a very traditional vulnerability, so it’s reasonable” for most attackers to be able to exploit it, Freeman concluded.


Accenture – Embarrassing leak of business data in a public Amazon S3 bucket
14.10.2017 securityaffairs Incident

The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!
Another tech giant has fallen victim to an embarrassing data leak: this time the leading global professional services company Accenture exposed its business data in public Amazon S3 buckets.

The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers who want to target the firm or its clients.

The unsecured Amazon S3 buckets were discovered by researchers at UpGuard, who privately reported them to Accenture on September 17; the buckets were secured the following day.

“The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.” states the report published by UpGuard.

“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”


The well-known researcher Chris Vickery found four buckets left open online containing a huge trove of company secrets, including authentication credentials, certificates, decryption keys, logs of customer data, customer information, and other material that could have been used to target both Accenture and its clients.
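A practitioner’s first check for this class of exposure is whether a bucket’s ACL or policy grants access to anonymous principals, which is all that “anyone stumbling across their URLs” needs. The script below is an added example (not UpGuard’s tooling): it evaluates ACL and policy documents of the shape the S3 GetBucketAcl and GetBucketPolicy APIs return, using constructed samples, and shows a locked-down configuration beside the open one. The bucket name and the IAM role ARN are placeholders.

```python
"""Offline audit of S3 bucket access settings for public exposure.

Checks the two things an anonymous reader relies on:
  1. ACL grants to the AllUsers or AuthenticatedUsers groups, and
  2. bucket policy statements that Allow an anonymous principal without a
     Condition narrowing who can use them.
The documents below are constructed samples; no AWS API calls are made.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_anonymous(principal) -> bool:
    """Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> list:
    """Return Sids of Allow statements any principal on the Internet can use."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue   # conditioned grants (e.g. aws:SourceVpce) still deserve manual review
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to everyone."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


def audit(policy: dict, acl: dict) -> dict:
    return {"policy": public_policy_statements(policy), "acl": public_acl_grants(acl)}


# Constructed: an open bucket of the kind the UpGuard findings describe.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]}""")
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}

# Constructed: the locked-down form. Reads limited to one IAM role (placeholder
# account id and role name), plus a Deny for unencrypted transport.
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}
LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    print("open:  ", audit(OPEN_POLICY, OPEN_ACL))
    print("locked:", audit(LOCKED_POLICY, LOCKED_ACL))
```

In a real estate you would feed `audit` the output of `get_bucket_policy` and `get_bucket_acl` for every bucket, and treat any non-empty result as an incident, not a finding; an ACL that is clean today can be reopened by a single misapplied `public-read` upload flag.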

Vickery also found software used by Accenture’s Cloud Platform enterprise-level management service.

Accenture downplayed the data leak in a statement:

“There was no risk to any of our clients – no active credentials, PII or other sensitive information was compromised. We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”

The four buckets discovered by Vickery are:

acp-deployment that contained internal access keys, credentials used by Accenture’s identity API, plaintext documents containing a master access key for Accenture’s account with Amazon Web Services’ Key Management Service, and also private signing keys.
acpcollector that contained data related to the maintenance of Accenture’s cloud stores, including VPN keys for the company’s private network and a master view of its cloud ecosystem.
acp-software, at 137 GB the largest bucket, contained database dumps of Accenture client credentials, hashed passwords and 40,000 plaintext passwords. It also included access keys for Accenture’s Enstratus cloud management platform and data from its Zenoss event tracking system, including JSESSIONID session identifiers that, if not yet expired, could be placed in a cookie to bypass authentication.
acp-ssl contained key stores that provide access to a number of Accenture environments, further key stores in a folder called “acp.aws.accenture.com,” and certificates that could, in theory, be used to decrypt traffic between Accenture and its clients.
One of the core services in Accenture’s portfolio is securing its customers. It is not known who else accessed the company’s and its customers’ data while it was exposed. The impact could be serious, and some customers may well turn to partners able to assure them a higher level of security.

In September, Vickery discovered that Viacom had left the keys of its digital kingdom in a publicly exposed AWS S3 bucket.

Earlier in September, UpGuard researchers found that thousands of files containing personal data on former US military, intelligence, and government workers had been exposed online for months.

In August, Vickery discovered that more than 1.8 million voter records belonging to Americans had been accidentally leaked online by a voting machine supplier serving dozens of US states.

In June, Vickery found that a top defense contractor had left tens of thousands of sensitive Pentagon documents on an Amazon server without any protection in place.

Chris Vickery has uncovered many other notable cases of databases exposed on the Internet. In July 2017, he discovered data belonging to 14 million U.S.-based Verizon customers exposed on an unprotected AWS server by a partner of the telecommunications company. In December 2015, he discovered 191 million records belonging to US voters online, and in April 2016 a 132 GB MongoDB database open online containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, holding details of over 198,000 users.

In January 2017, he discovered an open Rsync server hosting the personal details of at least 200,000 IndyCar racing fans.

In March 2017, he reported a leak of 1.37 billion records, and in June 2017 he revealed that the firm DRA had left 1.1 TB of data, including 198 million US voter records, unsecured in an Amazon S3 bucket.

Recently also the giant Deloitte suffered an embarrassing incident that exposed clients’ secret emails.


Microsoft addresses CVE-2017-11826 Office Zero-Day used to deliver malware
14.10.2017 securityaffairs Vulnerability

Microsoft October Patch Tuesday addresses the CVE-2017-11826 Office Zero-Day vulnerability that has been exploited in the wild in targeted attacks.
Yesterday we discussed the three critical Windows DNS client vulnerabilities tied to DNSSEC that Microsoft’s October Patch Tuesday addressed.

Looking more closely at the October 2017 Patch Tuesday updates, Microsoft addressed a total of 62 vulnerabilities, including an Office zero-day flaw that has been exploited in the wild in targeted attacks.

The vulnerability, tracked as CVE-2017-11826, is a memory corruption issue affecting all supported versions of Office; Microsoft rated it “important” rather than critical. A remote attacker can exploit it to execute arbitrary code by tricking the victim into opening a specially crafted file.

“A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. ” reads the security advisory published by Microsoft.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software.”

The vulnerability was spotted by researchers at the China-based security firm Qihoo 360, who confirmed they had first observed an attack exploiting this flaw on September 28.

The attacks aimed at a small number of organizations; the attackers triggered CVE-2017-11826 by using malicious RTF files.

“On September 28, 2017, Qihoo 360 Core Security (@360CoreSec) detected an in-the-wild attack that leveraged CVE-2017-11826, an office 0day vulnerability. This vulnerability exists in all the supported office versions. The attack only targeted limited customers. The attacker embedded malicious .docx in the RTF files.” reads the blog post published by Qihoo 360.

“This attack that Qihoo 360 detected in the wild is initiated with RTF (Rich Text Format) files. The RTF file contains highly targeted phishing subfiles to allure user to open.”
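The delivery technique described above, a .docx payload embedded inside an RTF carrier, is something a defender can triage before the file ever reaches Office. The script below is an added example written for this article, not code from Qihoo 360 or Microsoft: it pulls every `\objdata` hex blob out of an RTF file and reports whether the decoded bytes contain a ZIP container (the docx/xlsx format) or an OLE compound document. It assumes the RTF stores the object as plain hex after `\objdata`; real samples may split or obfuscate that hex, so treat a clean result as "nothing found", not as "safe". The sample RTF strings are constructed inline.

```python
import binascii
import re

ZIP_MAGIC = b"PK\x03\x04"          # docx/xlsx/pptx are ZIP containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0"    # OLE compound document (doc, xls, OLE1 package)

# \objdata is followed by a run of hex digits (whitespace allowed) ending at '}'
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes):
    """Return the decoded bytes of every \\objdata hex blob found in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]   # drop a dangling nibble rather than abort the scan
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except binascii.Error:
            continue
    return blobs


def triage_rtf(rtf: bytes):
    """Classify each embedded object; an empty list means no \\objdata blob was found."""
    findings = []
    for index, blob in enumerate(extract_objdata(rtf)):
        if ZIP_MAGIC in blob:
            findings.append((index, "embedded ZIP container (docx/xlsx) in \\objdata"))
        elif OLE_MAGIC in blob:
            findings.append((index, "embedded OLE compound document in \\objdata"))
        else:
            findings.append((index, "embedded object of unknown type"))
    return findings


def _rtf_with_object(blob: bytes) -> bytes:
    """Build a minimal RTF wrapper around an embedded object (constructed test data)."""
    return (
        b"{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
        + binascii.hexlify(blob)
        + b"}}\\par }"
    )


# Constructed samples: an OLE1 header stub followed by a ZIP header, and a benign file.
SAMPLE_DOCX_IN_RTF = _rtf_with_object(b"\x01\x05\x00\x00" + ZIP_MAGIC + b"\x00" * 16)
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par }"

if __name__ == "__main__":
    for name, data in (("docx-in-rtf", SAMPLE_DOCX_IN_RTF), ("benign", SAMPLE_BENIGN_RTF)):
        print(name, triage_rtf(data))
```

Run against a mail gateway quarantine or a sandbox's dropped files, a hit on the ZIP or OLE branch is a reason to detonate the file rather than deliver it; the script deliberately does not try to parse the Office document itself.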

According to Qihoo 360, the analysis of the command and control (C&C) server used by the attackers revealed the operation was initiated in August and the first attacks were launched in September.

The campaign observed by Qihoo 360 was spreading a Trojan designed to steal sensitive information from target devices.


The Qihoo 360 researchers added the attack also involved a DLL hijacking vulnerability in a “well-known” security software.

Upon detecting the CVE-2017-11826 zero-day, Qihoo 360 released a hot patch that is available in its latest updates. The experts highlighted that attacks using Office zero-day vulnerabilities against common users have been increasing since the beginning of 2017.


Israeli hackers caught Russian cyber spies abusing Kaspersky AV to steal NSA secrets
14.10.2017 securityaffairs BigBrothers

Israeli hackers compromised the Kaspersky infrastructure and caught Russian spies using the AV tool to harvest NSA exploits. Kaspersky was not aware of the hack.
There is still a heated discussion about the alleged hack of Kaspersky’s antivirus and its use to steal an NSA exploit from a US subcontractor.

Explosive new revelations put at risk the US-Israeli cooperation.

Israeli cyber spies looked on as Russian state-sponsored hackers breached Kaspersky software two years ago to gather data on US intelligence programs.

The Israeli agents discovered the Russian offensive after they also hacked into the Kaspersky software. This revelation clarifies the position of the security firm that was aware that its software was hacked by the intelligence agencies.

Last month, the US government decided to stop using the Russian firm’s software on its computers.

The Israelis reported the discovery to US intelligence; in response, the US Government banned the Russian firm’s solutions from US Government agencies.

“It was a case of spies watching spies watching spies: Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs.” reported The New York Times.

“The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported, leading to a decision just last month to order Kaspersky software removed from government computers.”

The Russian operation, which allowed the attackers to steal classified documents from an NSA employee who had stored them on his PC running Kaspersky’s antivirus software, was described by “multiple people who have been briefed on the matter”.

The Russian hackers compromised Kaspersky’s servers to harvest any code detected by the antivirus that matched known indicators of compromise for NSA exploits.

“The role of Israeli intelligence in uncovering [the Kaspersky] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed,” the NYT reported.

The NSA, the White House and both Israeli and Russian embassies have not commented on the matter.

Kaspersky has published a statement claiming it is not involved in the Russian operation and confirming it was itself a victim of the events.


Kaspersky Lab (@kaspersky), Oct 11, 2017: “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts.”

“As the integrity of our products is fundamental to our business, Kaspersky Lab patches any vulnerabilities it identifies or that are reported to the company,” the statement said.

“Kaspersky Lab reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems, and respectfully requests any relevant, verifiable information that would enable the company to begin an investigation at the earliest opportunity.”

At this time it is not clear what information was exfiltrated by the Russian hackers, and probably we will never know, but it seems that the Kremlin’s cyber spies remained inside the corporate network for two years.

Eugene Kaspersky announced an internal investigation into the facts reported by the media.

Eugene Kaspersky (@e_kaspersky), Oct 11, 2017: “I am launching internal investigation to cross-check. If US LEA has relevant facts - please share.”

Kaspersky hacked by Russian hackers

In 2015, Kaspersky detected a sophisticated cyber attack against its infrastructure; the hackers leveraged a sophisticated strain of malware tracked as Duqu.

Experts linked Duqu to the Tilded Platform, the same factory behind Stuxnet, which was known to have been developed by Israel and the US.

Researchers with Kaspersky named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”

The security firm was also infected by the Duqu 2.0 spyware, which was once again linked to the American-Israeli-developed Stuxnet malware.

In response to the recent revelation on the Kaspersky hack, Symantec CEO Greg Clark told Reuters that his company will no longer let governments inspect its source code.

Other concerns relate to the fact that HPE allowed Russians to review the code of the ArcSight software, which is also used by the Pentagon.


Kaspersky spotted ATMii, a new strain of ATM malware
14.10.2017 securityaffairs Virus

Security researchers from Kaspersky Lab have discovered a new strain of ATM malware dubbed ATMii that could be used to empty an ATM.
Security researchers from Kaspersky Lab have discovered a new strain of ATM malware dubbed ATMii. The malware was discovered in April this year; it consists of an injector module (exe.exe) and the module to be injected (dll.dll). Crooks can use ATMii to drain available cash from targeted machines.

Cyber criminals need direct access to a target ATM, either physically or over the network, to install the malicious code.

The injector is an unprotected command-line application written in Visual C, with a fake compilation timestamp dating back four years.

The malicious code works on Windows XP and later, which are the operating systems most ATMs run.

According to the analysis, the injector is poorly written; it targets the proprietary ATM software process atmapp.exe.

“The injector, which targets the atmapp.exe (proprietary ATM software) process, is fairly poorly written, since it depends on several parameters. If none are given, the application catches an exception.” reads the analysis.

The supported parameters include:

/load, which attempts to inject dll.dll into atmapp.exe.
/cmd, which creates or updates the C:\ATM\c.ini file to pass commands and parameters to the infected library.
/unload, which tries to unload the injected library from the atmapp.exe process, while restoring its state.
The available commands allow crooks to dispense a desired amount of cash, retrieve information about the ATM’s cash cassettes, and completely remove the C:\ATM\c.ini file from the ATM.

Once injected, in its DllMain function the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with the function mWFSGetInfo.

The injected module attempts to find the ATM’s CASH_UNIT service id and stores the result.

If successful, all subsequent calls are redirected to the mWFSGetInfo function, which parses and executes the commands from the C:\ATM\c.ini file.

“ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control.” concluded Kaspersky.

“The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.”


ASD revealed hacker stole 30GB of sensitive data on Australia’s military capabilities
13.10.2017 securityaffairs BigBrothers

Australia’s foreign intelligence agency ASD has revealed that sensitive military information was stolen by hackers who breached a Department of Defence contractor.
Australia’s foreign intelligence agency, the Australian Signals Directorate (ASD), admitted that a hacker stole over 30 GB of military documents. The stolen data includes details on fighter jets, military aircraft, and naval ships.

The hacker stole the huge trove of confidential data on military capabilities from an unnamed Department of Defence contractor. The ASD spokesperson Mitchell Clarke, who revealed the incident, confirmed that no “top secret” data was compromised, but the breach included sensitive information not publicly accessible.

The intelligence agency dubbed the hacker “Alf,” after a character in the “Home and Away” Australian TV soap opera.


The stolen files include confidential information, diagrams, plans and details about the country’s arsenal, such as details on the new F-35 Joint Strike Fighter jet, the Boeing P-8 Poseidon submarine-hunting airplane, Lockheed Martin C-130 transport aircraft, JDAM guided bombs, and data on “some naval ships.”

“That ITAR data included information on the [F-35] Joint Strike Fighters, the C-130, the P-8 Poseidon, the JDAM – that’s a smart bomb – and a few Australian naval vessels,” Mr Clarke said.


According to The Sydney Morning Herald, some of the stolen data was linked to the International Traffic in Arms Regulations, a US regulatory regime.

“A CYBER attack was successfully carried out by hackers who gained access to the computer system of a national security contractor last year.” reported the website news.com.au.

“The Federal Government is set to reveal details about the hack today when Assistant Minister for Cyber Security Dan Tehan launches the Australian Cyber Security Centre’s (ACSC) annual threat report.”

The data breach dates back to July 2016, but the ASD only discovered it in November 2016, when a “partner organization” notified the agency.

According to the ASD, the root cause of the incident was the use of weak passwords for authentication on some of the systems used by the defense contractor.

The defense contractor has roughly 50 employees and only one of them was tasked with securing its network.

ASD experts who conducted the forensic investigation on the breached servers found evidence of the China Chopper web shell, which is likely associated with the intrusion.

At this time the threat actor’s motivation is still unclear.

“It could have been a state actor, it could have been cyber criminals, and that’s why it was taken so seriously,” Mr Tehan said.

“We’re not 100 per cent sure, and that’s one of the difficulties of this area.”


Swiss BPC banking software SmartVista is vulnerable to SQL Injection attacks
13.10.2017 securityaffairs Vulnerability

The suite of payment infrastructure and management systems SmartVista created by the BPC Group is vulnerable to SQL Injection attacks.
Researchers at security firm Rapid7 have publicly disclosed a SQL injection vulnerability affecting the financial platform SmartVista after they couldn’t raise a response from the vendor.

SmartVista is a suite of payment infrastructure and management systems created by BPC Group.

SmartVista is a financial product from BPC Banking; Rapid7 experts analyzed it and reported the flaw to the vendor back in May 2017.

The US CERT Coordination Center and SwissCERT published alerts after the public disclosure of the flaw.

Even though the vulnerability can be triggered only by a user authenticated to the front end (SmartVista’s Transactions interface), the attacker can use it to access sensitive data.

“Today we are announcing a SQL injection vulnerability discovered in BPC’s SmartVista, a suite of products related to e-commerce and other financial transaction operations,” reads the analysis published by Rapid7. “Exploiting this vulnerability requires authenticated access to the Transactions portion of SmartVista Front-End. A successful exploitation can yield sensitive data, including usernames and passwords of the database backend. This vulnerability is characterized as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).”

Users authenticated to the platform with access to the Transactions interface are provided with three input fields:

“Card Number”
“Account Number”
“Transaction Date from”
Rapid7 experts discovered that the front end lacks input validation: it doesn’t sanitize the card number or account number input fields used in the transaction module.


The Card Number field only accepts the exact card number to provide output. The researchers noticed that without knowing a card number beforehand, an attacker can launch a Boolean-based SQL injection through this field.

However, the database responded with a five second delay when Boolean true statements (such as ‘ or ‘1’=’1) were provided, resulting in a time-based SQL injection vector.

An attacker can use this trick to brute-force queries against the database, exposing information from accessible tables.

An attacker adept at scripting could go a long way, the post explains:

“to access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as “Does the first character, of the first row, in the user’s column start with ‘a’?” On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.” continues the analysis.

Rapid7 suggests that companies using SmartVista press BPC Banking to issue a security update; meanwhile, the adoption of a Web Application Firewall (WAF) could help protect the platform from SQL injection attacks.
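The CWE-89 defect Rapid7 describes, and the fix a vendor patch would need to carry, can be shown side by side on a toy version of the Transactions lookup. The block below is an added example written for this article, not BPC’s code or Rapid7’s proof of concept: it uses an in-memory SQLite table as a stand-in for the real Oracle back end (whose schema is not public), builds the card-number query the vulnerable way, then the hardened way with an allow-list check plus a bound parameter, and feeds both the Boolean probe quoted above. The table contents and the 13-19 digit card-number rule are constructed assumptions.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the Transactions back end (assumption: not BPC's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (card_number TEXT, account_number TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?)",
        [
            ("4111111111111111", "ACC-0001", 10.00),
            ("5500000000000004", "ACC-0002", 25.50),
            ("340000000000009", "ACC-0003", 99.00),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, card_number: str):
    """The missing-validation pattern: the field value is spliced into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = (
        "SELECT card_number, amount FROM transactions "
        "WHERE card_number = '" + card_number + "'"
    )
    return conn.execute(sql).fetchall()


# Allow-list for the Card Number field (assumed rule: 13 to 19 digits, nothing else).
CARD_RE = re.compile(r"^[0-9]{13,19}$")


def lookup_hardened(conn: sqlite3.Connection, card_number: str):
    """Reject anything that is not a card number, then bind the value as a parameter
    so the database driver never interprets it as part of the statement."""
    if not CARD_RE.fullmatch(card_number):
        raise ValueError("card number must be 13-19 digits")
    return conn.execute(
        "SELECT card_number, amount FROM transactions WHERE card_number = ?",
        (card_number,),
    ).fetchall()


def demo() -> dict:
    """Run the Boolean probe from the article against both lookups."""
    conn = build_demo_db()
    probe = "' or '1'='1"

    leaked = lookup_vulnerable(conn, probe)          # predicate is always true: every row

    # Parameter binding alone: the probe is just a string that matches no card.
    bound_only = conn.execute(
        "SELECT card_number, amount FROM transactions WHERE card_number = ?", (probe,)
    ).fetchall()

    try:                                             # validation plus binding: rejected up front
        lookup_hardened(conn, probe)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_rows": len(leaked),
        "bound_only_rows": len(bound_only),
        "hardened_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are deliberately layered: parameter binding is what removes the injection, while the allow-list keeps junk input from ever reaching the database and gives the application a clear place to log rejected probes, which is the signal a WAF or SIEM rule can alert on.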


Equifax website redirected visitors to fake Flash update, it’s malvertising
13.10.2017 securityaffairs CyberCrime

Equifax service set up for obtaining free and discounted credit reports had been redirecting users to websites offering a fake Flash Player installer.
The independent security analyst Randy Abrams discovered an Equifax service set up for obtaining free and discounted credit reports had been redirecting users to websites offering a fake Flash Player installer.

“As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.” Abrams said in a blog post.


Crooks redirected users to websites used to serve adware and scams; the browsing session was taken through multiple domains before the final landing page was reached.


The compromised Equifax webpage (aa.econsumer.equifax.com) was promptly sanitized by the company.

Crooks were redirecting users depending on the type of device and their geographical location, for example, both Android and iOS users were served with fake updates, premium SMS services, and other fraudulent sites.

The company confirmed the problem affected the credit report assistance link on its website.

“We are aware of the situation,” a spokesman said. “Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline.”


What’s happened?

It seems that Equifax wasn’t hacked again; instead, the compromise occurred at a third-party ad network or analytics provider, which is the root cause of the redirect.

The hypothesis was confirmed by the security researcher Kevin Beaumont, who blamed a third-party ad network or analytics provider for the redirects.

Kevin Beaumont (@GossiTheDog), Oct 12, 2017: “Looked into this briefly at lunch. Looks like Equifax use SDK by @ironSource, who maybe are delivering malvertising”, linking to the Ars Technica article “Equifax website hacked again, this time to redirect to fake Flash update” (https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/).

A few days ago, Equifax announced that an additional 2.5 million U.S. consumers were exposed as a result of the massive data breach that affected the company in September. The credit reporting agency confirmed that a total of 145.5 million individuals have been exposed; hackers accessed names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.


Results and forecasts: Group-IB presented Hi-Tech Crime Trends 2017 report
13.10.2017 securityaffairs CyberCrime

Hi-Tech Crime Trends 2017 – Banks, power stations and cryptocurrency exchanges are forecast to be the most likely targets for hacking in the near future
Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud, presented its Hi-Tech Crime Trends 2017 report at CyberCrimeCon.


In the next year, the main source of losses for banks from cyber-attacks will not be theft of money, but destruction of their IT infrastructure during the final stages of a targeted attack. Banks used to be attacked by cybercriminals. Today, state-backed hackers are also doing this much more frequently. By destroying IT infrastructure cybercriminals will attempt to cover their tracks during thefts, while the aim of state-sponsored hackers will be to maximize the damage to banks and discontinue banking operations. In both cases, the damage done to banks may be even greater than the amount of funds stolen due to service interruptions and the resulting reputational and regulatory impact.

One of the possible sabotage scenarios may be trading on exchanges on behalf of the victim bank in order to influence exchange rates and cause losses. This can lead to snowballing style flash crashes as HFT trading algorithms respond to fluctuations in exchange rates.
Out of 22 new malicious programs used to steal funds, 20 (91%) were created and are controlled by Russian-speaking hackers.
Phishing for banks and payment systems is automated and conducted in real time, which allows cybercriminals to bypass SMS confirmations for debiting money. On average, 10-15% of visitors of financial phishing websites enter their data.
Hackers are increasing their focus on the crypto industry (ICO, wallets, exchanges, funds), which have been accumulating increasingly large capitalisations and funds. In technical terms, the attacks against service providers in this sector are no more difficult than against banks, however the information security in place and maturity of blockchain companies is significantly lower. A further motivation for criminal attackers is that blockchain technologies are more anonymous and unregulated – this considerably reduces the risk of being caught during money withdrawal.

The total damage caused by targeted hacker attacks on the crypto-currency industry amounts to more than $168 million, and the income from attacks on cryptocurrency exchanges varies from $1.5 million (Bitcurex) to $72 million (Bitfinex). While a successful attack on a bank brings criminals only about $1.5 million on average.
Attacks on cryptocurrency exchanges are conducted in the same way as targeted attacks on banks, with similar or sometimes identical tools and tactics. For example, cybercriminals use fake IDs to obtain the victim’s SIM card, recover passwords and gain control over accounts in cryptocurrency services.
The fact attackers are “retargeting” popular banking Trojans such as TrickBot, Vawtrak, Qadars, Tinba, Marcher to collect logins and passwords of cryptocurrency users suggests that they have found a new niche and might focus outside of the traditional banking sector in the nearest future.
Targeted attacks on cryptocurrency exchanges will be carried out not only by financially motivated hackers but by state-sponsored attackers as well.
Hackers will now successfully attack more industrial facilities as they have learnt how to work with the “logic” of critical infrastructure. These facilities use complex and unique IT systems: even if one gains access to them, specific knowledge about the principles of their operation is needed to conduct attacks. Over the past year, we have observed that hackers’ competence has increased along with their capacities to impact critical infrastructure. Therefore, we now forecast new large-scale incidents targeting industrials and related core infrastructure.

BlackEnergy group continues to attack financial and energy companies. The group uses new tools that allow Remote terminal units (RTUs) responsible for the physical opening/closing of power grids to be remotely controlled. Test attacks on power generating companies in the UK and Ireland were tracked in the summer of 2017.

HI-TECH CRIME MARKET ASSESSMENT

The growth in the number of attacks and the totals stolen is a significant indicator of hackers’ capabilities, which drive changes in their tactics and targets. The majority of attackers follow the money, and if they find more efficient and safer ways to earn it, they start investing in them, creating new tools, services, and attack schemes.

In Russia, the amount of losses caused by theft from legal entities is still in decline, but the loss caused by Android banking Trojans is still on the increase. The number of targeted attacks on banks and payment systems is on the rise, but hackers have earned the majority of their profits outside Russia, as we predicted last year.

After phishing attacks on bank clients and payment systems were fully automated, the amount of loss from their activity in Russia became very significant. Every day they attack many more users than banking Trojans, but the net amount of loss is still smaller. However, due to the simplicity of this scheme, an increasing number of criminals are starting to use it.

Development of Hacking Tools

Fileless malware using malicious scripts to launch an attack is a new and currently the primary attack method. To slip under the radar, hackers use fileless software that exists only in RAM until the system is rebooted. That said, malicious PowerShell, VBS, PHP scripts help them to ensure persistence in the system and automate some stages of their attacks.
NotPetya has demonstrated that creating a template can be enough to gain control over a corporate network. In the future, we should expect many scripted cyber-attacks as well as ready-made simple tools that can gain control over corporate domains automatically. If such tools are made publicly available or are sold among hackers, this can lead to an avalanche in growth of attacks on the corporate sector. We primarily expect more incidents involving ransomware, theft of confidential information and extortion for non-disclosure, money theft, and incidents of public exposure by non-financially motivated hackers.
We expect malware developers to be more active in continuing to publish codes of their programs online. In addition, leaks published by The Shadow Brokers and similar organisations will also be immediately used for malware creation and improvement. This will give a powerful boost to the development of the cybercrime industry.
The full version of Hi-Tech Crime Trends 2017 is available on the Group-IB website: https://www.group-ib.com.


North Korea Hacked Seoul's War Plans: Report
10.10.2017 securityweek BigBrothers

North Korean computer hackers have stolen hundreds of classified military documents from South Korea including detailed wartime operational plans involving its US ally, a report said Tuesday.

Rhee Cheol-Hee, a lawmaker for the ruling Democratic party, said the hackers had broken into the South's military network last September and gained access to 235 gigabytes of sensitive data, the Chosun Ilbo daily reported.

Among the leaked documents was Operational Plans 5015 for use in case of war with the North and including procedures for "decapitation" attacks on leader Kim Jong-Un, the paper quoted Rhee as saying.

Rhee, a member of parliament's defence committee, could not be reached for comment but his office said he had been quoted correctly.

The report comes amid heightened fears of conflict on the Korean peninsula, fuelled by US President Donald Trump's continued threats of military action against Pyongyang to tame its weapons ambitions.

In his latest tweet over the weekend, Trump reiterated that diplomatic efforts with North Korea have consistently failed, adding that "only one thing will work".

Citing Seoul's defence ministry, Rhee said that 80 percent of the leaked documents had yet to be identified.

But the contingency plan for the South's special forces was stolen, he said, as well as details about annual joint military drills with the US and information on key military facilities and power plants.

A ministry spokesman declined to confirm the report, citing intelligence matters.

In May the ministry said North Korea had hacked into Seoul's military intranet but did not say what had been leaked.

Pyongyang has a 6,800-strong unit of trained cyber-warfare specialists, according to the South Korean government. It has been accused of launching high-profile cyber-attacks including the 2014 hacking of Sony Pictures.

The Chosun Ilbo story was the second report Tuesday of military-related cyber-attacks in the Asia-Pacific.

Australia's government said separately an unidentified defence contractor had been hacked and a "significant amount of data" stolen.

There were 47,000 cyber-incidents in the last 12 months, a 15 percent increase from the previous year, Minister for Cyber Security Dan Tehan said in Canberra as he launched a report by the Cyber Security Centre.

The defence contractor was exploited via an internet-facing server, with the cyber-criminals using remote administrative access to remain in its network, the report said.

The Australian newspaper reported that the hacker was based in China but Tehan told the Australian Broadcasting Corporation that "we don't know and we cannot confirm exactly who the actor was".


Iranian Cyberspies Use New Trojan in Middle East Attacks
10.10.2017 securityweek BigBrothers
A cyberespionage group previously linked to Iran has been using a new Trojan in attacks aimed at entities in the Middle East, Palo Alto Networks reported on Monday.

The threat actor, known as OilRig, was recently spotted launching attacks against an organization within the government of the United Arab Emirates (UAE).

When it first discovered the group’s activities back in May 2016, Palo Alto Networks believed the attacks had been carried out by a known group, but researchers later determined that the campaign was actually the work of a new actor, which is now tracked as OilRig.

OilRig has been known to use a remote access trojan (RAT) named ISMDoor, which researchers also identified in attacks launched by another Iran-linked cyberspy group known as Greenbug.

In attacks seen by Palo Alto Networks in July 2017, OilRig had started using a new piece of malware dubbed “ISMAgent,” which appeared to be a variant of the ISMDoor RAT. In even more recent attacks, observed by experts in August 2017, a new injector Trojan was used by the attackers.

The new malware, tracked as “ISMInjector,” is a tool that has a sophisticated architecture and it includes anti-analysis techniques that were not previously leveraged by this group.

“The complex structure and inclusion of new anti-analysis techniques may suggest that this group is increasing their development efforts in order to evade detection and gain higher efficacy in their attacks,” Palo Alto Networks researchers said in a blog post.

In the attack aimed at the UAE government, hackers delivered their malware using malicious documents attached to emails with the subject line “Important Issue.” What made the emails interesting was the fact that they came from the targeted organization’s own domain. While experts initially believed that the attackers had spoofed the sender, they later determined that they actually used a compromised Outlook Web Access (OWA) account whose credentials they obtained in a previous phishing attack.

The malicious documents sent to the UAE government, tracked by Palo Alto as “ThreeDollars,” delivered the new ISMInjector Trojan, which in turn dropped a variant of the ISMAgent backdoor by injecting it into a remote process it created.

In order to make analysis of ISMInjector more difficult, the malware’s developers have relied on what researchers call “state machines” to create a new process and inject the payload into that process. Each state is responsible for conducting a particular action and it specifies the next state that should be executed.

Since the states are not executed in sequential order, researchers analyzing the malware have to jump around in the code to determine how it works, which makes it more challenging to investigate the threat. Analysis of the malware is further complicated by the use of a crypter.

Iran appears to have several cyber espionage groups, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.


FormBook malware used in high-volume distribution campaigns targeting organizations in the US and South Korea
10.10.2017 securityaffairs Virus

Crooks are spreading the FormBook malware to target aerospace firms, defense contractors and manufacturing organizations in the US and South Korea.
According to researchers at FireEye, FormBook was spotted in several high-volume distribution campaigns aimed at the aerospace, defense contractor and manufacturing industries.

The phishing emails that targeted US entities carried PDF, DOC or XLS attachments, while South Korean targets received emails containing malicious archive files (ZIP, RAR, ACE and ISO) with executable payloads.

FormBook is a data-stealing malware used for espionage purposes; like other spyware it is capable of extracting data from HTTP sessions, logging keystrokes and stealing clipboard contents.

FormBook can also receive commands from a command-and-control (C2) server to perform many malicious activities, such as downloading more payloads.

“The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.” states the analysis published by FireEye.

According to the researchers, one of the most interesting features implemented by the malware authors allows the malicious code to read “Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective.”

Researchers explained that FormBook’s ease of use and its pricing structure make it attractive both to skilled crooks and to wannabe cyber criminals who are just entering the cyber arena.

FormBook has been offered for sale in the criminal underground since July; prices range from $29 a week up to $299 for the full “pro” package. Customers pay for access to the panel and generate their executable files as a service.


The C&C infrastructure relies on newer generic top-level domains such as ‘.site’, ‘.website’, ‘.tech’, ‘.online’ and ‘.info’.

C&C servers are hosted at the Ukrainian hosting provider BlazingFast.io; the presence of multiple FormBook panel installations could be indicative of an affiliate model.

The FormBook malware injects itself into browser and other processes (e.g. iexplore.exe, firefox.exe, chrome.exe) and installs different function hooks depending on the target process.

“Targeted process names include, but are not limited to: iexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe, explorer.exe, opera.exe, safari.exe, torch.exe, maxthon.exe, seamonkey.exe, avant.exe, deepnet.exe, k-meleon.exe, citrio.exe, coolnovo.exe, coowon.exe, cyberfox.exe, dooble.exe, vivaldi.exe, iridium.exe, epic.exe, midori.exe, mustang.exe, orbitum.exe, palemoon.exe, qupzilla.exe, sleipnir.exe, superbird.exe, outlook.exe, thunderbird.exe, totalcmd.exe. After injecting into any of the target processes, it sets up user-mode API hooks based on the process.” continues the analysis.

The experts at FireEye detected two distinct email campaigns with different attachments between Aug. 11 and Aug. 22, and an additional campaign between July 18 and Aug. 17.

One of the campaigns used PDF attachments and hackers leveraged FedEx and DHL shipping and package delivery themes. The PDFs include links to the “tny.im” URL-shortening service, which then redirected to a staging server that contained FormBook executable payloads.

In other campaigns, crooks leveraged DOC and XLS attachments containing malicious macros or emails containing ZIP, RAR, ACE, and ISO attachments that included the executable files of the FormBook malware.

Take a look at the FireEye report; it is full of interesting data and statistics on each campaign the experts detected.


4G/5G Wireless Networks as Vulnerable as WiFi and putting SmartCities at Risk
10.10.2017 securityaffairs Mobil

Researchers from security firm Positive Technologies warn that 4G/5G wireless networks are as vulnerable as WiFi, putting smart cities at risk.
The Internet of Things (IoT) presents many new opportunities and some different challenges. The vast number of devices makes it very expensive to connect everything with traditional network cabling and in many cases the equipment only supports wireless connectivity.

Many consumer IoT devices rely on WiFi networks, and we are already seeing the security challenges of these technologies. The largest Denial of Service (DoS) attacks to date leveraged consumer IoT equipment (the Mirai botnet), and there are many stories of bad actors spying on people through their unsecured webcams.

While WiFi is widely adopted in homes, it doesn’t scale well to large commercial installations like Industrial IoT in manufacturing, energy or SmartCities.

As communications carriers deploy expansive 4G/5G wireless networks, these are becoming the infrastructure of choice for commercial IoT. Unfortunately, although managed by professionals, they still have many vulnerabilities that can raise risk unexpectedly. We already knew that the SMS messaging system is flawed and cannot be relied upon for secure messaging.

Now security vendor, Positive Technologies, is warning that a fundamental protocol of 4G/5G Wireless Networks creates three potential risks.

“Detected vulnerabilities pose a threat to intelligent traffic lights and street lighting; electronic road signs; information displays at bus stops; and other smart city features that are commonly connected to mobile networks of the fourth generation. Positive Technologies revealed these flaws in mobile networks, which are also relevant to future 5G networks, as part of security assessment conducted in 2016 and 2017.” reads the report published by Positive Technologies.

“Vulnerability exploitation techniques specified in the report are based on flaws of the GTP protocol. They do not require an attacker to possess any sophisticated tools or skills, instead they simply need a laptop, a free software installer for penetration tests, and basic programming skills.”

You have probably heard of Voice over IP (VoIP), a technique that converts voice into discrete data packets. Once converted, voice conversations can be sent over the same network as computer-to-computer data (email, streaming video, etc.).

4G networks rely on the Evolved Packet Core (EPC), which in turn uses the GPRS Tunnelling Protocol (GTP): GTP-U tunnels carry subscriber traffic between the base stations and the core gateways, and the control-plane variant, GTPv2-C, sets those tunnels up and tears them down, which is what lets voice and data share one packet network. It is in GTP that the most recent flaws were discovered.


On its own, the protocol includes no encryption and no authentication of its peers, so isolation and authentication must be provided elsewhere, by the surrounding network (for example IPsec between core nodes) or by the applications.

“The mobile network infrastructure is based on a set of telephony signaling protocols, developed in 1975, when security wasn’t a consideration but was less of a risk as only a few people had access. Today that’s no longer true. Access has spiralled yet security is still non-existent,” explains Michael Downs, Director of Telecoms Security (EMEA) of Positive Technologies.

Positive Technologies describes three different potential attacks:

Information leakage: with access to the network, bad actors can discover information about other nodes connected to it (e.g. location, firmware versions, etc.).
Denial of service: GTP is used to create an isolated communications channel, but it is not completely isolated. Several users’ communications are combined in a single channel, and it is possible for one of those users to tear down the tunnel for all of them.
Complete takeover: many IoT devices run simple, unpatched IP and system stacks. Known and yet-to-be-discovered vulnerabilities exist in these devices, and the lack of encrypted isolation means they are remotely reachable and perhaps remotely exploitable.

Like WiFi and Bluetooth, the mobile core is not inherently secure. If you need to rely on these networks for secure communications, you need to add security controls of your own. As always, you are accountable for your own security.
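To make the protocol discussion concrete, here is an added example (Python; it is not code from the Positive Technologies report) that parses the GTPv2-C header and information elements as laid out in 3GPP TS 29.274 and applies the kind of check a core-network operator can add in front of a gateway: control-plane messages that tear down a subscriber’s tunnel, or echo probes used to enumerate nodes, are flagged when they arrive from a peer that is not on the expected list. The two datagrams and the peer addresses are constructed by hand.

```python
# Added example (not from the Positive Technologies report): a minimal
# GTPv2-C (3GPP TS 29.274) header and IE parser, plus a check that flags
# session-teardown messages arriving from a peer that is not in the
# operator's expected list. Packets below are constructed by hand.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MSG_NAMES = {
    1: "Echo Request", 2: "Echo Response",
    32: "Create Session Request", 33: "Create Session Response",
    34: "Modify Bearer Request", 35: "Modify Bearer Response",
    36: "Delete Session Request", 37: "Delete Session Response",
    99: "Delete Bearer Request", 100: "Delete Bearer Response",
}
TEARDOWN_TYPES = {36, 99}   # accepting one of these drops a subscriber's tunnel

@dataclass
class GtpV2Message:
    version: int
    piggyback: bool
    has_teid: bool
    msg_type: int
    length: int          # octets following the first 4 header octets
    teid: int            # 0 when has_teid is False
    seq: int
    ies: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (type, instance, value)

    @property
    def name(self) -> str:
        return MSG_NAMES.get(self.msg_type, f"type {self.msg_type}")

def parse_gtpv2(data: bytes) -> GtpV2Message:
    """Header: flags(1) type(1) length(2) [TEID(4)] seq(3) spare(1), then IEs."""
    if len(data) < 8:
        raise ValueError("short GTPv2 header")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    version = flags >> 5
    if version != 2:
        raise ValueError(f"not GTPv2 (version field {version})")
    piggyback = bool(flags & 0x10)
    has_teid = bool(flags & 0x08)
    if 4 + length != len(data):
        raise ValueError("length field does not match datagram size")
    off, teid = 4, 0
    if has_teid:
        teid = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    seq = int.from_bytes(data[off:off + 3], "big")   # 3-octet sequence number
    off += 4                                           # plus one spare octet
    msg = GtpV2Message(version, piggyback, has_teid, msg_type, length, teid, seq)
    # Information elements: type(1) length(2) CR|instance(1) value(length)
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated IE header")
        ie_type, ie_len, ie_inst = struct.unpack("!BHB", data[off:off + 4])
        value = data[off + 4: off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated IE value")
        msg.ies.append((ie_type, ie_inst & 0x0F, value))
        off += 4 + ie_len
    return msg

def build(msg_type: int, seq: int, ies: bytes, teid: Optional[int] = None) -> bytes:
    """Constructed test messages; the inverse of parse_gtpv2 for round-trips."""
    body = (struct.pack("!I", teid) if teid is not None else b"") \
           + seq.to_bytes(3, "big") + b"\x00" + ies
    flags = (2 << 5) | (0x08 if teid is not None else 0)
    return struct.pack("!BBH", flags, msg_type, len(body)) + body

def suspicious(pkt: bytes, src_ip: str, trusted_peers: set) -> List[str]:
    """Reasons a control-plane datagram deserves attention; empty = fine."""
    try:
        msg = parse_gtpv2(pkt)
    except ValueError as e:
        return [f"malformed: {e}"]
    if src_ip in trusted_peers:
        return []
    reasons = [f"{msg.name} from unknown peer {src_ip}"]
    if msg.msg_type in TEARDOWN_TYPES:
        reasons.append("tunnel teardown attempt from outside the core")
    elif msg.msg_type == 1:
        reasons.append("echo probe (node discovery) from unknown peer")
    return reasons

# Constructed samples. Recovery IE (type 3, one octet) is the only IE used.
RECOVERY_IE = bytes([3, 0, 1, 0, 0x11])
ECHO_REQ = build(1, seq=1, ies=RECOVERY_IE)
DELETE_SESSION = build(36, seq=77, ies=b"", teid=0x0ABCDEF1)

if __name__ == "__main__":
    print(parse_gtpv2(ECHO_REQ))
    print(suspicious(DELETE_SESSION, "203.0.113.9", {"10.0.0.1"}))
```

The peer check is deliberately simple: the protocol itself gives you nothing to authenticate with, so whatever list of legitimate SGW/PGW/MME addresses you enforce has to come from the operator’s own inventory, and it has to be enforced at the network edge, not by the device that the tunnel serves.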


Warning: Millions Of P0rnHub Users Hit With Malvertising Attack
10.10.2017 thehackernews  Virus

Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.
Active for more than a year and still ongoing, the campaign is run by a group called KovCoreG, which is well known for distributing the Kovter ad-fraud malware; Kovter was used in malicious ad campaigns in 2015 and, most recently, earlier in 2017.
The KovCoreG hacking group initially took advantage of P0rnHub—one of the world's most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.
According to the Proofpoint researchers, the infections in this campaign first appeared on P0rnHub web pages via a legitimate advertising network called Traffic Junky, and tricked users into installing the Kovter malware on their systems.
Among other malicious things, the Kovter malware is known for its unique persistence mechanism, allowing the malware to load itself after every reboot of the infected host.
The Traffic Junky advertising network redirected users to a malicious website, where Chrome and Firefox users were shown a fake browser update window, while Internet Explorer and Edge users got a fake Flash update.
"The [infection] chain begins with a malicious redirect hosted on avertizingms[.]com, which inserts a call hosted behind KeyCDN, a major content delivery network," Proofpoint writes.
The attackers used a number of filters and fingerprinting of "the timezone, screen dimension, language (user/browser) history length of the current browser windows, and unique id creation via Mumour," in an effort to target users and evade analysis.
Researchers said Chrome users were served JavaScript that beaconed back to the attacker-controlled server, which prevents security analysts from working through the infection chain if their IP had not first “checked in.”
"This makes it extremely unlikely that the JavaScript can be run alone and provide the payload in a sandbox environment," Proofpoint writes. "This is most likely why this component of the chain has not been documented previously."
In this case the attackers limited their campaign to click fraud to generate illicit revenue, but Proofpoint researchers believe the chain could easily be modified to deliver ransomware, information-stealing Trojans or any other malware.
Both P0rnHub and Traffic Junky, according to the researchers, "acted swiftly to remediate this threat upon notification."
Although this particular infection chain was successfully shut down after the site operator and ad network got notified, the malware campaign is still ongoing elsewhere.


ATMii: a small but effective ATM robber
10.10.2017 Kaspersky  Cyber
While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.

ATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.

exe.exe – an injector and control module
The injector is an unprotected command line application, written in Visual C with a compilation timestamp: Fri Nov 01 14:33:23 2013 UTC. Since this compilation timestamp is from 4 years ago – and we do not think this threat could have gone unnoticed for 4 years – we believe it is a fake timestamp. What’s also interesting is the OS that is supported by the malware: One more recent than Windows XP. We can see this in the image below, where the first argument for the OpenProcess() function is 0x1FFFFu.
OpenProcess call with the PROCESS_ALL_ACCESS constant

It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP (see the picture below). This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.
A list of PROCESS_ALL_ACCESS values per Windows version

The injector, which targets the atmapp.exe process (proprietary ATM software), is fairly poorly written, since it depends on several parameters; if none are given, the application catches an exception. The parameters are pretty self-explanatory:

param     short description
/load     Tries to inject dll.dll into the atmapp.exe process
/cmd      Creates/updates the C:\ATM\c.ini file to pass commands and params to the injected library
/unload   Tries to unload the injected library from the atmapp.exe process, restoring its state
/load param
<exe.exe> /load
The application searches for a process named atmapp.exe and injects code into it that loads the “dll.dll” library (which has to be in the same folder as the exe.exe file). After the library has been loaded, its DllMain function is called.

/unload param
<exe.exe> /unload
As the name already suggests, it is the opposite of the /load parameter; it unloads the injected module and restores the process to its original state.

/cmd param
<exe.exe> /cmd [cmd] [params]
The application creates/updates C:\ATM\c.ini which is used by the injected DLL to read commands. The file is updated each time the .exe is run with the /cmd param.
Contents of c.ini after execution of “exe.exe /cmd info”

The executable understands the following set of commands:

command   description
scan      Scans for the CASH_UNIT XFS service
disp      Stands for “dispense”. The injected module should dispense “amount” cash of “currency” (amount and currency are passed as parameters)
info      Gets info about the ATM cash cassettes; all the returned data goes to the log file
die       The injected module removes the C:\ATM\c.ini file

dll.dll – the injected module
After injection and execution of the DllMain function, the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with a special wrap function, named mWFSGetInfo.

At the time of the first call to the fake WFSGetInfo function, C:\ATM\c.ini is ignored and the library tries to find the ATM’s CASH_UNIT service id and stores the result, basically in the same way as the scan command does. If the CASH_UNIT service is not found, dll.dll won’t function. However, if successful, all further calls go to the mWFSGetInfo function, which performs the additional logic (reading, parsing and executing the commands from the C:\ATM\c.ini file).
Contents of C:\ATM\c.ini after execution of “exe.exe /cmd disp RUB 6000”

Below is the output of the strings program, uncovering some interesting log messages and the names of the functions to be imported. The proprietary MSXFS.DLL library and the functions from it used by the ATMii malware are marked with red boxes.

“scan” command
Because the XFS architecture is divided into services, the injected library first needs to find the dispenser service. This command must be called successfully, because the disp and info commands depend on the service id retrieved by scan. Scan is called automatically after the DLL has been injected into atmapp.exe.

After collecting the WFS_INF_CDM_STATUS data, additional data gets added to the tlogs.log. An example can be found below:


(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(70):CheckServiceForValid() ————————————————
(72):CheckServiceForValid() Waiting for lock
(76):CheckServiceForValid() Device was locked
(86):CheckServiceForValid() WFSGetInfo Success 0
(182):CheckServiceForValid() Done-> szDevice: WFS_CDM_DEVONLINE, szDispenser: WFS_CDM_DISPOK, szIntermediateStacker: WFS_CDM_ISEMPTY, szSafeDoor: WFS_CDM_DOORCLOSED
(195):CheckServiceForValid() Unlocking device
(390):cmd_scan() Service found 0

Part of a possible tlogs.log after a successfully executed “scan” command

“info” command
Before the criminals can dispense cash, they first need to know the exact contents of the different cassettes. For this, they use the info command which provides exhaustive information on all cassettes and their contents. The list of used XFS API functions is the same as with the scan command, but this time WFSGetInfo is called with the WFS_INF_CDM_CASH_UNIT_INFO (303) constant passed as a param.

Below is an example of the data in log file returned by the info command.


(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(213):GetDeviceInformation() ————————————————
(220):GetDeviceInformation() Device locked 0
(337):GetDeviceInformation() Module: C:\program files\dtatmw\bin\atmapp\atmapp.exe
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
Notes Initial Count: 3000
Notes Minimum Count: 10
Notes Maximum Count: 0

Part of a possible tlogs.log after a successfully executed “info” command

“disp” command
The dispense command is followed by two additional params in the command file: currency and amount. Currency must be one of the three-letter currency codes of the notes listed in the CASH_UNIT_INFO structure (currency codes are defined in ISO 4217, e.g. RUB, EUR). The amount parameter holds the amount of cash to dispense, and this value must be a multiple of ten.

“die” command
Does nothing except deleting C:\ATM\c.ini command file.
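The log excerpts above are what the injected library writes to tlogs.log. As an added example (Python; it is not part of Kaspersky’s analysis and not the malware’s own code), here is a parser that turns the “info” output into cassette records, decodes the hex-encoded currency ID, and applies the two “disp” rules stated above: the currency must be a three-letter code held by some cassette, and the amount must be a multiple of ten. The first cassette block is copied from the excerpt above; the second cassette and the regular-expression layout of the log lines are constructed for the demonstration.

```python
# Added example, not the malware's code: parse the "info" section of an
# ATMii tlogs.log and validate a "disp <currency> <amount>" request against it.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class CashUnit:
    number: int
    name: str
    currency: str        # decoded from "0x52-0x55-0x42" -> "RUB"
    note_value: int
    notes_count: int
    status: str

LINE_RE = re.compile(r"^\((\d+)\):(\w+)\(\)\s*(.*)$")      # "(337):GetDeviceInformation() ..."
UNIT_RE = re.compile(r"^Cash Unit # (\d+), name=(\S+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.+)$")

def decode_currency(hex_id: str) -> str:
    """'0x52-0x55-0x42' -> 'RUB' (three ASCII octets, as printed in the log)."""
    return "".join(chr(int(part, 16)) for part in hex_id.split("-"))

def parse_info_log(text: str) -> Tuple[List[Tuple[int, str, str]], List[CashUnit]]:
    """Split a tlogs.log excerpt into (line, function, message) events and
    the cash-unit blocks dumped by the info command."""
    events, units = [], []
    fields: Dict[str, str] = {}
    header = None

    def flush():
        if header is not None:
            num, name = header
            units.append(CashUnit(
                number=int(num), name=name,
                currency=decode_currency(fields["Currency ID"]),
                note_value=int(fields["Note Value"]),
                notes_count=int(fields["Notes Count"]),
                status=fields.get("Status", "?")))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = UNIT_RE.match(line)
        if m:
            flush()
            header, fields = (m.group(1), m.group(2)), {}
            continue
        m = FIELD_RE.match(line)
        if m and header is not None:
            fields[m.group("key").strip()] = m.group("val").strip()
    flush()
    return events, units

def check_disp(units: List[CashUnit], currency: str, amount: int) -> List[str]:
    """Apply the rules from the write-up: currency must be a 3-letter code held
    by some cassette and amount must be a multiple of ten; also report whether
    the loaded cassettes could physically cover the amount."""
    problems = []
    if not re.fullmatch(r"[A-Z]{3}", currency):
        problems.append(f"{currency!r} is not an ISO 4217 code")
    if amount <= 0 or amount % 10:
        problems.append(f"amount {amount} is not a positive multiple of ten")
    available = sum(u.note_value * u.notes_count for u in units if u.currency == currency)
    if not any(u.currency == currency for u in units):
        problems.append(f"no cassette holds {currency}")
    elif amount > available:
        problems.append(f"only {available} {currency} loaded")
    return problems

# Log text: first block copied from the write-up above, second cassette constructed.
SAMPLE_LOG = """
(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(220):GetDeviceInformation() Device locked 0
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
Notes Initial Count: 3000
Notes Minimum Count: 10
Notes Maximum Count: 0
Cash Unit # 2, name=CONSTRUCTED
Type: 3
Status: LOW
Currency ID: 0x55-0x53-0x44
Note Value: 100
Notes Count: 20
"""

if __name__ == "__main__":
    ev, cu = parse_info_log(SAMPLE_LOG)
    for u in cu:
        print(u)
    print(check_disp(cu, "RUB", 6000))    # the request from the write-up is valid
    print(check_disp(cu, "EUR", 6005))
```

Note that the single cassette in the excerpt holds 3000 notes of 5000 RUB, i.e. 15,000,000 RUB; the info command is what tells the criminals that figure before they ask for it.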

Conclusion
ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.


How was the killer’s iPhone unlocked? The FBI does not have to disclose anything, court rules

10.10.2017 Novinky/Bezpečnost BigBrother
The case concerning the iPhone of San Bernardino terrorist Syed Farook is slowly drawing to a close. Since last year, journalists have been asking a court to make the Federal Bureau of Investigation (FBI) reveal how it got into the killer’s smartphone. Judge Tanya Chutkan has now ruled, however, that the FBI does not have to disclose anything at all.
Almost exactly a year ago, the publishers of USA Today and Vice Media, together with the AP news agency, turned to the court, the Engadget site reported. Through this route they sought to find out, for example, whether hackers took part in the unlocking and whether it was appropriate to spend such a large sum on a tool for unlocking the smartphone.

The Bureau has not officially confirmed how much unlocking the iPhone cost, but former FBI director James Comey hinted at it more than clearly last April: “A lot. More than I will make at the FBI for the rest of my term. That is, seven years and four months.”

Given that his annual salary at the time was $183,300 (4.3 million crowns), it is not hard to calculate the fee for unlocking the Apple smartphone. The total must have been at least $1.3 million (over 31 million crowns).

The public will probably never learn the exact figure or the method used to unlock the killer’s iPhone. Judge Chutkan’s decision is final, so the FBI does not have to disclose anything to the plaintiffs.

Dispute over a “back door”
FBI investigators were unable to get into the locked iPhone of the Islamic radical for long months. His iPhone 5C was configured to erase itself automatically after ten incorrect passcode entries, which the FBI’s security experts initially could not get around.

In February the court therefore ordered Apple to disable this function, which, however, is not technically possible. Investigators therefore wanted the American software giant to build a “back door” into the iOS operating system, which Apple’s management refused.

In the end, FBI investigators managed to get into the locked device. They did not publish details of how they got in.

Unlocking the killer’s iPhone did not help the FBI much, however, as CBS News reported earlier. No data was uncovered that would have moved the investigation forward in any way.

Even so, the millions spent were not wasted. The FBI can use the acquired tool to unlock other Apple devices as well. Specifically, this should cover the iPhone 5C and older models; the investigators cannot get into the newer ones.

Did the Israelis help?
According to earlier reports, the Israel-based company Cellebrite helped the FBI with the locked iPhone. The company confirmed to the British broadcaster BBC that it cooperates with American investigators, but did not say more.

On its website, however, Cellebrite states that one of its tools can decode and extract data from the iPhone 5C.

The San Bernardino attack was the deadliest in the US since the terrorist attacks of September 2001. Radicalised Muslim Syed Farook and his wife Tashfeen Malik shot 14 people dead there at the beginning of December. They were later killed in a shootout with police.


The Czech Republic is among the safest countries, computer experts say

10.10.2017 Novinky/Bezpečnost Bezpečnost
According to the most sober estimates, millions of computer viruses circulate on the internet every day. Yet it seems that domestic users do not need to worry too much. According to the statistics of security experts, our country is among the safest. This follows from data published by the antivirus company Check Point.
The most dangerous country of all, at least as far as the number of circulating computer viruses is concerned, was the Dominican Republic in the experts’ latest report. The top ten also included other countries that regularly place near the top, such as Russia, the United States, India, Thailand and Turkey.

The biggest climber, however, is probably Uruguay; this South American country moved up 75 places in the virus ranking and is currently the 47th most dangerous state. Bangladesh, on the other hand, moved from 16th place to a safer 125th position.

The waters of the domestic internet are relatively calm, and computer viruses tend to avoid our country. Partly thanks to this, the Czech Republic earned 122nd place in the ranking. Slightly more malicious code is spreading in Slovakia, although it is no dramatic increase: in the latest statistics our eastern neighbours held 119th position.

They are after money
Attacks in all countries are nevertheless very similar, as computer pirates very often go after money and frequently spread banking trojans. In the period under review, three viruses targeting bank accounts made it into the top ten most widespread malicious codes.

“Financial gain is the main motive for the vast majority of cybercriminals, and unfortunately they have a whole range of tools available for it,” stressed Peter Kovalčík, SE Manager at Check Point.

He also described how the individual attacks proceed. “They identify when the victim visits the bank’s website and then steal login credentials and other sensitive data, such as PIN codes, using the webinject technique or by logging keystrokes. The trojans can also try to steal login credentials by redirecting victims to fake banking websites,” the security expert concluded.


FIN7 Hackers Change Attack Techniques
10.10.2017 securityweek CyberCrime
The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.

The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.

Next, the batch script copies itself to “pp.txt” in the same directory and runs WScript with the JScript engine on the file. According to ICEBRG, the JScript code then reads “pp.txt” and evaluates everything after the first character of each line, skipping the first four lines, which are the CMD code itself.

As with the LNK files, the use of OLE-embedded CMD files results in code execution on the victim’s machine. The use of commented-out code isn’t new either, and has previously been associated with FIN7.
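A reconstruction of the CMD/JScript polyglot trick described above, as an added example written in Python (it is not ICEBRG’s code and not the actual FIN7 sample): four batch lines write the loader to tt.txt, copy the script itself to pp.txt and launch WScript with the JScript engine; every later line starts with a character the batch interpreter ignores and carries JScript after it. The example models the batch side effects on an in-memory disk, reproduces what the loader does with pp.txt, and flags the give-away lines a detection rule would key on. The choice of “:” as the prefix character, the loader fragment written to tt.txt and the file paths are assumed for the demonstration.

```python
# Added example (constructed; not the FIN7 sample): how a batch/JScript
# polyglot delivers its second stage, modelled in memory, and what an
# analyst's extractor has to replicate to get the real code back.
import re
from typing import Dict, List

# Constructed polyglot. Lines 1-4 are real batch syntax; every later line
# starts with ':' (a batch label, so cmd.exe never executes it) and carries
# JScript after that first character. '%~f0' expands to the running script's
# own path. The '//E:jscript' switch selects the JScript engine in wscript.
# The tt.txt loader is only a fragment here; a real one would read pp.txt.
POLYGLOT = "\r\n".join([
    '@echo off',
    'echo var f=new ActiveXObject("Scripting.FileSystemObject");>"%USERPROFILE%\\tt.txt"',
    'copy /y "%~f0" "%USERPROFILE%\\pp.txt" >nul',
    'wscript //E:jscript "%USERPROFILE%\\tt.txt"',
    ':var a = 6;',
    ':var b = 7;',
    ':var answer = a * b;',
    ':WScript.Echo(answer);',
])
SKIP_LINES = 4          # the batch header the loader must jump over

def simulate_batch(script: str, home: str = r"C:\Users\victim") -> Dict[str, str]:
    """Model the side effects of the four batch lines on an in-memory disk
    (no cmd.exe, nothing executed): 'echo ...>file' writes a file, 'copy'
    duplicates the script itself. Returns {path: contents}."""
    disk: Dict[str, str] = {}
    own_path = home + r"\Downloads\invoice.cmd"      # assumed location
    for line in script.splitlines()[:SKIP_LINES]:
        line = line.replace("%USERPROFILE%", home).replace("%~f0", own_path)
        m = re.match(r'echo (.*)>"?([^">]+)"?$', line)
        if m:
            disk[m.group(2)] = m.group(1)
        m = re.match(r'copy /y "([^"]+)" "([^"]+)"', line)
        if m:
            disk[m.group(2)] = script        # the .cmd copies itself to pp.txt
    return disk

def extract_stage2(polyglot: str, skip: int = SKIP_LINES) -> str:
    """What the JScript loader in tt.txt does with pp.txt: drop the batch
    header, then keep everything after the first character of each line."""
    lines = polyglot.splitlines()[skip:]
    return "\n".join(line[1:] for line in lines if line)

def loader_indicators(polyglot: str) -> List[str]:
    """Detection: batch files that copy themselves and start a script engine."""
    hits = []
    for n, line in enumerate(polyglot.splitlines(), 1):
        low = line.lower()
        if "%~f0" in low and low.startswith("copy"):
            hits.append(f"line {n}: copies itself")
        if re.search(r"\b[wc]script(\.exe)?\b.*//e:jscript", low):
            hits.append(f"line {n}: launches the JScript engine")
    return hits

if __name__ == "__main__":
    disk = simulate_batch(POLYGLOT)
    print(sorted(disk))
    print(extract_stage2(disk[r"C:\Users\victim\pp.txt"]))
    print(loader_indicators(POLYGLOT))
```

The point of the polyglot is that the file on disk is a valid batch script and, after a four-line skip and a one-character strip, valid JScript; a signature that inspects only the batch lines, or only looks for .js files, sees neither half of the chain.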

The security researchers also observed a series of changes to the obfuscation strategy the hackers are using for their unique backdoor, HALFBAKED, which has been continuously morphing over the past year.

Until now, different stages of the HALFBAKED codebase used base64 encoding, stored in a string array variable called “srcTxt,” the researchers explain. Now, the name is obfuscated and the base64 string is broken down into multiple strings within an array.

Furthermore, the backdoor now includes a built-in command called “getNK2”, which retrieves the victim’s Microsoft Outlook auto-complete list. The command was likely named after the NK2 file that stores the auto-complete addresses in Microsoft Outlook 2007 and 2010.

“This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas,” the researchers note.

Although newer versions of Outlook no longer use the NK2 file, the backdoor targets them as well, because the hackers also wrote functionality to handle them within the same “getNK2” command.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG concludes.


Website Attacks Surge: Report
10.10.2017 securityweek Analysis
Websites Hit by 63 Attacks Per Day, Says SiteLock

The number of attacks aimed at websites has increased considerably in the past months, according to a new report published on Monday by SiteLock.

SiteLock’s Website Security Insider report, which is based on the analysis of more than 6.3 million sites, shows that there were, on average, 63 attack attempts per day on websites in the second quarter of the year. In comparison, the company saw only 22 attacks per day in 2016.

According to the company, 87% of these attacks involved malicious bots, including ones operated by cybercriminals, spammers and data scrapers. As for attacks that did not involve bots, more than 57% of requests were blocked by SiteLock due to the fact that they came from countries blacklisted by its customers, and 36% were illegal resource access attempts, including command injections, directory traversals and file system access.

When it comes to content management systems (CMS), SiteLock says the risk of attacks on WordPress websites is twice as high as in the case of the “average site.” The security firm discovered that 69% of compromised WordPress websites had the latest WordPress core security patches installed, which indicates that the attack was likely carried out via a vulnerable theme or plugin.

The higher the number of plugins, the more likely it is for a WordPress website to get hacked, and researchers found that 44% of the plugins in the official WordPress repository have not been updated in more than a year. This includes over 120 plugins that have at least 50,000 active installs.

Joomla and Drupal are also at elevated risk of attack, especially since they haven’t always offered backward compatibility with legacy features, making their administrators less likely to install updates. In the case of Joomla, SiteLock found that 19% of the sites it observed were still running version 1.5, for which support ended in September 2012.

An analysis of the malicious code planted on compromised websites showed that 62% of threats were related to spam, while nearly a quarter were backdoors.

Worryingly, many websites don’t have adequate protections in place and their administrators are often alerted to malicious activity by web browser warnings such as the ones displayed in Firefox via Phishing Protection and in Chrome via Safe Browsing.

“Browser warnings about compromised websites are usually driven by blacklists maintained by search engines, where search engine crawlers have recognized that malicious code is present on the website they’re attempting to index,” SiteLock explained in its report. “For many website owners this practice creates an assumption that if there are no warnings, then there isn’t an issue. Unfortunately, this incorrect assumption puts both the website and its visitors in danger. In three out of four cases, infected websites were not flagged by search engines.”

SiteLock has surveyed more than 20,000 owners and over 40% of them falsely believe that their hosting provider is responsible for securing their websites.


Varied Patch Process by Microsoft Exposes Windows Users: Google Researcher
10.10.2017 securityweek Vulnerebility
Not all Windows releases receive the same treatment when it comes to security patches, leaving some users exposed to known vulnerabilities, security researchers from Google's Project Zero team warn.

The researchers explain that Microsoft fixes some reported vulnerabilities only in the current major Windows 10 release (such as the Creators Update or the Fall Creators Update), without porting the fix back, so Windows 8 and Windows 7 users remain exposed to vulnerabilities that affect their platform versions as well.

The issue is that attackers can compare a patched Windows 10 build with the previous, unpatched build to discover the addressed issues, and then target the older, still vulnerable versions. By comparing the builds, attackers learn both the vulnerabilities and the technical details surrounding them.

Called patch diffing, the technique of comparing binaries is also employed to discover so-called 1-day bugs, or vulnerabilities affecting users who are slow to install security patches, Mateusz Jurczyk of Google Project Zero explains.

Another technique that attackers can use is binary diffing, which allows them to discover differences between “two or more versions of a single product, if they share the same core code and coexist on the market, but are serviced independently by the vendor.”

The Windows operating system is one product binary diffing can be used on, as it currently has three versions under active support, namely Windows 7, 8, and 10. Despite Windows 7 having the largest desktop market share at the moment, at nearly 50%, only the most recent platform iteration is receiving structural security improvements.

“This creates a false sense of security for users of the older systems, and leaves them vulnerable to software flaws which can be detected merely by spotting subtle changes in the corresponding code in different versions of Windows,” the security researcher says.

In a blog post, Jurczyk shows how binary diffing was used “to find instances of 0-day uninitialized kernel memory disclosure to user-mode programs.” Such issues can be used in local privilege escalation exploit chains or to expose sensitive data stored in the kernel address space, he argues.

“Security-relevant differences in concurrently supported branches of a single product may be used by malicious actors to pinpoint significant weaknesses or just regular bugs in the more dated versions of said software. Not only does it leave some customers exposed to attacks, but it also visibly reveals what the attack vectors are, which works directly against user security,” Jurczyk notes.
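An added example (written for this page, not Project Zero's or Microsoft's code) of the bug class Jurczyk targeted: a kernel-style query routine that fills a structure and copies the whole object out to the caller, leaking the padding bytes, beside the hardened version that zeroes the object first. The "kernel allocation" is a constructed buffer pre-filled with a marker byte standing in for stale sensitive data; the structure layout and field values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Structure handed back to user mode, as a kernel "query info" call might do.
 * On common ABIs the compiler inserts padding after 'kind' and after 'flags'. */
struct user_info {
    uint8_t  kind;
    uint32_t id;
    uint16_t flags;
    uint64_t timestamp;
};

/* Constructed stand-in for a kernel allocation that previously held something
 * sensitive: every byte carries the marker 0xAA before the routine reuses it. */
#define STALE_BYTE 0xAA
static union {
    unsigned char    raw[sizeof(struct user_info)];
    struct user_info info;
} kernel_scratch;

static void reuse_stale_allocation(void)
{
    memset(kernel_scratch.raw, STALE_BYTE, sizeof kernel_scratch.raw);
}

/* Vulnerable pattern: only the named fields are written, then the whole
 * object, padding included, is copied to the caller's buffer. */
static size_t query_info_vulnerable(unsigned char *user_buf)
{
    struct user_info *u = &kernel_scratch.info;
    reuse_stale_allocation();
    u->kind = 1;
    u->id = 0x01020304u;
    u->flags = 0x0506u;
    u->timestamp = 0x0708090a0b0c0d0eULL;
    memcpy(user_buf, u, sizeof *u);   /* copy_to_user() in a real kernel */
    return sizeof *u;
}

/* Hardened pattern: clear the entire object before filling it, so padding
 * bytes never carry whatever the memory held before. */
static size_t query_info_hardened(unsigned char *user_buf)
{
    struct user_info *u = &kernel_scratch.info;
    reuse_stale_allocation();
    memset(u, 0, sizeof *u);
    u->kind = 1;
    u->id = 0x01020304u;
    u->flags = 0x0506u;
    u->timestamp = 0x0708090a0b0c0d0eULL;
    memcpy(user_buf, u, sizeof *u);
    return sizeof *u;
}

/* Count bytes in the user-visible copy that still hold the stale marker.
 * None of the field values above contain 0xAA, so every hit is a leaked
 * padding byte. */
static size_t count_leaked_bytes(const unsigned char *buf, size_t len)
{
    size_t leaked = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

size_t leak_bytes_vulnerable(void)
{
    unsigned char buf[sizeof(struct user_info)];
    size_t n = query_info_vulnerable(buf);
    return count_leaked_bytes(buf, n);
}

size_t leak_bytes_hardened(void)
{
    unsigned char buf[sizeof(struct user_info)];
    size_t n = query_info_hardened(buf);
    return count_leaked_bytes(buf, n);
}

int main(void)
{
    printf("sizeof(struct user_info) = %zu bytes\n", sizeof(struct user_info));
    printf("vulnerable copy leaks %zu stale byte(s)\n", leak_bytes_vulnerable());
    printf("hardened copy leaks   %zu stale byte(s)\n", leak_bytes_hardened());
    return 0;
}
```

The number of leaked bytes depends on the target's alignment rules, which is exactly why the disclosure is invisible in source review and only shows up when the binary is compared or inspected.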

Contacted by SecurityWeek, a Microsoft spokesperson provided the following statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Additionally, we continually invest in defense-in-depth security, and recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

Patches addressing the specific vulnerabilities mentioned by Google's researcher in his post were released for all supported Windows versions, the Microsoft spokesperson also pointed out.


FIN7 hacking group switched to new techniques to evade detection
10.10.2017 securityaffairs CyberCrime

The financially-motivated FIN7 APT group (also known as Carbanak or Anunak) recently changed attack technique again to evade detection.
The financially-motivated FIN7 APT group (also known as Carbanak or Anunak) recently changed attack technique again and has been implementing a new malware obfuscation method.

The group has been active since late 2015, and has been particularly active since the beginning of 2017.

Early this year, FIN7 was spotted targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

In April, the hacking group adopted new phishing techniques, leveraging hidden shortcut files (LNK files) to compromise targets.

The hackers used fileless malware, but to evade detection they have since switched to using CMD files instead of LNK ones.

“In the documents released today, FIN7 appears to have pivoted from using OLE embedded LNK files to using OLE embedded CMD files. When executed, the CMD file writes JScript to “tt.txt” under the current user’s home directory. The batch script then copies itself to “pp.txt”, also under the current user’s home directory, before running WScript using the JScript engine on the file. This JScript code will read from the file “pp.txt”, skipping the first four lines (the CMD code itself), but otherwise evaluating anything after the first character for each line in the file.” reads the analysis published by security experts.

“Both CMD and LNK file formats result in code execution, but the shift towards using CMD files may indicate a desire to stay ahead of detection authors.”

The shift towards using OLE embedded CMD files results in code execution on the victim’s machine.

The FIN7 hackers also implemented a series of changes to the obfuscation technique for their unique backdoor, HALFBAKED, that was continuously improved over the years.

“Over the course of the past year, the actor’s unique backdoor, HALFBAKED, has continued to morph to improve capabilities and reduce detection surface. In the newest observed version, ICEBRG observed a slight tweak in the obfuscation strategy.” continues the analysis.

“Previously, different stages of the HALFBAKED codebase utilized base64 encoding, stored in a string array variable called “srcTxt”. The attacker now obfuscates that name and continues to break up the base64 string into multiple strings within an array”

ICEBRG discovered the HALFBAKED backdoor now includes a built-in command called “getNK2” which was designed to retrieve the target’s Microsoft Outlook email client auto-complete list. The presence of getNK2 suggests the FIN7 group aims to launch phishing attacks within a victim organization.

Experts noticed that NK2 files are used only by Microsoft Outlook 2007 and 2010; newer versions of Outlook no longer use them, so the FIN7 hackers added custom functionality to handle newer versions of Outlook within the same “getNK2” command.

FIN7 backdoor improvements

The changes in the FIN7 attack techniques demonstrate that they are highly adaptable.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” concludes ICEBRG.
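A process-creation detector for the CMD-to-JScript staging chain described above, written for this page (it is not ICEBRG's or FIN7's code). It implements both signature styles from the closing quote: a narrow rule tied to cmd.exe launching the script host on pp.txt in a user profile, and a broad rule for any script host told to run a .txt file with the JScript engine. The sample events are constructed; the //E:JScript host switch and profiles living under C:\Users are assumptions about how the chain shows up in telemetry.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_NONE = 0, VERDICT_BROAD = 1, VERDICT_NARROW = 2 };

/* One process-creation record (the fields a Sysmon event ID 1 or a Windows
 * 4688 event would give a detection engine). */
struct proc_event {
    const char *parent_image;
    const char *image;
    const char *command_line;
};

/* Case-insensitive substring search; Windows paths and switches vary in case. */
static const char *ci_find(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Case-insensitive "does s end with suffix", used for image-name matching. */
static int ci_ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return lx <= ls && ci_find(s + ls - lx, suffix) != NULL;
}

/* Broad signature: a Windows Script Host process told (//E:JScript) to run a
 * .txt file with the JScript engine. Real scripts carry .js/.jse/.vbs names,
 * so this survives a rename of tt.txt/pp.txt at the cost of more noise. */
static int matches_broad(const struct proc_event *ev)
{
    int script_host = ci_ends_with(ev->image, "wscript.exe") ||
                      ci_ends_with(ev->image, "cscript.exe");
    return script_host &&
           ci_find(ev->command_line, "//e:jscript") != NULL &&
           ci_find(ev->command_line, ".txt") != NULL;
}

/* Narrow signature: the exact chain from the report, cmd.exe launching the
 * host on pp.txt inside a user profile. High fidelity, trivially outdated. */
static int matches_narrow(const struct proc_event *ev)
{
    return matches_broad(ev) &&
           ci_ends_with(ev->parent_image, "cmd.exe") &&
           ci_find(ev->command_line, "\\users\\") != NULL &&
           ci_find(ev->command_line, "pp.txt") != NULL;
}

int classify_event(const struct proc_event *ev)
{
    if (matches_narrow(ev)) return VERDICT_NARROW;
    if (matches_broad(ev))  return VERDICT_BROAD;
    return VERDICT_NONE;
}

/* Constructed sample events, not real telemetry. */
static const struct proc_event SAMPLE_EVENTS[] = {
    { "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wscript.exe",
      "wscript.exe //E:JScript \"C:\\Users\\alice\\pp.txt\"" },
    { "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WScript.exe",
      "WScript.exe //e:jscript C:\\Temp\\notes.txt" },
    { "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
      "wscript.exe C:\\Scripts\\logon.js" },
    { "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\cmd.exe",
      "cmd.exe /c copy tt.txt pp.txt" },
};

size_t sample_event_count(void)
{
    return sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0];
}

/* Returns the verdict for sample event 'index', or -1 if out of range. */
int classify_sample(size_t index)
{
    return index < sample_event_count() ? classify_event(&SAMPLE_EVENTS[index]) : -1;
}

int main(void)
{
    static const char *names[] = { "none", "broad", "narrow" };
    for (size_t i = 0; i < sample_event_count(); i++)
        printf("event %zu: %-6s  %s\n", i, names[classify_sample(i)],
               SAMPLE_EVENTS[i].command_line);
    return 0;
}
```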


A man who goes by the nickname LiquidWorm released a FLIR Thermal Camera Exploit
10.10.2017 securityaffairs Exploit

On September 25, 2017, a man who goes by the nickname ‘LiquidWorm’ released exploit code for FLIR thermal cameras.
On 2017-09-25 another CCTV exploit was released by a man who goes by the nickname ‘LiquidWorm’. He found out that FLIR CCTV cameras by the vendor “FLIR Systems” had hard-coded SSH login credentials within their Linux distribution image. Those credentials are never exposed to the end user and CANNOT be changed through any normal operation of the camera.

FLIR CCTV Thermal Camera

What kind of exploit is this?

This kind of flaw is what we know as a “backdoor”, because it grants random parties access to the cameras and even allows them to download code, or do worse.

What are the affected versions?

So far, camera models F/FC/PT/D with software version 10.0.2.43 and firmware version 8.0.0.64, releases 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2, are affected by the exploit.

What kind of cameras are those? The FLIR cameras are high-performance, multi-sensor pan/tilt cameras which bring thermal and visible-light imaging together in a system that gives you video and control over both IP and analog networks.

Can the end user fix this themselves?

No. After testing with a test model, there isn’t any way for the user to remove the hard-coded SSH login credentials; the vendor itself would have to remove the SSH login credentials from the code.

Is this exploit critical?

Yes. Flaws like this are unnecessary, and since random people can now scan for affected versions and most likely infect them, the rate of IoT botnets will rise again, which is a bad thing.

What to do?

The only thing the affected camera owners can do is wait until the vendor releases a patch that removes the hard-coded SSH login from the Linux distribution image.


FBI Arrests A Cyberstalker After Shady "No-Logs" VPN Provider Shared User Logs
9.10.2017 thehackernews  Cyber

FBI recently arrested a psycho cyber stalker with the help of a popular VPN service and this case apparently exposed the company's lies about the "no logs" policy.
Taking down cyber stalkers and criminals is definitely a good thing, and the FBI has truly done a great job, but the VPN company whose first line of the privacy policy is—"We Do Not monitor user activity nor do we keep any logs"—has literally betrayed its customers' trust.
Is your VPN also lying to you? Well, it's the right time to think about this twice.
It's no secret that most VPN services—which claim to shield your Internet traffic from prying eyes, assuring you to surf the web anonymously—are not as secure as they claim.
In this post-Snowden era, a majority of VPN providers promise that their service is anonymous, with no log policy, but honestly, there is no way you can verify this.
PureVPN Helped the FBI with Logs
A 24-year-old Massachusetts man, Ryan Lin, has been arrested in a Cyberstalking case after one of the largest VPN providers, PureVPN, helped the FBI with information that linked Lin to his alleged cyber crimes.
In an FBI affidavit published last week by the US Department of Justice (DoJ), Lin is accused of stalking and harassing his housemates and former-roommates online while evading local police by using various services like Tor, VPNs and Textfree.
Lin tormented his former roommate, Jennifer Smith, for a year and a half after stealing credentials for some of her online profiles from her unlocked MacBook, and other personal files, including photographs, from her iCloud and Google Drive accounts.
According to the affidavit, Lin released Smith's personal details online (known as 'doxing'), posted intimate photographs without her face suggesting they were of Smith, and emailed her private information to her contacts, including her family, relatives and colleagues.
Additionally, Lin allegedly posted fake profiles of her to websites "dedicated to prostitution, sexual fetishes, and other sexual encounters," shared information about her medical background that she never shared with anyone, and sent "images that likely constitute child pornography" to her family and friends.
Suspect Also Made Bomb, Death and Rape Threats
What's more? Lin often spoofed Smith's identity to send bomb, death and rape threats to schools and lone individuals, which even tricked one of her friends into calling the police to her house.
To conduct all these illegal actions and hide his tracks, Lin used various privacy services like ProtonMail, VPN clients, and Tor, anonymised international text messaging services and offshore private e-mail providers.
However, the suspect made a mistake by using a work computer for some of his illegal campaigns. The feds were able to recover some forensic artefacts from his work computer, even though he had been terminated and the OS had been reinstalled on the computer.
In the unallocated space of the system's hard drive, the FBI found artefacts referencing:
Bomb threats against local schools.
The username for TextNow, the anonymous texting service that was Lin's most-visited website.
Lin's name on ProtonMail.
Visits to Rover.com (a pet-sitting site) and FetLife.com, both used in the cyberstalking campaigns.
Repeated access to Lin's personal Gmail account.
Use of PureVPN in the cyberstalking campaign.
How FBI Investigated the Cyberstalking Case
The FBI then managed to obtain logs from PureVPN, which linked Lin to the illegal campaigns against Smith and his other former roommates.
"Further, records from PureVPN show that the same email accounts—Lin's Gmail account and the teleportfx Gmail account—were accessed from the same WANSecurity IP address," the complaint reads.
And then the complaint goes on to say what would be quite worrying for those who believe VPNs are their best way to protect their activities online:
"Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time."
PureVPN, one of the largest and best-known VPN providers, is Hong Kong-based and used by hundreds of thousands of users across the world; it nevertheless handed over the very details a VPN is supposed to protect.
Lin was arrested by the authorities on October 5, and if found guilty, he faces up to 5 years in prison and up to 3 years of "supervised release," according to the DoJ.


KovCoreG group spreading Kovter Malware via fake browser and Flash updates
9.10.2017 securityaffairs Virus

Security experts from Proofpoint have uncovered a malvertising actor named KovCoreG group that is spreading the Kovter malware via fake browser and Flash updates.
Security researchers from Proofpoint have uncovered a malvertising group dubbed KovCoreG that is spreading the Kovter malware via fake browser and Flash updates.

The Kovter malware is used in ad fraud campaigns: victims were infected simply by clicking on online advertisements, and the malware then generates revenue for the websites that host the ads.

Even if exploit kit activity drastically declined over the last year, malvertising remains a profitable business for crooks.

Crooks leveraged malicious ads on PornHub to redirect users to a scam site that displayed an urgent update message; the message served depended on the visitor’s browser.

IE and Edge users landing on this page were asked to download a Flash update, while Chrome and Firefox users were asked to download a browser update.

“Proofpoint researchers recently detected a large-scale malvertising attack by the so-called KovCoreG group, best known for distributing Kovter ad fraud malware and sitting atop the affiliate model that distributes Kovter more widely.” states ProofPoint.

“The attack has been active for more than a year and is ongoing elsewhere, but this particular infection pathway was shut down when the site operator and ad network were notified of the activity.”

Malvertising PornHub KovCoreG group

The files served by the compromised website were JavaScript for Chrome and Firefox users, while IE and Edge users were served HTA files.

The malvertising impressions appear to be restricted by both geographic and ISP filtering; the KovCoreG group focused on UK, US, Canadian and Australian users.

“The infection chain in this campaign appeared on PornHub (Alexa US Rank 21 and world rank 38 as of this writing) and abused the Traffic Junky advertising network. It should be noted that both PornHub and Traffic Junky acted swiftly to remediate this threat upon notification.” continues ProofPoint.

Both Pornhub and Traffic Junky ad network shut down the malicious ads, once informed by Proofpoint.

Like other malvertising actors, the KovCoreG group has recently focused on redirecting users to social engineering sites (e.g. fake downloads) instead of to websites hosting exploit kits.

“Once again, we see actors exploiting the human factor even as they adapt tools and approaches to a landscape in which traditional exploit kit attacks are less effective. While the payload in this case is ad fraud malware, it could just as easily have been ransomware, an information stealer, or any other malware.” concluded Proofpoint.


Credit agency Experian is using scare tactics to sell a service for tracking traded user data on the dark web
9.10.2017 securityaffairs Security

Credit agency Experian is using scare tactics to sell a service for tracking traded user data on the dark web; let’s take a close look at the user agreement.
On the dark web it is quite easy to find the identities of unaware individuals, along with other data that could expose companies to fraud.

One of the world’s biggest consumer credit reporting agencies, Experian, is trying to sell an identity theft protection product by leveraging consumers’ fear of the darknet.

At the beginning of September Experian launched the IdentityWorks Premium program, saying it can protect customers from the exposure of personal information on the dark web. “Is your personal information already being traded on the dark web?” asks one of Experian’s advertisements.

“Because of its hidden nature and the use of special applications to maintain anonymity, it’s not surprising that the dark Web can be a haven for all kinds of illicit activity,” Experian says on its own website. “This means if you’ve ever been a victim of a data breach, it’s a place where your sensitive information might live,” continues the company’s scare message.

The company offers a first “Dark Web Email Scan” for free, letting customers search for their email address on the darknets.

By providing an e-mail address to the scanning service, a user grants Experian permission to “track and collect certain consumer information specific to” the user.

dark web

By using the “Free Dark Web Email Scan” a user will receive advertisements for Experian products at the e-mail address that is being scanned. The user agreement includes a clause which states that not only will Experian send you advertisements, but “offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”

Experian collects and tracks various data about users, including credit scores, loan and credit card payments, and interest rates.

“I clicked on Experian’s terms of service and found a densely written, nearly 17,600-word document — a contract the length of a novella.

Not surprisingly, this is where you’ll find an arbitration clause preventing you from suing the company — an increasingly common aspect of consumer contracts nowadays. That’s the least of your worries, though.” reported a post published by the Los Angeles Times.

“The terms reveal that Experian “receives compensation for the marketing of credit opportunities or other products or services available through third parties,” which is exactly what it sounds like. You’re giving permission for the company to sell you out.

And if you make it to the very bottom of the contract — no small feat, I assure you — you’ll find this little cow chip: Even if you cancel any Experian service, your acceptance of the arbitration clause “shall survive.”

Disturbing! What do you think about it?

Without going into the details of the implementation of the Experian scanning service, it is indisputable the company is using scare tactics to get new customers for its service.


North Korea hackers threaten Irish companies with ‘almost daily’ attacks
9.10.2017 securityaffairs BigBrothers

State-sponsored hackers from North Korea are launching almost daily attacks on Irish companies and critical infrastructure
North Korean state-sponsored hackers are launching almost daily attacks on Irish companies and critical infrastructure, they are also suspected to be responsible for the €4.3m cyber heist on Meath County Council in October 2016.

Ireland is considered a privileged target of nation-state actors due to the presence of many US multinationals.

Defence Minister Paul Kehoe recognized the urgency to rapidly improve the security of national infrastructure against cyber attacks.

The overall cost of cyber attacks on Irish companies has soared from €498,000 in 2014 to €1.7m in 2016, and the situation is expected to get worse in the near future.

“The number of cyber attacks suffered by Irish businesses doubled between 2012 and 2016, but that figure is expected to double or even treble because of recent ransomware attacks.” reported the Irish Independent.

North Korea has recently turned to international cyber robbery to fund its military operations, and Ireland is on the front line of the cyber battle.

“But North Korea has thrown the entire rule book out the window. It is basically engaging in cyber warfare to raise funds and to cause global chaos.” explained the expert Ronan Murphy from Smarttech247.

“There is no safe hiding place anymore. These aren’t ordinary criminal gangs – you are essentially dealing with state cyber intelligence units.”

Murphy attributed the massive WannaCry ransomware attack to North Korea; the financially motivated attack netted only a measly €120,000 for Pyongyang.

North Korea hackers

Murphy highlighted the importance of improving security defenses against ever more sophisticated cyber attacks.

“These probing attacks are occurring almost 24/7 on Irish networks and, in most cases, the firms involved are simply not aware of it.” added Murphy.

“Smarttech logged an incredible 21 million attacks last year – and the rate of attacks is increasing on a daily basis.” continues the Independent.

According to a recent nationwide cyber security awareness survey, over 171,000 Irish businesses could be vulnerable to ransomware-based attacks.


Cyber Attacks Targeted Interests of Billionaire Chinese Dissident
9.10.2017 securityweek BigBrothers
Two Recent Alleged Cyber Attacks Have More to do with Politics Than Cybercrime

Two little-reported but alleged cyber attacks in recent weeks -- one against the Hudson Institute (a politically conservative think tank), and one against legal firm Clark Hill -- seem to revolve around China's campaign against dissident Guo Wengui (aka Miles Kwok) currently resident in New York and seeking political asylum. In both cases the finger has been pointed at China, and in both cases China has denied any involvement.

The first led to the sudden cancellation of a Hudson Institute event scheduled for October 4: A conversation with Guo Wengui. Hudson Institute said it had detected a cyber attack emanating from Shanghai a few days earlier. Hudson spokesman David Tell played down the effect of the DDoS attack, and blamed the event cancellation on poor planning: "The planning just got away from us and we feel bad," he told the Washington Free Beacon.

The second cyber attack apparently led to law firm Clark Hill withdrawing representation from Wengui, after earlier lodging Wengui's asylum claim. Clark Hill has merely confirmed that it no longer represents Wengui; but Wengui has claimed that it follows the law firm being targeted by Chinese hackers.

Wengui is a Chinese property billionaire wanted in China on corruption charges. In turn, he claims that the Chinese government is a kleptocracy. At a press conference Thursday, he produced what he claimed were 'top secret' Chinese government documents showing that China had sent secret agents into the United States. China claims they are forgeries.

In April, China issued an Interpol red notice on Wengui. These are not arrest warrants. Unlike the European Arrest Warrant (EAW) that has validity throughout the European Union (the UK was obligated to arrest Julian Assange in 2010 because of a Swedish EAW), no Interpol country is required to arrest the subject of a red notice -- it is merely a way of telling all Interpol countries that the subject is wanted in the issuing country.

Wengui's wealth has been estimated at $38 billion, earned through property and other investments. Much of his assets in China have been blocked by the government, where he is reportedly being investigated for at least 19 crimes, ranging from kidnapping, fraud, and rape to money laundering.

The whole debacle comes at an interesting point in US/Sino relations. The U.S. is seeking increased Chinese assistance against North Korea -- and there are some signs of mutual cooperation. U.S. Secretary of State Rex Tillerson was in Beijing between September 28 and October 1, meeting with senior Chinese officials.

At this point, US Cyber Command was still delivering its DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB). At the time, the only way into North Korea was through the connection owned by China's China Unicom (Russia has since opened a second connection across the Friendship Bridge between the two countries). Technically, it would be possible for Cyber Command to use this channel without China's knowledge or cooperation. However, the possibility of footprints being left that could trace the attack back to Cyber Command make it unlikely that it was done without China's knowledge.

Similarly, on the scheduled day of the Hudson Institute event with Wengui, a Chinese delegation was in Washington for a high-level law enforcement and cyber security dialogue between the U.S. and China. The alleged attack was raised by U.S. Attorney General Jeff Sessions during a meeting with China’s Public Security Minister Guo Shengkun, and China pledged to cooperate with an investigation.

The meeting was part of a high level communication channel established between Beijing and Washington following the meeting between President Trump and President Xi Jinping in April. While Trump is keen to get China's cooperation over North Korea, Xi Jinping is keen that nothing rocks the boat too seriously ahead of the 19th Party Congress later this month. Xi Jinping, while being a strict authoritarian, has been engaged in a long-running anti-corruption campaign in China -- although this is thought to be more about strengthening the party's control over the military than about improving civil rights.

On Saturday, the Chinese Ministry of Public Security issued a statement denying any involvement in cyberattacks against the Hudson Institute or Clark Hill. “The Chinese government would like to suggest that the US law enforcement authorities supply China with the detailed information, relevant clues and evidence, so that China could assist in the investigations to identify the real source of such hacking,” the ministry said, adding it would cooperate fully in any investigation.


Disqus Discloses 2012 Breach Impacting 17 Million Users
9.10.2017 securityweek Incident
Commenting service Disqus informed customers on Friday of a data breach that apparently occurred back in 2012 and which affected roughly 17.5 million user accounts.

Disqus learned of the breach from Troy Hunt, the Australian security expert who created the Have I Been Pwned breach notification service. Hunt said it took the company just under 24 hours after being notified to take action to protect impacted accounts and disclose the breach to the public.

According to Disqus, whose service is used to post roughly 50 million comments every month, the information stored in the database obtained by Hunt had been dated between 2007 and July 2012, which is likely around the time when the breach occurred.

The exposed data includes usernames, email addresses, sign-up dates, last login dates and, for roughly one-third of the 17.5 million accounts, password hashes (SHA-1 with salt). While Disqus said no plaintext passwords were exposed and the hashes are unlikely to be cracked, Hunt pointed out that it’s not difficult to crack SHA-1 hashes, even with a salt.

While Disqus’ investigation is still in progress, the company says there is no evidence of unauthorized logins as a result of this incident. Nevertheless, affected users are being notified and their passwords have been reset. The firm does not believe the data has been widely distributed or readily available.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts,” said Jason Yan, co-founder and CTO of Disqus. “Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

Data from the Have I Been Pwned service showed that 71% of the 17.5 million Disqus accounts were also compromised in other data breaches.

In addition to the Disqus database, Hunt also obtained information stolen from URL shortening service Bitly (9 million accounts) and Kickstarter (5.2 million accounts) back in 2014.

Unlike the Disqus incident, which does not appear to have been detected back in 2012, the Bitly and Kickstarter breaches were detected at the time of the attacks and users were notified. Both Bitly and Kickstarter informed users that there is no new information and no action needs to be taken.


U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016
9.10.2017 securityweek Incident

The U.S. Federal Deposit Insurance Corporation (FDIC) in the last two years may have suffered as many as 54 data breaches involving personally identifiable information (PII), revealed a report from the FDIC Office of Inspector General (OIG).

Created in response to the thousands of bank failures in the 1920s and 1930s, the FDIC is an independent agency that provides insurance to depositors. The standard insurance amount is $250,000 per depositor, per insured bank.

The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.

The OIG’s audit focused on 18 of 54 suspected or confirmed breaches discovered by FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.

The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG).

It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.

The failure to notify affected individuals and investigate the breaches in a timely manner was due to the lack of an incident response coordinator, the failure to provide adequate training to information security managers, and insufficient privacy staff for managing incident response activities, the OIG said in its report.

The audit also found that the FDIC failed to adequately document key assessments and decisions; failed to clearly define the purpose, scope, governance structure and key operating procedures of its data breach management team; and it did not track and report key breach response metrics.

A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.


Flawed BIOS Implementations Lead to Intel Boot Guard Bypass
9.10.2017 securityweek Safety
Poor firmware implementation can lead to the bypass of advanced technologies created to protect Unified Extensible Firmware Interface (UEFI) BIOS, such as Intel Boot Guard, from illegal modifications, security researchers have discovered.

Initially launched in 2013, Intel Boot Guard is a hardware-assisted BIOS integrity verification mechanism that creates a trusted boot chain so that the integrity of boot components is cryptographically verified. The boot chain uses an RSA public key (its hash is hard-coded inside the CPU) and an OEM private key.

The OEM sets the final configuration and writes it to one-time-programmable Intel chipset fuses during the manufacturing process, thus making it almost impossible for an attacker to modify the BIOS without knowing the private part of the OEM Root Key.

However, because some OEMs might fail to properly configure Intel Boot Guard, attackers could end up injecting code and permanently modifying BIOS.

Earlier this year at Black Hat 2017, security researcher Alex Matrosov presented some vulnerabilities in poor BIOS implementations, explaining that not all vendors enable the protections offered by modern hardware. Because of that, attackers could elevate privileges, bypass protections, and install rootkits, he explained.

Alexander Ermolov, a security researcher at Embedi, now says that one such faulty implementation impacts a series of firmware releases based on AMI Aptio UEFI BIOS. The product is highly popular among many OEMs, including Gigabyte, MSI, Asus, Acer, Dell, HP and ASRock, which suggests that vulnerable code might be present in a huge number of motherboards.

Ermolov explains that, during the verification stage, a BootGuardPei routine checks for compatibility with Intel Boot Guard, after which a Hand-Off Block (HOB) binary containing the result of the verification is created. If the verification fails, a zero value is written to the HOB.

While a failed check should result in the enforcement policy being applied, further execution of the BIOS is allowed, so modified Driver Execution Environment (DXE) code can be run. Enforcement is delegated to another Boot Guard-related module that reads the result stored in the HOB and shuts down the system if the DXE code did not pass the integrity check.

If that module does not find the verification result, it simply returns an error. As a result, an attack that deletes the HOB bypasses the DXE code integrity check; and if the module responsible for this step is itself deleted, no code is left to analyze the verification result at all.

The researchers say they notified AMI of the findings and were told that the issue had already been addressed and that OEMs had been alerted. The latest AMI BIOS codebase available to customers (OEMs) is no longer vulnerable.

However, after verifying the implementation of the fix on the previously analyzed motherboard (a Gigabyte GA-H170-D3H model), Ermolov discovered that things had gone from bad to worse. If BootGuardPei does not perform a successful verification, it now writes a positive value to the HOB, effectively bypassing the Boot Guard protection for the DXE integrity check.
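
The PEI-to-DXE hand-off described above, modelled as an added example that is not AMI's or Embedi's code: the routines, the HOB structure and the boot scenarios are hypothetical stand-ins, and the point is why the enforcement side must fail closed, and why even that cannot compensate for a PEI stage that records a false positive result.

```python
"""Model of the Boot Guard DXE-enforcement flow described above.

Added example, not AMI's or Embedi's code: the PEI/DXE routines and the
Hand-Off Block are hypothetical stand-ins named after the article's
description, not any real module interface.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class BootAction(Enum):
    CONTINUE = "continue"  # DXE phase is allowed to run
    HALT = "halt"          # enforcement module shuts the system down


@dataclass(frozen=True)
class VerificationHob:
    """Hand-Off Block carrying the PEI verification result (0 = failed)."""
    result: int


def pei_record_result(verification_ok: bool, broken_fix: bool = False) -> VerificationHob:
    """BootGuardPei side: record the verification outcome in the HOB.

    broken_fix=True models the regression Ermolov reported in the patched
    firmware: a positive value is written even though verification failed.
    """
    if verification_ok or broken_fix:
        return VerificationHob(result=1)
    return VerificationHob(result=0)


def enforce_fail_open(hob: Optional[VerificationHob]) -> BootAction:
    """The flawed DXE-side check as the article describes it.

    Only an explicit zero halts the platform; when the HOB is absent the
    module returns an error that nothing acts on, so boot continues.
    """
    if hob is None:
        return BootAction.CONTINUE  # "returns an error" -> caller keeps booting
    return BootAction.HALT if hob.result == 0 else BootAction.CONTINUE


def enforce_fail_closed(hob: Optional[VerificationHob]) -> BootAction:
    """Hardened check: only a present, positive result lets DXE run."""
    if hob is None or hob.result <= 0:
        return BootAction.HALT
    return BootAction.CONTINUE


def simulate_boot(verification_ok: bool, hob_survives: bool = True,
                  enforcement_present: bool = True, broken_fix: bool = False,
                  fail_closed: bool = False) -> BootAction:
    """Run the modelled PEI -> DXE hand-off and return what the platform does.

    hob_survives=False models the HOB being gone before enforcement runs;
    enforcement_present=False models the enforcement module itself missing.
    """
    hob: Optional[VerificationHob] = pei_record_result(verification_ok, broken_fix)
    if not hob_survives:
        hob = None
    if not enforcement_present:
        return BootAction.CONTINUE  # no code left to read the result at all
    check = enforce_fail_closed if fail_closed else enforce_fail_open
    return check(hob)


if __name__ == "__main__":
    cases = {
        "genuine DXE, original firmware": simulate_boot(True),
        "modified DXE, HOB intact": simulate_boot(False),
        "modified DXE, HOB missing": simulate_boot(False, hob_survives=False),
        "modified DXE, HOB missing, fail-closed": simulate_boot(
            False, hob_survives=False, fail_closed=True),
        "modified DXE, patched PEI, fail-closed": simulate_boot(
            False, broken_fix=True, fail_closed=True),
    }
    for name, action in cases.items():
        print(f"{name:40s} -> {action.value}")
```

The last case is the lesson of the regression: once the PEI stage itself records a positive result for code that failed verification, no downstream DXE check, however strict, can recover the lost trust.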


Extradition of Russian to U.S. on Bitcoin Charges 'Unjust': Moscow
9.10.2017 securityweek BigBrothers
Moscow on Friday slammed a Greek court's ruling that a Russian national accused of helping criminals launder billions of dollars using Bitcoin should be extradited to the United States.

Alexander Vinnik, who headed BTC-e, an exchange he operated for the cyber currency, was indicted by a US court in July on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

Vinnik said he would appeal the extradition decision of the Thessaloniki court on Wednesday.

"We consider that the verdict is unjust and violates the norms of international law," the Russian foreign ministry said in a statement.

"Greek authorities received a request from the Russian attorney general that Vinnik be extradited to Russia" which "should have priority, as Vinnik is a Russian citizen," the ministry said.

"Such a ruling is all the more surprising considering the context of friendly relations between Russia and Greece...we hope the relevant Greek authorities will take into account the request of the Russian attorney general (at appeal)."

The final decision on whether to extradite Vinnik will be made by the Greek justice minister.

The Russian has been languishing in a Greek jail since his arrest on July 25 in the tourist resort of Halkidiki, near Thessaloniki.

According to US authorities, Vinnik "stole identities, facilitated drug trafficking, and helped to launder criminal proceeds from syndicates around the world".

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges, but according to the US indictment, it was "heavily reliant on criminals".


Disqus Discloses 2012 Breach Impacting 17 Million Users
9.10.2017 securityweek Incident
Commenting service Disqus informed customers on Friday of a data breach that apparently occurred back in 2012 and which affected roughly 17.5 million user accounts.

Disqus learned of the breach from Troy Hunt, the Australian security expert who created the Have I Been Pwned breach notification service. Hunt said it took the company just under 24 hours after being notified to take action to protect impacted accounts and disclose the breach to the public.

According to Disqus, whose service is used to post roughly 50 million comments every month, the information stored in the database obtained by Hunt had been dated between 2007 and July 2012, which is likely around the time when the breach occurred.

The exposed data includes usernames, email addresses, sign-up dates, last login dates and, for roughly one-third of the 17.5 million accounts, password hashes (SHA-1 with salt). While Disqus said no plaintext passwords were exposed and the hashes are unlikely to be cracked, Hunt pointed out that it’s not difficult to crack SHA-1 hashes, even with a salt.

While Disqus’ investigation is still in progress, the company says there is no evidence of unauthorized logins as a result of this incident. Nevertheless, affected users are being notified and their passwords have been reset. The firm does not believe the data has been widely distributed or readily available.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts,” said Jason Yan, co-founder and CTO of Disqus. “Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”

Data from the Have I Been Pwned service showed that 71% of the 17.5 million Disqus accounts were also compromised in other data breaches.

In addition to the Disqus database, Hunt also obtained information stolen from URL shortening service Bitly (9 million accounts) and Kickstarter (5.2 million accounts) back in 2014.

Unlike the Disqus incident, which does not appear to have been detected back in 2012, the Bitly and Kickstarter breaches were detected at the time of the attacks and users were notified. Both Bitly and Kickstarter informed users that there is no new information and no action needs to be taken.


U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016
9.10.2017 securityweek CyberCrime
The U.S. Federal Deposit Insurance Corporation (FDIC) in the last two years may have suffered as many as 54 data breaches involving personally identifiable information (PII), revealed a report from the FDIC Office of Inspector General (OIG).

Created in response to the thousands of bank failures in the 1920s and 1930s, the FDIC is an independent agency that provides insurance to depositors. The standard insurance amount is $250,000 per depositor, per insured bank.

The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.

The OIG’s audit focused on 18 of 54 suspected or confirmed breaches discovered by FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.

The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG).

It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.

The failure to notify affected individuals and investigate the breaches in a timely manner was due to the lack of an incident response coordinator, the failure to provide adequate training to information security managers, and insufficient privacy staff for managing incident response activities, the OIG said in its report.

The audit also found that the FDIC failed to adequately document key assessments and decisions; failed to clearly define the purpose, scope, governance structure and key operating procedures of its data breach management team; and it did not track and report key breach response metrics.

A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.



Sri Lanka police arrest two men over cyber theft at the Taiwan Bank
9.10.2017 securityaffairs Hacking

The Sri Lanka authorities have arrested two men allegedly involved in cyber heist at an unnamed Taiwan bank that occurred last week.
The Sri Lanka police have arrested two men allegedly involved in the Taiwan cyber heist; the suspects are accused of helping the crooks who hacked into computers at a Taiwan bank and stole millions of dollars last week.

According to an official, the duo was identified and arrested after they tried to withdraw large sums of money that had been wired to their accounts with a Sri Lankan bank branch in the capital Colombo.

The police Criminal Investigation Department (CID) is still investigating the hack together with the Taiwan police; the law enforcement agencies suspect that other individuals were part of the gang.

“We are looking at some $1.3 million that had come into three accounts in Sri Lanka,” the official involved with the investigation told AFP, speaking on condition of anonymity. “We have taken two people into custody and we are looking for one more person.”

The Sri Lankan authorities did not disclose the name of the Taiwan bank targeted by the cyber heist or the sum the crooks had stolen, but a Sri Lankan media report said that tens of millions of dollars had been stolen and wired out of the island.

The Financial Regulatory Commission in Taipei confirmed that the local Far Eastern International Bank’s SWIFT system had been infected with a computer virus, but did not provide further details about the hack.

Taiwanese media quoted the bank as saying that its experts had discovered anomalies in its SWIFT system: internal staff detected suspicious transactions, starting Thursday, to Sri Lanka, Cambodia and the United States.

The good news is that the Taiwan police have recovered most of the money with the help of counterparts in other countries.

In February 2015, Sri Lanka authorities investigated a similar cyber heist that involved the Bangladesh central bank, crooks transferred $20 million of stolen money to a Sri Lankan businesswoman.


Experts spotted KnockKnock attacks, a new ingenious attack technique on Office 365 System Accounts
9.10.2017 securityaffairs Attack

Security experts from Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 accounts.
The cloud access security broker Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 (O365) accounts.

The campaign, which started in May and is still continuing, relies on a low-key approach. Attackers are using a small botnet composed of 83 IP addresses across 63 networks, most of them registered in China. The attackers also used bots from 15 other countries, including Brazil, Russia, the US, and Malaysia.

Experts underscored the fact that the botnet attack KnockKnock was observed in targeted offensives.

“Skyhigh has detected an ingenious new botnet attack against Office 365 accounts, dubbed ‘KnockKnock’ because attackers are attempting to knock on backdoor system accounts to infiltrate entire O365 environments.” reads the analysis published by Skyhigh Networks. “One of the key distinctions of this new attack is the nature of the accounts that are being targeted. KnockKnock was designed to primarily attack system accounts that are not assigned to any one individual user, making them particularly vulnerable, as we’ll describe later.”

Attackers launched a slow and methodical attack trying to remain under the radar instead of carrying out a brute force attack against O365 accounts.

The attackers targeted only a very small proportion (typically <2%) of the O365 account base, and limited the number of attempts to 3-5 per account in order to go undetected.

Once the attackers take over an account, they snoop on any data in the inbox and then create a new inbox rule to hijack incoming messages. This is only the first stage of the attack against the company network: once an account is compromised, the attackers launch in-company phishing attempts for lateral movement.

Experts suggest attackers may tailor the payload based on the targeted organization “for a larger takeover over time”.

The threat actors behind the KnockKnock attack focused on system accounts rather than ordinary user accounts because such accounts tend to have high access privileges and poor protection.

“The system accounts that Skyhigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.” continues the analysis.

“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. And, most importantly, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies.”

Skyhigh experts detected the KnockKnock attacks using the company’s machine learning anomaly detection engine. The engine flagged an increase in the number of anomalous accesses, and the experts spotted the malicious activity by correlating data from billions of O365 events across hundreds of customers.
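
One way a defender can surface this low-and-slow pattern in sign-in telemetry, as an added example that is not Skyhigh's code: instead of counting failures per account (where 3-5 attempts never trip a lockout), it pivots on the source address and counts distinct accounts probed, then flags successful sign-ins to non-human accounts from those sources. The log format, account names, addresses and thresholds are all constructed for illustration.

```python
"""Detection sketch for the KnockKnock pattern described above.

Added example, not Skyhigh's code: the sign-in log format, account names,
IP addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    account: str
    src_ip: str
    success: bool


# Constructed sign-in records, one "timestamp,account,src_ip,result" per line.
# Two sources probe several non-human accounts a few times each; one human
# user mistypes a password twice and then logs in normally.
SAMPLE_LOG = """\
2017-09-01T02:14:00,svc-provisioning@corp.example,203.0.113.10,failure
2017-09-01T02:15:30,backup-automation@corp.example,203.0.113.10,failure
2017-09-01T02:17:05,jenkins-bot@corp.example,203.0.113.10,failure
2017-09-01T02:19:40,svc-provisioning@corp.example,203.0.113.10,failure
2017-09-01T02:21:12,marketing-auto@corp.example,203.0.113.10,failure
2017-09-01T03:02:00,alice@corp.example,198.51.100.7,failure
2017-09-01T03:02:10,alice@corp.example,198.51.100.7,failure
2017-09-01T03:02:25,alice@corp.example,198.51.100.7,success
2017-09-02T02:14:00,svc-provisioning@corp.example,203.0.113.11,failure
2017-09-02T02:16:00,backup-automation@corp.example,203.0.113.11,failure
2017-09-02T02:18:00,jenkins-bot@corp.example,203.0.113.11,failure
2017-09-02T02:20:00,shared-mailbox@corp.example,203.0.113.11,success
"""

# Constructed naming convention for accounts not assigned to one person
# (service, automation, CI, marketing and shared-mailbox accounts).
SYSTEM_PREFIXES = ("svc-", "backup-", "jenkins-", "marketing-", "shared-")


def is_system_account(account: str) -> bool:
    return account.lower().startswith(SYSTEM_PREFIXES)


def parse_log(text: str) -> List[SignIn]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, result = line.split(",")
        events.append(SignIn(datetime.fromisoformat(ts), account, src_ip,
                             result == "success"))
    return events


def spray_sources(events: List[SignIn], min_accounts: int = 3,
                  max_per_account: int = 5) -> Dict[str, Set[str]]:
    """Flag source IPs that touch many accounts with few attempts each.

    Per-account lockout counters never trip at 3-5 tries, so the pivot is
    the source: many distinct accounts from one address is the signal.
    """
    attempts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        attempts[e.src_ip][e.account] += 1
    flagged: Dict[str, Set[str]] = {}
    for ip, per_account in attempts.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            flagged[ip] = set(per_account)
    return flagged


def system_account_takeovers(events: List[SignIn],
                             flagged: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Successful sign-ins to system accounts from a flagged spray source.

    These are the accounts to reset and to audit for newly created inbox rules.
    """
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.success and e.src_ip in flagged and is_system_account(e.account):
            hits.append((e.account, e.src_ip))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sources = spray_sources(evts)
    for ip, accounts in sources.items():
        print(f"spray source {ip}: {len(accounts)} distinct accounts probed")
    for account, ip in system_account_takeovers(evts, sources):
        print(f"ALERT: system account {account} signed in from spray source {ip}")
```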

Skyhigh researchers confirmed that the KnockKnock attack targeted over 50 percent of their customers, so it is likely that a large portion of large Office 365 customers is being attacked with this technique.

Experts noticed that none of the 83 identified IP addresses were already included on lists of known bad IP addresses, which makes this attack stealthy in nature.


Security researcher found roughly 700 Brother printers left exposed online
9.10.2017 securityaffairs Vulnerability

A security researcher has discovered nearly 700 Brother printers left exposed online, putting corporate and government networks at risk of attack.
The security researcher Ankit Anubhav, principal researcher at NewSky Security, has discovered nearly 700 Brother printers left exposed online. Anyone can access the administration panel of the printers and take control of the devices.

Anubhav disclosed his discovery via Bleeping Computer, providing it with a list of the exposed printers.

“Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few.” states Bleeping Computer.

Bleeping Computer also forwarded the list to the well-known researcher Victor Gevers, who will notify the affected organizations once he has analyzed it.

The researcher discovered many Brother printers exposed online with factory settings; in fact, Brother ships the printers with no admin password.

It is quite easy to locate these printers by using search engines like Shodan or Censys.

Anubhav explained that the printers belong to corporate and government networks and known universities.

“I’m surprised about so many known universities included in the list,” Anubhav told Bleeping. “I am planning to reach and notify the orgs with my colleague,”

An attacker can access the administration of the printers connected to the Internet and change settings, such as their passwords, causing problems to affected organizations.

The list provided to Bleeping included only printers that exposed the “password.html” file, which is the password reset page of Brother printers. The expert noted that the administration panel exposed by the printers also included options to manage firmware updates.

An attacker can exploit the exposed administration panel to deliver tainted firmware and take full control of the printers.

“An attacker could include spyware-like behavior in tainted firmware updates and have printers send copies of printed documents to an attacker’s server.” continues Bleeping Computer.

“In the case of private businesses and government organizations, this could expose very sensitive information.”

Organizations running Brother printers are urged to check whether the devices expose the administration panel online by default, and to change the default password to prevent unauthorized access to the device.


HPE allowed Russians review the code of ArcSight software also used by the Pentagon
9.10.2017 securityaffairs BigBrothers

HPE gave Russian gov access to review ArcSight software that is currently used by corporate and government entities worldwide, including the Pentagon.
The recent news of the alleged abuse of Kaspersky products to steal NSA exploits from the personal PC of a US contractor has pushed into the background another equally worrying story.

Another tech giant has come under fire, reports claimed the company HPE gave Russian defence forces access to review software it sold to the Pentagon. The software is the same supposedly used to protect the agency’s networks.

According to regulatory records seen by the Reuters agency, HPE allowed Russian defence agencies to access the source code of its ArcSight software with the intent to obtain the certification needed to sell its software to the Russian public sector.

The review for the ArcSight software took place last year, while the tension between Washington and Moscow was high due to the increasing number of cyber attacks against U.S. politicians, government agencies, and companies.

“Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue.” states a report published by Reuters.

“The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector.”

The ArcSight platform is used in both government and private industries, clearly, the analysis of the code could help the Russian Government in detecting security vulnerabilities that could be exploited by state-sponsored hackers to target HPE customers, including the Pentagon.

Reuters quoted several former US military sources and former ArcSight employees; HPE told Reuters that no “backdoor vulnerabilities” were uncovered in the Russian review.

Of course, this is hardly reassuring: would Russian experts really have reported to HPE the flaws they discovered during the review?

“Six former U.S. intelligence officials, as well as former ArcSight employees and independent security experts, said the source code review could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.” continues Reuters.

“It’s a huge security vulnerability,” said Greg Martin, a former security architect for ArcSight. “You are definitely giving inner access and potential exploits to an adversary.”

HPE pointed out that neither the ArcSight source code nor any of its products had been compromised.

The review was carried out by the company Echelon which has close ties to the Russian military. The company operated on behalf of Russia’s Federal Service for Technical and Export Control (FSTEC), the Russian agency tasked with countering cyber espionage.

“Echelon president and majority owner Alexey Markov said in an email to Reuters that he is required to report any vulnerabilities his team discovers to the Russian government.” continues Reuters.

“But he said he does so only after alerting the software developer of the problem and getting its permission to disclose the vulnerability. Echelon did not provide details about HPE’s source code review, citing a non-disclosure agreement with the company.”

From the Russian point of view, it is essential to review the code of any software developed by foreign firms in order to prevent cyber espionage activities like the ones described by Edward Snowden.

The Russian government requires such code reviews before allowing sales to government agencies, in order to prevent foreign intelligence services from placing spy implants in software and hardware components.


Forrester, one of the most influential research and advisory firms was hacked
9.10.2017 securityaffairs Incident

Forrester Research announced today that Forrester.com experienced a security breach this week, attackers were ultimately detected and shut out of the system
Forrester, one of the most influential research and advisory firms in the world, revealed on Friday that it had suffered a security breach this week.

The attackers broke into the infrastructure hosting the Forrester.com website, which is also used to let customers download market research documents according to their contracts.

The advisory firm supports decision makers of its customers by providing trends, statistics, and other market research.

According to company’s Chief Business Technology Officer, Steven Peltzman, crooks stole valid Forrester.com login credentials that allowed them to take over the website.

“The hacker used that access to steal research reports made available to our clients,” Peltzman said.

“There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident,”

The hackers did not access confidential client data, financial information, or confidential employee data.

The stolen data is nonetheless a precious commodity in the hands of cyber spies, who could use it to learn sensitive information about Forrester’s customers and their projects.

“We recognize that hackers will attack attractive targets — in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures,” said George F. Colony, Chairman and Chief Executive Officer of Forrester. “We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk.”

Forrester is the latest major financial and business organization to suffer a data breach in the past month; the recent victims, in chronological order, are Equifax, Deloitte, and the US Securities and Exchange Commission (SEC).


Research Reports Stolen in Forrester Website Hack
9.10.2017 securityweek Incident
Forrester, one of the world’s most influential market research and advisory firms, informed customers late on Friday that its main website had been breached.

According to Forrester Chief Business Technology Officer Steven Peltzman, a hacker accessed information provided to customers through the company’s website, Forrester.com, using stolen credentials.

The organization said the attacker managed to steal research reports made available to customers, but believes no confidential client data, financial information, or employee data has been compromised.

Forrester said the attack was detected while it was being carried out and the company took immediate action to limit its impact. The investigation is ongoing, but there is no evidence to date that the hacker stole anything other than research intellectual property.

Law enforcement has been notified and the firm is further strengthening its internal security processes and systems in response to the incident.

“We recognize that hackers will attack attractive targets — in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures,” said George F. Colony, chairman and CEO of Forrester. “We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk.”

Forrester disclosed the breach on Friday after the market closed so the potential impact of the incident on the company’s shares has yet to be seen.

A major cybersecurity incident can have a significant impact on a company’s stock. The breach suffered recently by consumer credit reporting agency Equifax, which affected more than 140 million individuals, led to the company losing roughly $10 billion in market value within a few days of the hacker attack coming to light.


Sri Lanka Arrests Two Men over Taiwan Bank Hacking
9.10.2017 securityweek Hacking
Sri Lankan police have arrested two men for allegedly helping international criminals who hacked into computers at a Taiwan bank and stole millions of dollars, an official said Sunday.

The pair were arrested after they tried to withdraw large sums of money that had been wired to their accounts with a Sri Lankan bank branch in the capital Colombo, the official said.

The police Criminal Investigation Department (CID) was working closely with Taiwan counterparts to track down the hackers, who are said to have breached the Taiwan bank's computers last week.

"We are looking at some $1.3 million that had come into three accounts in Sri Lanka," the official involved with the investigation told AFP, asking not to be named.

"We have taken two people into custody and we are looking for one more person."

Police in Sri Lanka did not disclose the name of the affected bank in Taiwan or the sum said to have been stolen, but a Sri Lankan media report said tens of millions of dollars had been wired out of the island.

In Taipei the Financial Regulatory Commission confirmed that the local Far Eastern International Bank's SWIFT system had been hacked through a computer virus but gave no details.

Taiwanese media quoted the bank as saying that it detected irregularities in its SWIFT system and there were suspicious transactions starting Thursday to Sri Lanka, Cambodia and the United States.

However, Taiwan police have recovered most of the money with the help of counterparts in other countries, the reports said.

Bank officials were not immediately available for comment.

Sri Lankan police investigated a similar theft in February last year when hackers broke into the computer system of the Bangladesh central bank and transferred $20 million of stolen money to a Sri Lankan businesswoman.

The money was recovered and a court investigation is pending.


British Teen Admits Trying to Hack CIA Chief
7.10.2017 securityweek BigBrothers
A teenager admitted in a British court on Friday to trying to hack into the computers of top US officials, including former CIA chief John Brennan, from his home in the East Midlands region of England.

Kane Gamble, 18, pleaded guilty to ten charges related to the attempted intrusions in late 2015 and early 2016, which targeted the US Department of Justice and an array of senior American security officials.

These included James Clapper, the Director of National Intelligence under President Obama; Jeh Johnson, the former US Secretary of Homeland Security; and a deputy director of the FBI.

Gamble, from Coalville, Leicester -- a small town 110 miles (177 kilometres) northwest of London -- pleaded guilty to eight charges of performing a function with intent to secure unauthorised access, and two charges of unauthorised acts with intent to impair operation of a computer.

He was released on conditional bail ahead of sentencing on December 15.

British judges have sentenced defendants in other hacking cases in recent years to up to two years in prison.

Media reports at the time of the attempted breaches said they were part of a wider "hacktivist" group known as "Crackas With Attitude", which targeted the US officials and their families between October 2015 and February 2016.

The US Justice Department arrested two men in September 2016 in North Carolina on suspicion of belonging to the network.


Experts spotted KnockKnock attacks, a new ingenious attack technique on Office 365 System Accounts
7.10.2017 securityaffairs Attack

Security experts from Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 accounts.
The cloud access security broker Skyhigh Networks discovered a wide-scale attack with a new stealthy technique, dubbed KnockKnock, that targets Office 365 (O365) accounts.

The campaign, a low-key attack that began in May, is still ongoing. The attackers use a small botnet of 83 IP addresses across 63 networks, most of them registered in China, with further bots in 15 other countries including Brazil, Russia, the US and Malaysia.

Experts underscored that the KnockKnock botnet attack was observed in targeted operations.

“Skyhigh has detected an ingenious new botnet attack against Office 365 accounts, dubbed ‘KnockKnock’ because attackers are attempting to knock on backdoor system accounts to infiltrate entire O365 environments.” reads the analysis published by Skyhigh Networks. “One of the key distinctions of this new attack is the nature of the accounts that are being targeted. KnockKnock was designed to primarily attack system accounts that are not assigned to any one individual user, making them particularly vulnerable, as we’ll describe later.”

Attackers launched a slow and methodical attack trying to remain under the radar instead of carrying out a brute force attack against O365 accounts.

The attackers targeted only a very small proportion (typically <2%) of the O365 account base, and limited the number of attempts to 3-5 per account in order to go undetected.

Once the attackers take over an account, they snoop on any data in the inbox and then create a new inbox rule to hijack incoming messages. This is only the first stage of the attack on the company network: once an account is compromised, the attackers launch in-company phishing attempts for lateral movement.

Experts suggest attackers may tailor the payload based on the targeted organization “for a larger takeover over time”.

The threat actors behind the KnockKnock attack focused their attention on system accounts rather than ordinary user accounts, because system accounts tend to have high access privileges and poor protection.

“The system accounts that Skyhigh identified as targets included service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes.” continues the analysis.

“The reason this is so clever is that system accounts, given their purpose, tend to have higher access and privileges than an average account. And, most importantly, such accounts do not yield well to authentication frameworks like Single-Sign-On (SSO) or Multi-Factor Authentication (MFA) and are also subject to lax password policies.”

Skyhigh experts detected the KnockKnock attacks with their machine learning anomaly detection engine, which flagged an increase in the number of anomalous accesses; the malicious activity was spotted by correlating data from billions of O365 events across hundreds of customers.


Skyhigh researchers confirmed that the KnockKnock attack targeted over 50 percent of their customers, so it is likely that a large portion of large Office 365 customers is being attacked with this technique.

Experts noticed that none of the 83 identified IP addresses were already included in lists of known-bad IP addresses, which makes the attack stealthy in nature.


A critical vulnerability affects Siemens smart meters
7.10.2017 securityaffairs Vulnerability

Siemens has just released a firmware update for the 7KT PAC1200 Siemens smart meters that addresses a critical vulnerability.
Siemens has just released a firmware update for the 7KT PAC1200 Siemens smart meters to fix a critical vulnerability that can be exploited by remote attackers to bypass authentication and perform administrative actions on the device.

The 7KT PAC1200 multichannel measuring devices belong to the Siemens SENTRON energy management family and are designed to monitor energy consumption using sensors to collect data. Data gathered by the Siemens smart meters can be viewed via a desktop web browser or mobile applications for Android and iOS.


The flaw, tracked as CVE-2017-9944, was discovered by the researcher Maxim Rupp and affects the web server integrated into the Siemens smart meters. The vulnerability allows a remote attacker to bypass authentication using an alternate path or channel; by exploiting it, an attacker can access the web interface and perform administrative operations.

The web interface of Siemens smart meters provides useful information to the users, including power consumption statistics for a specified period and budget monitoring.

The vulnerability affects the 7KT PAC1200 data manager running firmware versions prior to 2.03.

“Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms and perform administrative functions.” states the security advisory published by the US ICS-CERT.

Siemens urges its customers to update their devices to version 2.03 and to protect network access to the web server with appropriate mechanisms.

“Siemens provides firmware Version V2.03 for 7KT PAC1200 data manager (7KT1260) from the SENTRON portfolio, which fixes the vulnerability and recommends users update to the new fixed version. The firmware update V2.0.3 for 7KT PAC1200 data manager (7KT1260) from the SENTRON portfolio can be found on the Siemens web site at the following location:

https://support.industry.siemens.com/cs/ww/de/view/109749883/en?dl=en” continues the security advisory.

“As a general security measure, Siemens strongly recommends protecting network access to the devices with appropriate mechanisms. Siemens advises configuring the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment.”


Disqus data breach – 2012 incident Exposed details for 17.5 Million users
7.10.2017 securityaffairs Hacking

Disqus data breach – The blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.
On Friday evening, the worldwide blog comment hosting service for web sites and online communities Disqus has confirmed a data breach that occurred back in 2012.

In 2012, hackers have stolen details for at least 17.5 million Disqus user accounts.

The popular cyber security expert Troy Hunt, who runs the data breach notification service haveibeenpwned.com, came into possession of a copy of the stolen data.

Have I been pwned? (@haveibeenpwned), 1:09 AM - Oct 7, 2017:
New breach: Disqus had a data breach in 2012 which exposed 17.5M accounts. 71% were already in @haveibeenpwned https://haveibeenpwned.com/

Hunt reported the issue to Disqus staff on Friday afternoon.

Troy Hunt (@troyhunt):
Important security alert from @Disqus. Not a fun situation, but full credit for that disclosure timeline: https://blog.disqus.com/security-alert-user-info-breach …

Troy Hunt (@troyhunt), 1:08 AM - Oct 7, 2017 · Gold Coast, Queensland:
23 hours and 42 minutes from initial private disclosure to @disqus to public notification and impacted accounts proactively protected pic.twitter.com/lctQEjHhiH

Disqus has already started notifying users listed in the archive reported by Troy Hunt; the exposed records include email addresses, usernames, sign-up dates, and last login dates in plain text. SHA-1 hashed passwords were included for only about 33% of the records.

Disqus declared that at the end of 2012, it switched the password hashing algorithm from SHA1 to bcrypt.

“Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.” states the breach notification published by Disqus.

According to Disqus, the last entry in the dump is from July 2012, which could be the exact moment when the data breach took place.
In response to the incident, the company started contacting users and resetting the passwords of the users whose password hashes were included in the breach.

“As a precautionary measure, we are forcing the reset of passwords for all affected users. We are contacting all of the users whose information was included to inform them of the situation.” continues the Disqus data breach notification.

“We’ve taken action to protect the accounts that were included in the data snapshot. Right now, we don’t believe there is any threat to user accounts. Since 2012, as part of normal security enhancements, we’ve made significant upgrades to our database and encryption in order to prevent breaches and increase password security. Specifically, at the end of 2012 we changed our password hashing algorithm from SHA1 to bcrypt.”


According to Disqus, there is no evidence of unauthorized logins or any other abuses associated with the stolen data.

The company is still investigating the incident.


British teenager admits trying to hack CIA Chief and other top US officials
7.10.2017 securityaffairs BigBrothers

A British teenager admitted in a British court to have attempted to hack into the computers of top US officials, including former CIA chief John Brennan.
On Friday, the British teenager Kane Gamble (18) from Coalville, Leicester, admitted in a British court to have attempted to hack into the computers of top US officials, including former CIA chief John Brennan.


Kane Gamble pleaded guilty to ten charges related to the attempted intrusions, which occurred between late 2015 and early 2016.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

The teenager targeted the US Department of Justice and many other senior American security officials from his home in the East Midlands region of England.

The list of targeted officials is long and includes James Clapper, the Director of National Intelligence under the Obama administration, and the deputy director of the FBI Jeh Johnson.

The teenager was released on conditional bail ahead of sentencing on December 15.

The man was suspected of being a member of the notorious hacking crew ‘Crackas With Attitude’, which targeted the US officials between October 2015 and February 2016.

In September 2016, U.S. authorities arrested two alleged members of the Crackas With Attitude group involved in dumping details of officials with the FBI and the DHS.

In September 2017, one of the two men arrested was sentenced to five years in federal prison.


Disqus Hacked: More than 17.5 Million Users' Details Stolen in 2012 Breach
7.10.2017 thehackernews Hacking

Another day, Another data breach disclosure.
This time the popular commenting system has fallen victim to a massive security breach.
Disqus, the company which provides a web-based comment plugin for websites and blogs, has admitted that it was breached 5 years ago in July 2012 and hackers stole details of more than 17.5 million users.
The stolen data includes email addresses, usernames, sign-up dates, and last login dates in plain text for all 17.5 million users.
What's more? Hackers also got their hands on passwords for about one-third of the affected users, which were salted and hashed using the weak SHA-1 algorithm.
The company said the exposed user information dates back to 2007 with the most recently exposed from July 2012.
According to Disqus, the company became aware of the breach Thursday (5th October) evening after an independent security researcher Troy Hunt, who obtained a copy of the site's information, notified the company.
Within about 24 hours, Disqus disclosed the data breach and started contacting its affected users, forcing them to reset their passwords as soon as possible.
"No plain text passwords were exposed, but it is possible for this data to be decrypted (even if unlikely). As a security precaution, we have reset the passwords for all affected users. We recommend that all users change passwords on other services if they are shared," Disqus' CTO Jason Yan said in a blog post.
However, since late 2012 Disqus has made other upgrades to improve its security and changed its password hashing algorithm to Bcrypt—a much stronger cryptographic algorithm which makes it difficult for hackers to obtain user's actual password.
"Since 2012, as part of normal security enhancements, we have made significant upgrades to our database and encryption to prevent breaches and increase password security," Yan said. "Specifically, at the end of 2012, we changed our password hashing algorithm from SHA1 to bcrypt."
In addition to resetting your password, you are also advised to change your passwords on other online services and platforms as well, if you share the same credentials.
It is most likely that hackers could use this stolen information in tandem with social engineering techniques to gain further information on victims. So, you are advised to beware of spam and phishing emails carrying malicious file attachments.
It is still unclear how the hackers got their hands on the Disqus data. San Francisco-based Disqus is still actively investigating the incident.
We will update you as soon as more details surface.
This is yet another embarrassing breach disclosed recently, after Equifax’s disclosure of a breach affecting potentially 145.5 million US customers, the U.S. Securities and Exchange Commission (SEC) disclosure of a breach that profited hackers, and Yahoo’s recent disclosure that its 2013 data breach affected all of its 3 billion users.


Spanish Court Agrees to Extradite Russian Spam King to the United States
7.10.2017 thehackernews Crime

Spain's National Court ruled on Tuesday to extradite a 36-year-old Russian computer programmer, accused by American authorities of malicious hacking offences, to the United States, according to a court document.
Peter Yuryevich Levashov, also known as Peter Severa, was arrested in April this year when he was travelling with his family to Barcelona, Spain from his home in Russia—a country without an extradition treaty with the United States—for his role in a huge computer botnet.
However, since Levashov previously worked for Vladimir Putin's United Russia Party for ten years, he fears that the US authorities would torture him for information about his political work if he were sent there to face the charges against him.
"If I go to the U.S., I will die in a year. They want to get information of a military nature and about the United Russia party," RIA news agency quoted Levashov as saying. "I will be tortured, within a year I will be killed, or I will kill myself."
Levashov was accused of operating the Kelihos botnet—a global network of more than 100,000 infected computers used to deliver spam, steal login passwords and infect computers with ransomware and other malware since at least 2010.
While it was initially speculated that Levashov was involved in the 2016 U.S. election hacking, the FBI made it clear that the suspect was arrested for his involvement in the Kelihos botnet and for spamming targets to pressure them into buying worthless stock.
According to the FBI officials, Levashov used the same IP address to operate Kelihos botnet that he used to access his email and other online accounts in his name, including Apple iCloud and Google Gmail accounts.
The Department of Justice's indictment said the Russian suspect allegedly used Kelihos to distribute hundreds of millions of spam e-mails every year, and pump-and-dump stock scams, especially targeting Microsoft Windows machines for infection.
Besides conducting spamming operations, Levashov also allegedly used the Kelihos botnet to infect end-user computers with malware and harvest passwords to online and bank accounts belonging to thousands of Americans.
The United States had requested Levashov's arrest, and after his arrest in April 2016, Russia filed a counter-extradition request in September, hours before the original extradition hearing.
However, Spain's High Court has approved the U.S. extradition request of Levashov, who has been charged with wire fraud and unauthorised interception of electronic communications.
United States prosecutors are seeking a 52-year jail sentence against Levashov, who has already denied the charges against him, Reuters reported.
Levashov has now just three days to appeal his extradition to the United States.


Greek Court Approves US Extradition of BTC-e Operator In $4 Billion Money Laundering Case
7.10.2017 thehackernews Crime

A Greek court has approved the U.S. extradition of a 38-year-old Russian national accused of laundering more than $4 billion in bitcoin for culprits involved in hacking attacks, tax fraud and drug trafficking with the help of the now-defunct BTC-e exchange.
Alexander Vinnik is an alleged operator of BTC-e, a digital currency exchange service that had been in operation since 2011 but was seized by the authorities right after Vinnik's arrest in a beachside village in northern Greece in late July 2016, at the request of US law enforcement authorities.
Since his arrest, Moscow has also requested Vinnik be returned home, as it has previously done with other Russian nationals wanted by the United States.
However, the Greek court ruled on Wednesday (4 October) to extradite Vinnik to the U.S., where he will face trial on charges of operating an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.
U.S. authorities suspect Vinnik was the one responsible for facilitating crimes ranging from computer hacking to drug trafficking since at least 2011 through his digital Bitcoin exchange.
U.S. authorities also linked the accused to the failure of the once-very popular Japanese bitcoin exchange Mt. Gox, which was shut down in 2014 following a massive series of mysterious robberies, which totalled at least $375 million in Bitcoin.
The authorities believe Vinnik "obtained" funds from the hacker or insider who stole bitcoins from Mt. Gox and sent them to a bitcoin wallet controlled by Vinnik, who intentionally laundered them through BTC-e, over a period of three years.
"After the coins entered Vinnik's wallets, most were moved to BTC-e and presumably sold off or laundered (BTC-e money codes were a popular choice). In total some 300,000 BTC ended up on BTC-e," according to WizSec, a Japanese security firm that has long been investigating the Mt. Gox case.
"To be clear, this investigation turned up evidence to identify Vinnik not as a hacker/thief but as a money launderer; his arrest news also suggests this is what he is being suspected for. He may have merely bought cheap coins from thieves and offered a laundering service."
While Greek police described Vinnik as "an internationally sought 'mastermind' of a crime organisation," United States authorities accused him of facilitating crimes including hacking, identity theft, tax refund fraud, public corruption and drug trafficking.
Soon after the Greek court decision, Vinnik's lawyers appealed to the Supreme Court.
"We have taken immediate action and appealed the ruling, and the case will be examined by the criminal division of the Supreme Court," Vinnik's lawyer, Alexandros Lykourezos, said, as quoted by The News Tribune.
If extradited to the United States, Vinnik faces up to 55 years in prison, along with a $500,000 fine or twice the value of the property involved in the transaction for each count.
However, he has denied all charges against him, saying he was just a technical consultant to BTC-e and not its operator.
"I have nothing to do with what I am accused of," he told the judges.
Vinnik also claimed that the laptop seized by the Greek authorities during his arrest was in no way related to his job, adding that it only contained children's cartoons for his family.
Vinnik is trying to return to his home in Russia, where he is facing lesser fraud charges, although a hearing date for the Russian extradition request has not yet been set.


FormBook—Cheap Password Stealing Malware Used In Targeted Attacks
7.10.2017 thehackernews Virus

It seems sophisticated hackers have changed the way they conduct targeted cyber operations: instead of investing in zero-days and developing their own malware, some hacking groups have started using ready-made malware, just like script kiddies.
Possibly, this could be a smart move for state-sponsored hackers to avoid being attributed easily.
Security researchers from multiple security firms, including Arbor Networks and FireEye, independently discovered a series of malware campaigns primarily targeting aerospace, defence contractors and manufacturing sectors in various countries, including the United States, Thailand, South Korea and India.
What's common? All these attack campaigns, conducted by various hacking groups, eventually install same information and password stealer malware—dubbed FormBook—on the targeted systems.
FormBook is a "malware-as-a-service" offering: an affordable piece of data-stealing and form-grabbing malware that has been advertised on various hacking forums since early 2016.
Anyone can rent FormBook for just $29 per week or $59 per month; it offers a range of spying capabilities on target machines, including a keylogger, password stealer, network sniffer, screenshot capture, web form data stealer and more.
According to the researchers, attackers in each campaign are primarily using emails to distribute the FormBook malware as an attachment in different forms, including PDFs with malicious download links, DOC and XLS files with malicious macros, and archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.

Once installed on a target system, the malware injects itself into various processes and starts capturing keystrokes and extracts stored passwords and other sensitive data from multiple applications, including Google Chrome, Firefox, Skype, Safari, Vivaldi, Q-360, Microsoft Outlook, Mozilla Thunderbird, 3D-FTP, FileZilla and WinSCP.
FormBook continuously sends all the stolen data to a remote command and control (C2) server, which also allows the attacker to execute other commands on the targeted system, including starting processes, shutting down and rebooting the system, and stealing cookies.
"One of the malware's most interesting features is that it reads Windows’ ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective," FireEye says.
"The malware author calls this technique "Lagos Island method" (allegedly originating from a userland rootkit with this name)."
According to the researchers, FormBook was also seen downloading other malware families such as NanoCore in the last few weeks.
The attackers can even use the data successfully harvested by FormBook for further cybercriminal activities including, identity theft, continued phishing operations, bank fraud and extortion.
FormBook is neither sophisticated, nor difficult-to-detect malware, so the best way to protect yourself from this malware is to keep good antivirus software on your systems, and always keep it up-to-date.


Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen
7.10.2017 thehackernews Apple

If you are an iPhone user and use the Uber app, you might be surprised to learn that the widely popular ride-hailing app can record your screen secretly.
Security researcher Will Strafach recently revealed that Apple selectively grants (what's known as an "entitlement") Uber a powerful ability to use the newly introduced screen-recording API with intent to improve the performance of the Uber app on Apple Watch.
The screen-recording API allows the Uber app to record user's screen information even when the app is closed, giving Uber access to all the personal information passing through an iPhone screen.
What's more, the company's access to such a permission could make this data vulnerable to hackers if they were somehow able to hijack Uber's software.
"It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach told Gizmodo, who first reported about the issue. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this."
Shortly after the public disclosure, Uber said it would remove the entitlement code from its iPhone app's codebase that lets the ride-sharing app record the screen even if running in the background.
Although it's unclear when or for how long Uber's iPhone app has had this permission, Uber spokesperson said in a tweet that the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch could not render maps.
However, due to upgrades to Apple Watch and the Uber app, the company does not need this permission anymore.

According to Strafach, the entitlement is "com.apple.private.allow-explicit-graphics-priority" app permission that allows developers to read and write to part of the iPhone's memory to access the device’s screen data.
Nearly every iPhone app uses entitlements to enable features like the camera or Apple Pay on iPhones and iPads. However, according to Strafach, Apple does not often grant "sensitive" entitlements to non-Apple apps.
Strafach said he could not find any other app on Apple's official App Store that has the permissions that the Uber app has.
Although there is no evidence that Uber ever misused the entitlement, this special permission could have been exploited to perform a wide range of activities on an iPhone, such as recording passwords, monitoring users and harvesting other personal information, Strafach explained.
Apple has not yet responded.
This is not the first privacy concern surrounding Uber. Late last year, the ride-hailing company was found tracking its users' locations even after their rides ended.
Uber was also embroiled in controversy in the middle of last year for monitoring the battery life of its users, as the company believed that users were more likely to pay a much higher price for a ride when their phone's battery was close to dying.


U.S. Believes Russian Spies Used Kaspersky Antivirus to Steal NSA Secrets
7.10.2017 thehackernews BigBrothers

Did you know that the United States Government has banned federal agencies from using Kaspersky antivirus software over spying fears?
Though there's no solid evidence yet available, an article published by WSJ claims that the Russian state-sponsored hackers stole highly classified NSA documents from a contractor in 2015 with the help of a security program made by Russia-based security firm Kaspersky Lab.
Currently, there is no way to independently confirm whether the claims about the popular security vendor published by the Wall Street Journal are accurate, and the story does not even prove the involvement of Kaspersky.
"As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight," Kaspersky said in a statement.
The NSA contractor working with the American intelligence agency, whose identity has not yet been disclosed, reportedly downloaded a cache of highly classified information from government systems and moved it to a personal computer at home, which is a clear violation of known security procedures.
Citing anonymous sources, the Journal says that the targeted computer was running Kaspersky antivirus, the same software the U.S. Department of Homeland Security (DHS) recently banned from all government computer systems over spying fears.
The classified documents taken to home by the contractor contained details about how the NSA breaks into foreign computer networks for cyber espionage operations as well as defends its systems against cyber attacks.
Although what role Kaspersky played in the breach is not entirely clear, US officials believe that an antivirus scan performed by Kaspersky Lab’s security software on the contractor's computer helped Russian hackers identify the files containing sensitive information.
In response to the WSJ story, Kaspersky CEO Eugene Kaspersky said his company "has not been provided with any evidence substantiating the company's involvement in the alleged incident. The only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."
Also, it is not clear exactly how the files were stolen, but it has been speculated that the antivirus’s practice of uploading suspicious files (malware executables) to the company's servers, located in Russia, may have granted the Russian government access to the data.
Another possibility is that Russian hackers stole the confidential data by exploiting vulnerabilities in Kaspersky Lab software installed on the targeted system, according to the person, who asked not to be identified.
"Now, if we assume that what is reported is true: that Russian hackers exploited a weakness in our products installed on the PC of one of our users, and the government agencies charged with protecting national security knew about that, why didn’t they report it to us?" Kaspersky said.
"We patch the most severe bugs in a matter of hours; so why not make the world a bit more secure by reporting the vulnerability to us? I cannot imagine an ethical justification for not doing so."
This breach of classified NSA files, which is being called "one of the most significant security breaches in recent years," occurred in 2015 but was detected in 2016.
However, it is not clear whether this security incident has any ties to the Shadow Brokers campaign, an ongoing public leak of NSA hacking tools that many officials and experts have linked to the Russian government.
It is another embarrassing breach for the NSA, which has long struggled with contractor security, from Edward Snowden to Harold Thomas Martin and Reality Winner.


Stealthy Attack Could Hit 50 Percent of Large Office 365 Customers: Report
7.10.2017 securityweek  Attack
Slow and Methodical Attack Targets Large Microsoft Office 365 Customers

A wide-scale yet stealthy attack against Office 365 (O365) accounts started in May and is still continuing. It is a low-key attack that tries to stay under the radar and is delivered from a small botnet of 83 IP addresses across 63 networks. Most of the IP addresses are registered in China, but activity also originates from 15 other countries, including Russia, Brazil, the US and Malaysia.

The attack was detected by Skyhigh Networks -- a cloud access security broker (CASB) -- and described in a blog post Thursday.

The attack is not a traditional brute force attack against O365 accounts, but a slow and methodical attack that tries to avoid highlighting its activity. "First, it targets a very small proportion (typically <2%) of the O365 account base," writes Sandeep Chandana, principal data scientist at Skyhigh. "Second, it is devoid of any bursts in hacking activity, and averages only 3-5 attempts per account in order to try and fly under the radar of traditional defenses."

"This campaign on Office 365 is particularly troubling due to its focus on system accounts that are essential for today's business automation, that typically do not require MFA and that traditionally have weak security oversight," explains Sekhar Sarukkai, chief scientist at Skyhigh. "Detection and protection from attacks on these 'weakest link' accounts require a cloud-native security approach for complete visibility and mitigation."

Once an account is compromised, the attacker exfiltrates any data in the inbox and then creates a new inbox rule designed to hide and divert incoming messages. From there the attacker can launch harder-to-detect internal phishing attempts and start to propagate across the network: "attack a weak-link with the potential for elevated exploits," writes Chandana. He adds, "Since this is a persistent attack that may go unnoticed, it is possible that the attackers may tailor the payload based on the organization they have infiltrated for a larger takeover over time."

The accounts targeted are carefully chosen: system accounts rather than people accounts. Such accounts tend to have two important characteristics: they have high access privileges, and poor protection.

"We have worked with our customers," Skyhigh's chief European spokesperson Nigel Hawthorn told SecurityWeek, "and seen that the attackers have used service accounts (like the ones used for user provisioning in larger enterprises), automation accounts (like the ones used to automate data and system backups), machine accounts (like the ones used for applications within data centers), marketing automation accounts (like the ones used for marketing and customer communication), internal tools accounts (like the ones used with JIRA, Jenkins, GitHub etc.), in addition to accounts set up for distribution lists and shared and delegated mailboxes."

The targeted account names have probably been guessed (e.g., CRMlink@domain) or filtered from stolen credential lists published on the darknet.

Skyhigh detected the attacks when its machine learning anomaly detection engine flagged anomalous access locations that defied standard behavioral patterns across multiple customers. "As the number of these anomalous accesses increased, Skyhigh's threat funnel correlated multiple of these access attempt anomalies into threats." It analyzed billions of O365 events across hundreds of customers.

However, although this attack was detected on Skyhigh customers, it is not a Skyhigh-specific problem. "We found that over 50 percent of our customers are being attacked," Hawthorn told SecurityWeek, "and I think it is fair to assume that 50 percent of all large Office 365 customers are being attacked even if they are not Skyhigh customers."

The 83 attacking IP addresses have been fed back to the researchers who compile and publish lists of known bad IP addresses. None of them were already on those lists. Some companies still rely on such lists to block individual IPs, "But," suggests Hawthorn, "it's a bit of a game of whack-a-mole to try to do this and keep up with every address, as the bad actors can move IP addresses in seconds. The best way to address it is with user behavioral analysis and machine learning that indicates unusual traffic patterns going to/from your cloud services and is able to respond to a fluid situation."
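The two behaviours described above, the low-and-slow credential attempts against service accounts and the post-compromise inbox rules, can be written as detection logic over sign-in and mailbox audit events. What follows is an added example, not Skyhigh's engine or any code from the report. It runs over a handful of constructed audit records whose field names (ts, op, user, ip, params) are a simplification assumed for this example rather than Microsoft's unified-audit-log schema; the inbox-rule parameter names (MoveToFolder, ForwardTo, RedirectTo, DeleteMessage, MarkAsRead) are the real Exchange Online New-InboxRule parameters.

```python
"""Detect a low-and-slow Office 365 spray and the inbox rules that follow it.

Added example, not Skyhigh's detection engine. The events below are constructed
to resemble audit-log records; the field names (ts, op, user, ip, params) are an
assumed simplification, not Microsoft's exact schema.
"""
import json
from collections import defaultdict

RAW_EVENTS = """
{"ts":"2017-09-01T02:11:05Z","op":"UserLoginFailed","user":"crmlink@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-01T02:40:17Z","op":"UserLoginFailed","user":"backup-svc@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-01T03:05:44Z","op":"UserLoginFailed","user":"jenkins@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-01T03:30:02Z","op":"UserLoginFailed","user":"marketing-auto@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-01T04:02:39Z","op":"UserLoginFailed","user":"provisioning@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-02T02:15:21Z","op":"UserLoginFailed","user":"crmlink@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-02T02:44:50Z","op":"UserLoginFailed","user":"backup-svc@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-03T02:09:13Z","op":"UserLoggedIn","user":"backup-svc@corp.example","ip":"203.0.113.10"}
{"ts":"2017-09-03T02:12:40Z","op":"New-InboxRule","user":"backup-svc@corp.example","ip":"203.0.113.10","params":{"Name":".","SubjectContainsWords":["password","invoice"],"MoveToFolder":"RSS Subscriptions","MarkAsRead":true}}
{"ts":"2017-09-03T09:00:00Z","op":"New-InboxRule","user":"alice@corp.example","ip":"198.51.100.7","params":{"Name":"Newsletters","SubjectContainsWords":["digest"],"MoveToFolder":"Reading"}}
"""

# Constructed sample: the spray above plus a classic burst brute force
# against a single account from one source, included for contrast.
SAMPLE_EVENTS = [json.loads(line) for line in RAW_EVENTS.strip().splitlines()] + [
    {"ts": "2017-09-04T11:%02d:00Z" % i, "op": "UserLoginFailed",
     "user": "alice@corp.example", "ip": "198.51.100.99"} for i in range(30)
]


def find_low_and_slow_sources(events, min_accounts=5, max_per_account=5):
    """Return {ip: [accounts]} for sources that fail against many accounts while
    staying at or below a handful of attempts per account. Neither a per-account
    lockout nor a per-IP burst threshold fires on this pattern."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["op"] == "UserLoginFailed":
            per_ip[e["ip"]][e["user"]] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account}


def find_burst_sources(events, threshold=20):
    """The traditional rule: one source, one account, many failures."""
    per_pair = defaultdict(int)
    for e in events:
        if e["op"] == "UserLoginFailed":
            per_pair[(e["ip"], e["user"])] += 1
    return {ip for (ip, _), n in per_pair.items() if n >= threshold}


# Folders attackers pick because nobody reads them. The keys below are the
# real New-InboxRule / Set-InboxRule parameter names.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
EXFIL_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def find_hiding_rules(events, internal_domain):
    """Flag inbox rules that delete, bury or forward mail outside the tenant."""
    flagged = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        reasons = []
        if p.get("DeleteMessage"):
            reasons.append("DeleteMessage")
        if str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            reasons.append("MoveToFolder=" + p["MoveToFolder"])
        for key in EXFIL_PARAMS:
            addrs = p.get(key) or []
            if isinstance(addrs, str):
                addrs = [addrs]
            for addr in addrs:
                if not addr.lower().endswith("@" + internal_domain):
                    reasons.append(f"{key}={addr}")
        if reasons and p.get("MarkAsRead"):
            reasons.append("MarkAsRead")
        if reasons and len(p.get("Name", "")) <= 1:
            reasons.append("single-character rule name")
        if reasons:
            flagged.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print("low-and-slow sources:", find_low_and_slow_sources(SAMPLE_EVENTS))
    print("burst sources:", find_burst_sources(SAMPLE_EVENTS))
    for hit in find_hiding_rules(SAMPLE_EVENTS, "corp.example"):
        print("suspicious inbox rule:", hit)
```

The low-and-slow rule keys on breadth (many accounts per source) rather than depth, which is exactly what a per-account lockout or per-IP burst threshold misses; the burst rule is included only to show that the sample spray passes through it untouched. Because the real campaign spread its attempts over 83 addresses, each source would touch only a share of the accounts, so the same aggregation is worth repeating per /24 or per ASN, and the inbox-rule check should run on every rule created shortly after a first-ever successful login from a new location.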


British Teen Admits Trying to Hack CIA Chief
7.10.2017 securityweek BigBrothers
A teenager admitted in a British court on Friday to trying to hack into the computers of top US officials, including former CIA chief John Brennan, from his home in the East Midlands region of England.

Kane Gamble, 18, pleaded guilty to ten charges related to the attempted intrusions in late 2015 and early 2016, which targeted the US Department of Justice and an array of senior American security officials.

These included James Clapper, the Director of National Intelligence under President Obama; Jeh Johnson, the former US Secretary of Homeland Security; and a deputy director of the FBI.

Gamble, from Coalville, Leicestershire -- a small town 110 miles (177 kilometres) northwest of London -- pleaded guilty to eight charges of performing a function with intent to secure unauthorised access, and two charges of unauthorised acts with intent to impair the operation of a computer.

He was released on conditional bail ahead of sentencing on December 15.

British judges have sentenced defendants in other hacking cases in recent years to up to two years in prison.

Media reports at the time of the attempted breaches said they were part of a wider "hacktivist" group known as "Crackas With Attitude", which targeted the US officials and their families between October 2015 and February 2016.

The US Justice Department arrested two men in September 2016 in North Carolina on suspicion of belonging to the network.


Most-feared Trojan is behind every 13th attack in the Czech Republic

6.10.2017 Novinky/Bezpečnost Viry
One of the most feared pieces of malware at the moment is the Trojan horse Chromex. For the past several months it has regularly placed near the top of the ranking of the most widespread malicious code, and in September it led the ranking outright: it accounts for every 13th attack in the Czech Republic. This comes from the regular statistics of antivirus company Eset.

"The ranking of the most common internet threats in the Czech Republic for September was led by the Trojan horse JS/Chromex.Submelius. Its share of all detected threats was 7.34 percent," said Miroslav Dvořák, technical director at Eset.

He also stressed that the September statistics reshuffled the deck. "After more than a year, JS/Danger.ScriptAttachment has dropped from the top of the ranking. Last month it still held almost a quarter share; now it is under three percent," Dvořák noted.

Chromex exploits, among other things, the popularity of unofficial streaming services and offers users the installation of malicious browser plugins. The attackers typically promise that the plugins will speed up page loading, when in fact they do the opposite. Offers to install such plugins are frequently encountered on streaming sites under Czech or Slovak domains.

Targets Chrome
"As its name suggests, Chromex focuses on add-ons for the Chrome browser. In the Czech Republic it first appeared in larger numbers in March this year, when it entered the statistics in fifth place," the security expert added.

The second most common malicious code last month was JS/ProxyChanger. "It is a Trojan horse that blocks access to certain websites and redirects traffic to specific IP addresses. It can, for example, redirect the victim to the attacker's site," Dvořák explained.

That code reached a share of 3.18 percent in September. Third place last month went to Java/Adwind, another Trojan that acts as a backdoor and allows remote control of the infected device.

The ten most widespread threats of the past month are listed in the table below:

Top 10 threats in the Czech Republic, September 2017
1. JS/Chromex.Submelius (7.34%)
2. JS/ProxyChanger (3.18%)
3. Java/Adwind (3.17%)
4. VBS/TrojanDownloader.Agent.PFE (2.98%)
5. JS/Danger.ScriptAttachment (2.93%)
6. Win32/RiskWare.PEMalform (2.40%)
7. SMB/Exploit.DoublePulsar (2.31%)
8. Win32/GenKryptik (1.95%)
9. JS/Adware.AztecMedia (1.87%)
10. VBS/TrojanDownloader.Agent.PGF (1.86%)
Source: Eset


Russian hackers reportedly stole sensitive data from the US NSA
6.10.2017 Euro.cz BigBrother
Hackers hired by the Russian government stole sensitive data from the US National Security Agency (NSA) two years ago, containing details about how the agency penetrates foreign computer networks and defends against cyber attacks. The Wall Street Journal reported this, citing anonymous sources. The hackers got hold of the data after an NSA worker moved it to his home computer.
According to the American paper, it is one of the most serious hacking incidents ever. In 2013 Edward Snowden, another NSA worker, took data about US espionage methods abroad from the agency's servers.

The Wall Street Journal wrote that the hackers may have reached the NSA contractor's private computer through the antivirus program of the Russian company Kaspersky Lab. Last month the US government banned the installation of the company's products on government computers over suspicions that the firm works for Russian intelligence.

Kaspersky Lab vigorously denies the accusation and says that, through no fault of its own, it has ended up in the middle of a geopolitical fight.


The NSA declined to comment on the American daily's report. Senator Ben Sasse, a member of the Senate Armed Services Committee, called the report alarming. "The NSA needs to get its head out of the sand and solve its contractor problem. Russia is our clear adversary in cyberspace; we cannot afford failures like this," Sasse told Reuters.

The NSA discovered the theft only last spring, The Wall Street Journal writes. The hackers stole information about how the agency penetrates foreign computer networks, which programs it uses to do so, and how it protects its own networks inside the US. With that information in hand, the Russians could better protect their own systems and, conversely, penetrate American ones more easily.


Spam Rate Hit 55% in September: Symantec
6.10.2017 securityweek Spam
The spam rate as a share of overall email dropped slightly over the past couple of months to 55% in September, but remains above last year's average, a new Symantec report reveals.

The spam rate last month remained above the 54.3% average registered last year, and went as high as 59.4% and 56.4% for the Mining and Manufacturing sectors, respectively, Symantec points out in its Latest Intelligence report for September 2017.

Driving the spam rate up were massive malicious campaigns distributing variants of the Locky ransomware; in mid-September, six large Locky distribution runs were observed.

At 55% in September, the spam rate was also higher than the 54% rate that Symantec previously reported for the first half of the year.

Email remains a favorite distribution method for cybercriminals, with users being twice as likely to encounter malware via email, compared to other infection vectors, Symantec says. In their Email Threats 2017 report (PDF), the company also revealed that one in nine users had at least one malicious email sent to them during the first six months of 2017.

The phishing rate came in at one in 2,644 emails for September, slightly down for the second month in a row, but still well above the rates seen earlier in the year, the security company says. In July, the phishing rate reached a 12-month peak at one in 1,968 emails.

According to Symantec, spambots remain the primary culprits in the distribution of spam emails, with Necurs (the largest amount of malicious email activity in 2017), Gamut (focuses almost exclusively on advertising spam), Tofsee, BlankSlate, and Waledac being some of the most popular of them.

For malicious payload distribution via email, attackers use either URLs or attachments, with attachments being the more popular method, accounting for 74% of malicious emails in the first half of 2017.

Email malware increased in September as well, with one in every 312 emails carrying malicious code, the security company says. Thus, September was the sixth month to register growth in email malware. At one in 120 emails, the Agriculture, Forestry, & Fishing sector was impacted the most, followed by the Mining industry at one in 196 emails.

Another noteworthy event in September was the discovery of new links between attacks against the energy sector and the Dragonfly group. Dubbed Dragonfly 2.0, the campaign that Symantec has been monitoring since late 2015 has known victims in the United States, Switzerland and Turkey.


Russian Hackers Exploited Kaspersky Software to Steal NSA Exploits: Report
6.10.2017 securityweek BigBrothers
Still No Smoking Gun as Russian Hackers Reportedly Exploited Kaspersky Software to Steal NSA Exploits From NSA Contractor's Home Computer

A new report in the Wall Street Journal (WSJ) purports to provide the first evidence that directly ties Russian security firm Kaspersky Lab to the Russian government.

The report states, "Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

"The hackers appear to have targeted the contractor after identifying the files through the contractor's use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said."

The problem with the report is that it offers no evidence and comes from anonymous, unnamed sources: allowing Eugene Kaspersky to immediately respond, "The first statement sounds like the script of a C movie, and again -- disclosed by anonymous sources (what a surprise)."

Without specific evidence, the WSJ describes several known facts and assumes a relationship. It reports that an unnamed NSA contractor removed sensitive data from the NSA and stored it on his home computer. That contractor had Kaspersky Lab software installed at home. The Kaspersky Lab software scanned the new files (as antivirus does), collecting unknown files for deeper analysis. Russian government hackers then targeted the contractor and stole the NSA documents.

There is a gap in this chain of events -- between Kaspersky automatically scanning the files and the Russian government hacking the contractor. The reported implication, strenuously denied by Kaspersky Lab, is that the company informed the Russian government of the presence of NSA files on this contractor's computer.

The reality is, based on all public data so far, any direct link between Kaspersky Lab and the Russian government remains speculation only. Now it could be that the US intelligence community has additional evidence that it is not disclosing; but this report from the WSJ is no evidence-based smoking gun.

There is an alternative scenario (which, like direct Kaspersky involvement, is purely conjecture). It is highly likely that Russian intelligence would be aware of individual NSA contractors. Given that two contractors are already known to have removed NSA documents (Edward Snowden and Harold Martin), it would be tempting to target the home computers of known contractors. It is possible that Russian hackers were already present on the contractor's computer when he brought home the NSA files. In this scenario, Kaspersky's involvement is limited to the coincidence of being the contractor's antivirus of choice.

A second alternative is that Kaspersky Lab software has been compromised by the Russian government without the company's knowledge. This gains some credence from the recent compromise of the CCleaner utility from Piriform, a subsidiary of antivirus vendor Avast, allegedly by Chinese state actors. The CCleaner incident, however, was detected rapidly and resolved quickly.

Kaspersky has admitted that its own corporate network has been compromised in the past. In the spring of 2015, Kaspersky Lab detected an intrusion (later named Duqu 2.0) into its internal systems while testing a prototype of technology designed to detect advanced persistent threats.

At the time, Eugene Kaspersky explained that one reason it was hacked could be that the spies were interested in the inner workings of the company. "We obviously have our share of technological secrets as we’re a competitive business, but I can’t think of anything really top secret," Kaspersky said. "Maybe the idea was to steal our technologies, source code, know-how and ideas to support the attackers’ own software development," he added.

The WSJ report provides only ambiguous indications of how the Russian hackers got the data off the contractor's computer. It includes the statement, "The breach is the first known incident in which Kaspersky software is believed to have been exploited by Russian hackers to conduct espionage against the U.S. government."

This could be interpreted as the supposed collusion between Kaspersky and the Russian government; or that the hackers exploited a vulnerability in the software itself. Assuming the latter, Kaspersky responded, "Now if we assume, that what is reported is true: that Russian hackers exploited a weakness in our products installed on a PC of one of our users, and respected government agencies concerned of national security knew about that, why didn't they report it to us?... I can't imagine an ethical justification for not doing so."

Kaspersky has patched several remotely exploitable vulnerabilities in its products over the years, as has just about every other AV vendor, so it is a plausible scenario that Kaspersky's software was exploited by the Russian hackers without any knowledge or cooperation on the part of Kaspersky Lab.

The WSJ report does, however, provoke further considerations. The first is how the U.S. government can allow insiders to walk out (literally or figuratively) with such highly sensitive data: Bradley Manning, Edward Snowden, Martin, and now one more. If the NSA cannot control the insider threat, what hope is there for any commercial organization?

The second question is whether this breach is the source of the Shadow Brokers trove of NSA exploits. There has been conjecture in the past that Martin was the source -- but the WSJ report specifically comments, Martin "allegedly removed massive amounts of classified information from the agency's headquarters and kept it at his home, but wasn't thought to have shared the data." The implication is that Martin is not the source of the Shadow Brokers' data.

Is this new breach the source? The timing fits. The incident apparently occurred in 2015, but the NSA only became aware of it in the spring of 2016. The Shadow Brokers made their first announcement that August and began leaking NSA exploits that fit the WSJ's description of "details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying and how it defends networks inside the U.S."

As soon as the NSA was aware of the loss of its exploits, their value to the Russian government would diminish -- and the most damaging action would be to make them public.

The reality is that all of this is conjecture. The DHS has banned the use of Kaspersky software by any government agency, stating, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." It talks about risk, not about proof.

Concern over the risk is understandable and proper, and keeping Kaspersky software out of government would be reasonable. However, the U.S. government has chosen to take a very public stance -- without proof -- against the Russian company.

This adds fuel to Kaspersky's own suspicions. In a statement emailed to SecurityWeek, it said, "As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight."

Evidence of that geopolitical fight is all around us, from U.S. Cyber Command attacking North Korea's spy agency and Putin's response of doubling Pyongyang's internet connectivity, to Russia's interference in the 2016 American presidential election and its use of Ukraine and the Baltic states as a testing ground for cyber capabilities.

*Additional reporting by Mike Lennon


Critical Flaw Found in Siemens Smart Meters
6.10.2017 securityweek Vulnerebility
Siemens has released a firmware update for its 7KT PAC1200 smart meters to address a critical vulnerability that can allow remote attackers to bypass authentication and perform administrative actions on the device.

Siemens' 7KT PAC1200 multichannel measuring devices, part of the company's SENTRON energy management portfolio, are designed to let customers monitor energy consumption. The product uses sensors to collect data that can be viewed via a desktop web browser or mobile applications for Android and iOS.

Researcher Maxim Rupp discovered that the product’s integrated web server, which is accessible on TCP port 80, has a vulnerability that allows a remote attacker to bypass authentication using an alternate path or channel. An attacker can exploit the security hole to access the web interface and perform administrative operations.

The web interface allows users to obtain power consumption statistics for a specified period and determine if the allocated budget has been exceeded, and change settings related to the device, network, firmware, sensors and the Modbus protocol.

The vulnerability found by Rupp, tracked as CVE-2017-9944 and assigned a CVSS score of 9.8, affects the 7KT PAC1200 data manager (7KT1260) running a version of the firmware prior to 2.03.

Siemens has advised customers to update their devices to firmware version 2.03 and to restrict network access to the web server. Because the bypass sits in front of authentication, any meter whose port 80 is reachable from an untrusted network should be treated as fully exposed until it is patched.


Members of the information security industry have often warned in the past years about the risks posed by vulnerable smart meters. Last year, ICS-CERT issued security alerts after a researcher decided to disclose several flaws affecting power meters from FENIKS PRO and Schneider Electric.

More recently, a researcher warned that smart meters continue to expose consumers and electric utilities to cyberattacks, and even claimed that malicious actors may be able to cause the devices to explode. However, some experts have questioned these claims.


Firefox 57 to Get New XSS Protections
6.10.2017 securityweek Security
Mozilla this week announced plans to strengthen the Cross-Site-Scripting (XSS) protections in Firefox by treating data URLs as unique origins.

The use of a data URL scheme allows web developers to inline small files directly into HTML or CSS documents, which also results in faster page load times. Because of this mechanism, the browser doesn’t have to perform a large number of HTTP requests to load external resources, as they are already in the page.

However, the same technique lets attackers craft attack pages and steal usernames, passwords, and other confidential information from unsuspecting users.

By embedding the entire attack code in the data URL, miscreants can launch attacks without hosting a full website. Before Firefox 57, a data URL inherited the origin of the document that navigated to it, so a script inside a data URL iframe ran with the embedding page's origin; this inheritance model is what opened the door to Cross-Site-Scripting (XSS) attacks.

To prevent such attacks, Firefox 57 will treat data URLs as unique origins and will no longer inherit the origin of the settings object responsible for the navigation. Thus, data URLs loaded inside an iframe will no longer be same-origin with their parent document.

“Starting with Firefox 57, data URLs loaded inside an iframe will be considered cross-origin. Not only will that behavior mitigate the risk of XSS, it will also make Firefox standards compliant and consistent with the behavior of other browsers,” Mozilla notes in a blog post.

However, the company also explains that data URLs that do not create a scripting environment will continue to be considered same-origin; data URLs in img elements, for example, are treated this way, Mozilla says.

Because of the new behaviour, Firefox 57 will block attempts to reach content across origins, for example a script inside a data URL iframe reading objects from the embedding document. In Firefox 56 and earlier this succeeded because the data URL inherited the embedder's security context. The change removes the same-origin relationship only; a data URL iframe can still render whatever content it carries, so it mitigates script access to the parent page rather than the use of data URLs as self-hosted phishing lures.

The security enhancement was announced the same week Mozilla revealed plans to completely remove support for Windows XP and Vista from Firefox starting June 2018. A couple of months ago, the company made the Adobe Flash plugin click-to-activate by default, thus further improving the security of its users.


Zapad drills – Russia may have tested cyber weapons on Latvia
6.10.2017 securityaffairs BigBrothers

According to intelligence experts, the recent Zapad drills conducted by Russia simulated an attack on all the Baltic countries and included the use of cyber and electronic-warfare capabilities.
Baltic and NATO officials claim Russia was behind an outage in Latvia's mobile communications network shortly before Russia's war games in September, code-named Zapad. According to experts, Russia may have been testing one of the weapons in its electronic-warfare arsenal.

The interference took down the mobile network along Latvia's western coast for seven hours on Aug. 30. The Russian army may have used a communications jammer aimed towards Sweden from Russia's Baltic exclave of Kaliningrad.

A Swedish defense ministry spokesperson said the ministry was not aware of any jamming attempt directed at Sweden infrastructure.

“Russia appears to have switched on a mobile communications jammer in Kaliningrad, a very powerful one that wasn’t aimed at Latvia, but towards Gotland, the Aland Islands,” explained Karlis Serzants, the deputy chairman of the Latvian parliament’s National Security Committee.

“One of the edges (of the beam) affected Latvia too,” he told Reuters after being briefed by Latvian intelligence.


Latvian officials believe Russian hackers also targeted Latvia's 112 emergency services hotline, which began experiencing problems on Sept. 13.

“Russia simulated an attack on all Baltic countries,” said Lithuania’s Defence Minister Raimundas Karoblis.

Reuters contacted the Russian Defence Ministry but did not receive any comment on the allegations.

Experts also observed other incidents linked to the Zapad drills; the first involves the hacking of soldiers' smartphones. Russian forces reportedly used both drones carrying hacking equipment and a mobile telephone tower similar to StingRay-style cell-site simulators. The sophistication of the attacks leaves little doubt that there is state sponsorship involved.

According to the WSJ, one victim, U.S. Army Lt. Col. Christopher L’Heureux, “said at least six soldiers he commands have had phones or Facebook accounts hacked. He said he suspects the incidents were meant as a message that Russian intelligence forces were tracking him, could crack his passwords and wanted to intimidate his soldiers.”

WSJ reports, “Military cyberespionage experts said the drone flights and cellphone data collection suggest Russia is trying to monitor troop levels at NATO’s new bases to see if there are more forces present there than the alliance has publicly disclosed.”

NATO intelligence experts believe that tests of cyber capabilities were at the core of the Zapad drills.
Unfortunately, not all European allies in NATO are ready to repel such attacks, and NATO's cyber strategy is purely defensive.

A NATO diplomat highlighted the ability of Russian units to intercept or jam civilian networks "within a significant radius and with relative ease", posing serious risks for NATO communications and radars.

There is little doubt that the Zapad drills confirmed Russia has developed "a significant electronic warfare capability" over the past three years.

“A lot of this was on display during the (Zapad) exercises,” U.S. Army Lieutenant General Ben Hodges, who heads U.S. Army forces in Europe, told reporters.


Ongoing Email Exchanges Hijacked in Spear-Phishing Attacks
6.10.2017 securityweek Phishing
Malicious actors have injected themselves into ongoing email exchanges in highly targeted spear-phishing attacks aimed at entities around the world, Palo Alto Networks said on Thursday.

An ongoing campaign tracked by the security firm since May involves pieces of malware dubbed PoohMilk, Freenki and N1stAgent. The operation has been named FreeMilk by Palo Alto Networks based on strings found in the malware code.

The attacks observed by Palo Alto were aimed at a bank in the Middle East, an international sporting company, a trademark and intellectual property services firm in Europe, and individuals with indirect ties to an unnamed country in Northeast Asia.

The threat group has leveraged malicious Microsoft Word documents that exploit the vulnerability tracked as CVE-2017-0199 (an Office OLE link handling flaw that fetches and runs a remote object when the document is opened) to deliver the first-stage loader PoohMilk and the second-stage downloader Freenki. PoohMilk was also spotted delivering the remote administration tool (RAT) N1stAgent.
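Since the FreeMilk lures rely on CVE-2017-0199, a mail gateway or analyst can screen attachments for the structural tell-tale of that exploit rather than for any particular payload. The check below is an added example, not Palo Alto Networks' tooling or the FreeMilk samples themselves: it opens a .docx package, reads the relationships file, and flags an oleObject relationship that points at a remote target with TargetMode="External"; a second function applies the RTF equivalent (an \object carrying both \objautlink and \objupdate). The sample documents are constructed in memory and the URL in them is a placeholder.

```python
"""Flag Word documents carrying the externally linked OLE object that
CVE-2017-0199 exploit documents depend on: the package's relationships file
points an oleObject relationship at a remote URL with TargetMode="External",
so Word fetches (and, on an unpatched host, executes) the target on open.

Added example, not Palo Alto Networks' code or the FreeMilk samples. The
sample documents are built in memory; the URL in them is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def external_ole_links(docx_bytes):
    """Return [(relationship id, target)] for OLE relationships that point
    outside the package. A legitimately embedded object lives inside the zip
    (e.g. Target='embeddings/oleObject1.bin') and carries no TargetMode."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                    found.append((rel.get("Id"), target))
    return found


def rtf_has_autoupdating_object(rtf_bytes):
    """The RTF flavour of the same technique: an \\object that is an automatic
    link (\\objautlink) and asks to be refreshed when the file opens (\\objupdate).
    Word accepts mangled headers such as '{\\rt', so the header check is loose."""
    if not rtf_bytes[:8].startswith(b"{\\rt"):
        return False
    return bool(re.search(rb"\\objautlink", rtf_bytes)) and bool(re.search(rb"\\objupdate", rtf_bytes))


def build_sample_docx(ole_target=None, external=False):
    """Construct a minimal .docx package (constructed test input, not a real lure)."""
    rels = [f'<Relationships xmlns="{REL_NS}">',
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if ole_target:
        mode = ' TargetMode="External"' if external else ""
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{ole_target}"{mode}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx("embeddings/oleObject1.bin")
    linked = build_sample_docx("http://198.51.100.20/update.doc", external=True)
    print("embedded object:", external_ole_links(benign))
    print("external link  :", external_ole_links(linked))
```

A hit is a strong signal rather than proof: linked OLE objects do occur in legitimate documents, so route matches to sandbox detonation instead of blocking outright. Note that the target is often served with a benign-looking extension (the placeholder above uses .doc) while the response is actually an HTA or RTF, so the URL suffix is not a useful filter.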

What makes the FreeMilk campaign interesting is the fact that the attackers delivered the malicious documents by injecting themselves into ongoing email exchanges between the main target and another individual. They hacked into that individual’s email account – likely by stealing their credentials – and identified an in-progress email exchange with the main target.

The attacker then sent the target an email that appeared relevant to the conversation with a malicious document attached to it.

“Unlike phishing or even general spear phishing, this is a highly sophisticated, labor intensive, focused attack,” explained Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks.

“Carrying out a successful conversation hijacking spear phishing attack requires knowing someone that the ultimate target is communicating with, compromising that person’s account, identifying an ongoing email conversation with the ultimate target, crafting an email to appear part of that ongoing email conversation and finally sending it. Even then there’s no guarantee of success since the target may somehow recognize the attack or have sufficient prevention controls in place to prevent the attack from succeeding,” Budd added.

Another interesting aspect of the FreeMilk attacks is that all the malware is designed to execute successfully only if a specific command-line argument is supplied. An automated sandbox that simply runs the dropped file without that argument sees nothing malicious, so analysts reproducing the chain need to capture the exact invocation used by the previous stage.

The N1stAgent RAT, which has only been spotted in targeted attacks, was first seen in January 2016 when it was delivered via phishing emails referencing a security patch for the South Korean Hangul word processor developed by Hancom.

Palo Alto Networks has not made any statements regarding attribution, but it’s worth noting that attacks involving Hangul vulnerabilities and documents (HWP) have often been linked to North Korea.

The security firm did point to an August 2016 attack aimed at North Korean defectors in the United Kingdom. The attack, which delivered the Freenki malware, was linked at the time to the North Korean regime.

Researchers also discovered some overlaps in command and control (C&C) infrastructure with a campaign involving the ROKRAT RAT analyzed by Cisco Talos, and an attack analyzed last year by a Singapore-based security firm. However, the connection is not conclusive as the C&C domains were compromised sites and the attacks took place several months apart.


Islamic State: Defeating the Virtual Caliphate
6.10.2017 securityweek CyberCrime
The Islamic State group may soon be defeated in Iraq and Syria but a "virtual caliphate" could be harder to conquer, experts and officials have warned.

The jihadist propaganda machine will continue to exist in hidden corners of the dark web, inciting sympathisers to action, they say.

"Defeating ISIL on the physical battlefield is not enough," General Joseph Votel, the top commander for US military forces in the Middle East, warned in a paper earlier this year.

"Following even a decisive defeat in Iraq and Syria, ISIL will likely retreat to a virtual safe haven -- a virtual caliphate -- from which it will continue to coordinate and inspire external attacks as well as build a support base until the group has the capability to reclaim physical territory," said Votel.

He described this online network as "a distorted version of the historic Islamic caliphate: it is a stratified community of Muslims who are led by a caliph (currently Abu Bakr al-Baghdadi), aspire to participate in a state governed by sharia, and are located in the global territory of cyberspace."

The Islamic State group's loss of almost all its territory in Iraq and in Syria has damaged its online communication efforts, following a boom in propaganda operations in 2014-2015.

But it has not put an end to it completely.

The IS "news agency" and propaganda machine Amaq continues to claim responsibility for attacks and incite further violence.

Most recently, it claimed that Stephen Paddock, the gunman who massacred 58 people in Las Vegas on Sunday, was an IS "soldier" -- an assertion met with widespread scepticism.

One theory is that IS is seeking to keep up publicity efforts to maintain relevance with its sympathisers and continue to recruit support, even as it faces military defeat on the ground in Iraq and Syria.

'Censorship won't work'

Researcher Charlie Winter, who wrote a report on IS's web presence for British think tank Quilliam, says the group will work to persuade followers that the idea of a caliphate is more important than its physical presence.

"Censoring the internet is not going to work," he told AFP.

"Policy makers are focusing their attention on the wrong part of the internet, and that's problematic given that it's going to be a phenomenon to be dealt with in the next few years.

"Terrorists are now hiding in the deep web using encryption. There will always be a safe place for them on the internet regardless of what politicians like to say."

Under pressure from public authorities, internet providers and major online players are beginning to put in place measures and procedures to disrupt IS's exploitation of the web.

“But despite the increased vigilance of authorities and social networks the Islamic State has demonstrated significant resilience due to its flexibility and ability to adapt when facing the suppression of online jihadist content,” according to French researchers Laurence Binder and Raphael Gluck.

"It manages to still disseminate sufficiently to reach a pool of sympathizers and recruits."


New Rowhammer Attack Bypasses Existing Defenses
6.10.2017 securityweek Attack
A group of security researchers has discovered a new type of attack that can exploit the Rowhammer vulnerability in DRAM chips that was uncovered several years ago, effectively bypassing existing defenses.

In a newly published paper (PDF), eight researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide reveal attack methods that can allegedly bypass even a combination of defenses against Rowhammer.

In March 2015, Google demonstrated that the Rowhammer bug affects some dynamic random-access memory (DRAM) chips and can be exploited to gain kernel privileges on Linux systems. Although initially discovered in 2012, the issue was not documented until 2014.

Memory cells, which are arranged in a grid pattern of rows and columns, are smaller and placed closer together in newer DRAM chips, which have become smaller in size. Thus, it is more difficult to prevent cells from electrically interacting with each other, and repeatedly accessing a row of memory can cause data to become corrupt in nearby rows.

In July 2015, a team of researchers from Austria and France demonstrated that Rowhammer can be exploited remotely using JavaScript. Although the researchers hadn’t developed a full root exploit at the time, they did warn that malicious actors could adapt Rowhammer exploits to gain root privileges.

Late last year, a team of researchers proposed two software-based mitigation techniques, claiming that they can even work against single-sided attacks. One is a bootloader extension to detect and disable vulnerable memory, while the other ensures that there is at least one row of memory between the row controlled by the attacker and the row storing the targeted data.

The newly published research paper proposes a novel attack technique called one-location hammering, which doesn’t target multiple DRAM rows, but focuses on keeping only one DRAM row constantly open. The exploitation technique, opcode flipping, can bypass isolation mechanisms by flipping bits in a predictable and targeted way in userspace binaries, the researchers say.

“We replace conspicuous and memory-exhausting spraying and grooming techniques with a novel reliable technique called memory waylaying. Memory waylaying exploits system-level optimizations and a side channel to coax the operating system into placing target pages at attacker chosen physical locations,” the researchers explain.

By abusing Intel SGX, the team also managed to hide the attack from the user and the operating system, thus evading all detection attempts. According to the paper, the abused Rowhammer enclave can be leveraged both for denial of service attacks in the cloud and for privilege escalation on personal computers.

The new method, the paper reveals, can evade all existing defenses, including static analysis, monitoring of CPU performance counters, monitoring of unusually high-frequency memory access patterns, preventing abuse of memory exhaustion, and using a memory allocator to physically isolate user and kernel memory cells.


Securing smart grid and advanced metering infrastructure
6.10.2017 securityaffairs BigBrothers

The year is 2020, a time of high economic, military and cultural tension between Russia and the US.

You are in the London office, joining a video meeting with the sales team in America. The American team enthusiastically presents the sales achievements of the recent quarter, then, suddenly, the call is disconnected. You try to re-establish the connection, without success.

You receive a WhatsApp message on your mobile: “we have an electricity outage in the office, we are leaving the conference room. We will reschedule”.

One hour later, reports start to pop up in the media announcing an outage in dozens of counties in the US.

A few hours later, many tweets from the news channels indicate that the US president is about to give a special announcement about the power outage in the US.

You turn on the television and the president begins his speech: “Today we are experiencing a national tragedy. Dozens of areas in the US have been cut off from power, in what appears to be a cyber-attack on our country.”

“I have spoken with the director of the FBI, who confirmed that millions of meters have been turned into bricks.”

“I have ordered the full resources of the federal government to go and help the victims and their families, and to conduct a full-scale investigation to hunt down and find the people who committed this act.”

Science fiction? Let us review some of the examples from the recent years.

Black Hat as an incubator

The Black Hat conference is a meeting place for cyber-security practitioners from around the world. On several occasions, vulnerabilities and exploits affecting smart electricity metering devices and networks have been presented there.

It began in 2008, when Cleveland presented how to send a disconnect message to millions of smart meters on the power grid.

A year later, P. McDaniel and S. McLaughlin demonstrated how to change the energy usage of a smart meter.

In 2014, researchers from universities in the United States and China introduced the “puppet attack”, which increased the network traffic of a smart meter by up to 20% and could potentially lead to a denial of service.

From cyber security conferences to reality

In recent years, there have been two cyber-attacks on power plants in the largest country in Europe, Ukraine, which for the first time in history succeeded in disrupting and cutting power in a country.

The cyber-attacks, which were part of the Russia-Ukraine war, began in December 2015, when 230,000 people were left without electricity for one to six hours as attackers hit three electricity providers in Ukraine. The attackers demonstrated a variety of techniques, including spear phishing emails, variants of the “BlackEnergy” malware, and the manipulation of Microsoft Office documents containing the malware to gain a foothold in the networks.

A year later, another cyber-attack hit the capital, Kiev, where citizens were disconnected from power for an hour: a malware framework called “Industroyer” or “CrashOverride”, specifically designed to attack electric grids, succeeded in shutting down the Ukrainian power plant.

Lesson Learned?

In addition to the two cases attributed to Russia, there was another case in June 2017, when the Chernobyl nuclear power plant was affected by damage caused by the Petya / NotPetya malware, which also hit rail stations, banks, and parliamentary activities.

Three conditions to materialize a cyber attack

An analysis of the events in Ukraine indicates that in order for a cyber-attack to materialize, three conditions must exist: opportunity, ability, and motivation.

Opportunity: every day, dozens, even hundreds, of new security vulnerabilities are discovered across different platforms; some of them are published and some are not.

These vulnerabilities are a window of opportunity for potential attackers to exploit.

Ability: in an age of HaaS (hacking as a service), hacktivism, organized crime and hacker groups that publish nation-state cyber tools, executing a major cyber-attack has become easier, faster and smarter than ever.

Motivation: what causes the attacker to attack? There are various reasons. Returning to the opening scenario, it was an anonymous act intended to totally disrupt the normal life of US citizens.

Hardware level attack example

This part of the article will focus on the advanced metering attack surface. The smart metering infrastructure consists of three main components:

Smart meter
Meter hub
Data management system

These components are part of a heterogeneous, multi-vendor system with interfaces that communicate using standards such as IEC 62056.

Smart meters are usually installed in public places such as residential & business areas and their function is to identify and calculate the power consumption. The meters are connected to the data management system through hubs and enable the service provider to manage the meter remotely and provide additional innovative services to customers.

Schematically, a smart meter has 5 main components:

1. Main control unit
2. Identification and calculation unit
3. PLC communication unit
4. Radio communication unit
5. Optical management interface

Each of the components has an attack surface.

The next part of the article will focus on the attack surface of the control unit.

The main control unit orchestrates the main functions of the meter and includes microcontrollers, memory chips and firmware. It is exposed to hardware and firmware attacks by an attacker who has physical access to it and can install compatible malicious hardware to help steal the encryption keys, or use an unprotected JTAG interface to extract data such as passwords from the central control unit.

An attacker can use an unprotected JTAG interface to run malicious firmware that would allow the attacker to control information transmitted from the data management system and to add external interfaces, such as a cellular modem, to allow remote connection.

Firmware and hardware manipulation can also be used to steal electricity and alter the recorded usage, which has major implications for customer privacy and the provider’s cash flow (theft of electricity).

We should embrace cyber security initiatives as we embrace innovation and new technologies. The evolution of the techniques and technologies used by attackers is a wake-up call to regulators, leading power companies and vendors to treat cyber defense like safety, reliability and productivity, in order to minimize the ability and opportunity to carry out a cyber attack as an act of war.
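On the utility side, the usage manipulation described above is usually caught with an energy-balance check: the energy measured at the feeder or meter hub should equal the sum of the downstream meters plus the expected technical losses, and an individual meter that suddenly reports far below its own baseline is a candidate for inspection. The following is an added example, not code from the article; the loss thresholds and the meter readings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MeterReading:
    meter_id: str
    kwh: float  # energy the meter reported for the billing interval


@dataclass
class BalanceResult:
    feeder_kwh: float
    metered_kwh: float
    loss_pct: float
    suspicious: bool


def energy_balance(feeder_kwh: float, readings: List[MeterReading],
                   technical_loss_pct: float = 4.0,
                   tolerance_pct: float = 2.0) -> BalanceResult:
    """Compare energy measured upstream (feeder/hub) with the sum of the
    downstream meters. Losses beyond the expected technical loss plus a
    tolerance point to under-reporting meters (tampering or theft).
    The 4% technical loss and 2% tolerance are assumed values."""
    if feeder_kwh <= 0:
        raise ValueError("feeder measurement must be positive")
    metered = sum(r.kwh for r in readings)
    loss_pct = (feeder_kwh - metered) / feeder_kwh * 100.0
    suspicious = loss_pct > technical_loss_pct + tolerance_pct
    return BalanceResult(feeder_kwh, metered, loss_pct, suspicious)


def flag_meters(readings: List[MeterReading], baseline: Dict[str, float],
                drop_fraction: float = 0.5) -> List[Tuple[str, float, float]]:
    """Return (meter_id, reported_kwh, baseline_kwh) for meters whose reported
    energy fell below (1 - drop_fraction) of their own historical baseline
    for the same kind of interval; these are candidates for on-site checks."""
    flagged = []
    for r in readings:
        base = baseline.get(r.meter_id)
        if base is not None and base > 0 and r.kwh < base * (1.0 - drop_fraction):
            flagged.append((r.meter_id, r.kwh, base))
    return flagged


# Constructed sample interval: one feeder serving five meters. Meter m4 has
# been manipulated to report about a fifth of its usual consumption.
FEEDER_KWH = 1000.0
READINGS = [MeterReading("m1", 190.0), MeterReading("m2", 205.0),
            MeterReading("m3", 198.0), MeterReading("m4", 40.0),
            MeterReading("m5", 202.0)]
BASELINE = {"m1": 195.0, "m2": 200.0, "m3": 200.0, "m4": 200.0, "m5": 200.0}

if __name__ == "__main__":
    result = energy_balance(FEEDER_KWH, READINGS)
    print("loss %.1f%% suspicious=%s" % (result.loss_pct, result.suspicious))
    for meter_id, kwh, base in flag_meters(READINGS, BASELINE):
        print("inspect %s: reported %.0f kWh, baseline %.0f kWh"
              % (meter_id, kwh, base))
```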


macOS High Sierra Update Patches Keychain Access Flaw
6.10.2017 securityweek Apple
An update released on Thursday by Apple for its macOS High Sierra operating system patches two vulnerabilities, including one that allows malicious applications to steal passwords from the Keychain.

The Keychain flaw, tracked as CVE-2017-7150, was disclosed last week by Patrick Wardle, director of research at Synack. Apple has now addressed the issue with the release of High Sierra 10.13 Supplemental Update.

The researcher warned that High Sierra and previous versions of macOS are affected by a security hole that can be exploited by unsigned applications to programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords. However, he only released a video demonstrating the attack, without making any technical details public.

“A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access,” Apple said in its advisory.

SecurityWeek has reached out to Wardle to find out if the latest update properly patches the vulnerability he found. This article will be updated once the researcher responds.

Wardle also demonstrated recently how Apple's new Secure Kernel Extension Loading (SKEL) security feature, introduced in High Sierra, can be easily bypassed.

The High Sierra 10.13 Supplemental Update also fixes a password disclosure issue involving encrypted Apple File System (APFS) volumes.

Brazil-based developer Matheus Mariano discovered that passwords set by users via Disk Utility for new encrypted APFS volumes are displayed in clear text via the “Show Hint” button when the volume is mounted. The problem only appears to affect encrypted APFS volumes created via Disk Utility.

“This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints,” Apple said about the flaw, which it tracks as CVE-2017-7149.

Apple has also published a knowledge base article for the password leakage issue. The company has advised users to protect their existing APFS volumes by creating a backup, erasing the existing volume, and restoring the initial volume to set a new password.

“Changing the password on an affected volume clears the hint but doesn’t affect the underlying encryption keys that protect the data,” Apple said.


Critical Remote Code Execution Flaws Found in HPE iMC
6.10.2017 securityweek Vulnerability
HPE has released an update for its Intelligent Management Center (iMC) platform to address several vulnerabilities, including critical flaws that allow remote attackers to execute arbitrary code on affected systems.

HPE Intelligent Management Center is a comprehensive network infrastructure management platform designed for campus core and data center networks. According to the vendor, the product was built to support the Fault, Configuration, Accounting, Performance, Security (FCAPS) model.

A few months ago, Steven Seeley of Offensive Security discovered a total of seven vulnerabilities in the product. The expert noticed that the dbman service in HPE iMC, which listens on TCP port 2810 by default, introduces a weakness that allows an unauthenticated attacker to execute arbitrary code (CVE-2017-12561).

“A crafted opcode 10012 message can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of SYSTEM,” reads an advisory from the Zero Day Initiative (ZDI), which coordinated reporting and disclosure of the flaw.

Seeley also discovered four other critical remote code execution vulnerabilities in the WebDMServlet, WebDMDebugServlet, MibBrowserTopoFilterServlet and mibFileServlet components of the product.

The security holes exist due to the lack of proper validation for user-supplied data, and they allow an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. The flaws are tracked as CVE-2017-12558, CVE-2017-12557, CVE-2017-12556 and CVE-2017-12554.

HPE and ZDI also published advisories for two remotely exploitable denial-of-service (DoS) flaws discovered by Seeley.

The security holes, identified as CVE-2017-12559 and CVE-2017-12560, allow a remote attacker to delete arbitrary files and folders from vulnerable installations. While an attack requires authentication, the existing authentication mechanism can be bypassed, ZDI said.

The vulnerabilities affect iMC Plat 7.3 E0504P4 and earlier, and they have been addressed by HPE this week with the release of version 7.3 E0506P03.


Intel Launches IoT Device Management Service
6.10.2017 securityweek IoT
Intel this week announced the launch of a new offering to help securely automate the deployment of Internet of Things (IoT) devices and bring them online fast.

Called Intel Secure Device Onboard (Intel SDO), the new product will be offered to IoT platform providers as a service they can provide to customers looking to install and manage thousands of connected devices at once. With Intel SDO, the company says, bringing a device online will take only seconds, making the installation of a large number of devices a simple task.

According to Intel, the new product also eliminates poor security practices, such as shipping default passwords, while also offering an innovative device privacy model for IoT.

Intel SDO comes with Intel Enhanced Privacy ID (Intel EPID), the company’s privacy-preserving IoT identity solution, which allows devices to be anonymously authenticated and which establishes an encrypted communication tunnel that prevents hackers from being able to track the device.

Intel EPID is embedded in silicon before it is assembled into a device and Intel SDO leverages the TCG/ISO identity and authentication standard to cryptographically validate the device. Intel EPID can provide increased privacy by ensuring device onboarding and software provisioning updates are kept anonymous and more secure.

According to the technology giant, one of the main issues that Intel SDO addresses is the transfer of ownership. Typically, manufacturers that build and sell a large number of devices don’t know which environments their products are being deployed in, which could result in increased costs when attempting to support customer orders.

The new service, Intel says, provides compatibility with almost all IoT platforms out there. To ensure broad availability, the company partnered with silicon providers like Infineon, Microchip and Cypress Semiconductor to have the EPID identity capability embedded in their hardware.

Furthermore, cloud service platform and device management software providers like Google Cloud, Amazon Web Services (AWS), Microsoft Azure and Intel’s Wind River Helix Device Cloud will also offer integration to support Intel SDO’s zero touch model.

Intel says it has the entire value chain covered: Intel EPID identity will be embedded in the silicon, manufacturers will insert client software into boot code to support anonymous communication, owners will load their digital ownership receipt, the IoT platform will use an API to enable device registration, and the device will ultimately contact Intel SDO to prove authenticity at power on.

“Intel SDO vastly accelerates trusted onboarding of IoT devices—from minutes to seconds—with a zero-touch, automated process that begins when the device is first powered on and ends when the IoT service provider of choice takes control with a baseline chain of trust from the silicon provider through to the IoT control platform,” the company notes in the Intel SDO product description (PDF).


macOS High Sierra Leaks APFS Volume Passwords via Hint
6.10.2017 securityweek Apple
A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.

APFS is a new file system introduced by Apple with macOS High Sierra. When High Sierra is installed on a computer with a solid-state drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS promises strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.

Developer Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password and, optionally, write a hint for it.

When the new volume is mounted, the user is asked to enter the password. However, Mariano noticed that if the “Show Hint” button is pressed, the hint that is displayed is actually the password set by the user. The password is not disclosed if no information is entered into the “Password hint” field when creating a new volume, although Apple recommends adding a hint.

“I really don’t know how this went unnoticed by Apple (and anyone else),” Mariano said.

SecurityWeek can confirm that the password for encrypted APFS volumes is leaked via the password hint on High Sierra.

APFS password leak via hint

macOS developer Felix Schwarz pointed out that users who have set a hint via the Disk Utility can address the issue by changing the hint using the diskutil command line utility.

Mariano said he reported the issue to Apple before making his findings public. He also published a video showing the vulnerability:

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

This is not the first security hole discovered by researchers in High Sierra. Patrick Wardle, director of research at Synack, reported last month that unsigned apps can steal passwords from the macOS keychain, and that Apple’s new Secure Kernel Extension Loading (SKEL) security feature can be easily bypassed.

UPDATE. Apple told SecurityWeek that an update released on Thursday, October 5, for High Sierra addresses both the APFS password disclosure issue and the keychain vulnerability reported by Wardle.

The company has also published a knowledge base article that provides more guidance to users on the password disclosure bug.


Backdoor Uses FTP Server as C&C
6.10.2017 securityweek Virus
A newly detailed backdoor is using an FTP server for command and control (C&C) purposes, Trend Micro security researchers warn.

Dubbed SYSCON, the malware is being distributed through malicious documents containing macros. All of these documents mention North Korea and appear to be targeted at individuals connected to the Red Cross and the World Health Organization.

The use of an FTP server for C&C is rather unusual for a botnet, which may let it slip by administrators and researchers unnoticed. While this is a clear advantage for the attackers, the fact that it leaves traffic open for monitoring is a major downside.

Trend Micro also discovered that SYSCON’s authors made a coding mistake that resulted in the backdoor sometimes executing the wrong commands.

The documents carrying the malware feature two long strings, with Base64 encoding using a custom alphabet, a technique used to deliver the Sanny malware family in late 2012. Sanny too leveraged relatively unusual techniques for C&C, had a similar structure, and used an identical encoding key, which could suggest that the same threat actor is behind the new backdoor.

The Base64 strings are cabinet files containing the 32-bit and 64-bit versions of the malware, with the appropriate one (based on OS) being extracted into the %Temp% folder, after which one of the files in the cabinet (uacme.exe) is executed.

The executed file determines the operating system version and either directly executes a BAT file or injects a DLL into the taskhost(ex) process to execute the BAT without triggering a UAC prompt.

The BAT file was designed to inject the main malware module and the configuration file into %Windows%\System32, and to achieve persistence. For that, it configures a new COMSysApp service, adds the service parameters into the registry, and starts the service. It also deletes all previously created files in the %Temp% directory.

After execution, the malware gets the computer name and uses it as an identifier, then logs into the FTP server using credentials stored in the configuration file. The attackers use the byethost free FTP service provider, the researchers discovered.

On the FTP server, commands are stored in .txt files, either meant to be processed by all bots or by specific victim computers. After processing a command, the backdoor lists all currently running processes, then sends the data to the server. Transmitted files are generally zipped and encoded with the same custom Base64 encoding used earlier.

Supported commands include: copy file to temp.ini, pack it to temp.zip, encode and upload; pack file to temp.zip, encode and upload; delete config file, write string to the new config file; put file to the given path on infected system; execute command but don’t report back; and execute downloaded file, among others.

The command processing loop contains what appears to be a typo or mistake, the researchers say. They explain that, while the malware treats the commands as strings in wide character format, a parameter in one of the functions has an incorrect file name, thus preventing the process from executing.

“It is interesting to see something atypical, like C&C communication via FTP. While the malware authors probably used this method in an attempt to avoid security solutions inspection and/or blocking, they may not have realized this would make it very easy to monitor their actions and victims’ data,” Trend Micro concludes.
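The cabinet files hidden in the SYSCON documents are Base64 strings written with a custom alphabet, and the same encoding is reused for the data the backdoor uploads. An analyst recovering those payloads maps the custom alphabet back onto the standard one before decoding and then checks for the MSCF cabinet header. The following is an added example, not Trend Micro's tooling; the custom alphabet and the macro-like sample document are constructed, as the real key is not given in the article.

```python
import base64
import binascii
import re
import string

# Standard Base64 alphabet (RFC 4648).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed alphabet for this example; the real SYSCON/Sanny key is not on the page.
CUSTOM_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "zyxwvutsrqponmlkjihgfedcba"
    "9876543210/+"
)

CAB_MAGIC = b"MSCF"  # first four bytes of a Microsoft cabinet file


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Decode Base64 text written with a custom alphabet.

    Each custom symbol is mapped back to its standard counterpart and the
    standard decoder does the rest; '=' padding is left untouched. Whitespace
    is removed first because macro code often splits long strings over lines.
    """
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet, STD_ALPHABET)
    cleaned = "".join(data.split()).translate(table)
    return base64.b64decode(cleaned, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; used here only to build the sample document."""
    _check_alphabet(alphabet)
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(table)


def looks_like_cab(blob: bytes) -> bool:
    return blob.startswith(CAB_MAGIC)


def extract_cab_payloads(text: str, alphabet: str, min_len: int = 32) -> list:
    """Find long runs of alphabet characters in document or macro text, decode
    each with the given alphabet and keep only those that decode to a CAB."""
    _check_alphabet(alphabet)
    run = re.compile("[" + re.escape(alphabet) + "=]{" + str(min_len) + ",}")
    found = []
    for match in run.finditer(text):
        try:
            blob = custom_b64decode(match.group(0), alphabet)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 under this alphabet (e.g. bad length)
        if looks_like_cab(blob):
            found.append(blob)
    return found


# Constructed sample: a fake cabinet body embedded in macro-like text.
SAMPLE_CAB = CAB_MAGIC + bytes(4) + b"constructed fake cabinet body"
SAMPLE_DOC = (
    "Sub AutoOpen()\n"
    "    Dim s As String\n"
    '    s = "' + custom_b64encode(SAMPLE_CAB, CUSTOM_ALPHABET) + '"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for cab in extract_cab_payloads(SAMPLE_DOC, CUSTOM_ALPHABET):
        print("cabinet payload, %d bytes" % len(cab))
```

Decoding the same strings with the standard alphabet yields garbage without the MSCF header, which is how the custom alphabet is noticed in the first place.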